2020-05-18 19:53:03 +0300
Team, please see the notice below from our incident response team beneath my signature block. However, I need to point out a few things here.
I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we discussed that you purchased Nexcess, and that is why there is a different technical abuse contact. I had also re-submitted a ticket referencing the prior ticket, and someone at LiquidWeb was opening a ticket on the call to make sure they are on top of this.
On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this tenacious event. I was told that if this is a repeat offender, you will terminate the account altogether, but you wouldn't be able to share that info with us for privacy reasons. However, your team was conducting at the moment an internal investigation to see if they need to take different measures.
At that time, Scott put me on hold while he reached out to the security team.
At 2020-03-24 20:35:13 +0200, the Security supervisor was looking this over and it was going to take some time for them to decide the best course of action. The site was then down. I was told that if it re-surfaces, we can list the UTC date and time stamps that it came back online and your team might then be able to take further action without a court order. You said that if you check the logs and it doesn't match up, we would have to get the courts involved.
We have preserved a lot of evidence that the phishing has gone back up again after you took it down. For example, for your reference, we have uploaded a screenshot at https://perma.cc/SL7L-6XUE
This screenshot in the PERMA record captures hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
Load Date: Mon May 18 08:13:18 PDT 2020
IP Address: 69.167.190.92
HTTP Method: GET
Response Code: 200
Response Message: OK
Content Type: text/html
Character Set: UTF-8
Is HTML Page: true
Is From Cache: false
Local Content Length: 2.00 K
Overall Content Length: 319.19 K
Local Response Time: 4.97 s
Overall Response Time: 5.87 s
CPU Time: 76 ms
Dependent Requests: 5
Window Name: TopLevelWindow@79c734a4
Please take appropriate action. See all the confirmed URLs in the notice below.
Thanks,
Jonathan Matkowsky, Vice President - Digital Risk (SME)*
Incident Investigation & Intelligence (i3)
Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK)
RiskIQ: World Leader in Attack Surface Management
*GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA
This email does not create an attorney-client relationship or constitute legal advice.
**We have defanged URLs in this notice. In the identity and location of the phishing materials, please substitute "." for "[dot]", "http" for "hxxp", and "https" for "hxxps"**
****** ***** ***** ****** *******
Summary
Threat Activity Type: Phishing
Industry Impact: Financial
Spoofed Brand: American Express
Date and Time of Abuse: 2020-05-05 06:32 AM PDT
IP Address: 69.167.190.92
ASN: LIQUID-WEB-INC - Liquid Web, Inc., US
Identity and Location of Phishing Materials:
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&%3bid=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&%3bsession=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?cmd=www.ssaonline-account-service.com-update_submit&id=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb&session=93dd5ecd270aecd21435f29da5626bcb93dd5ecd270aecd21435f29da5626bcb
(individually or collectively, “Phishing Materials”)
****** ***** ***** ****** *******
Greetings,
Per the above summary, we write on behalf of American Express to request your assistance to mitigate a confirmed threat that appears to utilise your network resources for fraudulent purposes by hosting the Phishing Materials as identified above.
We would appreciate it if you would take all reasonable and appropriate steps to ensure your network resources are no longer being used to facilitate or contribute to this confirmed threat, which may include temporarily suspending the account until the Phishing Materials have been removed.
If you need any support or additional information during the course of your investigation, please let us know by reply email at your earliest convenience.
Thank you for your support in safeguarding the public.
Sincerely,
Digital Threat Incident Response Team
RiskIQ, Inc.
22 Battery St., 10th Floor, San Francisco CA 94111 USA
www.riskiq.com
Incident 54873584