Storage spoofing is a persistent, port-specific form of cybercrime that continues to plague our industry. The 11th FERM Port Cyber Café took place on Thursday 23 May. At the meeting, which was all about cyber incidents, we again reflected extensively on tank storage spoofing.
[this article in Dutch? Click here]
Part of the Port Cyber programme was a presentation by Willem van Aken, HSSE Manager at HES, in which he gave a brief explanation for those as yet unfamiliar with the term ‘spoofing’ or ‘Tank Storage Spoofing’ and the many unpleasant consequences of the trade in non-existent goods via a fake website resulting in various physical and other consequences at the port. Fake websites are also an often-used tool to mislead you with deals relating to non-existent storage. As we already wrote in our coverage of the cyber session, Willem shared his complete presentation with us, including various practical tips on how to handle such websites, so that we can return to this in detail.
Storage Spoofing
Storage Spoofing is a collective term for the sale of non-existent storage capacity and stocks of raw materials and other materials in terminals in the Rotterdam port area. The target groups are, first and foremost, national and international entrepreneurs and potential buyers who are offered products that apparently do not exist. Some companies with storage terminals in the port area have also been potential victims of this form of fraud, as their name and network can be misused by cyber criminals. You can read all about this on ferm-rotterdam.nl/storage-spoofing.
Fake websites
Willem’s presentation showed how these websites generally work and focused particularly on his own approach. False websites, often a copy or an imitation of established names and domains, are often the starting point. Willem’s story focused on what companies confronted with this can do to try to take such websites offline – something that, unfortunately, happens fairly frequently to such large international companies as HES.
Step-by-step plan: how to take a false website offline
Falsified contracts are offered on fake websites. The websites are generally partial or complete copies of existing websites, in which image material, location details and even company names are copied. An example from the HES presentation used the domain name https://botlektankterminals .net (deliberately made not clickable to prevent the website from receiving a higher Google ranking). The website is currently still online.
NB. We already discussed how to recognise fake websites extensively in this article, so we will leave out that part of the presentation. We’ll focus now on a step-by-step plan for anyone wanting to take a fake website offline.
You can see that the fake website even has an https URL, but no name is displayed in the browser bar. As comparison, on an official HES website, https://hesinternational.eu, HES International B.V. is stated next to the URL at the top. This is called an EV (Extended Validation) SSL certificate, which gives websites a professional and reliable look. It also increases conversion rates. You can also find that same certificate on the FERM website: Havenbedrijf Rotterdam NV is stated in the browser bar, because ferm-rotterdam.nl is one of the Havenbedrijf (Port Authority) domains.
Domain registration
The registration of domain names is organised on a top-down basis. In the first instance, a website is registered with ICANN, the Internet Corporation for Assigned Names and Numbers. They are responsible for the generic top-level domains, such as .nl and .com, but also for such as .nokia and .netflix. Then you have the TLDs, the Top-Level Domain registrars. For the .nl domain that is SIDN (Stichting Internet Domeinregistratie Nederland).
All top-level domain names can be found on https://www.iana.org/domains/root/db. You can also see who the TLD manager is. The .nl domain in the list on that page indeed shows that SIDN is the TLD manager.
Then there are the registrars, companies who register a domain name on behalf of companies, institutions or persons. Registrars also often provide a DNS service. Registrars compete to provide the best service and price.
Step 1: find the registrar and/or hosting platform
A website comprises two elements: the domain name (www.ferm-rotterdam.nl) and the content, such as the text you are currently reading. The domain name is registered with the registrar; the content is saved at the hosting platform. In other words, the registrar is only responsible for registering the URL, while the host has control over the content. The latter is therefore the most important, but you should ideally approach both parties.
To find the hosting platform, you can carry out a domain name search on the following commonly used websites:
– https://whois.icann.org
– https://www.sidn.nl/whois
– https://hostingchecker.com
– https://godaddy.nl/whois
Step 2: check how to approach the hosting platform
The next step is to check on the hosting platform’s website how they handle complaints. A hosting platform will have an e-mail address such as abuse@hoster.com or legal@hoster.com that you can contact, but they could also have a ‘Report Abuse’ button or an online form that you need to complete.
In the HES example, Namecheap is the hosting platform of the fake website, which can be found https://www.namecheap.com. The ‘Report Abuse’ button can be found at the bottom right on this website beneath the footer, under the heading Support.
Step 3: collect documentation about the fake website
To make a case at the hosting platform, you should collect incriminating material about the false website. For instance, take screenshots and copy these to a Word document so that you can indicate what is incorrect: a company name is being misused, an old logo is being used on the website, the contact details are incorrect, etc. You should always do this in English.
Use your Word document to make the differences clear between the/an official website from your company and the fake version that you want to take offline. Use a heading such as ‘phishing’ or ‘NTD’, which stands for Notice and Take Down, as these can strengthen your case and hosting platforms are sensitive for this. Also produce an overview of copyright violations, intellectual property, unauthorised use of text, images, slogans, banners, etc. Finally send a copy of your company’s Chamber of Commerce details.
An online form (such as the one after the ‘Report Abuse’ button) does not always offer the option to submit your evidence, either because it does not allow you to add an attachment or because there is no free text field. In such cases, request a response by e-mail so that you can send this information later. It also helps to notify the hosting platform/registrar of the fact that they are now informed of the fraud and therefore have a responsibility to act on your request; in other words, do everything possible to take the website concerned offline.
The result? Check out botlektankterminal.nl – because this is now offline! And the same currently applies to botlektankterminal .com, .net, iffavourites .com and a handful of others in which the HES or Botlek Tank Terminal company names were being misused. A version with an added s, botlektankterminals .net, appeared a few weeks ago and is currently going through the HES step-by-step plan….
It is, unfortunately, a time-consuming and frustrating business, but it does work.
You can find our complete series on Storage Spoofing here
