<div dir="ltr"><div>Greetings, If anyone can help me reach a contact at LiquidWeb, there appears to be phishing on its network for 24 days now and I cannot get a response from them or an acknowledgement of receipt of our notices. Yes, we filled our web forms as early as May 5. I can be reached at <a href="mailto:jonathan-m@riskiq.net">jonathan-m@riskiq.net</a> or if Liquid Web can just respond to the notice, that would be great! They just need to email <span style="box-sizing:border-box"><a href="mailto:notice335282@irt.riskiq.net">notice335282@irt.riskiq.net</a>. Thanks for any help you can provide here!</span></div><div><span style="box-sizing:border-box"><br></span></div><div><span style="box-sizing:border-box">By the way, I could not find the phish myself, but I preserved it at </span><span style="box-sizing:border-box"><a href="https://perma.cc/LR8N-SMTH">https://perma.cc/LR8N-SMTH</a> from a RiskIQ crawl that I just looked over internally.</span> The snapshot was taken Fri May 29 05:38:44 PDT 2020 from Chrome.<br></div><div><span style="box-sizing:border-box"></span></div><div><br></div><div>Below is an example of what we are sending them:</div><div><br></div><div><div class="enforcement-messages-dialog-attributes" style="padding:15px 15px 10px;box-sizing:border-box;background:rgb(238,238,238);color:rgb(0,0,0);font-family:"open sans","helvetica neue",helvetica,arial,sans-serif;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div class="detail-container detail-content-list " style="margin:0px;padding:0px 15px 0px 0px;box-sizing:border-box"><div class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 
15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px">From</div><div class="detail-column-9 detail-content-item-value" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:438.75px"><span style="box-sizing:border-box">RiskIQ Incident Response Team <<a href="mailto:notice335282@irt.riskiq.net">notice335282@irt.riskiq.net</a>></span></div></div><div class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px">To</div><div class="detail-column-9 detail-content-item-value" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:438.75px"><span style="box-sizing:border-box"><a href="mailto:abuse@liquidweb.com">abuse@liquidweb.com</a></span></div></div><div class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px"><br></div><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px">Sent At</div><div class="detail-column-9 detail-content-item-value" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:438.75px"><span style="box-sizing:border-box">May 18, 2020 8:02 PM</span></div></div><div class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><br></div><div 
class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><br></div><div class="detail-row detail-content-item" style="padding:0px 0px 5px;box-sizing:border-box"><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px"><br></div><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px"><br></div><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px"><br></div><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px"><br></div><div class="detail-column-3 detail-content-item-name" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:110px;color:rgb(127,127,127);font-size:12px;text-align:left;line-height:19px">Subject</div><div class="detail-column-9 detail-content-item-value" style="margin:0px;padding:0px 15px;box-sizing:border-box;float:left;white-space:pre-wrap;width:438.75px"><span style="box-sizing:border-box">Important Notice - Phishing Materials on Your Network / Incident ID: 54873584 / IP Address: 69.167.190.92 / ASN: LIQUID-WEB-INC - Liquid Web, Inc., US</span></div></div></div></div><div class="enforcement-messages-dialog-messageBody" style="margin:0px;padding:20px 15px;box-sizing:border-box;color:rgb(0,0,0);font-family:"open sans","helvetica 
neue",helvetica,arial,sans-serif;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div class="enforcement-messages-body" style="margin:0px;padding:0px;box-sizing:border-box;white-space:pre-wrap"><p style="margin:0px;padding:0px;box-sizing:border-box"><br></p><p style="margin:0px;padding:0px;box-sizing:border-box">2020-05-18 19:53:03 +0300</p><p style="margin:0px;padding:0px;box-sizing:border-box"><br></p><p style="margin:0px;padding:0px;box-sizing:border-box">Team, please see the notice below from our incident response team beneath my signature block. However, I need to point out a few things here.</p><p style="margin:0px;padding:0px;box-sizing:border-box">I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we discussed you purchased Nexcess, and that is why there is a different technical abuse contact. I had also re-submitted a ticket referencing the prior ticket and someone at LiquidWeb was opening a ticket on the call to make sure they are on top of this.</p><p style="margin:0px;padding:0px;box-sizing:border-box">On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this tenacious event. I was told that if this is a repeat offender, you will terminate the account altogether, but you wouldn't be able to share that info with us for privacy reasons. However, your team was conducting at the moment an internal investigation to see if they need to take different measures.</p><p style="margin:0px;padding:0px;box-sizing:border-box">At that time, Scott put me on hold while he reached out to the security team. 
