My Crusade Against Phishing Emails Part Two: Reporting and the Aftermath (I actually got a response!)
If you haven’t read part one of my story, then please check there first.
Reaching out to the Dutch Company
I am hoping that considering that this is a tech company that they will take me seriously. I haven’t been able to find the email address of anyone in the company (except the ones in the phishing email), but I did find the address for both “support” and “info” on their website. I sent support the following message with info as a cc.
To whom it may concern,
I am an independent information security researcher. I recently received a phishing email from an email address [REDACTED]. Upon looking at the original email, it appears that [REDACTED] is the email address used to send this email. The server it originated from has the IP address [REDACTED].
This email informed me that I had been selected for a position at an oil and natural gas company in Colorado. Considering that you are based in the Netherlands and are in the business of IOT, I doubt that you are hiring any managers for oil exploration.
I do not know if this confirms that your security has been breached, but I do believe that this is cause for an investigation.
I am happy to forward the email for you to look at for yourself. I’m not looking for compensation other than permission to mention this investigation on my blog.
All the best,
Now it’s possible that considering that my subject line reads “Phishing Email Originating from Your Domain”, my email might go straight to the trash can. I sincerely hope that I get some kind of response.
Reaching out to the American Media Company
After a bit of Googling, I discovered that other people have had issues in the past with phishing emails from this domain. This gives me reason to believe that either this company doesn’t seem to find it to be a big enough issue to worry about, or the attackers have found their way back in to their systems.
I wasn’t able to find an email address to contact them, so I ended up calling them. After some time on hold, I was connected to someone who wanted to know my account information for their service.
I am not a customer of theirs, so I just gave a quick pitch of why I was calling. It went along these lines:
Hi! I am not a customer of yours. I’m calling today because I’ve received some phishing emails from [REDACTED].com. That’s one of your domains, right?
…
Is there any way that you could put me in touch with someone from your data security department or the like? Is there an email address that I can contact, perhaps?
To no surprise of mine, I was placed on hold so that person could find that information for me. After more waiting, I was connected to an entirely different person, and we had the same conversation. This person, however game me an “abuse” email that I could contact.
I forwarded them the email and attached a note.
To whom it may concern,
I received this phishing email. After some research, I discovered that the origin domain ([REDACTED].com) is connected with your company. I am happy to share more information with you if that will be of use.
I am a security researcher, so out of curiosity I am interested in any developments that follow or actions that you take.
All the best,
I don’t feel optimistic about them responding to me, but there’s always a possibility that they could.
Reaching out to the American Small Business
In this instance, the business is a clothing boutique. Their website has no email or contact information on the front end, but I found a complaint against them on the BBB’s website. Running a small business isn’t easy, folks.
I don’t think that its a coincidence that the “censored” part of the email address has the same amount of asterisks as the contact first name has characters. I’ll attempt to contact what I guess to be the email address of the owner and see if it goes through.
Hi [REDACTED],
I am an independent cyber security researcher. I’m contacting you because I received a few phishing emails that appear to be using email addresses hosted on your domains [REDACTED] and [REDACTED] to receive emails from the victims of their phishing campaign.
If you aren’t familiar with phishing, it is an attempt by a scammer to act as someone else in order to obtain someone’s personal information. Phishing is quite a common attack these days, and it isn’t unusual for a business’s domains to be abused for this purpose.
I don’t want this email to cause you any alarm, but I recommend alerting this issue to whomever manages your website and domain names.
If you have time, I am interested in hearing about any developments for my own curiosity. I can also forward you these emails or send screenshots if you want to look at them yourself or pass them along to whoever manages your site.
All the best,
My suspicions were correct about the email (thanks, OSINT skills!). It went through without issue.
I reckon that this person has enough to worry about already with running a business during the pandemic, so I tried my best to be friendly and helpful in the email.
I initially was most looking forward to the Dutch company’s potential response, but I’ve developed a soft spot for this person since I’m an advocate for small business.
I hope that I get a response from at least one of these parties.
I got a response!
The first person to write back was someone from the Dutch company.
I responded by thanking them for their response, and I sent the original text of the email. To my surprise, they got back to me again rather quickly.
Well, apparently they tackled this issue (or at least claim that they have) in about half an hour. Check the timestamp.
Of course, I am dying to know what the issue is/was and what they did to resolve it. I am a little skeptical that the matter is resolved in full, but in their defense, the email did say should be resolved. It’s also possible that they had already detected this issue and had resolved it before I reached out.
To be honest, what’s going on within their company is none of my business anyway. Why would I need to know? Oh, but I am curious!
“We are grateful for the message as this helps us improve our security.
Have a wonderful day.”
This made me pretty happy. It is a somewhat anticlimactic ending to this case, but I do feel validated. Mission accomplished, I guess.
Closing Remarks
If you don’t know what you’re doing (or don’t have the risk tolerance), then don’t click on anything in a suspicious email. Do NOT respond, either. Please do not.
It’s been four days since I got in touch with these three parties. The only email that I know for a fact was read was the one that I sent to the Netherlands. I’m grateful that someone took the time to respond to and thank me for my email.
My theory for the American media company’s lack of response is that they either don’t have the time, don’t have the resources, or simply don’t care about doing anything about it. It’s also possible that they got my email and don’t believe that it warrants a response (after all, it isn’t any of my business). That being said, I also discovered similar complaints about this domain in my research dating a few years back. Make of that what you will.
The fact that the small business owner didn’t respond could be for a variety of reasons. It’s possible that the email I contacted isn’t their primary email anymore. It’s also possible that they contacted whoever takes care of their web and email services and let that person do their thing. It’s also possible that they have enough on their plate already and either don’t know what to do about this or they just can’t be bothered to act right now (if ever).
In conclusion, I had a blast analyzing these phishing emails that I found in the wild. I figured that more often than not, the recipients of such emails are the ones who we think about first when attempting to mitigate the damage that the crooks behind phishing campaigns can do. I decided to contact the owners of the domains that were being abused out of courtesy, but also curiosity — I kind of just wanted to see what would happen. If there are any further developments to this story, then I will update this article. For now, I’ll consider this investigation to be finished.
Thank you for reading. If you’d like to get in touch, please contact me via LinkedIn or my personal website. Please leave a comment or some applause on this article if you see fit. Stay safe, and stay secure!
