2020-07-13
Ops Initiative Workshop
- EDELIV parent ticket: https://jira.aweber.io/browse/EDELIV-4083
- Eric to look into CoreAPI changes needed for common-rabbitmq migration.
Looking at Sites RabbitMQ publishing
- Enlightener
- Billing
- Also updating with new control-panel credentials
- Sites (docker) common-rabbitmq migration changes: https://gitlab.aweber.io/CP/applications/sites/-/merge_requests/5258
- Sites (Puppet) common-rabbitmq migration changes: https://gitlab.aweber.io/PSE/config-management/puppet/-/merge_requests/158
Compromised Account Credentials
Tom Kulzer Today at 1:03 PM @MeghanN @correlr we are seeing major issues with account credentials being compromised by someone who's sending phishing emails. @Josh Smith ID'd that they are likely using bots to test credentials from other sites' data compromises and catching people who have logins where they use the same email/password elsewhere. Our data on the login dashboard appears broken. https://aweber.slack.com/archives/CF62W5U10/p1594645641053600 https://grafana.aweber.io/d/000000530/account-logins?orgId=1&refresh=5m Does anyone have suggestions on how we can be preventing or catching these kinds of compromises better?
Ian Ratti The PayPal phishing abuser is now logging into old accounts to send phishing notices. Some recent accounts: https://admin.aweber.io/account/index/1515621# https://admin.aweber.io/account/index/1506549# https://admin.aweber.io/account/index/1516301# Now logging in from Egypt and promoting the same phishing page links (https://wlpork.co.za/) on these two older accounts, starting 7/11/20, that were previously inactive for years: https://admin.aweber.io/account/index/247035# https://admin.aweber.io/account/index/304061# (sent in a request to close due to the compromise; found this via the 8 huge imports waiting in review)
Tom Kulzer 21 minutes ago: thoughts I've had:
- sift.com has an account takeover product that we’re not using and could potentially, but it’s expensive and wouldn’t have the historical data on these accounts that’d be necessary to catch these specific bad actor instances.
- email alerts when someone logs in with an IP or region different than they’ve done in the past.
- do some sort of cross match on publicly available compromised account password files to see if we have crossover and force reset passwords on those users.
- force an email verification click when someone logs in from a different region than they’ve historically logged in from.
I’m not sure on other ideas.
Brian H has been tackling this so far: https://jira.aweber.io/browse/CCPANEL-10593
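Added example (written by the editor; not a message from the thread above and not AWeber code): the three signals the thread describes, a successful login from a country the account has never used, an account dormant for years suddenly logging in, and one source IP walking through many accounts in a few minutes, implemented as checks over constructed sample login events. The event fields, the sample data, the GeoIP country values, the 365-day dormancy threshold and the 5-accounts-in-10-minutes threshold are all assumptions; the cross-check against public breach password lists from the thread is not shown here.

```python
"""Three login-anomaly checks over constructed sample events.

Added example; assumes a login-event feed with
(timestamp, account_id, source_ip, country, success). In a real pipeline
the country would come from a GeoIP lookup; here it is part of the sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Fields:
# ISO timestamp, account id, source IP, GeoIP country, login succeeded?
SAMPLE_EVENTS = [
    ("2020-07-01T09:00:00", "A1", "203.0.113.10", "US", True),
    ("2020-07-05T10:00:00", "A1", "203.0.113.10", "US", True),
    ("2016-03-02T12:00:00", "A2", "203.0.113.20", "US", True),
    ("2020-07-11T02:13:00", "A1", "198.51.100.7", "EG", True),
    ("2020-07-11T02:15:00", "A3", "198.51.100.7", "EG", False),
    ("2020-07-11T02:16:00", "A4", "198.51.100.7", "EG", False),
    ("2020-07-11T02:17:00", "A5", "198.51.100.7", "EG", False),
    ("2020-07-11T02:18:00", "A6", "198.51.100.7", "EG", True),
    ("2020-07-11T02:20:00", "A2", "198.51.100.7", "EG", True),
    ("2020-07-12T15:00:00", "A7", "192.0.2.5", "DE", True),
]


def parse_events(raw):
    """Turn raw tuples into dicts with real datetimes, oldest first."""
    events = [
        {"ts": datetime.fromisoformat(ts), "account": acct, "ip": ip,
         "country": country, "ok": ok}
        for ts, acct, ip, country, ok in raw
    ]
    return sorted(events, key=lambda e: e["ts"])


def new_country_logins(events):
    """Successful logins from a country the account never logged in from.

    An account's first successful login seeds its history and is not
    flagged. Returns (account, timestamp, country) tuples.
    """
    seen = defaultdict(set)
    flagged = []
    for e in parse_events(events):
        if not e["ok"]:
            continue
        history = seen[e["account"]]
        if history and e["country"] not in history:
            flagged.append((e["account"], e["ts"].isoformat(), e["country"]))
        history.add(e["country"])
    return flagged


def dormant_reactivations(events, dormant_days=365):
    """Successful logins after more than dormant_days without one.

    Returns (account, idle_days) tuples.
    """
    last_ok = {}
    flagged = []
    for e in parse_events(events):
        if not e["ok"]:
            continue
        prev = last_ok.get(e["account"])
        if prev is not None and e["ts"] - prev > timedelta(days=dormant_days):
            flagged.append((e["account"], (e["ts"] - prev).days))
        last_ok[e["account"]] = e["ts"]
    return flagged


def stuffing_sources(events, min_accounts=5, window_minutes=10):
    """Source IPs that hit at least min_accounts distinct accounts
    (successes and failures both count) inside any window_minutes window.
    Returns {ip: max distinct accounts seen in one window}."""
    by_ip = defaultdict(list)
    for e in parse_events(events):
        by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    suspects = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            accounts = {x["account"] for x in evs[i:]
                        if x["ts"] - start["ts"] <= window}
            if len(accounts) >= min_accounts:
                suspects[ip] = max(suspects.get(ip, 0), len(accounts))
    return suspects


def login_action(history_countries, country):
    """Policy hook: step up to an email verification click when the
    country is unseen for an account that already has a history."""
    if history_countries and country not in history_countries:
        return "require_email_verification"
    return "allow"


if __name__ == "__main__":
    print("new-country logins:", new_country_logins(SAMPLE_EVENTS))
    print("dormant reactivations:", dormant_reactivations(SAMPLE_EVENTS))
    print("stuffing sources:", stuffing_sources(SAMPLE_EVENTS))
```

On the constructed sample the first check flags A1 and A2 (both moved from US to EG), the second flags only A2 (idle for over four years), and the third flags 198.51.100.7 for touching six accounts in seven minutes. The step-up hook is deliberately separate from the detectors so the same history can drive both an alert and an in-line verification challenge.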