Beware HN: The rise of weaponized "abuse" reports
The most unscrupulous reputation management company I've ever dealt with (izoologic) has apparently figured out that "phishing" is the best way to get what they want. They claimed a user-generated page on my site was phishing for credentials (because it happened to mention their client's name and had a login form on it). I got this from Namecheap:
""" We are writing from the Namecheap Legal and Abuse team.
It has come to our attention that phishing content is displayed on your website at the link:
[URL to an entirely innocent page]
As a reminder, phishing is expressly prohibited by our Universal Terms of Service Agreement, paragraph 7. "Acceptable Use Policy (AUP)" at https://www.namecheap.com/legal/universal/universal-tos.aspx
We need you to act promptly in removing the reported content within the next 24 hours. While we always try to avoid having to interrupt our customers' services, if we receive no response from you or no action is taken within the mentioned time frame, unfortunately, we will be forced to suspend the domain until the matter is resolved. """
From my logs, I can see Namecheap didn't even visit the page before requiring me to take it down within 24 hours. If I had been on vacation, apparently my domain would have been suspended.
If you accept user generated content, you need to be vigilant about handling these weaponized abuse complaints. They can take down your business in a day if you are not paying attention.
29 comments
[ 0.41 ms ] story [ 14.3 ms ] threadThey almost always use some ridiculous cyber-scare language. "Confirmed digital threat incident", is one of my favorites.
Like the false DMCA spammers, I doubt they review the content in question before sending their boilerplate.
""" The preceding report appears to have been sent to you in error. Please accept our apologies for the mix-up and the false positive alert.
Please let us also assure you that we do value our long-term partnership with you and value you as our loyal customer. The situation experienced is no more acceptable to us than it was to you.
Such a time frame was specified in our initial email as phishing is considered to be a time-sensitive issue. However, we try to extend the time frame provided to our loyal customers to the maximum possible extent. Hence, the 24-hour time frame would have been extended in case of no-response from your side and we would tried to reach you again. """
I CC'd the CEO, but haven't heard anything direct. I can't have my domains with a company that has their trigger finger glue to the "suspend" button. I just don't know who else to register with. It's all a race to the bottom in terms of service and pricing. There doesn't seem to be a middle ground between MarkMonitor and Namecheap.
I contacted their support and after 1 hour of no one possibly accepting that it was a bug (just insisting over and over I clear my cache, use a specific version of Chrome etc) I got fed up. I’m a front end dev. I could see clearly one of their APIs the page depended on was serving a 500.
Anyways I transferred my domains and haven’t missed anything. I was already using cloud flare for DNS though.
sure they are not as bad as godaddy at the moment, and maybe they are better than nanecheap at abuse complaints, but I'm not sure of that.
They have ejected customers over complaints, and they have stated they now actively inspect what your users post and report things to three letter places with chains and guns, as well as censor / eject customers based upon a shifting view free speech / well, not all speech but most, depending on the year.
My recent report to cloudflare of a customer of using cloudflare to hijack one of my domains led me to a loop of "we are experiencing a heavy load of support requests and our company is suffering with reduced support staffing for (cant remember, the freeze in tx? covid or something?) - not a huge deal but whatever - similar to google, when you don't spend a lot of money for support it's hard to complain about it I guess.
As the original poster mentioned user generated content, it would not be hard to create issues and weaponize cloudflare's censoring / reporting hammer imho.
Indeed it is a tough to beat combo, but not for the issues the OP was describing imho.
And I'm well aware it's against guidelines to even comment about this on HN, but it's directly relevant to the content of the post and the health of HN as a whole.
Dropped from 37 to 41 in the minute it took to write this.
I also wondered if this would be related tot he deluge of bad things from the forChaan harass book. No it's not fun learning from the receiving end on what they call the forChaan party vaan, and the other associated weaponization of things around all that.
In my experience, some takedown groups send emails to the hosting company, the contacts for the site and google. Google has a non-transparent site downranking based upon some hidden percentage of complaints for something.
One of my sites actually has something in the search results mentioning complaints and is essentially gone.
Many ways to hurt people from afar using tech, I'm not even sure many of the people sending complaints know the ripple damage that can occur. Just one of the joys of non-decentralized / non-transparent interwebs.
1. Fraudster buys a "phish kit" - a crappy PHP script with a skinned login page that emails them credentials
2. Fraudster finds one or more compromised websites (read: small WordPress blogs) and sticks the phish kit there on some new page
3. Fraudster spams a bunch of people with a link to the phish kit
Most of their responses will probably be collected within 24 hours. Most webmasters of exploited sites don't pay attention or have a clue how to remediate issues. This means that it's standard practice to also send phishing reports to registrars and hosting companies in addition to contacting the site's owner and reporting to unified blacklists.
Some phish kits block certain IP ranges to make them harder to detect (e.g. a PayPal phish kit might block PayPal's corp IP range).
There was an incident a few years ago where an article talked about Facebook changing its login system. This article ended up being the top Google result for the search "Facebook login". What happens? Hundreds of angry comments asking "Why did you change the login page?!? "How do I login to Facebook, this is so complicated", etc, etc.
The "reputation management company" shouldn't have a case, but well, idiotically, they have a little one.
Another thing I've seen is a blog article talking about how to cancel Amazon Prime. In its comments: several dozen people writing "My Amazon prime account is XYZ, I would like to cancel it please."...