The Wonderfulness of Victim Abuse Notification

“Victim notification isn’t as straight forward as you think – some anecdotal stories as I vent a little.”

So you discover a botnet or victim log files, or perhaps a sinkhole to monitor C&C traffic.  Do you then attempt to notify the users registered to the hosts seen communicating with the C&C?  If it’s just a handful that makes sense, but what if it’s in the thousands or millions?  It can get complicated quick!  On the eve of our celebrated holiday July 4th I’ve been helping with victim notification related to espionage.  It feels good to make a difference for country, for businesses, for the right reasons.  It was not a simple process and did chew up a lot of time, which I think some of my readers will enjoy reviewing:

  • I called specific organizations easily identified within WHOIS for an IP beaconing to a C&C.  In most cases you get a generic call center type person or admin who is not technical. I got questions like “Could you say that again”, or “Now who are you with?”, or my favorite, “How did you discover this?”.  I answered one individual with a few details about espionage the campaign to which you could easily hear the pin dropping in the background as they are likely thinking, “this is Friday, what the heck is this call all about, espia’ what?!?”.
  • When I asked to talk to a chief geek, IT or manager I was put on eternal hold by one organization.  So much for direct notification.
  • I was successfully transferred to an IT/Security staff member at one organization who immediately informed me that he didn’t trust me and that this was social engineering.  I had to correct him stating that social engineering requires that I’m acquiring something and that, in this case, I’m simply providing him an IP and some IOCs to qualify a threat on his own network not asking for anything.  It’s great that some of our IT/Security staff are aware, but handling cold incoming calls is not our industry strength 🙂
  • I did send off notifications to a kagillion addresses linked to registered owners of IPs but most go to cable/network providers that may or may not handle it properly.
  • Years ago when I was performing victim notifications I found that the first person on the list was actually the fraudster himself.  That’s when I changed over to a non-attributable phone for notifications, and a fake identity, to protect myself in case fraudsters had tested their own C&C comms and/or set me up for that type of notification to themselves.
  • Sometimes providers simply forward abuse emails to registered owners within their network. In some cases that means that all abuse records, along with information on who is reporting the abuse, is sent to the fraudsters themselves.  Nice – your policy and governance related to abuse notifications within your network needs some serious updating!  This is why fraudsters often use certain networks, because of poorly administered or enforced policies such as this.

Every now and then you connect with someone on their A game.  They get it, they take notes, they remove the threat, they are thankful.  It reminds me of the story where thousands of sea stars are washed up on the shore.  A man is throwing them back into the ocean.  Another says, “Your crazy, you can’t save them all.”  His response is, “I saved that one.”  Here’s to the good ol’ red white and blue as we celebrate the 4th, our freedom, and our great country.  Let us all resolve to help someone else out and do our best, to fight the good fight, with honor and integrity, and give thanks to those who have and are serving to make and keep our country free.