LiquidWeb contact re phishing 24 days

Greetings, If anyone can help me reach a contact at LiquidWeb, there appears to be phishing on its network for 24 days now and I cannot get a response from them or an acknowledgement of receipt of our notices. Yes, we filled our web forms as early as May 5. I can be reached at or if Liquid Web can just respond to the notice, that would be great! They just need to email Thanks for any help you can provide here!

By the way, I could not find the phish myself, but I preserved it at from a RiskIQ crawl that I just looked over internally. The snapshot was taken Fri May 29 05:38:44 PDT 2020 From Chrome

Below is an example of what we are sending them:

RiskIQ Incident Response Team <>


Sent At: May 18, 2020 8:02 PM

Important Notice - Phishing Materials on Your Network / Incident ID: 54873584 / IP Address: / ASN: LIQUID-WEB-INC - Liquid Web, Inc., US

2020-05-18 19:53:03 +0300

Team, please see the notice below from our incident response team beneath my signature block. However, I need to point out a few things here.

I personally spoke with your team on 2020-03-19 12:49:00 +0200, where we discussed you purchased Nexcess, and that is why there is a different technical abuse contact. I had also re-submitted a ticket referencing the prior ticket and someone at LiquidWeb was opening a ticket on the call to make sure they are on top of this.

On 2020-03-24 20:13:44 +0200, Scott at LiquidWeb was investigating this tenacious event. I was told that if this is a repeat offender, you will terminate the account altogether, but you wouldn’t be able to share that info with us for privacy reasons. However, your team was conducting at the moment an internal investigation to see if they need to take different measures.

At that time, Scott put me on hold while he reached out to the security team.

At 2020-03-24 20:35:13 +0200, the Security supervisor was looking this over and it was going to take some time for them to decide best course of action. The site was then down. I was told that if it re-surfaces, we can list the UTC date and time stamps that it came back online and your team might then be able to take further action without a court order. You said that if you check the logs, and it doesn’t match up, we would have to get the courts involved.

We have preserved a lot of evidence that the phishing has gone back up again after you took it down. For example, for your reference, we have uploaded a screenshot at

This screenshot in the PERMA record captures hXXps://zionhighschools[.]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?

Load Date: Mon May 18 08:13:18 PDT 2020

IP Address:

HTTP Method: GET
Response Code: 200
Response Message: OK
Content Type: text/html
Character Set: UTF-8
Is HTML Page: true
Is From Cache: false
Local Content Length: 2.00 K
Overall Content Length: 319.19 K
Local Response Time: 4.97 s
Overall Response Time: 5.87 s
CPU Time: 76 ms
Dependent Requests: 5
Window Name: TopLevelWindow@79c734a4

Please take appropriate action. See all the confirmed URLs in the notice below.


Jonathan Matkowsky, Vice President - Digital Risk (SME)*
Incident Investigation & Intelligence (i3)

Phone +1.888.415.4447 (USA) | +44 (0)203 282 7149 (UK)
RiskIQ: World Leader in Attack Surface Management

*GIAC-GLEG; IAPP-FIP; Active Attorney Admissions: NY, WA
This email does not create an attorney-client relationship or constitute legal advice.

We have defanged URLs in this notice. In the identity and location of the phishing materials, please substitute “.” for “[dot]”, “http” for “hxxp”, and “https” for “hxxps”.

****** ***** ***** ****** *******


Threat Activity Type: Phishing
Industry Impact: Financial

Spoofed Brand: American Express

Date and Time of Abuse: 2020-05-05 06:32 AM PDT

IP Address:

ASN: LIQUID-WEB-INC - Liquid Web, Inc., US

Identity and Location of Phishing Materials:

hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?
hxxps://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?
hxxp://zionhighschools[dot]com/wp-content/themes/ivy-school/vc_templates/american-express/home/?

(individually or collectively, “Phishing Materials”)

****** ***** ***** ****** *******


Per the above summary, we write on behalf of American Express to request your assistance to mitigate a confirmed threat that appears to utilise your network resources for fraudulent purposes by hosting the Phishing Materials as identified above.

We would appreciate it if you would take all reasonable and appropriate steps to ensure your network resources are no longer being used to facilitate or contribute to this confirmed threat, which may include temporarily suspending the account until the Phishing Materials have been removed.

If you need any support or additional information during the course of your investigation, please let us know by reply email at your earliest convenience.

Thank you for your support in safeguarding the public.


Digital Threat Incident Response Team

RiskIQ, Inc.

22 Battery St., 10th Floor, San Francisco CA 94111 USA
Incident 54873584

Replied offlist.