Phishing awareness gone wrong: Facebook tries to seize websites set up for staff security training

Where is human decision making?

In another thread* Google's use of automated decision making is covered.

In this one we must assume a human chose to pursue this matter against a valid security training company.

But the outcome is broadly the same- a bloody stupid decision is made without any sense of human common-sense, case-by-case, judgement.

I had joked in that thread that maybe there weren't any humans and they were really being run by computer.

But I'm starting to think it wasn't a joke.

----------------------------------------------------------------------------------------------------------------------------

* https://www.theregister.com/2021/02/08/terraria_developer_cancels_stadia_port/

Clickable links

Where I work we get fairly regular phishing test emails from seemingly legitimate sources with seemingly legitimate links, no problem with that.

If you are caught you then get an email with a link directing you to take a training course.

That email comes from a seemingly legitimate source with a seemingly legitimate link.

I report those emails to the phishing team and don't click on the link.

It has been like this for years.

Why they can't email me saying something like 'log in to your personal training portal on the intranet where a course link will be available'?

That would seem sensible to me.

Just a personal rant I know, but as I can't go to the pub El Reg is my new best mate ever.

Cybersquatting anyone?

Cybersquatting is a real problem and training people to pay attention to what they type and the site itself is a good idea.

Differences in law?

In the UK, a trademark is fundamentally attached to a business class (essentially its type of activities), so for example "knots" could in principle be trademarked independently by a string tangling service and a marine speedometer manufacturer.

Maybe it's different in the USA, but it would seem that the activities of farcebook and Wombat are sufficiently different not to cause confusion (at least I would, hope so).

Are they both 'right'?

Facebook, Instagram etc. are rightly protective of their registered names, and do not want anyone pretending to be them. Proofpoint and Wombat security provide security training to companies, which includes spoof phishing emails, and there are lots of actual phishing e-mails pretending to be from Facebook and Instagram (I even got one purporting to be from the UK's MI5 at work once).

Surely the solution is for 'responsible' organisations to register some of these mis-spelt domains for the use of security training and allow companies like Proofpoint to use them for training? That way the actual decoy websites used by criminals can be blocked, the training ones left as allowed at the firewalls and everyone is happy?

The problem is that Proofpoint should have asked for permission from Facebook and Instagram first.

Not so clearcut

Assume that it has come to your attention that someone has registered a domain that is obviously designed to be mistaken for your company domain. Would you (a) assume that it must be a security training company (b) someone wanting to trade on your company's goodwill or (c) someone intending to launch a phishing scam?

Personally I would think it could be any of those possibilities.

Who should be responsible for finding which of the three situations is the case? Bearing in mind that just because the web page accessed by the URL "www.theregitser.com/login" takes you to a page saying that it is a security test does not mean that there is not another page with the URL "www.theregitser.com/accounts/payments" that is a phishing attack. Or just because the person who registered the domain goes under the name of "Security Consultants Ltd" does not mean that they must be one of the good guys. Believe it or not, there are blackhats who masquerade as whitehats. (Are we allowed to use those terms these days?)

Is it not easier to just pull the plug on the domain and let the registrant fight to get it back by proving innocent intent than to conduct an in-depth investigation?

Anyway, maybe someone should register "proofpoirt.com" and see whether the company in question has any objections.

NameCheap

I'm not defending either Facebook or ProofPoint on this issue but from my own personal experience, if you DID want to create a malicious phishing website... NameCheap is the go-to registrar for such a thing.

Proofpoint just wants a good sales pitch

Phishing and legitimate emails are indistinguishable today because businesses and spammers are using the same "customer loyalty" companies. Oracle and SendGrid are big and there must be hundreds of fly-by-night trackers on AWS. I've configured my mail server to refuse those networks for it's own health and survival.

I don't like Facebook

But...

A) Nowadays you don't need any real domain name to do phishing. Most phishing is done by people clicking the wrong links in an email or by malware infecting a legitimate site or the web browser. Infecting Apps or doing fake Apps is also becoming more and more common.

B) Any time those domains could either be seized by bad actors or infected by malware.

Proofpoint are doing it wrong

Let's say you want your staff to have some training to recognise dodgy links. Why do www.instagum.com & www.fakebook.com actually have to exist on the internet? Shirley you would use your internal DNS to point them at a local server.