Suspected server or data vulnerability and reporting a fraud site

Two days ago someone created a website that has the exact same domain of the company I work for, but missing one letter, and sent a mail campaign to many people that there is a promotion on the website, when you go to the website you (as professional IT people) would immediately identify it as a scam site, many people won't anyway, so they'd transact on that site, and they won't receive anything they paid for.

So we switched to panic mode to try and figure out what to do, and what I did as a DevOps is:

  1. Reported the website to PayPal (the only payment method available on the site), but apparently it takes long time and many disputed transactions to close a website.
  2. Reported the website to the domain registration company, they cooperated but stopping the website needs a legal order from a court or the ICANN.
  3. Reported the website to the hosting company, no response yet.
  4. Checked the WHOIS data, it's invalid they copied our company info and changed two digits in the postal code and the phone number.
  5. Reported the website to local police in Dubai but it also takes a lot of time and investigations to block a website.
  6. Sent an email to our customer base telling them to be aware and always check they're on our HTTPS site and check the domain name when they're purchasing.

My main concern was that many people who reported they got the email (more than 10) are on our mailing list, so I was afraid somebody has got some information out of our server, so I:

  1. Checked the system access log to make sure no one accessed our SSH.
  2. Checked the database access log to make sure no one tried and accessed our DB.
  3. Checked the firewall log to make sure no one accessed the server anyhow.

After that my concern switched to the mailing software we're using to send our email campaigns, we used MailChimp before and I don't think they would have accessed it, but now we're using Sendy, and I was afraid they accessed it, I checked the site forum and couldn't find that anyone has reported a vulnerability using Sendy, and also many emails registered in our mailing list reported they didn't get the email from the fraud site, so I got a little bit comfortable that no body got to our data.

So my questions are:

  1. What more can I do to make sure that no one got hold of our mailing list or data?
  2. What more can I do to report and maybe take down the site?
  3. Is there a panic mode list when you suspect unauthorized access to your server or data?
  4. How can you prevent future incidents like this?

  • question 2

It looks like the name servers and actual host for that domain are registered through ENOM, Inc. The site is hosted at EHOST-SERVICES212.COM. Try sending both spam reports and DMCA takedown notices to eNom and the server host. eNom abuse page is http://www.enom.com/help/abusepolicy.aspx

  • question 4 : Honeytokens

Seed your mailing list and database with one or more fake accounts that direct to email addresses or payment accounts you control.

If you get email or charges to the fake account, you can reasonably suppose the mailing list or database has been compromised.

See the Wikipedia article on honeytokens.


Seems you did really well so far.

Here are a few more hints :

  • 1 What more can I do to make sure that no one got hold of our mailing list or data?

Read application log, if any.

  • 2 What more can I do to report and maybe take down the site?

Make a whois on their IP adress and contact their ISP( according to comments "get your lawyer to draw up a 'cease and desist' type of letter threatening legal action"). In this case ENOM and DemandMedia.

whois 69.64.155.17

Report the scammer's site to as many institutions as possible (mozilla, google, ...) : They can add warnings in their applications to help mitigating the scam.

Make a dedicated web page on your site telling about this story.

  • 3 Is there a panic mode list when you suspect unauthorized access to your server or data?

Be sure to also read How do I deal with a compromised server? . There are lots of good advices in this question, even if your server has not been compromised indeed.

  • 4 How can you prevent future incidents like this? Educate your customer on the way you usually behave (eg : "We won't ever send mail content directly but rather a link you a custom page on our website")

It's hard to get a spoof/fraud site taken down, not impossible but usually very hard. There are third parties like MarkMonitor who can help out with this, but they are expensive. We've found them rather effective though, especially if the fraud side is clearly fraud/impersonating.