LiquidWeb contact re phishing 24 days

Jonathan M jonathan-m at riskiq.net
Fri May 29 15:27:06 UTC 2020


Greetings,

If anyone can help me reach a contact at LiquidWeb, there appears to be
phishing on its network for 24 days now, and I cannot get a response from
them or an acknowledgement of receipt of our notices. Yes, we filled out
the web forms as early as May 5. I can be reached at
jonathan-m at riskiq.net, or if Liquid Web can just respond to the notice, that
would be great! They just need to email notice335282 at irt.riskiq.net. Thanks
for any help you can provide here!

By the way, I could not find the phish myself, but I preserved it at
https://perma.cc/LR8N-SMTH from a RiskIQ crawl that I just looked over
internally. The snapshot was taken Fri May 29 05:38:44 PDT 2020 from Chrome.

Below is an example of what we are sending them:

From: RiskIQ Incident Response Team <notice335282 at irt.riskiq.net>
To: abuse at liquidweb.com
Sent At: May 18, 2020 8:02 PM
Subject: Important Notice - Phishing Materials on Your Network / Incident ID:
54873584 / IP Address: 69.167.190.92 / ASN: LIQUID-WEB-INC - Liquid Web,
Inc., US

2020-05-18 19:53:03 +0300


Team, please see the notice below from our incident response team beneath
my signature block. However, I need to point out a few things here.

I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we
discussed that you had purchased Nexcess, which is why there is a different
technical abuse contact. I had also re-submitted a ticket referencing the
prior ticket, and someone at LiquidWeb was opening a ticket on the call to
make sure they were on top of this.

On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this
tenacious event. I was told that if this is a repeat offender, you would
terminate the account altogether, but you wouldn't be able to share that
information with us for privacy reasons. However, your team was at that
moment conducting an internal investigation to see whether they needed to
take different measures.

At that time, Scott put me on hold while he reached out to the security
team.

At 2020-03-24 20:35:13 +0200, the security supervisor was looking this over,
and it was going to take some time for them to decide the best course of
action. The site was then down. I was told that if it re-surfaces, we can
list the UTC date and time stamps at which it came back online, and your team
might then be able to take further action without a court order. You said
that if you check the logs and it doesn't match up, we would have to get
the courts involved.

We have preserved a lot of evidence that the phishing has gone back up
again after you took it down. For example, for your reference, we have
uploaded a screenshot at https://perma.cc/SL7L-6XUE

This screenshot in the PERMA record captures
hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&amp%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&amp%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb

Load Date: Mon May 18 08:13:18 PDT 2020
IP Address: 69.167.190.92
HTTP Method: GET
Response Code: 200
Response Message: OK
Content Type: text/html
Character Set: UTF-8
Is HTML Page: true
Is From Cache: false
Local Content Length: 2.00 K
Overall Content Length: 319.19 K
Local Response Time: 4.97 s
Overall Response Time: 5.87 s
CPU Time: 76 ms
Dependent Requests: 5
Window Name: TopLevelWindow at 79c734a4

Please take appropriate action. See all the confirmed URLs in the notice
below.

Thanks,

Jonathan Matkowsky, Vice President - Digital Risk (SME)*
Incident Investigation & Intelligence (i3)

Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK)
RiskIQ: World Leader in Attack Surface Management


*GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA
This email does not create an attorney-client relationship or constitute
legal advice.

***We have defanged URLs in this notice. In the identity and location of
the phishing materials, please substitute "." for "[dot]", "http" for
"hxxp", and "https" for "hxxps"***

******* ***** ***** ****** ********

*Summary*

*Threat Activity Type*: Phishing
*Industry Impact*: Financial

*Spoofed Brand*: American Express

*Date and Time of Abuse*: 2020-05-05 06:32 AM PDT

*IP Address*: 69.167.190.92

*ASN*: LIQUID-WEB-INC - Liquid Web, Inc., US

*Identity and Location of Phishing Materials*:

hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb


(individually or collectively, “*Phishing Materials*”)

******* ***** ***** ****** ********

Greetings,

Per the above summary, we write on behalf of American Express to request
your assistance to mitigate a confirmed threat that appears to utilise your
network resources for fraudulent purposes by hosting the Phishing Materials
as identified above.

We would appreciate it if you would take all reasonable and appropriate
steps to ensure your network resources are no longer being used to
facilitate or contribute to this confirmed threat, which may include
temporarily suspending the account until the Phishing Materials have been
removed.

If you need any support or additional information during the course of your
investigation, please let us know by reply email at your earliest
convenience.

Thank you for your support in safeguarding the public.

Sincerely,

Digital Threat Incident Response Team

RiskIQ, Inc.

22 Battery St., 10th Floor, San Francisco CA 94111 USA
www.riskiq.com
Incident 54873584

-- 
*******************************************************************
This message was sent from RiskIQ, and is intended only for the designated
recipient(s). It may contain confidential or proprietary information and
may be subject to confidentiality protections. If you are not a designated
recipient, you may not review, copy or distribute this message. If you
receive this in error, please notify the sender by reply e-mail and delete
this message. Thank you.
*******************************************************************
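The defanging convention the notice states ("[dot]" for ".", "hxxp"/"hxxps" for "http"/"https") is what an abuse desk has to undo before it can match the reported URLs against its own logs, and the thread lists the same page under three query-string encodings ("&amp%3bid=", "&%3bid=", "&id="). The following is an added example, not RiskIQ's, LiquidWeb's or the mailing list's code: it refangs and defangs URLs under that convention, also accepts the "[.]" form used earlier in the thread, and builds a canonical form so that the differently encoded entries are recognised as one indicator. The function names `refang`, `defang`, `canonicalize` and `unique_indicators`, the regexes and the canonical form are this example's own choices; `NOTICE_URLS` holds the URL entries quoted above.

```python
"""Refang, canonicalise and de-duplicate defanged phishing URLs.

Added example, not RiskIQ's or LiquidWeb's code. It implements the
defanging convention stated in the notice ("[dot]" for ".", "hxxp" for
"http", "hxxps" for "https"), additionally accepts the "[.]" form used
earlier in the thread, and adds a canonical form so that the three
encodings of one indicator in the notice ("&amp%3bid=", "&%3bid=",
"&id=") compare equal. The regexes and the canonical form are this
example's own choices, not part of the notice.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "hxxp://" / "hXXps://" -> "http://" / "https://"
_SCHEME_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
# "[dot]" or "[.]" -> "."
_DOT_RE = re.compile(r"\[(?:dot|\.)\]", re.IGNORECASE)
# "&amp;" or a bare "&amp" not followed by an alphanumeric -> "&".
# Deliberately narrower than html.unescape(), which would also turn a
# query key such as "copy" in "&copy=1" into a copyright sign.
_AMP_RE = re.compile(r"&amp(?:;|(?![A-Za-z0-9]))", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the defanging so the URL can be parsed (urlsplit rejects '[.]' hosts)."""
    url = url.strip()
    url = _SCHEME_RE.sub(lambda m: "http" + m.group(1).lower() + "://", url)
    return _DOT_RE.sub(".", url)


def defang(url: str) -> str:
    """Apply the notice's convention: hxxp(s) scheme, '[dot]' in the host only."""
    parts = urlsplit(refang(url))
    scheme = parts.scheme.lower().replace("http", "hxxp", 1)
    netloc = parts.netloc.replace(".", "[dot]")
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def canonicalize(url: str) -> str:
    """Normalise scheme/host case, '&amp' residue, percent-encoded ';' and
    parameter order so encoding variants of one indicator compare equal."""
    parts = urlsplit(_AMP_RE.sub("&", refang(url)))
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes, so "%3bid" arrives here as ";id"
        pairs.append((key.lstrip(";"), value))
    pairs.sort()
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, urlencode(pairs), ""))


def unique_indicators(urls):
    """Group the defanged URLs of a notice by canonical form.

    Returns {canonical_url: [original strings, ...]} so an analyst can see
    which listed entries are the same page under different encodings.
    """
    groups = {}
    for url in urls:
        groups.setdefault(canonicalize(url), []).append(url)
    return groups


# The URL entries quoted in the thread (one page listed six ways).
_H = "93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb"
_PATH = "/wp-content/themes/ivy-school/vc_templates/american-express/home/"
_CMD = "cmd=www.ssaonline-account-service.com-update_submit"
NOTICE_URLS = [
    f"hXXps://zionhighschools[.]com{_PATH}?{_CMD}&amp%3bid={_H}&amp%3bsession={_H}",
    f"hxxps://zionhighschools[dot]com{_PATH}?{_CMD}&%3bid={_H}&%3bsession={_H}",
    f"hxxp://zionhighschools[dot]com{_PATH}",
    f"hxxps://zionhighschools[dot]com{_PATH}?{_CMD}&id={_H}&session={_H}",
    f"hxxps://zionhighschools[dot]com{_PATH}?{_CMD}&id={_H}&session={_H}",
    f"hxxp://zionhighschools[dot]com{_PATH}?{_CMD}&id={_H}&session={_H}",
]

if __name__ == "__main__":
    for canon, originals in unique_indicators(NOTICE_URLS).items():
        print(f"{len(originals)} listed entries -> {defang(canon)}")
```

Running the block folds the six listed entries into three distinct indicators (the https landing page with its query string, the bare http path, and the http variant of the query-string URL); the canonical form deliberately keeps the scheme apart, since a takedown check against web-server logs is usually run per listener.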
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200529/0ff8c934/attachment.html>