New web service can notify companies when their employees get phished
Starting today, companies across the world have a new free web service at their disposal that will automatically send out email notifications if one of their employees gets phished.
The service is named "I Got Phished" and is managed by Abuse.ch, a non-profit organization known for its malware and cyber-crime tracking operations.
Just like all other Abuse.ch services, I Got Phished will be free to use.
How I Got Phished works
Any company can sign-up via the I Got Phished website. Signing up only takes a few seconds.
Subscribing for email notifications is done on a domain name basis, and companies don't have to expose a list of their employee email addresses to a third-party service.
Once a company's security staff has subscribed to the service, I Got Phished will check its internal database for email addresses for the company's email domain. This database contains logs from phishing operations, with emails for phished victims.
If I Got Phished finds an email address for that domain, they'll notify the company's security staff. The email notification looks like the sample below.
To prevent unauthorized individuals from hijacking a company's phishing notifications, I Got Phished will only send out notifications to official emails like: abuse@company.com, security@company.com, noc@company.com, or postmaster@company.com.
While Abuse.ch built the I Got Phished service, the idea came from a system administrator known on Twitter as @JayTHL, the same person who founded Cryptolaemus, a cyber-security group that keeps track of the infamous Emotet botnet.
The source of the data
The source of the data in the I Got Phished databases are logs collected by cyber-criminals conducting phishing operations. Many of these logs are stored online, in the web panels of command-and-control servers and phishing toolkits.
Some of these services are either not protected by a password, or are woefully insecure, containing vulnerabilities that allow security researchers to access the backend and retrieve information about who got phished.
Security researchers often collect this data and notify victims. Some do it through their employers -- cyber-security or antivirus companies -- while others do it privately, as a hobby, such as @JayTHL.
Seems someone "not one of the least important persons" at @NFL got phished. The creds were entered to the phishing site from the network of "National Football League".
— MalwareHunterTeam (@malwrhunterteam) January 15, 2020
If anyone reading this knows someone at NFL, let them know contact @JayTHL for details. Today would be great... pic.twitter.com/rnZ4tQP4pY
Abuse.ch said the I Got Phished database is made up by submissions from the cyber-security community. Currently, the I Got Phished database includes data on nearly 3,000 phishing victims, spread across more than 2,500 email domains.
"A vast amount of these domains belong to SMBs [small and medium-sized businesses] but also to big organisations who are listed at stock exchanges around the globe," an Abuse.ch spokesperson told ZDNet in an interview today.
"Sadly, phishing appears to be still a big issue even for Forbes Global 2000 companies," he added.
The I Got Phished website currently lists an email address and API that security researchers can use to submit new logs obtained from ongoing phishing operations.
Every time new data is added to the I Got Phished database, all subscribing companies also receive an alert, in near real-time.
This notification will allow security teams to reset passwords for any phished employee, reducing the window of time that hackers have at their disposal to abuse the compromised credentials.
According to Absue.ch, the service might expand in the future to include logs from other types of credential compromises, such as keyloggers or infostealers, however, there's no immediate timeline for such an expansion just yet.
Deploying 2FA should prevent most phishing attacks
Abuse.ch told ZDNet that many companies would easily mitigate the danger of employees falling to phishing attacks if they'd only deploy two-factor authentication for corporate accounts.
Microsoft encouraged companies to do the same last year. The company said that using multi-factor authentication blocks 99.9% of account hacks, including phishing attempts.
Phishing toolkits to bypass 2FA exist, but Microsoft said these attacks are so rare they don't even have statistics on them.