| 1 | +--- |
| 2 | +title: Incident Reporting and Analysis |
| 3 | +icon: lucide/headset |
| 4 | +--- |
| 5 | + |
| 6 | +# :lucide-headset: Incident Reporting and Analysis |
| 7 | + |
| 8 | +!!! Abstract "Incident Reporting" |
| 9 | + |
| 10 | + - Save the original email (.eml) and related materials/evidence. |
| 11 | + - Send the original email as an attachment to <ssd@ocf.tw>. |
| 12 | + |
| 13 | +The following outlines the accepted reportable scenarios, as well as key steps and evidence-collection guidelines for reporting phishing and scam emails, to help you provide information safely and effectively. |
| 14 | + |
| 15 | +## Reportable Incident Types |
| 16 | + |
| 17 | +### Fake or malicious websites |
| 18 | + |
| 19 | +- Impersonating government, schools, healthcare, banks, shopping, or fundraising sites, or short links redirecting to suspected phishing pages. |
| 20 | +- What to include in your report: full URL (including parameters), screenshots, and time discovered. If available: DNS/WHOIS information, TLS certificate fingerprint or serial number. |
| 21 | + |
| 22 | +### Fake social media accounts/pages |
| 23 | + |
| 24 | +- Impersonating official accounts or customer service, fake investment groups, fake giveaway campaigns. |
| 25 | +- What to include in your report: account or post links, screenshots, snippets of suspicious direct messages. |
| 26 | + |
| 27 | +### Malicious apps or distribution of fake apps |
| 28 | + |
| 29 | +- Impersonated government or banking apps; unofficial APK download pages. |
| 30 | +- What to include in your report: store page or download page link. If available: file hash (SHA-256), signature/developer info, screenshots (do not execute the file). |
| 31 | + |
| 32 | +### Account security anomalies |
| 33 | + |
| 34 | +- Suspected compromise of official accounts, unusual login alerts from other locations, or your organization appearing on suspected leak lists (PTT, Dcard, forums, Telegram channels). |
| 35 | +- What to include in your report: source link or screenshots, affected platform and account ID, and time. |
| 36 | + |
| 37 | +### DDoS or service availability anomalies |
| 38 | + |
| 39 | +- Widespread simultaneous connection failures, multiple reports from users in the same area, DNS resolution anomalies. |
| 40 | +- What to include in your report: time window, location or ISP. If available: error screen/code, brief traceroute/dig results. |
| 41 | + |
| 42 | +### Extortion/threat emails and deepfake voice |
| 43 | + |
| 44 | +- Impersonation of government agencies or supervisors, sextortion emails, AI deepfake voice scams. |
| 45 | +- What to include in your report: raw email files (.eml, .msg), audio files, caller number and call log screenshots. |
| 46 | + |
| 47 | +!!! warning "Evidence Collection and Safety Reminders" |
| 48 | + |
| 49 | + - Do not click suspicious links, enable macros, or run unknown files. |
| 50 | + - If you have obtained a file, do not open it. |
| 51 | + - If there is immediate financial loss or payment fraud, first call the 165 Anti-Fraud Consultation Hotline, or report to the police (110) as appropriate, and notify us at the same time for assessment. |
| 52 | + |
| 53 | +## Phishing and Scam Email Reporting Guidelines |
| 54 | + |
| 55 | +1. Common preliminary indicators |
| 56 | + - Suspicious sender domain; looks similar to the official domain but is different (e.g., letter substitution). |
| 57 | + - Urgent call to action (update account, sign in again, make a payment) with a link or attachment. |
| 58 | + - Displayed link differs from the actual destination; uses URL shorteners or unusual domains. |
| 59 | + - Attachments are executables or macro-enabled documents (.exe, .scr, .js, macro-enabled Office files). |
| 60 | + - Urgent tone, messy formatting, grammatical errors, or unreasonable requests. |
| 61 | + |
| 62 | +2. What to include in your report |
| 63 | + - Raw email file: .eml or .msg with full headers and body (see the next section for how to export/package the email). |
| 64 | + - Screenshots: the received message view, the actual URL shown when hovering over links, attachment filename and size. |
| 65 | + - Basic info: time received (including time zone), sender address, subject line, and the email service/client and version you use. |
| 66 | + - If the email contains links or files: provide the link text and the actual URL (copy via right-click), and the file hash (SHA-256; do not execute the file). |
| 67 | + |
| 68 | +3. How to export the raw email |
| 69 | + - Gmail (web): Open the email → More (three dots) in the top-right → Show original → Download Original (.eml). |
| 70 | + - Outlook (Windows desktop): Open the email → File → Save As → choose Outlook Item (.msg). For headers: File → Properties → copy Internet headers. |
| 71 | + - Outlook on the Web (OWA): Open the email → More (three dots) → View → View message details (you can copy headers). Some versions support downloading .eml (Download). |
| 72 | + - Apple Mail (macOS): Select the email → File → Save As… → choose “Raw Message” or .eml. Or View → Message → All Headers. |
| 73 | + - Mozilla Thunderbird: Select the email → File → Save As → File (.eml). |
| 74 | + |
| 75 | +!!! info "Gmail (web)" |
| 76 | + |
| 77 | + - For Gmail (web), you can refer to [this page](https://ssd.ocf.tw/help/index.html){target="_blank"} for the steps. |
| 78 | + |
| 79 | +## How We Handle Your Report |
| 80 | + |
| 81 | +- Upon receipt, we immediately assign a case ID, perform initial malicious-file screening, and de-identify data. |
| 82 | +- Expert analysis and community collaboration: Without involving personal data or sensitive operational information, we share publishable threat indicators (e.g., domains, IPs, file hashes, sample characteristics, attack techniques) with trusted security communities and academic/research partners for joint analysis; NDAs or restricted sharing are used when necessary. |
| 83 | +- Cross-entity notification and referral: After confirmation, we notify affected parties according to roles and responsibilities, refer cases to platform providers or competent authorities as needed, and provide the community with updates on remediation progress and mitigation guidance. |
| 84 | +- External feedback and information release: Once handling is complete, we provide concise feedback and publishable [IoCs](https://www.cloudflare.com/learning/security/what-are-indicators-of-compromise/){target="_blank"} (indicators of compromise; no personal data) and regularly compile trend insights and protective recommendations. Where appropriate, we include de-identified indicators in public/shared threat intelligence systems (e.g., [STIX/TAXII](https://www.cloudflare.com/learning/security/what-is-stix-and-taxii/){target="_blank"}) to help the ecosystem quickly block propagation. |
| 85 | +- Transparency and protection: We strictly comply with personal data and legal requirements, share only the minimum necessary information, and protect reporter identities and sensitive details. |
| 86 | + |
| 87 | +## How to Report |
| 88 | + |
| 89 | +1. Prepare the raw email or materials required for the relevant scenario above. |
| 90 | +2. Send the raw email and materials as email attachments to <ssd@ocf.tw>. |
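Review bot: lines 30 and 66 ask reporters for a SHA-256 file hash while telling them not to execute the file, but never say how to obtain the hash, which invites exactly the double-click the page is trying to prevent. Suggest adding the per-platform one-liner next to the export steps in section 3 (`certutil -hashfile <file> SHA256` on Windows, `shasum -a 256 <file>` on macOS, `sha256sum <file>` on Linux) and stating that hashing only reads the bytes and never runs the file. In the same section, line 72 calls the Apple Mail option "Raw Message"; the Save As format menu item is "Raw Message Source", and line 71 could say that the OWA .eml download, where available, is preferable to copying headers, since it keeps body and attachments together with the headers that the analysis in section "How We Handle Your Report" depends on.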