LiquidWeb contact re phishing 24 days

James Shank jshank at cymru.com
Fri May 29 17:34:51 UTC 2020


Replied offlist.

On 5/29/20 11:27 AM, Jonathan M wrote:
> Greetings, If anyone can help me reach a contact at LiquidWeb, there
> appears to be phishing on its network for 24 days now and I cannot get a
> response from them or an acknowledgement of receipt of our notices. Yes, we
> filled out our web forms as early as May 5. I can be reached at
> jonathan-m at riskiq.net or if Liquid Web can just respond to the notice, that
> would be great! They just need to email notice335282 at irt.riskiq.net. Thanks
> for any help you can provide here!
> 
> By the way, I could not find the phish myself, but I preserved it at
> https://perma.cc/LR8N-SMTH from a RiskIQ crawl that I just looked over
> internally. The snapshot was taken Fri May 29 05:38:44 PDT 2020 from Chrome.
> 
> Below is an example of what we are sending them:
> 
> From
> RiskIQ Incident Response Team <notice335282 at irt.riskiq.net>
> To
> abuse at liquidweb.com
> 
> Sent At
> May 18, 2020 8:02 PM
> 
> 
> Subject
> Important Notice - Phishing Materials on Your Network / Incident ID:
> 54873584 / IP Address: 69.167.190.92 / ASN: LIQUID-WEB-INC - Liquid Web,
> Inc., US
> 
> 
> 2020-05-18 19:53:03 +0300
> 
> 
> Team, please see the notice below from our incident response team beneath
> my signature block. However, I need to point out a few things here.
> 
> I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we
> discussed you purchased Nexcess, and that is why there is a different
> technical abuse contact. I had also re-submitted a ticket referencing the
> prior ticket and someone at LiquidWeb was opening a ticket on the call to
> make sure they are on top of this.
> 
> On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this
> tenacious event. I was told that if this is a repeat offender, you will
> terminate the account altogether, but you wouldn't be able to share that
> info with us for privacy reasons. However, your team was conducting at the
> moment an internal investigation to see if they need to take different
> measures.
> 
> At that time, Scott put me on hold while he reached out to the security
> team.
> 
> At 2020-03-24 20:35:13 +0200, the Security supervisor was looking this over
> and it was going to take some time for them to decide best course of
> action. The site was then down. I was told that if it re-surfaces, we can
> list the UTC date and time stamps that it came back online and your team
> might then be able to take further action without a court order. You said
> that if you check the logs, and it doesn’t match up, we would have to get
> the courts involved.
> 
> We have preserved a lot of evidence that the phishing has gone back up
> again after you took it down. For example, for your reference, we have
> uploaded a screenshot at https://perma.cc/SL7L-6XUE
> 
> This screenshot in the PERMA record captures
> hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&amp%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&amp%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
> 
> Load Date: Mon May 18 08:13:18 PDT 2020
> 
> IP Address: 69.167.190.92
> 
> HTTP Method: GET
> Response Code: 200
> Response Message: OK
> Content Type: text/html
> Character Set: UTF-8
> Is HTML Page: true
> Is From Cache: false
> Local Content Length: 2.00 K
> Overall Content Length: 319.19 K
> Local Response Time: 4.97 s
> Overall Response Time: 5.87 s
> CPU Time: 76 ms
> Dependent Requests: 5
> Window Name: TopLevelWindow at 79c734a4
> 
> Please take appropriate action. See all the confirmed URLs in the notice
> below.
> 
> Thanks,
> 
> Jonathan Matkowsky, Vice President - Digital Risk (SME)*
> Incident Investigation & Intelligence (i3)
> 
> Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK)
> RiskIQ: World Leader in Attack Surface Management
> 
> 
> *GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA
> This email does not create an attorney-client relationship or constitute
> legal advice.
> 
> ***We have defanged URLs in this notice. In the identity and location of
> the phishing materials, please substitute "." for "[dot]", "http" for
> "hxxp", and "https" for "hxxps"***
> 
> ******* ***** ***** ****** ********
> 
> *Summary*
> 
> *Threat Activity Type*: Phishing
> *Industry Impact*: Financial
> 
> *Spoofed Brand*: American Express
> 
> *Date and Time of Abuse:*: 2020-05-05 06:32 AM PDT
> 
> *IP Address*: 69.167.190.92
> 
> *ASN*: LIQUID-WEB-INC - Liquid Web, Inc., US
> 
> *Identity and Location of Phishing Materials*:
> 
> (individually or collectively, “*Phishing Materials*”)
> 
> ******* ***** ***** ****** ********
> 
> Greetings,
> 
> Per the above summary, we write on behalf of American Express to request
> your assistance to mitigate a confirmed threat that appears to utilise your
> network resources for fraudulent purposes by hosting the Phishing Materials
> as identified above.
> 
> We would appreciate it if you would take all reasonable and appropriate
> steps to ensure your network resources are no longer being used to
> facilitate or contribute to this confirmed threat, which may include
> temporarily suspending the account until the Phishing Materials have been
> removed.
> 
> If you need any support or additional information during the course of your
> investigation, please let us know by reply email at your earliest
> convenience.
> 
> Thank you for your support in safeguarding the public.
> 
> Sincerely,
> 
> Digital Threat Incident Response Team
> 
> RiskIQ, Inc.
> 
> 22 Battery St., 10th Floor, San Francisco CA 94111 USA
> www.riskiq.com
> Incident 54873584
> 

-- 
James Shank
Senior Security Evangelist; Chief Architect, Community Services
Team Cymru, Inc.
jshank at cymru.com; +1-847-378-3365; http://www.team-cymru.com/