Slashdot Mirror
When Webmasters Get Phished?
SirJorgelOfBorgel asks: "Many of us run webservers. Some of us just for fun - hosting many of the 'less important' stuff around on the web, others professionally. Though you always try to keep your webserver secure there's always the possibility you get hacked. What do you do, then?" You would think that, by doing the right thing and reporting the incident to the proper authorities, they would do the right thing and go after the hackers, right? This may not be the case. Here's a cautionary tale on what may happen if you follow that line of reasoning. The real question here is: what else could SirJorgelOfBorgel have done to make things turn out as he expected?
"It happened to me a few months ago, and the hacker installed a phishing website. Of course I found that out within a few hours and removed it (and patched the used vulnerability). To be helpful, I packed the whole folder, relevant logs, etc, and sent them -- accompanied by a letter explaining what happened -- to the fraud reporting email address of the bank that was the target of the attempt. That's what we all would do, right?
To my surprise however, instead of them trying to found out who it was that made the attempt (an email address where the phished usernames/passwords were transmitted to was clearly visible in the source), they had me disconnected from the Internet and put on an ISP blacklist. Took me some cash and a lot of time to even get reconnected to the Internet. And there I thought they would be happy with this information.
In light of this, if you should ever notice a phishing attempt, would you still report it, knowing it might get yourself in a lot of trouble? I for one, probably won't.
Furthermore, though I know it is my own responsibility to make sure my PCs are well protected, would there be any legal action I should/could take to get reimbursed for my losses? (The bank is a US bank, I am not a US citizen.)"
To my surprise however, instead of them trying to found out who it was that made the attempt (an email address where the phished usernames/passwords were transmitted to was clearly visible in the source), they had me disconnected from the Internet and put on an ISP blacklist. Took me some cash and a lot of time to even get reconnected to the Internet. And there I thought they would be happy with this information.
In light of this, if you should ever notice a phishing attempt, would you still report it, knowing it might get yourself in a lot of trouble? I for one, probably won't.
Furthermore, though I know it is my own responsibility to make sure my PCs are well protected, would there be any legal action I should/could take to get reimbursed for my losses? (The bank is a US bank, I am not a US citizen.)"
they had me disconnected from the internet and put on an ISP blacklist. The sad truth is that for the average person, it's just a waste of time to try to contact the proper authorities in cases like this. Most of the time, they will simply ignore you, so you have expanded time, energy, and perhaps money for absolutely nothing but aggravation. Delete and move on...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
That's only right if in fact he had not already removed the phishers site. He was trying to do the bank a favor after having already cleaned up the mess on his end. He also claims to have provided them with everything the phisher site had including logs. This type of information can be invaluable in tracking down who/where the person originating the site was from and protecting anyone that was dumb enough to use the phishing site. Instead of taking note that the phising site was down and that this person had diligently done what he could they took a knee jerk reaction and had his site not only shut off by his ISP, but blacklisted. Those actions shouldn't have even been possible, and they certainly aren't right.
The fact that the intruders put a phishing website on SirJorgelOfBorgel's machine, perhaps?
What does reading have to do with this? Or do you even know what that means?
I suffer from attention surplus disorder.
Having dealt with banks (and other industries) in the US many times in the past, I'd like to point out that the average bank has a limited IT department, and the people working there tend to be below par by Slashdot standards. Again, I'm talking about averages here, so keep the "i wok at bank weth fiv otur giys wee al expirts!!1!" flames to yourself.
That said, it's important to remember that they're not going to actually read any explanations you attach to anything you send them. What they will do is look over the attachments, make their own determination as to what happened, and go tearing off in a random direction, convinced of the righteousness of their crusade.
So how do you notify them of the phisher without being bitten yourself? Complain about phishing emails coming from the address in question. Don't mention a website. Certainly don't mention your own server. Is this dishonest? Yes, technically. But if you're competent and you know they're not (or at the very least suspect they're not) it's more a case of tailoring the information to suit the audience. You don't explain moral values and arguments to a guard dog, you simply point at the intruder and tell the dog to "sic 'em!".
There are other US industries to be wary of, with regards to IT: insurance, legal offices, professional medical offices (hospitals, doctors, dentists, chiropractors, etc). The smaller offices tend not to know what's going on, the larger ones tend to push everything off on an IT department that's entirely too small for its own good (and may be staffed with less than the best), and they all tend to make demands that don't coincide with consensual reality.
Why is it like ths? From what I've seen it's a matter of not having IT people, or letting someone who doesn't understand what's needed do the hiring. They end up with a lot of paper tigers, or worse. I remember one insurance office that had hired an agent's neighbor - a 13 year old self-proclaimed 'firewall expert'. It took me two weeks and nearly $1000 of their money to sort out the mistakes he'd made (and find/remove all the snoopers he'd left behind).
