Reporting phishing... oye

We will investigate would be a great start.
Then perhaps in a follow up email they could say "we have investigated and closed their account"... or even "we have reported them to the authorities" (but that's a long shot).

I really don't think telling a crook what they already know is that helpful.
Reality is that more often than not, legitimate customers have had their legitimate website compromised (weak security, outdated plugins etc.).

That is for the customer to investigate and remediate.
 
I've worked in the hosting space before and there is no way you can suspend or terminate service for every abuse report received, especially for things like malware, phishing and port scanning, as a lot of legitimate development work does trip security flags, and it's generally developers of websites and apps who are clients for VPS/VDS servers anyway (if we had suspended for every abuse report received when I still worked in the field we would have had about one tenth of our client base and the business would have gone bust). For example, advertising on websites is often flagged as malware if configured poorly (mainly in Europe, which seems to have some German federal authorities involved in abuse monitoring).

Obviously there are abuse reports for which we used to suspend immediately, like brute force attacks, child exploitation, spam etc. European abuse monitors tend to flag any and everything they can as abuse, and a business would and should consult with its paying clients before taking action against them like suspension or termination. As mentioned above, a lot of servers are extremely easy to compromise: most of our clients (back in the day) used just the standard SSH/RDP password for server access, and only about 5% of clients set up a different port for SSH/RDP or used public and private keys for server access.
 
This was not one of those cases. It's hosted on a small virtual server that they have full ownership of. The IP is not being used for any other domains.
So immediately it must be that the virtual server was paid for by a malicious actor for the sole purpose of hosting the phishing site.

Can't at all possibly be a legitimate customer who had their server compromised through some means.

Malicious actors would far rather use compromised resources to host their nefarious sites than pay for them...
 
Yeah, but you do investigate the issue when reported, right? Or do you ask the client to investigate?

Yet there are simple cases where a client rents your equipment for the sole purpose of hosting malware. Do you ask the client to self assess themselves when you've been given a URL that's hosted on your equipment that's clearly being used for organised crime?
Yip, we always did investigate and logged the abuse report against the client's IP address. Not excusing this circumstance, just explaining that anyone who has control over an IP range probably receives 1000s of abuse reports for a standard /24 block (256 IP addresses) in a given month.
 
Which is probably why a regulatory body needs to step in and require ISPs to block stuff they've been notified of. If it means DoS to clients, so be it - they must sort their mess out or be blocked. I assume that's not a strategy?
As said, I don't work in the field anymore, but it would essentially kill any provider that isn't huge if this was enforced. Generally smaller providers are leasing blocks of 256 IP addresses, and if they were forced to take down or suspend any client who received an abuse report, I can't see any way to make the business viable: they still pay all the costs to rent the IP addresses from the hosting provider on top of all the other costs for bandwidth, electricity, data centre space etc. All that would happen, I imagine, is that only Google, Microsoft, Amazon and other huge providers who can afford to meet the compliance costs and own millions of IP addresses would still be able to offer competitive services; many people already find these providers too expensive, which is why smaller VPS providers generally can offer competitive pricing.
 
Just to be clear, I'm not suggesting block by default on hearsay, I'm suggesting where the result of an investigation shows malware or phishing pages being hosted from the client's environment, block access to that server. Why would that sink a service provider? And why would you not want to deal with malware or phishing being hosted from your infrastructure?

1 minute reveals these are all the domains pointing to this IP - I'd put my head on a block that they're all used for phishing and the only thing that IP is being used for is phishing.

[Screenshot attachment: list of domains pointing to the IP]
I'm massively out of date, but that was generally the way it went before when I used to work in the field. There are abuses for which most providers will suspend service immediately, like brute force attacks, login attacks, child exploitation, spam etc., but for malware, phishing and port scans usually a warning is issued to the client (so they can check if the server has been compromised or if they are doing something legitimate), and if further abuse reports come in the service is suspended, with an additional warning to the client.

The above (screenshot) does seem ridiculous and I would have suspended them after the second abuse report came in. For a lot of hosting providers their reputation is quite important (as their business depends on it; bigger clients won't even consider a VPS provider whose IPs have a poor reputation, as delivering email and such becomes impossible when an IP is blacklisted), so they will monitor abuse quite seriously. I do think your ideas have merit; just having worked in the field before for a smaller hosting provider, balancing abuse monitoring with keeping clients happy is an ongoing and difficult struggle, especially because of the multinational aspect of the business. Europe has different abuse protocols than other regions as there is some EU agency involved in enforcing abuse monitoring, other regions have their own regulatory burdens or enforcement as well, and as usual South Africa is way behind the curve.
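The escalation policy the poster describes (suspend at once for brute force, login attacks, child exploitation and spam; warn first for malware, phishing and port scans, then suspend on a repeat report, with reports logged against the client's IP) can be written down as a small triage ledger. This is an added example, not code from the thread or from any provider; the category names, action strings and sample IPs are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Categories the poster says providers suspend for on the first report.
IMMEDIATE_SUSPEND = {"brute_force", "login_attack", "child_exploitation", "spam"}
# Categories that get a warning first so the client can check for a compromise.
WARN_FIRST = {"malware", "phishing", "port_scan"}


@dataclass
class AbuseReport:
    client_ip: str   # the IP the report is logged against (constructed values)
    category: str    # normalised category, e.g. "phishing"
    reporter: str    # who sent the report, kept for the audit trail


@dataclass
class AbuseLedger:
    # Per-IP history of every report received, as the thread describes.
    history: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, report: AbuseReport) -> str:
        """Record the report and return the action the policy prescribes:
        'suspend', 'warn', or 'review' for a category the policy does not cover."""
        cat = report.category.lower()
        prior_warned = [
            r for r in self.history[report.client_ip] if r.category.lower() in WARN_FIRST
        ]
        self.history[report.client_ip].append(report)
        if cat in IMMEDIATE_SUSPEND:
            return "suspend"
        if cat in WARN_FIRST:
            # First warn-first report: warning only. Any further report on the
            # same IP in a warn-first category: suspend (the client is warned again).
            return "warn" if not prior_warned else "suspend"
        return "review"  # unknown category: hand to a human abuse-desk analyst


if __name__ == "__main__":
    ledger = AbuseLedger()
    for rep in (
        AbuseReport("203.0.113.10", "phishing", "constructed-reporter-a"),
        AbuseReport("203.0.113.10", "malware", "constructed-reporter-b"),
        AbuseReport("203.0.113.11", "spam", "constructed-reporter-c"),
    ):
        print(rep.client_ip, rep.category, "->", ledger.handle(rep))
```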
 