Replied offlist.

On 5/29/20 11:27 AM, Jonathan M wrote:
> Greetings,
>
> If anyone can help me reach a contact at LiquidWeb, there appears to be
> phishing on its network for 24 days now and I cannot get a response from
> them or an acknowledgement of receipt of our notices. Yes, we filled our
> web forms as early as May 5. I can be reached at [email protected] or, if
> Liquid Web can just respond to the notice, that would be great! They just
> need to email [email protected]. Thanks for any help you can provide here!
>
> By the way, I could not find the phish myself, but I preserved it at
> https://perma.cc/LR8N-SMTH from a RiskIQ crawl that I just looked over
> internally. The snapshot was taken Fri May 29 05:38:44 PDT 2020 from Chrome.
>
> Below is an example of what we are sending them:
>
> From: RiskIQ Incident Response Team <[email protected]>
> To: [email protected]
> Sent At: May 18, 2020 8:02 PM
> Subject: Important Notice - Phishing Materials on Your Network / Incident ID:
> 54873584 / IP Address: 69.167.190.92 / ASN: LIQUID-WEB-INC - Liquid Web,
> Inc., US
>
> 2020-05-18 19:53:03 +0300
>
> Team, please see the notice below from our incident response team beneath
> my signature block. However, I need to point out a few things here.
>
> I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we
> discussed you purchased Nexcess, and that is why there is a different
> technical abuse contact. I had also re-submitted a ticket referencing the
> prior ticket and someone at LiquidWeb was opening a ticket on the call to
> make sure they are on top of this.
>
> On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this
> tenacious event. I was told that if this is a repeat offender, you will
> terminate the account altogether, but you wouldn't be able to share that
> info with us for privacy reasons. However, your team was at the moment
> conducting an internal investigation to see if they need to take different
> measures.
>
> At that time, Scott put me on hold while he reached out to the security
> team.
>
> At 2020-03-24 20:35:13 +0200, the Security supervisor was looking this over
> and it was going to take some time for them to decide the best course of
> action. The site was then down. I was told that if it re-surfaces, we can
> list the UTC date and time stamps that it came back online and your team
> might then be able to take further action without a court order. You said
> that if you check the logs, and it doesn't match up, we would have to get
> the courts involved.
>
> We have preserved a lot of evidence that the phishing has gone back up
> again after you took it down. For example, for your reference, we have
> uploaded a screenshot at https://perma.cc/SL7L-6XUE
>
> This screenshot in the PERMA record captures
> hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
>
> Load Date: Mon May 18 08:13:18 PDT 2020
> IP Address: 69.167.190.92
> HTTP Method: GET
> Response Code: 200
> Response Message: OK
> Content Type: text/html
> Character Set: UTF-8
> Is HTML Page: true
> Is From Cache: false
> Local Content Length: 2.00 K
> Overall Content Length: 319.19 K
> Local Response Time: 4.97 s
> Overall Response Time: 5.87 s
> CPU Time: 76 ms
> Dependent Requests: 5
> Window Name: TopLevelWindow@79c734a4
>
> Please take appropriate action. See all the confirmed URLs in the notice
> below.
>
> Thanks,
>
> Jonathan Matkowsky, Vice President - Digital Risk (SME)*
> Incident Investigation & Intelligence (i3)
>
> Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK)
> RiskIQ: World Leader in Attack Surface Management
>
> *GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA
> This email does not create an attorney-client relationship or constitute
> legal advice.
>
> ***We have defanged URLs in this notice. In the identity and location of
> the phishing materials, please substitute "." for "[dot]", "http" for
> "hxxp", and "https" for "hxxps"***
>
> ******* ***** ***** ****** ********
>
> *Summary*
>
> *Threat Activity Type*: Phishing
> *Industry Impact*: Financial
> *Spoofed Brand*: American Express
> *Date and Time of Abuse*: 2020-05-05 06:32 AM PDT
> *IP Address*: 69.167.190.92
> *ASN*: LIQUID-WEB-INC - Liquid Web, Inc., US
>
> *Identity and Location of Phishing Materials*:
>
> hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
> hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/
> hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
> hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
> hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
>
> (individually or collectively, "*Phishing Materials*")
>
> ******* ***** ***** ****** ********
>
> Greetings,
>
> Per the above summary, we write on behalf of American Express to request
> your assistance to mitigate a confirmed threat that appears to utilise your
> network resources for fraudulent purposes by hosting the Phishing Materials
> as identified above.
>
> We would appreciate it if you would take all reasonable and appropriate
> steps to ensure your network resources are no longer being used to
> facilitate or contribute to this confirmed threat, which may include
> temporarily suspending the account until the Phishing Materials have been
> removed.
>
> If you need any support or additional information during the course of your
> investigation, please let us know by reply email at your earliest
> convenience.
>
> Thank you for your support in safeguarding the public.
>
> Sincerely,
>
> Digital Threat Incident Response Team
> RiskIQ, Inc.
> 22 Battery St., 10th Floor, San Francisco CA 94111 USA
> www.riskiq.com
> Incident 54873584
--
James Shank
Senior Security Evangelist; Chief Architect, Community Services
Team Cymru, Inc.
[email protected]; +1-847-378-3365; http://www.team-cymru.com/
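As an added example (not part of the thread, and not RiskIQ's or Team Cymru's tooling), a small abuse-desk triage helper in Python for the notice quoted above: it refangs URLs written under both defanging conventions the message uses ("hxxp"/"[dot]" and "hXXps"/"[.]"), collapses the listed variants down to the one hosted page, reads the kit's `cmd` lure parameter, and flags the `/wp-content/` theme path as a likely compromised CMS. The function names and the compromised-CMS heuristic are my own assumptions; the sample URLs are the ones listed in the notice.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Defanging conventions used in the notice: "hxxp"/"hXXps" for the scheme
# and "[dot]" or "[.]" for the dots in the host name.
_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)

def refang(url: str) -> str:
    """Restore a defanged URL so it can be parsed (never so it can be visited)."""
    url = _DEFANGED_SCHEME.sub(lambda m: f"http{m.group(1).lower()}://", url.strip())
    return url.replace("[dot]", ".").replace("[.]", ".")

def page_key(url: str) -> tuple[str, str]:
    """Host and path identify the hosted page; scheme and the per-visit
    id/session tokens in the query string do not."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower(), parts.path

def impersonation_target(url: str):
    """The kit's 'cmd' parameter names the lure it is pretending to be (or None)."""
    return parse_qs(urlsplit(refang(url)).query).get("cmd", [None])[0]

def looks_like_compromised_cms(url: str) -> bool:
    """Heuristic (assumption): a kit dropped under a WordPress theme directory
    usually means a compromised legitimate site, so the site owner needs notice too."""
    return "/wp-content/" in urlsplit(refang(url)).path

def triage(urls: list[str]) -> dict[tuple[str, str], set[str]]:
    """Group listed URLs by hosted page: {(host, path): {distinct refanged URLs}}."""
    pages = {}
    for u in urls:
        pages.setdefault(page_key(u), set()).add(refang(u))
    return pages

# The URLs as they appear in the notice above (the id/session value in the
# original is the same 32-hex string written twice).
PATH = "/wp-content/themes/ivy-school/vc_templates/american-express/home/"
CMD = "cmd=www.ssaonline-account-service.com-update_submit"
TOKEN = "93dd5ecd270aecd21435f29da5626bcb" * 2
NOTICE_URLS = [
    f"hxxps://zionhighschools[dot]com{PATH}?{CMD}&%3bid={TOKEN}&%3bsession={TOKEN}",
    f"hxxp://zionhighschools[dot]com{PATH}",
    f"hxxps://zionhighschools[dot]com{PATH}?{CMD}&id={TOKEN}&session={TOKEN}",
    f"hxxps://zionhighschools[dot]com{PATH}?{CMD}&id={TOKEN}&session={TOKEN}",  # listed twice
    f"hxxp://zionhighschools[dot]com{PATH}?{CMD}&id={TOKEN}&session={TOKEN}",
    f"hXXps://zionhighschools[.]com{PATH}?{CMD}&%3bid={TOKEN}&%3bsession={TOKEN}",  # screenshot
]
```

Running `triage(NOTICE_URLS)` shows the six listed strings are four distinct URLs on a single hosted page, which is what a takedown ticket should reference.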