In a nutshell, try not to use big words when dealing with US banks, and only give them the information they need to point them in the right direction. While your mileage may vary, it's a good practice, because it will protect you.
I'm sorry, but I don't have any advice on how to recover your losses with regards to the actions the bank took.
Because your server is impervious 100% of the time right? And this could NEVER happen to you.
Photos.
I don't know about your state, but I reported a phisher to my state bureau of investigation, because the phisher was targetting a state employee credit union, and the sbi pursued it.
I think your only liability is not to report it. Just report it to law enforcement instead.
If someone intentionally interferes with your business, yes, you should sue the fuck out of them. Especially if they have the ability to pay, like a bank.
However, I'm puzzled by this vulnerability you patched to prevent phishing. I, too, don't think you know what it means.
When I get a phishing attempt, I generally report them to the institution being impersonated, especially if it's more convincing than normal. I imagine that some other people do the same. It's entirely possible that other users reported `your' phishing site, and the bank was already in the process of getting it shut down when they received your email.
And if they did get your email, and it was received by the right people, they probably don't care. Your site cost them money, even if you claim that you weren't directly responsible, and they'll do what they can to stop it from happening again.
Ultimately, the right answer is to keep your system secured enough so this doesn't happen. Your email after the fact was the Right Thing [tm] to do, at least morally, but I'll bet if you had checked with your attorney, he'd have suggested not sending it at all. as it could be used as evidence if the bank decided to sue you.
It's not right, but it's the way things are ... being a Good Guy [tm] just doesn't pay anymore.
I think the Original Post meant that his website had been taken over as part of a phishing scam, and he patched the vulnerability that allowed the takeover.
Better yet...
:)
Do the one thing the bank will do nearly anything to prevent... Publicize it far and wide. Let everyone know the bank, their name, and the cities affected wherein people whose information was compromised live. Once their customer base is all over their phone lines demanding information that only you can provide.
Of course, unless you signed an NDA in which case...ignore me.
#!/Jerald
Great idea. That will prove that his intentions were honorable, and the bank's actions were misguided.
I used to be all militant about that too. Then I realized it didn't really make any difference at all. MacOS always called them folders. With Windows 95, the MS world changed to that term too (albeit slowly). Frankly, it's a more accurate term for the metaphor, as a directory is a list, rather than a container. And it's faster and easier to say and type. The world changes. I decided to quit yelling at the tide.
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
Dont read too much into it, sometimes i forget myself and call directories folders (and hope nobody notices ^_^ ).
Bush and Blair ate my sig!
No sympathy huh?
Post your server's IP address and lets see who's insecure.
Dude, don't expect anything to change if you don't post the name of the bank, the name of the ISP that bent over for them, and details such as the names of any individuals you talked to.
Hell, I could be doing business with these guys right now, and you are not even going to warn me ?
Of course, people may choose not to care.
chl
I too call them back and forth (I was a dos (directory) then windows(folder) now unix(directory)). But most people don't care what you call them even on KDE 3.4 they call them folders. I prefer directory personaly.
When you have a story like this, backed up with documented facts (I hope), and you go to the "press" (slashdot is the "press", sad but true), you need to state the names of all companies involved.
I need to know your company's name, so I avoid your insecure web servers.
I need to know the bank's name, so I can avoid ever reporting anything to them.
And I need to know your ISP's name so I can double-check any contracts I might have with them.
What's the point of posting this when we have no idea who it is, or even if you made it up or not?
This is so correct - a bank is not interested in seeing the law served, it is interested in seeing their business served. Those two are rarely the same. Probably some lame misguided attempt to just make the whole thing "go away"
People who think they know everything are a great annoyance to those of us who do.
You're the one that apparently left the server with a known vulnerability and didn't patch it until it was attacked. Why would should anybody reimburse you for that?
Great idea. That way you'll only be inconvenienced by a libel/slander lawsuit if the bank is so inclined. Even if it has no grounds, you'll still have to spend time/money until it's thrown out of the court.
No sig
I think that's a shitty attitude and so I've hacked your website at 127.0.0.1, asshole.
Sounds to me like you ran IIS on a public-facing machine, in which case you deserve everything you got.
.Net you can just as easily do in PHP or Perl.
Yes, of course, everyone running IIS is completely incompetant. There is no good reason ever to run IIS. Everything you can do in
I am a Unix guy, I don't run Windows on my personal machines. I don't run Windows on my (primary) work machines. I do, however, know that it is very possible to run a site of reasonable security on IIS.
