How to deal with Phishing, Spam and Cyber Crime
WARNING
Cybercrime is mostly run by organized crime, and the people behind it are not squeamish when their business model is in jeopardy. Knowing the dangers and vulnerabilities, and keeping away from them, is the surest way to deal with them.
Being bombarded with unwanted ads on a daily basis seems to have become normal, and attempted data theft is increasing sharply.
The role of the employer and limits of responsibility
As an employer, you are responsible for ensuring that your own employees and customers are not harmed during working hours. Even if it sounds annoying, there is no way around regular training in the targeted, conscious perception of the points of attack.
A real-life situation
Some time ago I received an SMS, supposedly from a bank, referring to a security problem and asking me to check my photoTAN procedure. On the one hand, I was not a customer of this bank; on the other hand, it was clear from the URL that this was not a page of the bank in question:
https://<BANKNAME>-photoTAN<cryptic ID>.web.app/
Danger
Please do not copy it, since opening the page can exploit existing security gaps in your own system.
Out of curiosity, I used a safe test environment to open the page and was pleasantly surprised by its design and accuracy. I was also sure that a lot of people would fall for it. So what to do?
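The tell in the SMS above was that the host name only looked like the bank's: the part of the name the attacker controls is the free subdomain of a shared hosting platform, not the bank's own domain. The following check is an added example, not code from the original post. It assumes a fictitious bank domain (examplebank.de), a hand-picked sample of shared-hosting suffixes, and constructed URLs modelled on the photoTAN link; a real check would use the Public Suffix List instead of the small sample here.

```python
from urllib.parse import urlsplit

# Domains the bank really uses: an assumption for this example (examplebank.de is fictitious).
BANK_DOMAINS = {"examplebank.de"}
BRAND_TOKENS = ("examplebank",)

# Shared-hosting suffixes under which anyone can create a subdomain. A tiny sample
# chosen for the example; a production check should use the Public Suffix List.
SHARED_SUFFIXES = {"web.app", "firebaseapp.com", "github.io", "herokuapp.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the host name that its operator actually registered or created."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "a.b.web.app" matches "web.app".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in SHARED_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def assess_url(url: str):
    """Return (controlling_domain, findings); empty findings means the host is the bank's own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    findings = []
    if owner in BANK_DOMAINS:
        return owner, findings
    if any(token in host for token in BRAND_TOKENS):
        findings.append(f"bank name appears in the host, but the controlling domain is {owner}")
    if any(owner.endswith("." + s) for s in SHARED_SUFFIXES):
        findings.append("hosted on a shared platform where anyone can create a subdomain")
    if parts.scheme != "https":
        findings.append("link does not use https")
    if not findings:
        findings.append(f"unrelated domain {owner}")
    return owner, findings


if __name__ == "__main__":
    # Constructed links: one modelled on the photoTAN SMS, one legitimate, one brand-in-subdomain trick.
    for link in ("https://examplebank-phototan-x7k2q.web.app/",
                 "https://banking.examplebank.de/login",
                 "http://examplebank.de.login-check.net/"):
        owner, findings = assess_url(link)
        print(link, "->", owner, findings or "looks like the bank's own site")
```

The second and third sample links show why the check looks at the controlling domain rather than at whether the bank's name occurs anywhere in the host: "examplebank.de" at the start of a host name proves nothing if the registered domain behind it is someone else's.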
Bank customer support via chat
The bank didn't have a separate contact category for reporting phishing attacks, so I tried the regular chat support. The communication went something like this:
Me: Hello, I am not a customer of your bank and received a clear phishing SMS today. Can I give you the sender's phone number and the phishing URL so you can use the information to notify law enforcement?
Support: Thank you for your inquiry. There are currently many phishing attacks; please do not click on the link or enter any account access data there.
Me: Yes, I know, and I'm not a customer of your bank either. Do you want the data?
Support: Normally this is of no use and the investigations come to nothing.
Me: And what's next here?
Support: We are not liable for any damage if you pass on your account access data to third-party websites.
Me: I see. Would you like to have the data to actively protect your customers?
Support: Glad I could help you. Goodbye.
At this point I was appalled and wondered if all banks were reacting this way.
Federal Network Agency
Since the SMS came from a cell phone number, I wanted to report abuse of the number to prevent further phishing attempts. The form didn't have a phishing category, but I tried my luck. About 2 hours later I received an email with the following content:
From your description of the facts, no violation of telephone number misuse or unauthorized telephone advertising to be prosecuted by the Federal Network Agency can be identified. The Federal Network Agency can therefore not intervene under the specific circumstances. (There is no discernible advertising. Phishing or a suspected crime is not phone number abuse.)
Note: Unlike the police, the Federal Network Agency is not authorized to investigate suspected criminal offenses or to receive criminal charges. It is our job to take action against calls/messages in which consumers are harassed, for example, with illegal advertising.
Online criminal complaint to the police
Filing a criminal complaint online is fairly easy these days, but a clear warning: if you accuse someone of a crime and it turns out to be untrue, claims for damages can result. In this specific case, I had not suffered any damage and could not determine with certainty whether there was actually a suspicion of a criminal offence.
Examination of the facts by the hosting provider
As was easy to see from the domain, the application was hosted on Google Cloud Platform (GCP). All major public cloud providers offer a very straightforward process for reporting suspicious content, and they usually have a dedicated team that investigates these reports very quickly.
To find out where the phishing site is operated, you can consult the public whois database.
Whois lookup
- https://www.whois.com/whois
AWS
- https://aws.amazon.com/forms/report-abuse
GCP
- https://support.google.com/code/contact/cloud_platform_report
Azure
- https://portal.msrc.microsoft.com/en-us/engage/cars
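A whois answer is a block of "Key: value" lines, and the fields that matter for a report are the organisation behind the address range and its abuse mailbox. The script below is an added example, not part of the original post: it parses two constructed records (addresses from the documentation range 203.0.113.0/24, placeholder organisations and mailboxes) and picks the matching provider form from the list above, falling back to the abuse mailbox in the record. The keyword-to-form mapping is an assumption made for the example, not an official lookup; the field names OrgName/OrgAbuseEmail (ARIN), org-name/abuse-mailbox (RIPE) and Registrar Abuse Contact Email (domain whois) are the ones these registries actually use.

```python
# Report forms listed on the page, keyed by a word that appears in the provider's
# organisation name in whois (assumption for the example).
REPORT_FORMS = {
    "amazon": "https://aws.amazon.com/forms/report-abuse",
    "google": "https://support.google.com/code/contact/cloud_platform_report",
    "microsoft": "https://portal.msrc.microsoft.com/en-us/engage/cars",
}

# Keys under which the registries publish an abuse mailbox (ARIN, RIPE, domain whois).
ABUSE_KEYS = ("OrgAbuseEmail", "abuse-mailbox", "Registrar Abuse Contact Email")
ORG_KEYS = ("OrgName", "org-name", "Registrar")

# Constructed record for an address range owned by a large cloud provider.
SAMPLE_GCP = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-CLOUD-NET
OrgName:        Google LLC
OrgAbuseEmail:  abuse@example-cloud.test
Comment:        constructed sample, not real whois output
"""

# Constructed record for a small hoster without a dedicated abuse form.
SAMPLE_OTHER = """\
% constructed sample in RIPE style
inetnum:        203.0.113.0 - 203.0.113.31
org-name:       Hypothetical Hosting GmbH
abuse-mailbox:  abuse@example-host.test
"""


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict of lists; comment (%/#) and blank lines are skipped."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def abuse_contact(record: dict):
    """First abuse mailbox found in the record, or None."""
    for key in ABUSE_KEYS:
        for value in record.get(key, []):
            if "@" in value:
                return value
    return None


def report_target(record: dict):
    """Prefer a provider's dedicated abuse form; otherwise fall back to the whois abuse mailbox."""
    org = " ".join(v for key in ORG_KEYS for v in record.get(key, [])).lower()
    for keyword, url in REPORT_FORMS.items():
        if keyword in org:
            return url
    return abuse_contact(record)


if __name__ == "__main__":
    for sample in (SAMPLE_GCP, SAMPLE_OTHER):
        print(report_target(parse_whois(sample)))
```

When you file the report, include the full URL, the time you received the message and the sender number; the abuse teams need the exact hostname to locate the tenant behind a shared platform like web.app.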
Lessons learned
As a recipient of a phishing attempt
- no bank, whichever one it is, will ever ask you to log in via SMS or email
- block the number on your cell phone in case of phishing attempts
- never open the link, even for testing purposes, as doing so can directly exploit security vulnerabilities
As an employer
- The company has a responsibility to regularly train its own employees so that they do not become victims of such attacks in the workplace
- Customer service needs to be explicitly trained to handle such reports from customers and non-customers alike. Everything else is negligent.
- Provide a form on the website or an email contact where suspicious activity can be reported, and provide feedback in a timely manner, see On Promise Cloud - Report Abuse
- Provide a security.txt
About Germany
Each of the different authorities has a local focus and evidently has no obligation to deal with such issues comprehensively. Organized crime takes advantage of this by spreading the individual pieces of a scheme across different jurisdictions, countries and continents.