Two days ago someone created a website that has the exact same domain of the company I work for, but missing one letter, and sent a mail campaign to many people that there is a promotion on the website, when you go to the website you (as professional IT people) would immediately identify it as a scam site, many people won't anyway, so they'd transact on that site, and they won't receive anything they paid for.
So we switched to panic mode to try and figure out what to do, and what I did as a DevOps is:
- Reported the website to PayPal (the only payment method available on the site), but apparently it takes long time and many disputed transactions to close a website.
- Reported the website to the domain registration company, they cooperated but stopping the website needs a legal order from a court or the ICANN.
- Reported the website to the hosting company, no response yet.
- Checked the WHOIS data, it's invalid they copied our company info and changed two digits in the postal code and the phone number.
- Reported the website to local police in Dubai but it also takes a lot of time and investigations to block a website.
- Sent an email to our customer base telling them to be aware and always check they're on our HTTPS site and check the domain name when they're purchasing.
My main concern was that many people who reported they got the email (more than 10) are on our mailing list, so I was afraid somebody has got some information out of our server, so I:
- Checked the system access log to make sure no one accessed our SSH.
- Checked the database access log to make sure no one tried and accessed our DB.
- Checked the firewall log to make sure no one accessed the server anyhow.
After that my concern switched to the mailing software we're using to send our email campaigns, we used MailChimp before and I don't think they would have accessed it, but now we're using Sendy, and I was afraid they accessed it, I checked the site forum and couldn't find that anyone has reported a vulnerability using Sendy, and also many emails registered in our mailing list reported they didn't get the email from the fraud site, so I got a little bit comfortable that no body got to our data.
So my questions are:
- What more can I do to make sure that no one got hold of our mailing list or data?
- What more can I do to report and maybe take down the site?
- Is there a panic mode list when you suspect unauthorized access to your server or data?
- How can you prevent future incidents like this?