
My company is suffering from a phishing campaign. Over the last two months we have tried to issue a takedown to the ISPs (publicdomainregistry.com and confluence-networks.com); both of them seem to have connections. However, after a bunch of e-mails and phone calls nothing changes, and the fraudulent websites still exist, continue to collect valuable information from the customers and even replicate to new domains.

Can someone help me out and tell me what to do if the ISP is not cooperative?

Xander
Adam
    Have your lawyers send more persuasive take-down notices to the ISP, and have them contact the domain registrars as well to get the domains revoked. – Xander Jul 28 '16 at 14:59
  • 1
    Flood the phishing pages with bogus credentials until the legal solutions work. And better train your users so they don't get phished, or only give them credentials that can't be phished (smart cards, or 2-factor authentication everywhere). – André Borie Jul 28 '16 at 16:31
  • 2
    You need to at least plan for the possibility they will never go away, and start taking pro-active measures, like reminding users what you will/won't do via email, redesigning the site, buying an EV SSL cert, and maybe user icons that load between the username and password entry. – dandavis Jul 28 '16 at 16:46
  • 1
    I find this to be an interesting question. It looks like it will soon be closed though. Are questions about contacting ISPs/Registrars of fraudulent persons off-topic here? I can see how such a question would apply to Spam, Phishing, DoS, and other situations... – 700 Software Jul 28 '16 at 18:14
  • Well, the thing is: I have tried both the registrars and the domain holders; both are the same company. I am trying to avoid using lawyers yet. I want the infosec department to be fully operational on its own. Hence this is the first really resilient and annoying case that I cannot solve. – Adam Jul 28 '16 at 18:19
  • 1
    Related: [Where to report malicious URLs, phishing, and malicious web sites?](https://security.stackexchange.com/q/1728/32746) – WhiteWinterWolf Jul 28 '16 at 22:02

2 Answers

Did you try the Government CERT in your country? In my experience they can be pretty helpful in such cases and usually have the right contacts at ISPs to initiate a takedown.

securityPM

The preliminary target for complaints is always abuse@ISP, and normally they take abuse seriously enough, though it depends on the quality of the ISP. There are also the totally ignorant ones. Making the abuse public is a next step.

Usually the fear of getting a Spamhaus listing is rather efficient, especially if it is a (virtual, multiple-client) server with mail. Then an (x)BL will negatively affect multiple of the ISP's paying customers, which the ISP cannot accept. Does the phishing page send mails? If so, check the "Received from" and mail headers, grab the server/IP address, and check if it belongs to the same ISP who hosts the phishing page.

  1. Try to get your hands on the ISP's Terms of Service.
  2. Create solid evidence of the spammer's actions, including screenshots, IP addresses, dates, etc., and prove that the spammer violates the ISP's TOS.
  3. Send to the ISP's abuse@ email address.
  4. If that does not help, and if the spamming domain (fake pages) is country-specific, contact that country's or your local Data Protection Ombudsman, if available, with the same material, and make a complaint. Ask them if the spammer violates the local law. Demand that they contact the (local) spammer or ISP. This may take months, depending on the country.
  5. If the domain is country-specific, contact the authority who manages the domains, and make a complaint. Ask them to cancel the domain address. Not easy.
  6. If that doesn't help... now it depends on your country. I might try to get in touch with your de-facto spamblogger, who hopefully has further connections to the blocklist keepers, or may give you more specific advice.
  7. Also: Find out the email address of the ISP's management, and send a complaint there. There is nothing wrong in sending to the CEO, and remember to include as many of the managing personnel as possible, preferably also including members of the board. This has turned out to be efficient in some cases. Oh, and tell them you will make this public. The word "spam" in the first hit of a Google search is a nightmare for the ISP :-).

5 cents

Edit: The scammer will eventually get kicked from the ISP and move over to the next, so get ready to repeat. Unfortunately...

Stormwind
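Stormwind's advice to pull the sending server's IP out of the "Received" headers of a phishing mail and check whether it sits with the same provider that hosts the phishing page, worked through as an added example (this is not code from the answer or from any of the companies named). The sample message is constructed, its addresses come from the RFC 5737 documentation ranges, and `HOSTER_PREFIXES` is a hypothetical placeholder for the address blocks you would look up yourself via WHOIS or a BGP lookup. The output is the kind of structured evidence (IP, timestamp, hop chain) that step 2 of the answer asks you to attach to an abuse complaint.

```python
"""Extract the originating IP and timestamps from a phishing mail's
Received headers and check the IP against the hosting provider's
address ranges, producing a record suitable for an abuse@ report."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample phishing mail (not a real capture). Addresses are
# from RFC 5737 documentation ranges; hostnames are invented.
SAMPLE_MAIL = b"""\
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.victim.example (Postfix) with ESMTPS id ABC123
    for <customer@victim.example>; Thu, 28 Jul 2016 10:15:02 +0000
Received: from phish-host.example (unknown [203.0.113.45])
    by mx.example.org (Postfix) with ESMTP id XYZ789;
    Thu, 28 Jul 2016 10:14:58 +0000
From: "Customer Support" <support@victim-login.example>
To: customer@victim.example
Subject: Verify your account
Date: Thu, 28 Jul 2016 10:14:50 +0000

Please log in at http://victim-login.example/verify
"""

# Hypothetical placeholder: the prefixes the page's hosting provider
# announces. In practice you fill this from a WHOIS / BGP lookup.
HOSTER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Received headers put the connecting peer's address in square brackets.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_hops(raw_mail):
    """Return one record per Received header, oldest hop first.

    Headers are listed top-down in delivery order (newest first), so the
    list is reversed to get the path the mail actually travelled."""
    msg = email.message_from_bytes(raw_mail)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = _IP_RE.findall(value)
        # The timestamp follows the last ';' in a well-formed header.
        date_part = value.rsplit(";", 1)[-1].strip() if ";" in value else ""
        when = parsedate_to_datetime(date_part) if date_part else None
        hops.append({"ips": ips, "timestamp": when,
                     "raw": " ".join(value.split())})
    return hops


def originating_ip(hops):
    """First bracketed IP found walking from the oldest hop upward."""
    for hop in hops:
        if hop["ips"]:
            return hop["ips"][0]
    return None


def hosted_by(ip_str, prefixes):
    """True if ip_str falls inside any of the provider's prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in prefixes)


def build_abuse_report(raw_mail, prefixes):
    """Assemble the evidence fields an abuse desk wants to see."""
    hops = parse_received_hops(raw_mail)
    ip = originating_ip(hops)
    first = hops[0]["timestamp"] if hops else None
    return {
        "originating_ip": ip,
        "first_seen": first.isoformat() if first else None,
        "same_provider_as_page": hosted_by(ip, prefixes) if ip else False,
        "hops": [h["raw"] for h in hops],
    }


if __name__ == "__main__":
    for key, val in build_abuse_report(SAMPLE_MAIL, HOSTER_PREFIXES).items():
        print(f"{key}: {val}")
```

One caveat when using this on real mail: only the Received headers added by your own servers are trustworthy; anything below the header your MX wrote can be forged by the sender. Walk down from the top only as far as the hop you control, and treat the bracketed IP recorded there as the connecting peer to cite in the complaint.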