When Webmasters Get Phished?

SirJorgelOfBorgel asks: "Many of us run webservers. Some of us just for fun - hosting many of the 'less important' stuff around on the web, others professionally. Though you always try to keep your webserver secure there's always the possibility you get hacked. What do you do, then?" You would think that, by doing the right thing and reporting the incident to the proper authorities, they would do the right thing and go after the hackers, right? This may not be the case. Here's a cautionary tale on what may happen if you follow that line of reasoning. The real question here is: what else could SirJorgelOfBorgel have done to make things turn out as he expected? "It happened to me a few months ago, and the hacker installed a phishing website. Of course I found that out within a few hours and removed it (and patched the used vulnerability). To be helpful, I packed the whole folder, relevant logs, etc, and sent them -- accompanied by a letter explaining what happened -- to the fraud reporting email address of the bank that was the target of the attempt. That's what we all would do, right?

To my surprise however, instead of them trying to found out who it was that made the attempt (an email address where the phished usernames/passwords were transmitted to was clearly visible in the source), they had me disconnected from the Internet and put on an ISP blacklist. Took me some cash and a lot of time to even get reconnected to the Internet. And there I thought they would be happy with this information.

In light of this, if you should ever notice a phishing attempt, would you still report it, knowing it might get yourself in a lot of trouble? I for one, probably won't.

Furthermore, though I know it is my own responsibility to make sure my PCs are well protected, would there be any legal action I should/could take to get reimbursed for my losses? (The bank is a US bank, I am not a US citizen.)"

Re:They sound justified

That's only right if in fact he had not already removed the phishers site. He was trying to do the bank a favor after having already cleaned up the mess on his end. He also claims to have provided them with everything the phisher site had including logs. This type of information can be invaluable in tracking down who/where the person originating the site was from and protecting anyone that was dumb enough to use the phishing site. Instead of taking note that the phising site was down and that this person had diligently done what he could they took a knee jerk reaction and had his site not only shut off by his ISP, but blacklisted. Those actions shouldn't have even been possible, and they certainly aren't right.

US Banks

[SlackBastardNetworks]

Having dealt with banks (and other industries) in the US many times in the past, I'd like to point out that the average bank has a limited IT department, and the people working there tend to be below par by Slashdot standards. Again, I'm talking about averages here, so keep the "i wok at bank weth fiv otur giys wee al expirts!!1!" flames to yourself.

That said, it's important to remember that they're not going to actually read any explanations you attach to anything you send them. What they will do is look over the attachments, make their own determination as to what happened, and go tearing off in a random direction, convinced of the righteousness of their crusade.

So how do you notify them of the phisher without being bitten yourself? Complain about phishing emails coming from the address in question. Don't mention a website. Certainly don't mention your own server. Is this dishonest? Yes, technically. But if you're competent and you know they're not (or at the very least suspect they're not) it's more a case of tailoring the information to suit the audience. You don't explain moral values and arguments to a guard dog, you simply point at the intruder and tell the dog to "sic 'em!".

There are other US industries to be wary of, with regards to IT: insurance, legal offices, professional medical offices (hospitals, doctors, dentists, chiropractors, etc). The smaller offices tend not to know what's going on, the larger ones tend to push everything off on an IT department that's entirely too small for its own good (and may be staffed with less than the best), and they all tend to make demands that don't coincide with consensual reality.

Why is it like ths? From what I've seen it's a matter of not having IT people, or letting someone who doesn't understand what's needed do the hiring. They end up with a lot of paper tigers, or worse. I remember one insurance office that had hired an agent's neighbor - a 13 year old self-proclaimed 'firewall expert'. It took me two weeks and nearly $1000 of their money to sort out the mistakes he'd made (and find/remove all the snoopers he'd left behind).

In a nutshell, try not to use big words when dealing with US banks, and only give them the information they need to point them in the right direction. While your mileage may vary, it's a good practice, because it will protect you.

I'm sorry, but I don't have any advice on how to recover your losses with regards to the actions the bank took.

Re:Report to someone who can do something about it

[Questy]

Better yet...

Do the one thing the bank will do nearly anything to prevent... Publicize it far and wide. Let everyone know the bank, their name, and the cities affected wherein people whose information was compromised live. Once their customer base is all over their phone lines demanding information that only you can provide.

Of course, unless you signed an NDA in which case...ignore me. :)

NAME NAMES!

When you have a story like this, backed up with documented facts (I hope), and you go to the "press" (slashdot is the "press", sad but true), you need to state the names of all companies involved.

I need to know your company's name, so I avoid your insecure web servers.

I need to know the bank's name, so I can avoid ever reporting anything to them.

And I need to know your ISP's name so I can double-check any contracts I might have with them.

What's the point of posting this when we have no idea who it is, or even if you made it up or not?

Re:NAME NAMES!

[wik]

Ironically, you posted this request as an anonymous coward.

Name yourself so I can avoid you!

Re:Folder?

[xrayspx]

Sounds to me like you ran IIS on a public-facing machine, in which case you deserve everything you got.

Yes, of course, everyone running IIS is completely incompetant. There is no good reason ever to run IIS. Everything you can do in .Net you can just as easily do in PHP or Perl.

I am a Unix guy, I don't run Windows on my personal machines. I don't run Windows on my (primary) work machines. I do, however, know that it is very possible to run a site of reasonable security on IIS.

Unix people (mainly noobs) with militant "you deserve what you get" attitudes are a serious detriment here. Plenty of OSS apps get badly hacked as well. Lately we've seen stats programs, and even freaking ZLIB expose remote code execution vulns.

I'm not saying "don't trust open apps", I'm saying "don't blanket condemn closed apps", especially when someone asks a simple question which deserves a simple answer. Show me where he says "I run IIS".

Are you sure of cause and effect?

[Monte]

Are you sure that -

1) It was the bank that had you disconnected (it might have been a phishing victim doing the complaining to someone else,

2) It was because you notified them that they had you disconnected (they might have already gotten phishing complains and had the disconnect in the works while you were still gathering the evidence)

I'd like to hear the bank's side of the story.

I know, in /.-think that makes me weird, because we all know it's Yet Another Example of Evil Businesses Keeping the Man Down.