Reporting phishing to the "offending" domain


(Allan Brumer) #1

BEC and CEO Fraud, by definition, even if not in actual practice, presuppose that the cybercriminal has hacked into a corporate domain over which the corporation has control. We can reset passwords, delete/change accounts, etc… but how about when the attack is coming from outside our domain?
I have not yet encountered a vendor or corporate entity which provides any means for notifying them that someone on their domain is using an account for criminal purposes. Is this not a real thing?
Does anyone else think it should be?
I for one would want to know if someone within MY domain were using an account for illegal activity.


(Monika Johnson-McPherson) #2

Hi abrumer,

I find your post a perfect opportunity to discuss ‘monitoring of privileged accounts for criminal activity, or the very least, misuse.’

Implementing this type of monitoring is a very good way to be alerted to these types of things. What are your thoughts?

Respectfully,

Monika


(BJ Beier) #3

I agree, I would also like to know if one of my users' accounts had been compromised. I guess the only thing that can be done right now is visit the website for the email account and try and contact someone. Some websites make this information easier to find. I'd be interested to hear others' thoughts.


(Allan Brumer) #4

Ironically, this was why I started this post. I went to Comcast’s website to report activity which is unquestionably fraud, and there is no way I can find to tell Comcast that their email service is being used for illegal activity.


(P.) #5

My organization frequently gets phishing emails that "appear" to be coming from our organization but are not.
If you got a phishing email from a gmail address and you had the ability to report it to Google, what would they be expected to do? How are they to know if hackers gained control of a legitimate account or if the account was set up to be a phishing account? If it was a legitimate account, what steps does Google take?


(Allan Brumer) #6

I believe sending spam and phishing emails is a violation of the terms of service for most providers. Accounts used for such purposes should be shut down.
If it is someone else’s compromised account, the provider should do everything reasonably possible to restore the account to the legitimate owner; failing that, shut it down.
How should they know this? Security questions, and 2FA.


(Allan Brumer) #7

Not exactly the direction I was heading.
If an internal account is being used for criminal activity it is entirely within our control to delete the account and fire the employee (assuming the employee was at fault).
I’m talking about notifying external corporations that THEIR accounts are being used for criminal activity.
I’m finding very little evidence that any corporate entity acknowledges this as a real thing. Blissful ignorance perhaps, or maybe concern that they may be held accountable beyond publishing a voluminous terms of service agreement.


(P.) #8

I know several people who practice bad password management (using the same password on multiple sites) and don’t use MFA on their hotmail or yahoo or gmail accounts. Yahoo failed to protect over 1 billion passwords from being compromised; do you think they are capable of tracking down the legitimate owner of a compromised account?
None of this takes into account the possibility of spoofing an email address.
What if someone were spoofing your email address to send spam? We can report it to you (or your company admins), and what would they be able to do for a few hundred thousand spoofed emails that appear to be coming from you?


(Allan Brumer) #9

Yahoo does not have to track down the legitimate owner of any accounts. All they have to do is accept complaints that account xyz was used for illegal activity, and then shut it down.
Spoofing an email address does add another layer, but a provider can tell if the mail was actually sent from their servers, and tracing the IP will provide the real domain.


(P.) #10

So Yahoo failed to protect aunt Thelma’s email password, her account gets hacked, then used for spamming and then shut down, so she loses all her emails from her grandchildren. Bad customer experience. 10 minutes later, the spammer has another account and initiates round 2 of spamming.

I agree, spoofing does not hide the actual sender, but it clouds the waters so it takes more time and effort to uncover the actual sender, who has already abandoned that email address and moved on to another email address and possibly another domain. Do you know how trivial it is to set up an email server that allows relaying and allows any domain? Is it worth the time of any admin at Google or Outlook or Yahoo to get these reports and shut down email accounts one after another?

What if a bad actor reported your email address as the sender of spam? Or worse, a bad actor reported your domain as sender of mass spam. You want your domain’s emails dumped to spam until it gets sorted out? Blacklists have been attempted in the past and haven’t worked.

Email has been around for so long that they have done all they can to decrease spam and phishing. Until all email servers are using DMARC (which requires SPF and DKIM), spam is just the cost of doing business over email. Adding the ability to report spam and requiring action from email administrators for addresses that are violating terms of service would only increase that cost… tremendously.


(Greg Francis) #11

When I was working at a university, we had a requirement to have an address to report copyright violations. In absence of that address, I would connect with the technical or admin contact list in the WHOIS record for the domain. That won’t really help for large providers like Google, Yahoo or Microsoft, but it would likely help for smaller organizations.


(Allan Brumer) #12

If Aunt Thelma set up the account two years ago, and has been using the account for legitimate communications and then all of a sudden Yahoo receives reports of spam/phishing originating from that account, they can conclude that the account has been compromised.
It takes minutes to determine if it’s a spoofed address.
It takes me roughly 90 minutes to build a box and install the software to set up an email server from scratch. I’m assuming there are others who can do it faster. However, unless they can modify their geographical location, the IP address will give it away.
I personally am not in the business of caring how much of an inconvenience I am to a company that is providing a service for which they charge. If the technology sector as a whole demands that more needs to be done, they will do it to protect their reputations or someone else will step up and take their customers.
I’m not willing to accept that it’s simply the cost of doing business and there’s nothing that can be done.
None of us should.


(P.) #13

They don’t need to modify their location.
Anyone can choose what country they wish to connect to a server from using the free Tunnel Bear VPN service.
Comcast is not interested in providing you a quick, easy way to report one of their users’ email addresses being used for spam. They won’t take action on it.
Do you have a gmail account? Have you looked in the spam folder? As soon as you report one email account, a second one would already be in use. Are you willing to play the never-ending game of whack-a-mole? You’d need to hire additional staff for certain.
I find it laughable that you think Comcast would concern itself with the ability of reporting spam in an effort to protect their reputation.
Comcast is ranked 15 of the top 20 most hated companies in America.
You still failed to address how to handle false reports from the bad actors who abuse the system to report your email.
The technology sector has implemented solutions which allow companies like Google to send email directly to spam when they fail SPF and DKIM.
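The exchange above turns on two claims: that a receiving provider can tell whether a message really came from the domain shown in From: (posts #9 and #12), and that receivers already push mail that fails SPF and DKIM into spam (post #13). The script below is an added example, not code from anyone in this thread. It triages a message the way a receiving MX would: it reads the Authentication-Results header that the receiver stamped on the message, checks whether the SPF or DKIM identity aligns with the From: domain (the core DMARC test), and pulls the handing-in IP from the earliest Received: header. Both messages, mx.example.net, every address and the RFC 5737 documentation IPs are constructed for illustration.

```python
"""Triage an inbound message the way a receiving provider can: compare the
domain shown in From: against what SPF/DKIM actually authenticated, and pull
the IP of the host that handed the message in.

Both messages below are constructed; mx.example.net, the addresses and the
RFC 5737 documentation IPs are assumptions for illustration only.
"""
import email
import re
from email.utils import parseaddr

# Constructed legitimate mail: envelope sender, DKIM signer and From: agree.
LEGIT = """\
Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.example.net with ESMTPS id abc123
Authentication-Results: mx.example.net;
\tspf=pass smtp.mailfrom=bounces@example.com;
\tdkim=pass header.d=example.com;
\tdmarc=pass header.from=example.com
From: Accounts Payable <ap@example.com>
To: victim@example.net
Subject: Invoice 4471

Please see attached.
"""

# Constructed CEO-fraud style spoof: SPF passes for the sender's own envelope
# domain, there is no DKIM signature, and neither identity aligns with From:.
SPOOFED = """\
Received: from relay.badhost.example (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id def456
Authentication-Results: mx.example.net;
\tspf=pass smtp.mailfrom=badhost.example;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
To: cfo@example.net
Subject: Urgent wire transfer

Process this today, I am in meetings.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLAUSE = re.compile(r"(spf|dkim|dmarc)=(\w+)(?:\s+\S+?=(\S+))?")


def parse_auth_results(msg):
    """Map method -> (result, domain) from the Authentication-Results header.

    The authserv-id before the first ';' is dropped; each remaining clause
    looks like 'spf=pass smtp.mailfrom=bounces@example.com'.
    """
    _, _, body = msg.get("Authentication-Results", "").partition(";")
    results = {}
    for clause in body.split(";"):
        m = CLAUSE.match(" ".join(clause.split()))
        if m:
            domain = (m.group(3) or "").rpartition("@")[2].lower()
            results[m.group(1)] = (m.group(2).lower(), domain)
    return results


def origin_ip(msg):
    """Bottom-most Received: header is the earliest hop the receiver can see."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    m = IPV4.search(hops[-1])
    return m.group(1) if m else None


def triage(raw):
    """Return From: domain, authenticated identities, alignment and origin IP."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    # Strict DMARC-style alignment: the authenticated domain must equal the
    # From: domain. (Relaxed mode would also accept subdomains; omitted here.)
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain),
        "dkim": (dkim_result, dkim_domain),
        "dmarc": auth.get("dmarc", ("none", ""))[0],
        "origin_ip": origin_ip(msg),
        "verdict": "aligned" if (spf_aligned or dkim_aligned) else "unaligned",
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, triage(raw))
```

The spoofed message is the instructive case: SPF is a genuine pass, but for the attacker's own envelope domain, so only the alignment check exposes that From: is borrowed. That is exactly the distinction DMARC adds on top of SPF and DKIM, and why a receiver can make the "is this really from them" call in minutes while an end user looking only at From: cannot. Note that Authentication-Results is only trustworthy when your own MX wrote it; a hardened pipeline strips any copy of that header arriving from outside before adding its own.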


(Allan Brumer) #14

Or they could use Tor or they could use virtual machines set up at random locations around the world.
I’m disappointed that anyone could provide such a stream of reasons for doing nothing at all.
We could circle endlessly around the issue rather than accomplishing any forward progress.
Of course making a change costs money. Of course no one wants the expenditure to be their own.
Of course lazy people will lament how difficult, impossible, or inconvenient this is.

Now that you’ve provided all the reasons why this won’t work, can we get back to…

Does anyone else think this should be a real thing?
Does anyone else think putting more obstacles in the path of the bad guys is a good thing?


(Allan Brumer) #15

Apparently Apple agrees. Ref: https://support.apple.com/en-us/HT204759

Report phishing attempts and other suspicious messages to Apple
To report a suspicious email, forward the message to Apple with complete header information. To forward the email: In macOS Mail, select the email and choose Forward As Attachment from the Message menu at the top of your computer screen.

These email addresses are monitored by Apple, but you might not receive a reply to your report.

If you receive what you believe to be a phishing email that’s designed to look like it’s from Apple, please send it to reportphishing@apple.com.
To report spam or other suspicious emails that you receive in your iCloud.com, me.com, or mac.com Inbox, please send them to abuse@icloud.com.
To report spam or other suspicious messages that you receive through iMessage, tap Report Junk under the message.


(Allan Brumer) #16

And Google, https://support.google.com/mail/answer/8253?hl=en


(Allan Brumer) #17

And Microsoft, among others. https://technet.microsoft.com/en-us/library/jj723151(v=exchg.150).aspx


(P.) #18

I’m sorry that you feel my position is to do nothing at all. That is most certainly not what I intended. Having dealt with this for a few years and being the lead Google Admin at our organization, this issue has been severely frustrating, as there is rarely any actual punishment for the spammers as they are generating random addresses on their own mail relays or stealing legitimate accounts for nefarious purposes. I administer the quarantine and update filters for our organization daily in an attempt to protect our users. This issue is near and dear to my heart, given the amount of time I have spent on it. The implementation of SPF and DKIM and subsequently enabling DMARC reporting is the most promising solution I have been involved in. I would recommend everyone look into it.
As a side note, I spoke to a friend of mine last night about this issue. He is a network security analyst at a global financial institution and he reminded me that the solution you are looking for does exist and has existed since spam became an issue.
Try using Google to search for “How do I report phishing”. If there is a specific company you want to send the phishing email to, include that in the Google search like this “How do I report phishing to comcast
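The DMARC reporting recommended in the post above works the other way round from reporting abuse to a provider: once a domain publishes a DMARC record with an rua= address, receivers mail back daily aggregate XML reports saying which IPs sent mail claiming that domain and whether it authenticated. The script below is an added example, not code from anyone in this thread; it summarises one such report in the RFC 7489 Appendix C layout. The report itself is constructed, and mx.example.net, example.com, badhost.example and the RFC 5737 IPs are assumptions for illustration.

```python
"""Summarise a DMARC aggregate (RUA) report: which sending IPs were
authenticated for our domain, which were not, and what the receiver did.

The report below is constructed in the RFC 7489 Appendix C layout;
mx.example.net, example.com and the RFC 5737 IPs are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed report: our own mail server passes; an unknown relay fails both
# SPF and DKIM while putting example.com in From:, and gets quarantined.
REPORT = """\
<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mx.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.45</source_ip>
      <count>37</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>badhost.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Return published policy, per-source rows and pass/fail message totals."""
    # ElementTree is fine for this constructed input; reports pulled from a
    # live mailbox are untrusted and belong in a hardened parser (defusedxml).
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    summary = {
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "sources": [],
        "passed": 0,
        "failed": 0,
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results; DMARC passes if either
        # aligned identifier passed. A raw SPF pass for badhost.example does
        # not count, because it does not align with header_from.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc": "pass" if dmarc_pass else "fail",
            "disposition": evaluated.findtext("disposition"),
        })
        summary["passed" if dmarc_pass else "failed"] += count
    return summary


def unauthenticated_sources(summary):
    """IPs that sent mail in our name without passing DMARC: either a sender
    we forgot to authorise (fix SPF/DKIM) or someone forging our domain."""
    return sorted(s["ip"] for s in summary["sources"] if s["dmarc"] == "fail")


if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['passed']} passed, {s['failed']} failed")
    print("unauthenticated sources:", unauthenticated_sources(s))
```

This is the answer to the "what would they do for a few hundred thousand spoofed emails" question earlier in the thread: the domain owner does not have to chase each message. Receivers that honour the published policy quarantine or reject the forgeries on arrival, and the aggregate report tells the owner which IPs are doing it, so the abuse report to that IP's operator can be written from evidence rather than from a single forwarded sample.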