It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

The Spamhaus Project has released a blog criticizing Cloudflare — a content delivery network and cloud cybersecurity provider — for providing security services to abusive domains. These websites could contain spam, phishing links, malware, and even botnets.

The anti-spam watchdog organization reports: “10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers. Spamhaus routinely observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse.”

By concealing fraudulent website authors, Cloudflare makes it harder for security researchers to identify them.

Cloudflare says it shouldn’t be responsible for mitigating abusive content because of its content-neutral policy, claiming that it does not host websites directly. The company states, “Everyone benefits from a well-functioning Internet infrastructure, just like other physical infrastructure, and we believe that infrastructure services should generally be made available in a content-neutral way.” Despite this, exceptions have been made for websites targeted by legal requests or in response to public campaigns. Read more here.

What you can do

We have previously covered the risks behind fraudulent websites. Although Cloudflare continues to service them, you can still protect yourself from unsolicited spam and phishing links. We recommend these general precautions:

• Consider adopting a domain blocklist for your personal email client. By doing so, your email provider will automatically sort out potential phishing attempts and spam emails. Spamhaus’ Domain Blocklist provides an excellent starting point.
• Be cautious of suspicious emails if you are not expecting them. Notify your email provider or IT administrator of suspected phishing attempts.
• Besides reporting malicious websites to Cloudflare, you can also report them to their registrar/host provider. Use the ICANN Lookup tool to find their contact information. You can also do so with a national law enforcement agency or Google's Report Phishing page.
• Be wary of typosquatting. Many phishing emails claim to be from reputable websites, but their URLs might be misspelled, or have additional words and letters before the domain name. For example, “fakewebsites[.]com” and “fakewebsitepatch[.]com” are typosquatting on “fakewebsite[.]com.”

Updates from our team

• Documentary filmmaking professionals: Make sure to sign up for our free digital security clinic before we close our application in the next few days Co-hosted with Field of Vision, this four-session course will feature practical training on how to keep your footage, subjects, and crew safe from preproduction to postpremiere. Participants will also have the option to sign up for free individual consultations with our digital security trainers. The clinic, which entails one 90-minute session each week, runs Aug. 13 through Sept. 3. Complete the intake form to participate and tell your friends! Reach out to [email protected] with questions.
• We are hiring a Monitoring, Evaluation, Research, and Learning (MERL) consultant to help us develop a monitoring and evaluation framework for our digital security training courses. We will close the application before long, so check out the job description and please share it widely.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Kevin

–

Kevin Pham

Digital Security Training Intern

Freedom of the Press Foundation