I contact a slew of domain owners, hosts and registrars each day, both via e-mail and telephone, to get domains/IPs cleaned, suspended or completely nuked. The vast majority generally go something like this:
1. Contact domain owner/host/registrar
2. Report what was found
In the case of domain owners, I typically also have to give advice on what's needed as far as getting it cleaned up and secured, and of course, reported to LE (i.e. who to contact and what they'll typically ask for).
The vast majority of the domain owners are grateful that I've taken the time to report it to them and help them get everything sorted out. Hosting companies and registrars typically either don't respond, or respond with an auto-response, with some following up to let me know what they've done (i.e. cleaned up or suspended). Indeed, I'm working with several registrars and hosts on various cases on an ongoing basis.
Calling a domain owner today, however, I was to be pleasantly surprised. Usually when you call or e-mail a domain owner, whether it's an individual or a company, you tell them who you are, what you've found, how it was found and where you found it (e.g. homepage, sub-domain or specific page(s)). The company I called today had their server compromised and used to house a phishing scam; nothing particularly unusual there. I gave them the usual information (who I was, where I was calling from, what I'd found etc.), but I was surprised to hear a slightly suspicious tone in their voice.
The tone suggested they didn't believe me. They explained that they'd been called about a month earlier and told their site was compromised, but their IT staff/host had told them the report wasn't true; there was nothing there. This obviously explained their tone, and why they were skeptical. I sent them the phishing e-mail I'd received, which pointed directly to the specific page on their site containing the phish, but was then surprised to be asked how I'd received the e-mail (not entirely sure why, but the person I spoke to seemed to think the scammer had sent it to me deliberately).
Anyway, to keep a long story short, I advised they needed to contact law enforcement in their country, and speak to their host/IT staff, as the report was evidently not false in this case, and further advised I'd ask my LE contact to get in touch with them to verify what I'd told them and verify who I was.
Was the previous report they received the reason they were skeptical when I called them? Possibly, but nevertheless, it was a pleasant surprise: instead of immediately believing everything I told them, they questioned everything I told them. That is something everyone should be doing; it's the only way of verifying whether what you're being told is true or not, and whether the person telling you is indeed an innocent party or not (I know, I know, it doesn't necessarily always tell you that, as it depends on the people involved).
Anyway, I thought this would be a good time to point out some steps if you're going to be reporting malicious content, whether it's a compromised server, or something else.
1. Always ensure the first thing you tell them is who you are and where you're from (whether you're calling from a company, or are an individual), and be honest.
I know I don't usually recommend giving your details to people, whether it's a company or an individual domain owner, and indeed, each specific case dictates who you give the information to and how much you give (e.g. if you've found a criminal's website, then the last thing you want to do is give them your info; these cases you should report to either the registrar, host, LE, or people that specialize in getting things reported and taken down (e.g. Malware Domain List, CleanMX or of course, me)).
2. Always be specific, giving as much detail as possible
If, for example, you're reporting a phish, give the exact path to the phish, and ensure you tell them exactly how you came across it. For example, if you received a phishing e-mail, tell them (and if you've not already done so, e-mail them a copy).
When reporting, ensure you're clear; if you need to make notes before e-mailing/calling, do it.
3. Always advise they contact LE - this is an absolute MUST.
LE are the only ones, or among the only ones (depending on the country), with the authority to obtain the files, logs and other evidence that can be used to trace the individual(s) responsible and prosecute accordingly.
4. NEVER ask for anything in return, or offer to clean anything up for them
The main reasons for this should be obvious, but to clarify: if, for example, it's a compromised server, the last thing they should be doing is giving access to someone they do not know who has contacted them out of the blue, regardless of your motives. If they need assistance, point them to their hosting company.
This of course doesn't mean you can't give advice on where they need to look (in the case of malicious code within files) or what to look for. Indeed, you should usually (and again, this varies on a case-by-case basis) feel free to advise on what needs to be done to resolve the incident:
http://www.malwaredomainlist.com/forums/index.php?topic=3122.0
Important: If you're reporting a compromised server, DO NOT rely on any contact information on the website; this could quite easily have been changed by whoever compromised the server. In these cases, go to the WhoIs records, or directly to the hosting company.
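To tie the steps above together, here is an added example (my own, not part of the original post) that assembles an abuse report for a phishing URL: it pulls the exact path out of the reported URL, and takes the abuse contacts from a WHOIS record rather than from anything on the compromised site. The WHOIS text, the URL and all contact details are constructed placeholders; the "Key: Value" layout is the common one, but real records vary and a registrar's record may not carry every field shown here.

```python
# Added example, not from the original post: build an abuse report from a
# phishing URL and a WHOIS record, never from the compromised site's own pages.
import re
from urllib.parse import urlsplit

# Constructed WHOIS record (placeholder domain and contacts), in the usual
# "Key: Value" layout; repeated keys such as "Name Server" are normal.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-VICTIM.COM
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""


def parse_whois(text):
    """Turn a 'Key: Value' WHOIS record into a dict (keys lower-cased).

    Keys that appear more than once collect their values into a list.
    """
    record = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([^:]+?):\s*(.+?)\s*$", line)
        if not match:
            continue  # blank lines, comments and free text are ignored
        key, value = match.group(1).strip().lower(), match.group(2)
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def phish_location(url):
    """Split the reported URL into the host and the exact path to quote."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query  # the query string is part of the exact location
    return parts.hostname.lower(), path


def build_report(url, whois_text, reporter, how_found):
    """Assemble the fields a reporter should pass on, in one place."""
    host, path = phish_location(url)
    whois = parse_whois(whois_text)
    # Abuse contacts come only from WHOIS: the site's own contact page may have
    # been edited by whoever compromised the server.
    return {
        "reporter": reporter,          # who you are and where you're from
        "host": host,
        "exact_path": path,            # be specific: the exact path to the phish
        "how_found": how_found,        # e.g. the phishing e-mail that led you there
        "registrar": whois.get("registrar"),
        "abuse_email": whois.get("registrar abuse contact email"),
        "abuse_phone": whois.get("registrar abuse contact phone"),
        "name_servers": whois.get("name server", []),
        "advice": ["contact law enforcement", "contact hosting company / IT staff"],
    }


if __name__ == "__main__":
    report = build_report(
        "http://www.example-victim.com/images/login/index.php?id=1",  # constructed URL
        SAMPLE_WHOIS,
        reporter="Jane Doe, independent researcher (placeholder)",
        how_found="phishing e-mail received on 2010-10-07 (copy attached)",
    )
    for field, value in report.items():
        print(f"{field}: {value}")
```

The name servers are worth keeping in the report because they usually identify the hosting company, which is the other party to go to directly when the site's own contact details cannot be trusted.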
I'm sure I've rambled here (I do that a lot), so if you've got any questions, feel free to get in touch.
Thursday, 7 October 2010