
When Webmasters Get Phished?

Posted by Cliff
from the gone-phishing dept.
SirJorgelOfBorgel asks: "Many of us run webservers. Some of us just for fun - hosting many of the 'less important' stuff around on the web, others professionally. Though you always try to keep your webserver secure there's always the possibility you get hacked. What do you do, then?" You would think that, by doing the right thing and reporting the incident to the proper authorities, they would do the right thing and go after the hackers, right? This may not be the case. Here's a cautionary tale on what may happen if you follow that line of reasoning. The real question here is: what else could SirJorgelOfBorgel have done to make things turn out as he expected?
"It happened to me a few months ago, and the hacker installed a phishing website. Of course I found that out within a few hours and removed it (and patched the used vulnerability). To be helpful, I packed the whole folder, relevant logs, etc, and sent them -- accompanied by a letter explaining what happened -- to the fraud reporting email address of the bank that was the target of the attempt. That's what we all would do, right?

To my surprise however, instead of them trying to find out who it was that made the attempt (an email address where the phished usernames/passwords were transmitted to was clearly visible in the source), they had me disconnected from the Internet and put on an ISP blacklist. Took me some cash and a lot of time to even get reconnected to the Internet. And there I thought they would be happy with this information.

In light of this, if you should ever notice a phishing attempt, would you still report it, knowing it might get yourself in a lot of trouble? I for one, probably won't.

Furthermore, though I know it is my own responsibility to make sure my PCs are well protected, would there be any legal action I should/could take to get reimbursed for my losses? (The bank is a US bank, I am not a US citizen.)"

  • they had me disconnected from the internet and put on an ISP blacklist. The sad truth is that for the average person, it's just a waste of time to try to contact the proper authorities in cases like this. Most of the time, they will simply ignore you, so you have expanded time, energy, and perhaps money for absolutely nothing but aggravation. Delete and move on...
    • If you have figured out a way to expand time, energy, and money, then I'd say the downtime was worth it and you'll make up your losses in short order.
    • It is simple actually. No "good deed" will go unpunished. Look out for number one. That bank's problem was not the webmaster's problem. Here is another example: If you go into a public restroom, and someone has trashed the place, do not point it out to management. They will only accuse you of doing it, so find another place to use the can.
  • US Banks (Score:5, Insightful)

    by SlackBastardNetworks (850208) on Sunday July 10, 2005 @04:22PM (#13027991)
    Having dealt with banks (and other industries) in the US many times in the past, I'd like to point out that the average bank has a limited IT department, and the people working there tend to be below par by Slashdot standards. Again, I'm talking about averages here, so keep the "i wok at bank weth fiv otur giys wee al expirts!!1!" flames to yourself.

    That said, it's important to remember that they're not going to actually read any explanations you attach to anything you send them. What they will do is look over the attachments, make their own determination as to what happened, and go tearing off in a random direction, convinced of the righteousness of their crusade.

    So how do you notify them of the phisher without being bitten yourself? Complain about phishing emails coming from the address in question. Don't mention a website. Certainly don't mention your own server. Is this dishonest? Yes, technically. But if you're competent and you know they're not (or at the very least suspect they're not) it's more a case of tailoring the information to suit the audience. You don't explain moral values and arguments to a guard dog, you simply point at the intruder and tell the dog to "sic 'em!".

    There are other US industries to be wary of, with regards to IT: insurance, legal offices, professional medical offices (hospitals, doctors, dentists, chiropractors, etc). The smaller offices tend not to know what's going on, the larger ones tend to push everything off on an IT department that's entirely too small for its own good (and may be staffed with less than the best), and they all tend to make demands that don't coincide with consensual reality.

    Why is it like this? From what I've seen it's a matter of not having IT people, or letting someone who doesn't understand what's needed do the hiring. They end up with a lot of paper tigers, or worse. I remember one insurance office that had hired an agent's neighbor - a 13 year old self-proclaimed 'firewall expert'. It took me two weeks and nearly $1000 of their money to sort out the mistakes he'd made (and find/remove all the snoopers he'd left behind).

    In a nutshell, try not to use big words when dealing with US banks, and only give them the information they need to point them in the right direction. While your mileage may vary, it's a good practice, because it will protect you.

    I'm sorry, but I don't have any advice on how to recover your losses with regards to the actions the bank took.
    • Re:US Banks (Score:3, Informative)

      by clambake (37702)
      and the people working there tend to be below par by Slashdot standards

      Worked at a company that dealt with banks a couple of years ago, and I have to agree. MORE THAN ONE of them used the name of the bank backwards as the passwords to their vpns... seriously people, BANKS!
      • Back before identity theft got popular, I was starting a business and stumbled across an incorp site that was obviously made out of FrontPage... Since I worked with FP at the time, I knew that it could empower the idiot masses, so I viewed the code. Lo and behold, it was storing the form to the site. This form had everything you needed to take over someone's life - Their name, business name, 2 addresses, CC info, shareholder info with their SSNs, cc info - everything.

