
I was attacked last week and was able to track down the attacker and get his IP address. The attacker is located in Germany, but I live outside Europe.

From your experience, what is the best way to report an international cybercrime? Is it worth reporting at all?

Gilles 'SO- stop being evil'
HEX

4 Answers


There's always an "Abuse" email address on the whois of a netblock for reporting misuse of an IP address.

You can use http://whois.domaintools.com/ to do a whois lookup to get the address.

Is it worth your time? That's your call. Will it lead to anything? Nothing you'll ever see. But many of the sites I fix come from people who were first alerted to the problems on their server by someone sending the hosting company an "abuse" notification email. So it definitely can make a difference.

Note that the IP address you track down is almost never the attacker himself but rather a hacked server or computer that he's using as a relay. So keep that in mind. You're not alerting the authorities on the whereabouts of a miscreant; you're notifying someone that his computer has been compromised.

EDIT TO ADD

You give the information you have to the appropriate authority, and then you're done. That's it. As a rule, hosting companies will not share personal information of their clients unless you are local law enforcement with the appropriate warrant or court order. It's their liability if they do otherwise.

Don't expect a follow-up report from them, don't expect names or arrests or anything more than an acknowledgement that they heard you -- sometimes not even that. These companies often deal with dozens of these reports a week or more. Their abuse team will deal with it, and they appreciate your assistance as they want to keep their network clean, and your report will probably trigger several days worth of activity. But they have a clear-cut policy that they follow to the letter for liability reasons, and it intentionally doesn't include reporting back the original reporter. Nothing against you specifically.

Also, remember that though you found the hacker, it's almost certainly not his account on the server.

tylerl
  • I have contacted the company and they agree that the attack was launched from their server. They have blocked that account. I want to report this issue to the authorities (police), but the hosting company did not share the personal information of the guy who launched the attack from their servers. In this case I have to report the hosting company. Will the authorities do anything? I'm not sure... and that's why I'm thinking about whether it is worth my time to report this case. :S – HEX Sep 03 '12 at 15:30
  • Report it to the authorities in your country as a criminal complaint, then leave it at that. It's all you can do. Even if you report it to the German authorities they will almost certainly do nothing because you're outside the country, and it's quite possible that the law wouldn't pursue the company in any case as the laws are such that it would be difficult to prove fault. – GdD Sep 03 '12 at 15:51
  • @HEX Edited for followup – tylerl Sep 03 '12 at 16:57
  • @tylerl You have to clarify that you are talking about experienced and high skilled computer hackers. Skids (script kiddies) are a whole different story. – NlightNFotis Sep 23 '12 at 20:43
  • @NlightNFotis I'm talking specifically about the datacenters, irrespective of the level of skill of the attacker. You have to deal with the DC because they're your point-of-contact for the server. Then they take it from there. Maybe they'll catch him, maybe they won't. But it's not your fight. Sure, you play an important role, but you play your part and then you move on. – tylerl Sep 24 '12 at 05:42
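An added example illustrating the workflow in the answer above (this is not code from the original answer or from any of its commenters): pull the abuse mailbox out of a netblock's whois record, or out of its RDAP record (the JSON successor to whois that the RIRs also serve), and assemble the report body an abuse desk can actually act on. The whois text, the RDAP document, the IP addresses (203.0.113.x / 198.51.100.x documentation ranges), the hoster name and the log lines are all constructed samples in RIPE style, since the question's attacker IP sits in Germany; nothing here is a real record.

```python
"""Find the abuse contact for an IP's netblock and draft the abuse report.

Added example, not part of the original answer. All records, addresses and
log lines below are constructed samples; no network access is needed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a RIPE-style whois reply for a /24 (not a real record).
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@example-hoster.de'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTER-NET
country:        DE
admin-c:        EH123-RIPE
abuse-c:        AR1234-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT

role:           Example Hoster Abuse Role
abuse-mailbox:  abuse@example-hoster.de
e-mail:         noc@example-hoster.de
nic-hdl:        AR1234-RIPE
"""

# Constructed sample of the same allocation as an RDAP (RFC 9083) document.
SAMPLE_RDAP = json.dumps({
    "handle": "203.0.113.0 - 203.0.113.255",
    "entities": [
        {"handle": "AR1234-RIPE", "roles": ["abuse"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Hoster Abuse Role"],
                                  ["email", {}, "text", "abuse@example-hoster.de"]]]},
        {"handle": "EH123-RIPE", "roles": ["administrative"],
         "vcardArray": ["vcard", [["email", {}, "text", "noc@example-hoster.de"]]]},
    ],
})

# Constructed log events: (timestamp, raw log line). The timestamp is in
# UTC+2 to show that the report normalises everything to UTC.
SAMPLE_EVENTS = [
    (datetime(2012, 9, 3, 14, 30, 5, tzinfo=timezone(timedelta(hours=2))),
     'sshd[2231]: Failed password for root from 203.0.113.42 port 51234 ssh2'),
    (datetime(2012, 9, 3, 14, 29, 58, tzinfo=timezone(timedelta(hours=2))),
     'sshd[2231]: Invalid user admin from 203.0.113.42'),
]

_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def abuse_contacts_from_whois(text: str) -> list[str]:
    """Return abuse mailboxes from whois text, in order of first appearance.

    Only abuse-specific lines are trusted: the 'abuse-mailbox:' attribute and
    the '% Abuse contact for ...' banner that RIPE/APNIC print. A plain
    'e-mail:' line is the admin/NOC contact, not the abuse desk, so it is
    deliberately ignored rather than mailing the wrong person.
    """
    found: list[str] = []
    for line in text.splitlines():
        low = line.lower()
        if low.startswith("abuse-mailbox:") or low.startswith("% abuse contact"):
            for addr in _EMAIL.findall(line):
                if addr.lower() not in [f.lower() for f in found]:
                    found.append(addr)
    return found


def abuse_contacts_from_rdap(doc: str) -> list[str]:
    """Return e-mail addresses of RDAP entities that carry the 'abuse' role."""
    found: list[str] = []
    for ent in json.loads(doc).get("entities", []):
        if "abuse" not in ent.get("roles", []):
            continue
        # vcardArray is ["vcard", [[name, params, type, value], ...]]
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email" and prop[3] not in found:
                found.append(prop[3])
    return found


def draft_abuse_report(src_ip: str, dst_ip: str,
                       events: list[tuple[datetime, str]]) -> str:
    """Assemble an abuse notification body.

    Abuse desks match reports to customers by source IP and time, so every
    timestamp is converted to UTC and written in ISO 8601 with the offset,
    and the raw log lines are included as evidence.
    """
    lines = [f"Source IP: {src_ip}", f"Target IP: {dst_ip}",
             "All timestamps are UTC (ISO 8601).", "", "Evidence:"]
    for ts, entry in sorted(events):
        lines.append(f"{ts.astimezone(timezone.utc).isoformat()}  {entry}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("abuse contacts (whois):", abuse_contacts_from_whois(SAMPLE_WHOIS))
    print("abuse contacts (RDAP): ", abuse_contacts_from_rdap(SAMPLE_RDAP))
    print(draft_abuse_report("203.0.113.42", "198.51.100.7", SAMPLE_EVENTS))
```

To use it for real, feed `abuse_contacts_from_whois` the output of `whois <ip>` or `abuse_contacts_from_rdap` the body of the registry's RDAP `/ip/<ip>` endpoint, then send the drafted text to the address returned; as the answer notes, expect at most an acknowledgement back.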

You can also report it to ic3.gov. They will ask for all info about any IP attacks, threats etc. You will have to provide your name and info, which will be confidential to them. In return you will receive a confirmation number via email. If they need to contact you they will. Hope this helps.


www.abuseipdb.com has been compiling a list of "evil" IP addresses.

I don't think they do anything other than make the address available and the number and type of abuse. They have both a web page and an API for automated reporting and queries.

DGerman
    *AbuseIPDB is now maintained and supported by Marathon Studios Inc. and Proud Development, based in Pennsylvania, USA*. Hardly an 'authority' - so you are not answering the question. –  Oct 19 '16 at 06:27

If you want to report a dropper (or even second-stage) delivered as part of a drive-by download (even if it initially came from a phish or any other source), please use URLHaus. This site specializes in providing back to the community in several ways, especially if you are a security professional with a Twitter handle involved in malware takedowns. The ability to see the history of the domain, IP, and/or URIs involved is helpful, as is the tagging, overall organization, and links out to VirusTotal, etc. After URLHaus has dealt with the submission and closed the issue, reporting it to Google Safe Browsing Report Badware and Microsoft Windows Defender Security Intelligence are good moves.

If you want to report a C2 Server, check out Shodan's Malware Hunter project.

If you want to report a web skimmer (such as a credential or payment-card stealer), please submit it first to urlscan.io and then to Google Safe Browsing, Bing Delister, Palo Url Filtering, FortiNet WF Ratings, BrightCloud CR, Borderware Domain Lookup, Cisco Talos Reputation, McAfee TrustedSource, and Symantec Site Review. This can definitely include cryptojacking as well as anything that requires user input over the web.

Really any phish should be submitted to Google Safe Browsing Report Phish as well as PhishTank and Microsoft. Listing it with PhishTank gets it listed with OpenDNS and into the Cisco ecosystem.

If you want to report an EK, DoS/DDoS source, or fumbler, I would suggest leveraging a commercial Threat Intelligence Platform (TIP), such as Anomali ThreatStream or RecordedFuture. There used to be EK Hunter resources, but they are down now and I do not know why -- maybe because EKs just aren't as popular as they used to be. If you don't have a TIP, use your upstream provider's, or perhaps the X-Force Exchange.

If you want to report beaconing, botnets, or C2 Connect, it might be best to go directly to the abuse handlers for the IP space and the domain name registration, if not checking the domain directly on their website(s) for security and abuse contacts. When all else fails, this probably should work!

atdre