Hi Swinogers
It's not an actual case we are involved in, nor did it happen in Switzerland, but I'm in contact with a registrar and hoster that is probably in this situation.
A customer registered a domain and booked a web and email service. The bookings were made in the name of an apparently newly created company. Everything looked legit; the domain owner wanted his privacy protected by a whois proxy provider.
That company sent emails to various recipients that led those recipients to its website to download some documents.
Those documents were infected with the Locky ransomware. It's clear that this is not a hacked site, but a site built purposefully to distribute that malware and make it look legitimate.
The hoster reacted quickly to complaints, took the site offline and removed the DNS entries to prevent further damage.
But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, the IP addresses used to upload the site, etc., to try to get hold of the gang behind that fraud as quickly as possible? Or would that break privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
-Benoît Panizzon-
Hi Benoit, Zwingers
On 16.12.2016 at 08:44, Benoit Panizzon benoit.panizzon@imp.ch wrote:
> Hi Swinogers
> It's not an actual case we are involved in, nor did it happen in Switzerland, but I'm in contact with a registrar and hoster that is probably in this situation.
This is unfortunately a common and realistic case. We had about 40 to 50 domain names in .ch and .li alone that were registered to operate TorrentLocker. As the operators make a lot of money with ransomware, they can afford to buy domain names and hosting, even if they can use them only for a few days.
> A customer registered a domain and booked a web and email service. The bookings were made in the name of an apparently newly created company. Everything looked legit; the domain owner wanted his privacy protected by a whois proxy provider.
> That company sent emails to various recipients that led those recipients to its website to download some documents.
> Those documents were infected with the Locky ransomware. It's clear that this is not a hacked site, but a site built purposefully to distribute that malware and make it look legitimate.
> The hoster reacted quickly to complaints, took the site offline and removed the DNS entries to prevent further damage.
> But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, the IP addresses used to upload the site, etc., to try to get hold of the gang behind that fraud as quickly as possible? Or would that break privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
You should inform the responsible CERTs (in Switzerland MELANI), the registry (for .ch and .li SWITCH, cert@switch.ch) and the registrar, if you are not a registrar yourself. Basically, this is to inform them about the malicious registrations and allow them to detect similar cases.
Handing over the logs to a CERT for victim notification doesn't make much sense in this case, as victims will most likely notice that they are infected.
I think you should also contact KOBIK/FEDPOL and report the case, as you are a victim. You should first ask them what data they need to investigate the case and then make your decision on handing over the data.
Best regards
Michael
> -Benoît Panizzon-
> ImproWare AG - Head of Commercial Customers
> Zurlindenstrasse 29, CH-4133 Pratteln, Switzerland
> Tel +41 61 826 93 00, Fax +41 61 826 93 01
> Web http://www.imp.ch
------------------------------------
Michael Hausding, Competence Lead DNS & Domain Abuse
SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 77, incident phone +41 44 268 15 40
michael.hausding@switch.ch
http://securityblog.switch.ch
[ Dear awesome folks from MELANI: Please present on this subject, "being a good netizen" / "What & how to report to MELANI", at the next SWINOG :) ]
On 2016-12-16 08:44, Benoit Panizzon wrote: [..]
> But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, the IP addresses used to upload the site, etc., to try to get hold of the gang behind that fraud as quickly as possible? Or would that break privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
Awesome question, better to ask beforehand than after ;)
Below all with IMHO and IANAL, nor working for MELANI etc.
Reporting to CERT/authorities (read for Switzerland: _calling_ MELANI) that you have such an instance in your network is the required thing to do if one is a good netizen (and we all are on SwiNOG :) ).
Inform them that you have noticed suspicious XYZ and that you want them to look at it.
They'll likely ask for a variety of things, at which point the authorities are asking you to release data about your network:
- IP address(es)
- hostnames / domains
- date stamps (UTC, NTP synced)
- Netflow/IPFIX/sFlow logs
*Flow is a standard 'accounting' procedure; thus having it is there to account, but also to provide logging. Of course make sure there is a little blurb in whatever EULA that you can change every day.
At one point they'll ask for customer details, at which point, if they claim they are allowed to do so, you could.
Thus: informing of the event is great; I assume that directly sharing the IP/hostname, which is a standard detail nowadays (all the abuse trackers and other mitigation things do so), might even be considered 'legal'.
Greets, Jeroen
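As an added illustration (not code from any poster in this thread), here is how a hoster could turn its web-server access log into the evidence set Jeroen lists for a CERT or FEDPOL report: UTC-normalised timestamps, the IP(s) that uploaded the malicious document, the IPs that downloaded it, and a SHA-256 of the hosted file. All log lines, IP addresses, the domain path and the file bytes below are constructed placeholders, not indicators from a real case.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample access log (Apache combined format, local time +0100).
# 203.0.113.7 plays the uploader; the 198.51.100.x / 192.0.2.x hosts are victims.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2016:09:12:01 +0100] "PUT /docs/invoice.zip HTTP/1.1" 201 0 "-" "curl/7.47"
198.51.100.23 - - [15/Dec/2016:10:03:44 +0100] "GET /docs/invoice.zip HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.88 - - [15/Dec/2016:10:05:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Dec/2016:10:07:59 +0100] "GET /docs/invoice.zip HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
192.0.2.14 - - [15/Dec/2016:11:41:02 +0100] "GET /docs/invoice.zip HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; timestamps are converted to UTC."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts.astimezone(timezone.utc),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def build_report(log_text, malicious_path, file_bytes):
    """Summarise who uploaded and who fetched malicious_path, with UTC bounds."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e and e["path"] == malicious_path]
    uploads = sorted({e["ip"] for e in events if e["method"] in ("PUT", "POST")})
    downloads = [e for e in events if e["method"] == "GET" and e["status"] == 200]
    times = [e["ts"] for e in events]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"path": malicious_path,
            "sha256": hashlib.sha256(file_bytes).hexdigest(),
            "first_seen_utc": min(times).strftime(fmt),
            "last_seen_utc": max(times).strftime(fmt),
            "upload_ips": uploads,
            "download_ips": sorted({e["ip"] for e in downloads}),
            "download_count": len(downloads)}


if __name__ == "__main__":
    # b"constructed" stands in for the actual hosted file's bytes.
    print(build_report(SAMPLE_LOG, "/docs/invoice.zip", b"constructed"))
```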