        I emailed the site owner and even gave
    • i wok at bank weth fiv otur giys wee al expirts!!1!

      I find so many phishing sites still up a week after the email timestamp, when I finally check my phishy-email folder.

      I email the url, and email to the site contacts, ISP, lots of other info. I am thinking of making a Firefox plugin called ' report phish ' which will email from a whois lookup, the nameserver admin, the webserver admin, the hosting guys, any personal email found on that root site, also the reply to address or any valid address in the site,
  • I don't know about your state, but I reported a phisher to my state bureau of investigation, because the phisher was targeting a state employee credit union, and the sbi pursued it.

    I think your only liability is not to report it. Just report it to law enforcement instead.

    If someone intentionally interferes with your business, yes, you should sue the fuck out of them. Especially if they have the ability to pay, like a bank.

    However, I'm puzzled by this vulnerability you patched to prevent phishing. I, too
  • To be helpful, I packed the whole folder, relevant logs, etc, and sent them - accompanied by a letter explaining what happened - to the fraud reporting email address of the bank that was the target of the attempt. That's what we all would do, right?
    What seems quite likely is that these actions really had nothing to do with it.

    When I get a phishing attempt, I generally report them to the institution being impersonated, especially if it's more convincing than normal. I imagine that some other people do the same. It's entirely possible that other users reported `your' phishing site, and the bank was already in the process of getting it shut down when they received your email.

    ... if they ever received your email. Lots of places don't really read their abuse@ addresses, or filter it so heavily that most everything gets filtered.

    And if they did get your email, and it was received by the right people, they probably don't care. Your site cost them money, even if you claim that you weren't directly responsible, and they'll do what they can to stop it from happening again.

    Ultimately, the right answer is to keep your system secured enough so this doesn't happen. Your email after the fact was the Right Thing [tm] to do, at least morally, but I'll bet if you had checked with your attorney, he'd have suggested not sending it at all, as it could be used as evidence if the bank decided to sue you.

    It's not right, but it's the way things are ... being a Good Guy [tm] just doesn't pay anymore.

  • NAME NAMES! (Score:3, Insightful)

    by Anonymous Coward on Sunday July 10, 2005 @06:03PM (#13028531)
    When you have a story like this, backed up with documented facts (I hope), and you go to the "press" (slashdot is the "press", sad but true), you need to state the names of all companies involved.

    I need to know your company's name, so I avoid your insecure web servers.

    I need to know the bank's name, so I can avoid ever reporting anything to them.

    And I need to know your ISP's name so I can double-check any contracts I might have with them.

    What's the point of posting this when we have no idea who it is, or even if you made it up or not?
    • Re:NAME NAMES! (Score:1, Insightful)

      by wik (10258)
      Ironically, you posted this request as an anonymous coward.

      Name yourself so I can avoid you!
    • Yes Slashdot is "the press", however it's an Ask Slashdot and not really an article that's been posted as "news" so the information is incidental to its main task.

      I'll concede that knowing the bank involved and other details about this incident would be nice to have, but as an Ask Slashdot the information isn't "needed".

  • Are you sure that -

    1) It was the bank that had you disconnected (it might have been a phishing victim doing the complaining to someone else),

    2) It was because you notified them that they had you disconnected (they might have already gotten phishing complaints and had the disconnect in the works while you were still gathering the evidence)

    I'd like to hear the bank's side of the story.

    I know, in /.-think that makes me weird, because we all know it's Yet Another Example of Evil Businesses Keeping the Man Dow
  • Was it Fleet Bank? I hate them so much.

    Their collection department used to call me up looking for their delinquent customer. The phone line was new to me, but apparently the number used to be owned by a real deadbeat.

    When I explained the situation about the phone line, they told me that they were putting all my excuses into my record. Heh. Finally, I told them that they were fucking idiots, and hung up.

    Next day they called back and asked why 1) I haven't paid them their money, and 2) why I was so rude to
    • Well, the funny thing is Fleet barely exists as a bank any more, they are in the process of being absorbed by Bank of America.

      http://www.fleet.com/bankofamerica/ [fleet.com]
    • Sadly, I completely understand...

      I was flagged in Verizon's customer database. Flag stated that I was rude, cursed a lot and actually knew what I was talking about... Apparently the new supervisor I chewed up and spit out after a week long DSL outage didn't like me.

      Oddly enough, I found this out when I worked for them as a contractor a year after I closed my account - they keep their customer records for far too long.

      I'd rather eat my own poop rather than do business with them. - thanks for the laugh...
  • It's easy to understand the bank's actions if you pretend you are a bank President.

    You've shown that your system can be used to hurt his bank, so he will try to prevent that from happening ever again. The FBI will arrive shortly to impose a Mitnick order (that you must never use a computer ever again).

    (What kind of world did you think you lived in, anyways?)
