Ask the Internet Fraud/Abuse Investigator...again

Howdy y’all,

There are lots of threads about ‘Identity Theft’ and such popping up, so I figured it might be time for another thread.

My background: I’ve worked for a major US ISP for 7 1/2 years. I have 4 years of experience as an Abuse Investigator (spamming, viruses, hacking), 2 years of experience as a Fraud Investigator (phishing, identity theft, fraudulent accounts), and 1 1/2 years of experience as a Protection Software Product Manager for an anti-phishing toolbar. I’ve recently returned to Fraud Investigation after my hiatus in Product Management/Marketing. It was very interesting and enlightening to see how The Darkside (as I affectionately refer to Marketing) works, but Investigations is where my passions lie.

I forgot to include a link to the first thread, in case some questions may already be answered.

What information should a person include when notifying you of [insert fraud/abuse]?

In particular, I find that if I turn iptables off (which I do sometimes because I’m too lazy to write the new rules I need to open certain local ports), there’s a rather startling number of port scanning and ssh login attempts being made (damn script-kiddies). Often, I’ll capture some packets and do a whois to trace the IP, then send an email to the ISP’s abuse address about it. I’m just not sure what they’d find helpful – a dump of the packets? Just the IP address? Time and date? Anything else? Also – and this is totally in the realm of your opinion – would anything actually be done?

Reports comprised of firewall logs are usually going to fall under the Abuse umbrella. Some networks have people dedicated to such things, and some networks have an administrator or two who will handle any Abuse complaints that happen to come in along with their other administrator duties.

Complaints of Abuse need to include:

- A date/time stamp, including the timezone in which the logs are generated.
- The IP from which the Abuse originated.
- A description of the abusive activity (in the case of firewall logs, this requirement is satisfied by the source/destination ports).

There are a couple of ways of providing this required information, depending on how interested you are in being ‘hands on’ and keeping tabs on the shadier areas of the internet.

If all you’re interested in is getting the right information to the right people so that they can put a stop to the unwanted traffic, I recommend downloading the myNetWatchman agent software. Here is an overall explanation of the (free) service, and here is the registration form. I can’t recommend this service enough.

If you’re interested in becoming as intimately acquainted as possible with every detail of the Abuse Investigation process, you should get out more. :smiley:

In all seriousness, first I’d crawl around on the myNetWatchman site, read everything you can, and if you still have questions or want more information, come back to the thread or email me and I’ll be happy to continue the discussion with you.

For those reading who are more interested in submitting complaints about abusive emails you’ve received (like spam or phishers or from your online stalker) the extended email headers include all of the above 3 bullets of required information. The tricky part is figuring out how to view the extended headers within your particular email client. The even trickier part is correctly interpreting those headers to determine the individual networks responsible for either originating or otherwise routing the mail. Those are the networks that need to receive your complaint.

The vast majority of unwanted firewall traffic these days comes from compromised systems that are infected with malware, and often infected with many more than just one kind. Compromised systems on a network are a liability. Such systems spew spam that can get the network blocked as a sender by other networks. Such systems host phisher pages, and other illegal content that attract the interest of Law Enforcement. Such systems infect more systems. There are many names for them: bots, zombies, drones, etc. I call them the root of all evil.

Any network that wants to be able to connect with other networks (kinda the whole point of the internet) takes such systems (and the complaints that lead to their discovery) seriously. You may or may not receive much correspondence about your complaints, or what exactly is being done with them, but every piece of data makes it more obvious where the vulnerabilities lie. You can’t detect and secure what you don’t know is there.
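Added example (mine, not the investigator's or myNetWatchman's code): a script that pulls the three required fields out of the two kinds of evidence discussed above, iptables LOG lines from syslog and the Received: headers of an unwanted email, and groups the firewall hits into one complaint per source IP. The log lines, the headers, the host names and the trusted-domain list are all constructed for the example and use RFC 5737 documentation addresses; the `-06:00` zone stands in for whatever zone your logging box actually runs in.

```python
"""Extract timestamp (with timezone), source IP and activity description
from iptables LOG lines and from email Received: headers.
Added example for the thread; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed iptables LOG-target lines as they land in syslog. The syslog
# prefix has no year and no timezone: both must be supplied by the reporter.
FIREWALL_LOG = """\
Mar 14 03:22:17 gw kernel: [1234.5] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 14 03:22:19 gw kernel: [1236.5] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 14 03:22:40 gw kernel: [1257.5] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=445 SYN
Mar 14 03:30:01 gw kernel: [1698.5] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=53 DPT=1434
"""
LOG_TZ = timezone(timedelta(hours=-6), "CST")  # assumed zone of the logging box

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_firewall_log(text, tz, year):
    """Return one event per LOG line with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a LOG-target line; skip rather than guess
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append({"when": stamp, "src": m["src"], "dst": m["dst"],
                       "proto": m["proto"], "dpt": m["dpt"]})
    return events


def firewall_complaints(events):
    """Group events by source IP: one complaint per offending host."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    out = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["when"])
        out[src] = {
            "first_seen": evs[0]["when"].isoformat(),
            "last_seen": evs[-1]["when"].isoformat(),
            "hits": len(evs),
            # protocol/destination port is the "description" for firewall logs
            "targets": sorted({f"{e['proto']}/{e['dpt']}" for e in evs}),
        }
    return out


# Constructed headers of a phishing mail. Each MTA prepends its own
# Received: line, so the top one was written by the recipient's own server
# and everything below the last trusted hop could be forged by the sender.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.25])
\tby mail.example.net with ESMTP id abc123
\tfor <me@example.net>; Tue, 14 Mar 2006 09:15:02 -0600
Received: from mail.example.com (unknown [203.0.113.200])
\tby mx1.example.net with SMTP id def456;
\tTue, 14 Mar 2006 09:15:01 -0600
Received: from trusted-bank.example (localhost [127.0.0.1])
\tby mail.example.com; Tue, 14 Mar 2006 09:14:00 -0600
From: "Security Department" <alerts@trusted-bank.example>
Subject: Verify your account

"""
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>[\w.-]+)"
)


def originating_hop(raw_headers, trusted_suffixes):
    """Walk Received: lines top-down and return the hop that handed the mail
    to the last server we trust; lines below that are attacker-writable."""
    msg = message_from_string(raw_headers)
    hop = None
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        by = m["by"]
        if not any(by == s or by.endswith("." + s) for s in trusted_suffixes):
            break  # written by a server we do not control: stop here
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hop = {"ip": m["ip"], "by": by, "when": when.isoformat()}
    return hop


if __name__ == "__main__":
    for ip, r in firewall_complaints(parse_firewall_log(FIREWALL_LOG, LOG_TZ, 2006)).items():
        print(f"{ip}: {r['hits']} hits, {r['first_seen']} .. {r['last_seen']}, {r['targets']}")
    print("mail entered our network from", originating_hop(SAMPLE_HEADERS, ("example.net",)))
```

The `trusted_suffixes` argument is the part that needs care: list only the domains of mail servers you or your provider actually run, because any Received: line below the first hop into those servers was written by machines the sender controls and proves nothing. The firewall side deliberately takes the year and zone as parameters rather than guessing them from the host, since the whole point of the first bullet above is that the reader of the complaint cannot recover either from a bare syslog line.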

Thanks, that looks like a great service. I’m finally getting around to setting up my shiny new box (and thus, finally configuring iptables properly). Once I do, I’ll look into it more.

Another question that occurs to me: what are some of the non-obvious or more devious techniques you’ve encountered? Particularly those that even those who know about computer security wouldn’t think of. For instance, a friend of mine had a Linux box set up as a router/gateway for his home network. He never set up a firewall, opting instead to make sure that only port 22 (ssh) was open. In scanning his logs, he found (or at least guessed) that someone set his IP address as their gateway, which allowed them to then scan the computers on his internal network. The way I understand it is that he was running a naming service that (obviously) also maintained entries about local IP addresses; the gateway allowed unfettered access from “outside”.

Needless to say, he’s now running iptables. Any others come to mind?

It has been a few years since I’ve been dealing with the emerging threats on the Abuse side of the house. I’ll need to do a little research and get back to you. My stories are a bit outdated.

http://money.cnn.com/magazines/fortune/fortune_archive/2006/05/29/8378124/index.htm?cnn=yes

Brief version: would my computer show up in something like “whois” as belonging to my ISP?
Long version: every time I have an ISP in Spain that’s not Telefónica or cable (but NOT when it’s Telefónica or cable), I get “port runs” on Saturday mornings. This has happened for years. Telefónica isn’t a cable provider, but for regular modem or DSL they’re the real providers and everybody else is just a reseller. Whois gives me the owner of the IPs as being Telefónica Research :open_mouth: and I would bet my 'puter it really is Telefónica Marketing Research; their business practices are about as clean as Hitler’s colon. But could it be someone whose ISP is Telefónica?