</p><p style="margin:0px;padding:0px;box-sizing:border-box">At 2020-03-24 20:35:13 +0200, the Security supervisor was looking this over and it was going to take some time for them to decide best course of action. The site was then down. I was told that if it re-surfaces, we can list the UTC date and time stamps that it came back online and your team might then be able to take further action without a court order. You said that if you check the logs, and it doesn’t match up, we would have to get the courts involved.</p><p style="margin:0px;padding:0px;box-sizing:border-box">We have preserved a lot of evidence that the phishing has gone back up again after you took it down. For example, for your reference, we have uploaded a screenshot at <a href="https://perma.cc/SL7L-6XUE" style="box-sizing:border-box;color:rgb(0,160,223);font-weight:500;text-decoration:none">https://perma.cc/SL7L-6XUE</a></p><p style="margin:0px;padding:0px;box-sizing:border-box">This screenshot in the PERMA record captures hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&amp%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&amp%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb</p><p style="margin:0px;padding:0px;box-sizing:border-box">Load Date: Mon May 18 08:13:18 PDT 2020</p><p style="margin:0px;padding:0px;box-sizing:border-box">IP Address: 69.167.190.92</p><p style="margin:0px;padding:0px;box-sizing:border-box">HTTP Method: GET<br style="box-sizing:border-box">Response Code 200<br style="box-sizing:border-box">Response Message OK<br style="box-sizing:border-box">Content Type text/html<br style="box-sizing:border-box">Character Set UTF-8<br style="box-sizing:border-box">Is HTML Page true<br style="box-sizing:border-box">Is From Cache false<br style="box-sizing:border-box">Local Content Length 2.00 K<br style="box-sizing:border-box">Overall Content Length 319.19 K<br 
style="box-sizing:border-box">Local Response Time 4.97 s<br style="box-sizing:border-box">Overall Response Time 5.87 s<br style="box-sizing:border-box">CPU Time 76 ms<br style="box-sizing:border-box">Dependent Requests 5<br style="box-sizing:border-box">Window Name: TopLevelWindow@79c734a4</p><p style="margin:0px;padding:0px;box-sizing:border-box">Please take appropriate action. See all the confirmed URLs in the notice below.</p><p style="margin:0px;padding:0px;box-sizing:border-box">Thanks,</p><p style="margin:0px;padding:0px;box-sizing:border-box">Jonathan Matkowsky, Vice President - Digital Risk (SME)*<br style="box-sizing:border-box">Incident Investigation & Intelligence (i3) <br style="box-sizing:border-box"><br style="box-sizing:border-box">Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK) <br style="box-sizing:border-box">RiskIQ: World Leader in Attack Surface Management<br style="box-sizing:border-box"><br style="box-sizing:border-box"><br style="box-sizing:border-box">*GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA<br style="box-sizing:border-box">This email does not create an attorney-client relationship or constitute legal advice.</p><p style="margin:0px;padding:0px;box-sizing:border-box"><em style="box-sizing:border-box">**We have defanged URLs in this notice. In the identity and location of the phishing materials, please substitute "." 
for "[dot]", "http" for "hxxp", and "https" for "hxxps"**</em></p><p style="margin:0px;padding:0px;box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:500">******     *****    *****         ******   *******</strong></p><p style="margin:0px;padding:0px;box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:500">Summary</strong></p><p style="margin:0px;padding:0px;box-sizing:border-box"><u style="box-sizing:border-box">Threat Activity Type</u>: Phishing<br style="box-sizing:border-box"><u style="box-sizing:border-box">Industry Impact</u>: Financial<br style="box-sizing:border-box"><br style="box-sizing:border-box"><u style="box-sizing:border-box">Spoofed Brand</u>: American Express<br style="box-sizing:border-box"><br style="box-sizing:border-box"><u style="box-sizing:border-box">Date and Time of Abuse</u>: 2020-05-05 06:32 AM PDT <br style="box-sizing:border-box"><br style="box-sizing:border-box"><u style="box-sizing:border-box">IP Address</u>: 69.167.190.92<br style="box-sizing:border-box"><br style="box-sizing:border-box"><u style="box-sizing:border-box">ASN</u>: LIQUID-WEB-INC - Liquid Web, Inc., US<br style="box-sizing:border-box"><br style="box-sizing:border-box"><u style="box-sizing:border-box">Identity and Location of Phishing Materials</u>:</p><p style="margin:0px;padding:0px;box-sizing:border-box"> </p><p style="margin:0px;padding:0px;box-sizing:border-box"> hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb  hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/  
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb  hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb  hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb </p><p style="margin:0px;padding:0px;box-sizing:border-box"> (individually or collectively, “<u style="box-sizing:border-box">Phishing Materials</u>”)</p><p style="margin:0px;padding:0px;box-sizing:border-box"> </p><p style="margin:0px;padding:0px;box-sizing:border-box"><strong style="box-sizing:border-box;font-weight:500">******     *****    *****         ******   *******</strong></p><p style="margin:0px;padding:0px;box-sizing:border-box">Greetings,</p><p style="margin:0px;padding:0px;box-sizing:border-box">Per the above summary, we write on behalf of American Express to request your assistance to mitigate a confirmed threat that appears to utilise your network resources for fraudulent purposes by hosting the Phishing Materials as identified above. 
</p><p style="margin:0px;padding:0px;box-sizing:border-box">We would appreciate it if you would take all reasonable and appropriate steps to ensure your network resources are no longer being used to facilitate or contribute to this confirmed threat, which may include temporarily suspending the account until the Phishing Materials have been removed.</p><p style="margin:0px;padding:0px;box-sizing:border-box"> If you need any support or additional information during the course of your investigation, please let us know by reply email at your earliest convenience.</p><p style="margin:0px;padding:0px;box-sizing:border-box">Thank you for your support in safeguarding the public.</p><p style="margin:0px;padding:0px;box-sizing:border-box">Sincerely,</p><p style="margin:0px;padding:0px;box-sizing:border-box">Digital Threat Incident Response Team</p><p style="margin:0px;padding:0px;box-sizing:border-box">RiskIQ, Inc.</p><p style="margin:0px;padding:0px;box-sizing:border-box">22 Battery St., 10th Floor, San Francisco CA 94111 USA<br style="box-sizing:border-box"><a href="http://www.riskiq.com">www.riskiq.com</a><br style="box-sizing:border-box">Incident 54873584</p></div></div></div></div>
