Re: Network attack from S1 Corporation

["Kelvin" <kelvin () sec33 com>]

Wow, was that a lot of email...

To answer as many questions as I can;

If you remember the articles posted on sec33.com about Internet Banking and
such then you get a little clearer picture of what has been going on. The
articles stirred up a little bee's next in one particular vendor (S1) and
since those articles were posted I began to get quite a bit of attention
from them. I have ignored most of the malicious traffic until lately.

The emails were sent to: security () s1 com ; security () qup com | The email
addresses were confirmed before sending, as well as a hidden <image> was
placed in the body of the message. The image was picked up from my webserver
several times, for the two addresses that it was sent to, the images were
requested 5 times, so either they opened the message several times or
forwarded it.

I don't plan on attacking them back as some people have asked, I would just
assume that they understand that they can't do this.

Just since the posting of the log file information, the domain admin for
sec33.com received an email from the S1 Corporation stating that they would
investigate the issue.

It's obvious that they were blowing it off until it went public, then they
responded. But I have not heard anything since. It is possible that it is
just 1 person is doing it alone and others in the company are not aware, or
there has been a compromised machine(un-likely). But if that were the case,
I would have thought they would have acted after the first notification.

Almost forgot. No, I did not call.

Outline:

[Several weeks of spidering of sec33]
[Small DoS attacks on sec33]
[Email requesting the cease of scanning sent to S1] -> No response
[Re-directed their sec33.com HTTP requests to http://www.whitehouse.com]
[They got angry and attacked sec33.com]
[I drafted the email with the log information and made it public]
[Received email from S1 - investigating the issue]
[Different IP's are now continuously refreshing sec33.com]

<grin> And if it is any of ya'll messin with me after you read the email...
Damn You! <grin>

Thanks for all of the responses. - I swear next time I will think of every
conceivable question before posting.

./Kelvin

----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: "Kelvin" <kelvin () sec33 com>; "Sonny Samson" <sonofsamson () excite com>
Cc: <incidents () securityfocus com>
Sent: Thursday, July 26, 2001 3:38 PM
Subject: Re: Network attack from S1 Corporation


> Hhhmmm...
>
> > Interesting point,
>
> I'd say it's an interesting point, all right.  How
> long has this whole 'strike-back' discussion been
> going on?  Hasn't the fallacy (lunacy) of such a
> tactic already been beat to death?
>
> > An email was sent to the IT department at
> > S1 inquiring about the
> > spidering but was never responded to, I waited
> > another 4 days or so,
>
> If you don't mind me asking, do you remember the
> address you used?  Here's why I asked the question...I
> handle some of the more interesting 'abuse@' emails
> that come into my organization.  Even with all the
> discussion I've seen on the Internet that strongly
> recommends sending an email to "abuse@" or "security@"
> within the 'offending' organization, some folks come
> up with some of the strangest addresses to send
> reports to.  Some send them to 'ipadmin@'...and those
> that arrive there that have nothing to do with what
> IPAdmin really does just get sent to the bit bucket.
> Sometimes, I'll eventually hear about an incident, and
> call the complainant.  I'll get an earful, and when
> (if) they calm down, I finally try to get the email
> address that they sent their reports to...only to
> found out from our email admins that no such account
> exists.
>
> Even using email listing from NSI can be tricky, as a
> company may not keep the contact info up to date.
>
> So, I guess my next question is...if you felt so
> strongly about the situation, did you ever try calling
> the company directly, and getting someone in the IT
> department?  I've done that, with quite a bit of
> success.
>
> > At this point, I thought if the situation were
> > reversed this is would be
> > very straight forward.
>
> > From my understanding of the convential wisdom on this
> issue, attacking someone back often does more harm
> than good.
>
> > They use random machines
> > that belong to employees
> > to scan and DoS the site.
>
> It almost definitely sounds more like compromised
> machines than it does a 'spidering' effort.
>
> > I wonder if they think that they are untouchable,
> > and in many cases they may
> > be. I am going to leave it lay for a while. Unless
> > anyone has any better
> > ideas on how to handle it. Maybe they will get
> > bored. ;-\
>
> Maybe they aren't even doing it intentionally.
>
> Have you tried calling the company?
>
> __________________________________________________
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com