I'm quite frightened, as I have never had a similar situation, so I'm reaching out to you to see what's the best way to handle it.
I received a few emails in the past few weeks saying they found a vulnerability in my website,
and sent a forged email to my email address that appears to originate from my website because of a DMARC record
Vulnerability : DMARC Record issue
DMARC record lookup and validation for your site.
"DNS Record not found"
I systematically ignored them, taking them as spam and assuming they would eventually stop. I was wrong! Today the email changed tone, more menacing, and says:
"We were expecting £100 for responsible disclosure of vulnerability.
Furthermore we would like to disclose vulnerability report on our blogs for research and educational purpose."
What would you advise? Contact the police? Rectify this DMARC record first, to avoid problems on my site?
Thank you in advance for your help
Thank you so much for reaching out to our community. My name is Olivia and I'm part of the Shopify Team.
I'm sincerely sorry to hear you are having this experience; I definitely understand how troublesome phishing attacks such as this can be. The only two email addresses you can expect us to contact you from are email@example.com and firstname.lastname@example.org. Though fraudulent emails can be deceptively clever, there are a few tell-tale signs to watch out for to recognize the validity of these communications. Some of these tell-tale signs include:
A phishing message might even ask you to complete the following tasks:
In case you did complete any of those requests, please make sure to delete any files downloaded to your computer, and also to change your password and enable 2-step authentication. Under no circumstances should you make a payment to unknown third parties or share any banking information.
Once you have identified an email as spam/fraudulent, you may safely move the sender to a blocklist to block future contact attempts. Your email provider likely includes a setting to move the sender to your junk/spam folder and report them, as described in this Gmail support link.
Shopify is growing every day, and in turn scammers and fraudsters target us and, in your case, supplier policies such as DMARC (Domain-based Message Authentication, Reporting and Conformance), for their personal gain. To protect against this, we have very strict protocols and security implementations in place. Not only are these very secure, but we are also growing our security team to continue protecting our merchants against phishing scams and fraudulent emails.
To help us put preventative measures in place, please forward any emails posing as Shopify as an attachment to email@example.com. Once we get those forwards from you, we can work on improving our defence strategy and further strengthening our processes.
Please let me know if I can offer any further advice,
Thanks for your email, but I'm not sure the situation has been fully understood.
The emailer never posed as coming from Shopify; he simply says that he found a vulnerability on my site, then asked for a reward for having informed me about this, and now asks for £100, otherwise he will share my website information and the vulnerability on the net.
We've also been receiving these emails. Again, not claiming to be from Shopify itself, but the wording is nearly identical. The only difference is our sender is demanding £150 from us. We'd also appreciate some clarification on how best to proceed in dealing with this. We've not responded to them at all as yet.
Whilst the sender is not claiming to be from Shopify, he is clearly targeting Shopify merchants.
Thanks for getting back to me, @Antonello!
I appreciate you providing me with that extra context, and I'm sorry to hear you are also facing this, @atomictea. Rest assured, even though these phishing attacks are not posing as Shopify, our number one priority is to keep your business safe and help you navigate this situation.
Let's discuss what DMARC is in further detail to help us understand the validity of this email and address any security concerns that have arisen from it.
DMARC: Domain-based Message Authentication, Reporting & Conformance, or DMARC, is a protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message. DMARC makes it easier for Internet Service Providers (ISPs) to prevent malicious email practices, such as domain spoofing in order to phish for recipients' personal information.
DMARC was built by several large internet organizations to work on the problem of email spoofing - a social engineering attack where the target's trust is gained by crafting an email to appear as if it is coming from the legitimate source.
Services that use DMARC
- Yahoo (ymail, rocketmail, yahoo, etc)
- Hotmail (Microsoft)
- this list is growing every day; for a full overview click here
How does this affect stores on Shopify?
Let's say the customer email address you added under Admin > Settings > General employs DMARC policies. This could potentially result in Shopify being prevented from sending emails as your domain (i.e. order confirmation emails), and those emails being rendered undeliverable. When the email address you set up is on a custom domain, you want to ensure that all email is delivered to your customers, in which case you might set up an SPF record. You will likely only do this if email deliverability is an issue for your store and your emails are being marked as spam by your customers' providers. This is described in great detail here.
Who should set-up a DMARC rejection record?
Only a handful of large, enterprise-size merchants will need to set up DMARC rejection records. This can lead to an increased number of bounces sent from the store email address. If you have a large store and/or you have had problems with phishing in the past, then you may be inclined to set up these extra safety measures. Reports can then be monitored to understand if there is any unauthorized use of your domain. This set-up is not required for all merchants.
Learn more on the DMARC - FAQ page.
What should you do?
If you get any further messages you can respond by directing them to our official Shopify Bug Bounty program at https://hackerone.com/shopify. This allows direct contact with our security team for these individuals which is the best response. Do not engage with them any further than that.
Furthermore, the Federal Trade Commission (FTC) has important information on reporting phishing attacks. You can view their recommendations through their help page. You may also report the phishing attack through their website at ftc.gov/complaint.
Please connect with me if you have further questions.
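The "DMARC record lookup" the extortion emails refer to is something you can reproduce yourself in a minute. The script below is an added example for this thread, not Shopify's code and not anything the emailer sent: it answers DNS from a small constructed in-memory zone (the domains example-shop.test and nodmarc.test are hypothetical) so it runs offline, parses the `_dmarc` TXT record the way a receiving mail server would, and reports what happens to a spoofed message. It also prints the monitoring-only record (`p=none` plus a `rua` reporting address) that is the usual first step, which changes nothing about delivery and fits the point above that a rejection policy is not needed by every merchant. The `include:shops.shopify.com` SPF mechanism is an assumption taken from Shopify's own help pages; check the current documentation before copying it. To run the same lookup against a live domain, replace `lookup_txt()` with a real resolver (for example the `dnspython` package), or simply run `dig +short TXT _dmarc.yourdomain.com` from a shell.

```python
"""Added example (not Shopify's code): offline DMARC/SPF record check.

DNS answers come from a constructed zone so the script runs without network
access; swap lookup_txt() for a real resolver to test a live domain.
"""
from typing import Dict, List, Optional

# Constructed zone (assumption): example-shop.test is a hypothetical merchant
# domain with SPF and an enforcing DMARC policy; nodmarc.test has SPF only,
# which is the state the emailed "vulnerability report" complains about.
# include:shops.shopify.com is the SPF include Shopify's help pages document
# for custom sender domains; verify it against current documentation.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "example-shop.test": ["v=spf1 include:shops.shopify.com -all"],
    "_dmarc.example-shop.test": [
        "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example-shop.test",
    ],
    "nodmarc.test": ["v=spf1 -all"],
}

VALID_POLICIES = ("none", "quarantine", "reject")


def lookup_txt(name: str, zone: Dict[str, List[str]] = CONSTRUCTED_ZONE) -> List[str]:
    """TXT strings for a name; empty list if the name does not exist."""
    return zone.get(name.lower().rstrip("."), [])


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into tag=value pairs.

    Returns None when a receiver would treat the record as unusable: 'v=DMARC1'
    not first, 'p' missing or not none/quarantine/reject, a tag without '=',
    or a 'pct' outside 0..100.  Validators flag such records as findings.
    """
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        return None
    return tags


def find_dmarc(domain: str, zone=CONSTRUCTED_ZONE) -> Optional[Dict[str, str]]:
    """Parsed policy at _dmarc.<domain>, or None when it is absent ("DNS Record
    not found").  A real receiver would also fall back to the organisational
    domain for subdomains; that needs the Public Suffix List and is omitted."""
    for txt in lookup_txt(f"_dmarc.{domain}", zone):
        if txt.strip().lower().startswith("v=dmarc1"):
            return parse_dmarc(txt)
    return None


def spf_record(domain: str, zone=CONSTRUCTED_ZONE) -> Optional[str]:
    """The domain's SPF record if exactly one exists (two is a permerror)."""
    found = [t for t in lookup_txt(domain, zone) if t.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None


def dmarc_disposition(tags: Optional[Dict[str, str]],
                      spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """What an enforcing receiver does with one message: DMARC passes if SPF or
    DKIM passes *and* is aligned with the From: domain; otherwise the published
    policy applies.  With no record there is no policy, so a forged message is
    delivered as if nothing were published ('none')."""
    if tags is None:
        return "none"
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return tags["p"].lower()


def assess(domain: str, spf_aligned_pass: bool = False,
           dkim_aligned_pass: bool = False, zone=CONSTRUCTED_ZONE) -> Dict[str, object]:
    """Summarise a domain the way the emailed 'vulnerability report' did."""
    tags = find_dmarc(domain, zone)
    return {
        "spf": spf_record(domain, zone),
        "dmarc": "missing" if tags is None else tags["p"].lower(),
        "reporting": bool(tags and tags.get("rua")),
        "spoof_disposition": dmarc_disposition(tags, spf_aligned_pass, dkim_aligned_pass),
    }


def monitoring_record(report_address: str) -> str:
    """First record to publish: no enforcement, aggregate reports only.  Mail
    keeps flowing while the rua reports show who sends as the domain; move to
    quarantine/reject only once those reports look clean."""
    return f"v=DMARC1; p=none; rua=mailto:{report_address}"


if __name__ == "__main__":
    for d in ("example-shop.test", "nodmarc.test"):
        print(d, assess(d))
    print("publish at _dmarc.nodmarc.test:", monitoring_record("dmarc@nodmarc.test"))
```

Two things to note from the output. A missing record is not a hole in the website at all: it only means other people's mail servers have no instruction from you about forged mail claiming to be from your domain, which is why anyone can "demonstrate" it by sending themselves a spoofed message. And the fix costs nothing beyond one TXT record at your DNS host; the paid "DMARC services" mentioned later in the thread only add report parsing on top of that.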
Thank you for your reply. I just checked the reporting link you attached, https://hackerone.com/shopify; it is not a free service, and with costs starting from $500 it would be more convenient to pay the hackers....
This experience is very frustrating, like bumping into a rock: all advice, even from other sources, directs me to other sites offering DMARC but requiring a monthly payment! Not a straight answer or an easy way to resolve this.