Incident response to a medium-scale phishing attack where the targets are not from our company?

Our company suffered a phishing attack yesterday. While investigating the attacker and the potential employees of ours who might have been phished, we ended up with the attacker's database of phished users.

This database includes user emails and passwords (~40) from multiple companies (~10) who seem to be sharing the same phishing attack as us. Moreover, it seems that the targets are high profile.

So far, here is what we have accomplished:

  • Contact targeted companies and list phished users
  • Contact websites where the phishing attack is happening (it is happening on multiple hacked websites so it’s hard to stop it)

However, we're not sure this is the best way to deal with the situation; here is why:

  • More and more users still enter their credentials, and it is not our role to secure other companies' users; we would like to stop wasting time on this (most of the companies follow up on our email or call us asking for more details).

  • We are worried that some companies (the targeted companies being in the same industry as us) might not understand us well and think we are in some way associated with that phishing attack because we are one of their competitors.

  • We are doing security for our competitors (so we're spending money for them).

One solution could be to publish a blog post, but it has downsides too, such as being seen as a toxic player because we would be pointing fingers at our competitors' security. Another solution would be not to contact these companies and let them get compromised.

What would be the best way to react to this phishing attack?

I work with a company, and another developer posted this and wanted us all to run it. I'm a noob with things like this.

I don't really trust the guy, and I'm trying to take my time to learn everything about it, but what do you guys think?

```bash
#!/bin/bash
# Generates a self-signed TLS certificate for a local development domain and
# installs it as a trusted root in the macOS System keychain (which applies to
# every user account on the machine).
name=ourwebdomain.local

openssl req \
  -new \
  -newkey rsa:2048 \
  -sha256 \
  -days 3650 \
  -nodes \
  -x509 \
  -keyout $name.key \
  -out $name.crt \
  -config <(cat <<-EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $name
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = *.$name
EOF
)

# Trust the certificate generated above as a root for all users (System keychain).
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $name.crt
```

This was accompanied by two other files, so here:

```
file ./*
generate_ssl:        ASCII text
ourdomain.local.crt: PEM certificate
ourdomain.local.key: ASCII text
```

I'm not that worried, I'm more curious. Oh, then he added this file to our GitHub repo a bit ago; he's just been acting very weird recently and I'd like to understand what he's doing.

```
mynaems-MacBook-Pro% file dump.rdb
dump.rdb: data
myname-MacBook-Pro% ls -lh | grep rdb
-rwxr--r-- 1 myname staff 92B Aug 29 22:44 dump.rdb
```
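The posted script does two separable things: it creates a ten-year self-signed certificate for the local domain (with a wildcard SAN and an unencrypted key because of `-nodes`), and then it asks macOS to trust that certificate as a root for every user on the machine. The second step is the one worth pausing on, because whatever is in that file becomes trusted system-wide. The script below is an added example, not the poster's or the colleague's code: it reproduces the certificate generation with the same request settings and then inspects the result (common name, SAN entries, whether it carries a CA flag, and its validity window) so a reviewer can see exactly what would be trusted before running the `security add-trusted-cert` line. The domain `example.local` and the scratch directory are constructed for the example; the config is written to a temporary file rather than using bash process substitution so plain `sh` can run it, and it assumes only that `openssl` is installed (the keychain step is deliberately not performed).

```shell
#!/bin/sh
# Added example (not the poster's script): generate the same kind of self-signed
# certificate and inspect it before deciding whether to trust it.
set -eu

# gen_cert NAME OUTDIR: write OUTDIR/NAME.key and OUTDIR/NAME.crt using the same
# request settings as the posted script (RSA-2048, SHA-256, 3650 days, -x509 for
# a self-signed cert, -nodes so the private key is stored unencrypted).
gen_cert() {
    name=$1; dir=$2
    cfg="$dir/$name.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $name
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = *.$name
EOF
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" -config "$cfg" 2>/dev/null
}

# cert_cn CRT: print the subject common name (works with "CN = x" and "/CN=x" styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_sans CRT: print the DNS names from subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_is_ca CRT: succeed if the certificate asserts CA:TRUE; trusting such a
# certificate lets its key sign certificates for any name, not just the SANs listed.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_outlives CRT SECONDS: succeed if the certificate will still be valid
# SECONDS from now (openssl -checkend exits 0 when it will not have expired).
cert_outlives() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# report CRT: print what a reviewer should look at before trusting the file
report() {
    crt=$1
    echo "subject CN : $(cert_cn "$crt")"
    echo "SAN DNS    : $(cert_sans "$crt" | tr '\n' ' ')"
    if cert_is_ca "$crt"; then
        echo "CA flag    : CA:TRUE (could issue certificates for any name)"
    else
        echo "CA flag    : not marked as a CA"
    fi
    if cert_outlives "$crt" 315000000; then   # ~3646 days
        echo "validity   : about ten years or more"
    else
        echo "validity   : under ten years"
    fi
    openssl x509 -in "$crt" -noout -text | grep -A1 'Key Usage' | grep -v '^--' \
        | sed 's/^ */ext        : /'
}

# demo: run the whole flow in a scratch directory, print the report on stderr,
# and return the certificate path on stdout
demo() {
    dir=$(mktemp -d)
    gen_cert example.local "$dir"
    report "$dir/example.local.crt" >&2
    echo "$dir/example.local.crt"
}

CERT=$(demo)
echo "inspected $CERT"
```

The report is what to compare against the script: the names should be only the local development domain and its wildcard, the certificate should not be a CA, and the validity should match the `-days` argument. If any of those differ from what the script claims to produce, that is the point to ask the author before trusting anything system-wide.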