easyhosting Posted November 10, 2011

I have a client who signed up 18 months ago, and their latest invoice remained unpaid for 2 months when they suddenly renewed. Then 2 days later I got this email:

From: SecurityOperations@
Sent: Monday, November 07, 2011 9:02 PM
To: support@ ; abusenoc@
Cc: DC-OPS
Subject: [!! SPAM] Phish redirection site on your network (74.117.237.175) (MM #127586)

To Whom It May Concern:

It has come to our attention that you are hosting a redirection site that points to a fraudulent "phish" website, which is attempting to steal account information from customers of Western Union.

The redirection URL that points to the fraudulent site is as follows: http://squom.com/simg/index.html
The IP address hosting the redirection site is 74.117.237.175.
The landing URL that is being redirected to is: http://squom.com/.ssl/www.westernuni...ine/indexa.php

Please investigate and shut down this site immediately. If possible, please send us a copy of any fraudulent files or relevant excerpts of log files regarding this case. Should you have any questions, please call us at +1-301-515-0820.

Thank you,
Konata Jackson
MM Ops Center

Note: As part of this action, we request that you redirect traffic to an educational website provided by the Anti-Phishing Working Group (APWG) at http://education.apwg.org/r/en/index.html. Information about implementing a redirect to this page can be found at http://education.apwg.org/r/how_to.html.

After checking by myself and the DC, this was proven 100% correct, so I immediately terminated the account and marked the client as fraud, as it is a clear breach of our TOS, which it would be with most hosts I know. Today I got this message through a support ticket, when he used a different email and IP (which I have blocked):

10/11/2011 07:53: I would like to know why my account has been terminated two days after i have paid to renew.? This is not on as i hve not broke any terms or conditions. I cant get through to anyone one the phone number supplied so i am getting very fustrated, Sort it out asap please or send me my epp code and a refund. Thanks

Needless to say, when I terminated his account, as he also got his domain through my domain account, I locked the domain. So he now wants the domain and a refund, which I will not provide due to him breaching our TOS. I suppose he wants these so he can take them to another host to do the same thing.
m8internet Posted November 10, 2011

Examine the server logs and copy these to Notepad (or similar) for future reference.
You should also be able to obtain a copy of the mass email as sent out.
You can then forward this to the client and ask them to explain its purpose.
* I had a client do this, but in error they also sent me a copy; had them bang to rights!
You now need to prove the incoming abuse and redirection resulting in the abuse claim.
Personally, I would simply refund the customer and release their account.
If you refuse then the customer will simply commence chargeback procedures, claim under the DSR, or similar.
Equally, why was the customer's account suspended without notice?
I appreciate it is defined as abuse, but the customer could be completely unaware of the issue, such as due to compromised FTP, etc.
I normally suspend the account, create a new support ticket advising the customer of the issue and that they must respond within 7 days; failure to do so results in termination.

Edited November 10, 2011 by m8internet
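One way to do the evidence gathering suggested above (pull the reported URLs out of a notice in the shape of the one quoted in the first post, find the hits on those paths in the access log, and confirm the redirect page really points at the landing page), as an added example written for this thread and not code from any poster. It assumes Apache combined log format; the notice, log lines, redirect page, domains and IPs are all constructed placeholders.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed abuse notice in the same shape as the one quoted in the thread;
# the domain and IP are placeholders, not the thread's real values.
NOTICE = """Subject: Phish redirection site on your network (203.0.113.10)
The redirection URL that points to the fraudulent site is as follows: http://redirect.example/simg/index.html
The landing URL that is being redirected to is: http://redirect.example/.ssl/www.brand.example/login/indexa.php
"""

# Constructed Apache combined-format access log lines (placeholder IPs).
ACCESS_LOG = """203.0.113.55 - - [07/Nov/2011:20:41:02 +0000] "GET /simg/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.55 - - [07/Nov/2011:20:41:03 +0000] "GET /.ssl/www.brand.example/login/indexa.php HTTP/1.1" 200 4096 "http://redirect.example/simg/index.html" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2011:20:45:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Nov/2011:21:02:44 +0000] "POST /.ssl/www.brand.example/login/indexa.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed content of the redirect page named in the notice.
REDIRECT_PAGE = '<html><head><meta http-equiv="refresh" content="0;url=http://redirect.example/.ssl/www.brand.example/login/indexa.php"></head></html>'

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')

def parse_notice(text):
    """Pull the reported URLs out of the notice; returns (redirect_url, landing_url)."""
    redirect = re.search(r'redirection URL[^:]*:\s*(\S+)', text).group(1)
    landing = re.search(r'landing URL[^:]*:\s*(\S+)', text).group(1)
    return redirect, landing

def log_hits(log_text, paths):
    """Return parsed log records whose request path is one of the reported paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group('path') in paths:
            hits.append(m.groupdict())
    return hits

class _MetaRefresh(HTMLParser):
    """Records the target of a <meta http-equiv="refresh"> tag, if present."""
    def __init__(self):
        super().__init__()
        self.target = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'meta' and a.get('http-equiv', '').lower() == 'refresh':
            m = re.search(r'url=(\S+)', a.get('content', ''), re.I)
            if m:
                self.target = m.group(1)

def redirect_target(html):
    """Where a meta-refresh redirect page sends the visitor (None if it is not one)."""
    p = _MetaRefresh()
    p.feed(html)
    return p.target

def build_evidence(notice, log_text, page_html):
    """Summarise what the logs and the saved redirect page show for the report."""
    redirect_url, landing_url = parse_notice(notice)
    paths = {urlparse(redirect_url).path, urlparse(landing_url).path}
    hits = log_hits(log_text, paths)
    return {
        'redirect_url': redirect_url,
        'landing_url': landing_url,
        'page_points_to_landing': redirect_target(page_html) == landing_url,
        'hits': hits,
        'visitor_ips': Counter(h['ip'] for h in hits),
        'posted_credentials': sum(1 for h in hits if h['method'] == 'POST'),
    }
```

The `hits` list and the saved redirect page are what an abuse desk asks for when it requests "relevant excerpts of log files"; the POST count shows whether visitors actually submitted the landing form.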
easyhosting (Author) Posted November 10, 2011

> Examine the server logs and copy these to Notepad (or similar) for future reference.
> You now need to prove the incoming abuse and redirection resulting in the abuse claim.
> Personally, I would simply refund the customer and release their account.
> If you refuse then the customer will simply commence chargeback procedures, claim under the DSR, or similar.
> Equally, why was the customer's account suspended without notice?
> I appreciate it is defined as abuse, but the customer could be completely unaware of the issue, such as due to compromised FTP, etc.
> I normally suspend the account, create a new support ticket advising the customer of the issue and that they must respond within 7 days; failure to do so results in termination.

This was initially suspended until I heard back from the DC. My DC informed me this was a genuine phishing redirect made by this client from his account; the server and/or his account was not compromised from any outside source. I was informed to terminate his account or my server would be terminated. He may have just renewed his hosting, but his invoices were 2 months overdue, so his account was suspended and then unsuspended on the renewal being paid. His ticket to me asking why he was terminated was made using yet another .live email address and a proxy IP.

Our TOS clearly state:

THE FOLLOWING ARE NOT ALLOWED:
- Fraud websites
- Phishing websites
- Spamming
- Gambling websites
- Nulled scripts
- IRC
- Warez hosting or storage (even if it is for private use, it is not allowed.)
- Warez linking
- Child porn (under 18)
- Racist websites
- Torrentflux, uTorrent, rTorrent, wTorrent, kTorrent, bittornado, or any form of P2P/torrents are not allowed on our VPS services.

Using a website for phishing or viral attack purposes is illegal and strictly prohibited. Any website found to breach this condition will be terminated and reported without delay. In any such event we reserve the right to disclose your personal details to any law enforcement agency in order to further investigate such matters. Your services will be terminated with or without notice. No refund will be issued.

Edited November 10, 2011 by easyhosting
m8internet Posted November 10, 2011

Simply explain that then to the customer, from all the collated evidence.
Equally, I thought it was a phishing email, but it is actually the landing page.
That file then is still on your server.
I would save that file and require the customer to respond with details of its purpose.

Just as an aside:
The DC is in the UK or USA? The email is from the USA (+1-301-515-0820).
Ironically, their last comment asks you to redirect the phishing page to another website.
From what I can see most people seem to ignore this request and simply disable / delete the account.
Who are MM Ops Center? They seem to get around quite a bit!
Finally, what payment method did this customer use?
If it was PayPal, expect it to be returned as fraudulent or a chargeback; for that reason I tend to just refund it knowing this might take place (putting your PayPal account in disabled status for some time, so this then avoids that).

Edited November 10, 2011 by m8internet
easyhosting (Author) Posted November 10, 2011

The DC is in the USA. I followed "Please investigate and shut down this site immediately." and not the footnote under his signature. MM Ops Center is markmonitor.co.uk; I checked with Western Union and they are used by them to monitor any abuse etc. of their sites/name. The site was terminated, so there is nothing on the server now.
m8internet Posted November 10, 2011

> MM Ops Center is markmonitor.co.uk; I checked with Western Union and they are used by them to monitor any abuse etc. of their sites/name.

It would appear most of the banks seem to use them: http://www.antiphishing.org/sponsors.html
Strangely the banks don't sponsor (Americanised spelling) them or are members though, although it is good to see APACS is listed in there.
Just checking my records, and the last report I had was from SpamCop, November 2009.

Edited November 10, 2011 by m8internet
easyhosting (Author) Posted November 10, 2011

> It would appear most of the banks seem to use them: http://www.antiphishing.org/sponsors.html
> Strangely the banks don't sponsor (Americanised spelling) them or are members though, although it is good to see APACS is listed in there.
> Just checking my records, and the last report I had was from SpamCop, November 2009.

Yup, I spotted that. I had to laugh when I got his message this morning:

I would like to know why my account has been terminated two days after i have paid to renew.? This is not on as i hve not broke any terms or conditions.

So setting up a phishing site on a server is not breaking any TOS, and he wants to know why he was terminated, which is strange as the termination notice contained a copy of the email received from MarkMonitor.
m8internet Posted November 10, 2011

I hve not broke any terms? Well, given the way that is spelt, that is correct!
You need to be careful how notices are sent out to customers.
One slight spelling mistake and it can be quite costly.
Sounds more like some juvenile that does not understand responsibility.
Perhaps send him a link to Spiderman... He is running a website, and with power comes great responsibility.
He has neither, so no longer has a website.
As above, when I suspended my customer following the report received from SpamCop we both spent several hours trying to establish what had gone wrong.
Yes, to begin with he was angry at the lack of notice and not in breach of terms, but when I fully explained the reasons the tone changed.
The previous one to that was not interested; I just processed a refund and never heard anything more about it. Good riddance.

Edited November 10, 2011 by m8internet
easyhosting (Author) Posted November 10, 2011

> I hve not broke any terms? Well, given the way that is spelt, that is correct!

This is the way he spelt it. Before my TOS/AUP were published I had them checked over by my local Trading Standards office, and when they were finished with them it was like a total rewrite, but this made sure they were correct and complied with current legislation. Even if I decide to make any changes I will check to see if the change can be made to comply with legislation. Each client has to accept these TOS when they order hosting, but I dare say people like this ex-client won't bother with TOS as they will just set up with another host and do the same thing.
thernes Posted November 11, 2011

Did you never consider that your client could have been the victim of a hacker? We get notices like this now and then, and we usually suspend the site first and notify the client that their website might have been hacked. If they get back to us, we usually delete the folders with the offending website, unsuspend the site and let the client check things out / update their software / etc. We usually never suspend a client directly like you have described above, but we all have our ways of doing things.
easyhosting (Author) Posted November 11, 2011

> Did you never consider that your client could have been the victim of a hacker? We get notices like this now and then, and we usually suspend the site first and notify the client that their website might have been hacked. If they get back to us, we usually delete the folders with the offending website, unsuspend the site and let the client check things out / update their software / etc. We usually never suspend a client directly like you have described above, but we all have our ways of doing things.

The site was initially suspended and the client informed, along with a copy of the email we received, of the reason why. I checked the logs, the DC checked the logs, and we could find no exploits or any signs of a hack. The client's site files only had the 2 folders that were mentioned in the email within his account, so I was instructed by the DC to terminate his account immediately or they would close down my server. When the termination notice was sent to the client, this also included a copy of the email again. So then the client eventually contacts me using a different .live email address and a proxy IP with this:

I would like to know why my account has been terminated two days after i have paid to renew.? This is not on as i hve not broke any terms or conditions.

Then you have to laugh, as he has the email we received twice explaining the problem, and then says he broke no terms. I replied to him once again with a copy of the email and the reason why the site was terminated, and so far he has not replied back. I dare say if he genuinely had nothing to do with this he would have replied straight away, as he would want his site back up and running. All the evidence points to him using our server for phishing.
easyhosting (Author) Posted November 12, 2011

Just got this from ResellerClub's compliance team:

Hello,
Instead of locking the domain name, you may disable the privacy protection service and suspend the domain name to prevent spreading phishing over the internet.
Regards,
PDR Compliance Team

So it looks like I can suspend the domain, which will prevent him from moving the domain or amending any details on the domain. I also messaged the client to say that if this had nothing to do with him then he should forward a fresh copy of the site so this can be checked out and we may reinstate him, but after 2 days no reply, which to me is enough proof that he knew exactly what he was doing and just played dumb.
m8internet Posted November 12, 2011

I'm not sure you can do that with the Domain Name, unless instructed to do so by the registering authority (Verisign, Nominet, etc).
Domain Name privacy remains in effect as the customer has paid for it.
However, it would no longer apply if the invoice lapses (for reasons outlined above).
I've had this happen once, and their advice was to simply remove the privacy and transfer the contact details to my own.
This I did, then placed the Domain Name pointing to my own website until it expired.
Refer to the ICANN abuse policy; it is so vague...!
They will disable a website reported to them for abuse by APWG (presumably where the host does not respond) but they will not amend the WHOIS record.
Equally, the "closedown" refers only to the link, page, or files.
It does not apply to the WHOLE website; need to be careful on this one.

Edited November 12, 2011 by m8internet
easyhosting (Author) Posted November 12, 2011

> I'm not sure you can do that with the Domain Name, unless instructed to do so by the registering authority (Verisign, Nominet, etc).
> Domain Name privacy remains in effect as the customer has paid for it.
> However, it would no longer apply if the invoice lapses (for reasons outlined above).
> I've had this happen once, and their advice was to simply remove the privacy and transfer the contact details to my own.
> This I did, then placed the Domain Name pointing to my own website until it expired.
> Refer to the ICANN abuse policy; it is so vague...!
> They will disable a website reported to them for abuse by APWG (presumably where the host does not respond) but they will not amend the WHOIS record.
> Equally, the "closedown" refers only to the link, page, or files.
> It does not apply to the WHOLE website; need to be careful on this one.

Well, if you read my last post, I have been instructed by ResellerClub's PDR compliance team, who are the registrar for the domain:

Domain Name: SQUOM.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
m8internet Posted November 12, 2011

> Well, if you read my last post, I have been instructed by ResellerClub's PDR compliance team, who are the registrar for the domain.

They are the registrars, not the authority.
As a .com this comes under ICANN.
Again, the registrar is suggesting / recommending action to take; it is not their policy (i.e. you MUST perform a specific action).
I put this to ICANN some time ago and their response was so vague I didn't take the matter further.
Try a search for phishing policy at ICANN, and the results are quite shocking!
It's as if they don't know what to do since first discussing the matter in 2008.
Even their most recent meeting resulted in no policy being set.
ICANN wants registrars to take responsibility, the registrars want a policy to adhere to, and it just seems to keep going round in circles.
easyhosting (Author) Posted November 12, 2011

Originally I was told to keep the domain locked by the compliance team until they consulted with ICANN; I assume they have consulted with them when they said to suspend the domain. I know Nominet are more clear in these situations with .uk domains, as they would revoke the domain.
m8internet Posted November 12, 2011

> Originally I was told to keep the domain locked by the compliance team until they consulted with ICANN; I assume they have consulted with them when they said to suspend the domain. I know Nominet are more clear in these situations with .uk domains, as they would revoke the domain.

Exactly, with Nominet you know exactly where you stand.
They take the Domain Name away from you and you have nothing more to do with it.
With a .com you seem to receive conflicting advice (and that is all it seems to be).
easyhosting (Author) Posted November 12, 2011

> Exactly, with Nominet you know exactly where you stand.
> They take the Domain Name away from you and you have nothing more to do with it.
> With a .com you seem to receive conflicting advice (and that is all it seems to be).

That is true, and all I can go off is what I am told by the registrar. Contact ICANN and they just tell you to contact one of their agents, who the last time I checked want $1500. No wonder no one reports domain disputes with .com domains.
merlinpa1969 Posted November 13, 2011

I can tell you that if we had to terminate every WP site that gets hit with a fishing hack we could lose 3 servers' worth of people... We at least do the job of verifying the report, and the DC can tell you to deal with it or they will suspend service; once you inform them it has been dealt with they close their abuse complaint....
Damo Posted November 13, 2011

> I can tell you that if we had to terminate every WP site that gets hit with a fishing hack we could lose 3 servers' worth of people...

Really? Maybe you could do with reviewing your password policies and hardening the servers some more. Phishing (not fishing) isn't that difficult to protect your clients against; of course, you can't protect everything and you can't protect some people against themselves. (This isn't an attack against you by any means; the post just caught my attention.)
merlinpa1969 Posted November 13, 2011

Actually, the only way we are going to get past this is to outlaw WordPress; they are isolated issues on crappy insecure software that you can't really tell users they cannot use.
easyhosting (Author) Posted November 13, 2011

Well, if you read my post you will see that this was checked by myself and the DC, and there were no exploits or hacks made against this account shown in any reports. As these were the only 2 folders that were on the account, I was informed by the DC to terminate this account or they would close down my whole server, due to the seriousness of the abuse. Once the site was terminated, the DC and MarkMonitor were informed that this was dealt with.
m8internet Posted November 13, 2011

> Actually, the only way we are going to get past this is to outlaw WordPress; they are isolated issues on crappy insecure software that you can't really tell users they cannot use.

It isn't just WordPress; there are loads of methods available for phishing.
The simplest method is to hide the URL within content (typically email) and redirect the visitor.
This is the method being referred to by the OP.
In this case they were the receiving redirection media.
The only way to prevent this would be to switch off the internet; there will be a small (and it's a very small) element of people that will look for exploits.

Edited November 13, 2011 by m8internet
easyhosting (Author) Posted November 13, 2011

> It isn't just WordPress; there are loads of methods available for phishing.
> The simplest method is to hide the URL within content (typically email) and redirect the visitor.
> This is the method being referred to by the OP.
> In this case they were the receiving redirection media.
> The only way to prevent this would be to switch off the internet; there will be a small (and it's a very small) element of people that will look for exploits.

In my case both the page used to redirect and the phishing page were in the client's account. But I agree this is not just a WP issue. Currently Facebook are having major security issues, and a couple of years ago the e107 script was exploited to a point where we will no longer allow this script on our servers.
bear Posted November 13, 2011

> Needless to say, when I terminated his account

Apparently all is forgiven now, and the site is once again online?

Domain Name: SQUOM.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.NICEDAY-HOSTING.COM
Name Server: NS2.NICEDAY-HOSTING.COM
Status: clientTransferProhibited
Updated Date: 12-nov-2011

Showing as a dating site from here. Basically, you appear to have "outed" one of your customers as being an illegal "phishing" site creator... then allow him to keep his account? Nice privacy policy there, by the way.