Unix people (mainly noobs) with militant "you deserve what you get" attitudes are a serious detriment here. Plenty of OSS apps get badly hacked as well. Lately we've seen stats programs, and even freaking ZLIB expose remote code execution vulns.
I'm not saying "don't trust open apps", I'm saying "don't blanket condemn closed apps", especially when someone asks a simple question which deserves a simple answer. Show me where he says "I run IIS".
I like music
You bastard! That's my site, too!
Are you sure that -
/.-think that makes me weird, because we all know it's Yet Another Example of Evil Businesses Keeping the Man Down.
1) It was the bank that had you disconnected (it might have been a phishing victim doing the complaining to someone else,
2) It was because you notified them that they had you disconnected (they might have already gotten phishing complains and had the disconnect in the works while you were still gathering the evidence)
I'd like to hear the bank's side of the story.
I know, in
Was it Fleet Bank? I hate them so much.
Their collection department used to call me up looking for their delinquent customer. The phone line was new to me, but apparently the number used to be owned by a real deadbeat.
When I explained the situation about the phone line, they told me that they were putting all my excuses into my record. Heh. Finally, I told them that they were fucking idiots, and hung up.
Next day they called back and asked why 1) I haven't paid them their money, and 2) why I was so rude to them on the phone yesterday.
I responded by telling them that I pay for the phone line and I'll fucking swear on it if I want to, and BY THE WAY, can you transfer me to the people who can cancel my credit card issued to fleet bank.
By the end of it, you had better fucking believe that Fleet Bank knew that I wasn't the person they were looking for, and my actual record there does indeed note that I like to swear at stupid people.
The best thing is that they've called me back several times trying to interest me in various financial services. Each time, I ask to speak to a manager, and they get the full story of what fucking idiots they are, and how I'd rather eat my own poop rather than do business with them.
I also have told at least 30 people in person about what asses Fleet Bank are, and many more through Internet postings like this one.
It's a true story, and truth is an affirmative defense against both libel and slander, so fuck 'em.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Because then you'd be haressed and possibly brought up on charges that you conspired in haveing your own equipment hacked because of your *lack* of secure software!!
What happened to you should be proof enough that this is not outa the question with amerikan *authorities* and their simplton thinking.
I'm sure your not laffing tho, as these type of things are becoming the norm in this hell whole of a country.
You've shown that your system can be used to hurt his bank, so he will try to prevent that from happening ever again. The FBI will arrive shortly to impose a Mitnick order (that you must never use a computer ever again).
(What kind of world did you think you lived in, anyways?)
of course, the grandparent should really just let typos like that go. this is slashdot, after all.
And you just happen to have access to a few hundred online bank accounts...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Errr.. Let me see... 127.0.0.1
May I use your sig please?
That way you'll only be inconvenienced by a libel/slander lawsuit if the bank is so inclined
From TFA (or TF Post, or whatever):
"(the bank is a US bank, I am not a US citizen)"
Last thing I checked, US civil judgments still weren't enforceable abroad. Slander away, Mr. Sulu...
Cole's Law: Thinly sliced cabbage
I have very little symphathy for people who expect perfection of everyone and go around putting themselves on a high horse. Before you go around making rude comments about someone else's perceived shortcomings, I would like you to honestly state that your server has never gotten hacked, you've never had a computer virus or downloaded a piece of spyware, and never had any sort of computer security accident. I'd be willing to bet the the VAST majority of people on this website have had some peice of computer equipment compromised in some way. And while this isn't desirable, it is certainly understandable - we're not perfect. At some point, everyone is going to install some bad software, click on a bad attachment, forget to close something on their server, be a bit slow off the mark with the patches etc. Mistakes and accidents happen, and it doesn't necessarily mean that the person is stupid or a bad admin.
On a slightly different note, what if the poster was just learning about server administration? Would you be absolutely intolderant of mistakes made there too? Is there no room for a learning curve or do we now expect people to be all-knowing computer geniuses from birth? Tell me honestly that you've never before made a single error and then maybe you'll be allowed to make arrogant and rude remarks to people about how they're not good enough for your high standards.
...no two people are not on fire.
"Folder" rolls off the tongue more easily, being only 2 syllables as opposed to 4 syllables in "directory". OTOH, in written form when posting on *nix mailing lists, I shorten it to "dir" as in "How do I do XYZ to all the files in dir 'foo'?"
When telling my wife where I saved a document, I tell her what "folder" it's in because that's the metaphor her gui (kde) uses.
I remember some desktop gui I used back in the eighties used drawers rather than folders. Can't recall where I saw that.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.