Is there a fox in your hen house?


Who? We are a bunch of do-gooders with nothing to sell.

What? Research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD). Scroll down to "Performers and Projects" and click the + sign, then scroll down to Dissect Cyber. You can also watch a video of a presentation we gave about the project on the official DHS Science and Technology Directorate YouTube channel here:

Why? We want to help protect Critical Infrastructure (CI) in the United States. But first we need to find out what is getting in the way of good cyber security for the small and medium-sized companies that provide goods and services to CI.

I got a call saying we have malware that stole some login credentials. What's this about?

User names and passwords (login credentials) are stolen every day by criminals who want to gain access to your company's email accounts, vendor accounts, and sensitive data. Once they have the login to your email account, they can find out every financial account you have and reset its password to one only they know. They can move money or get copies of contracts, proposals, customer lists, your plans, and your interactions with payroll companies, lawyers and accountants.

If you've used the same password at more than one website, the criminals can get into every website where you used the password they managed to steal from you.

We are often asked, "How did you find out about this?" Lists of stolen credentials are very commonly circulated on the Internet. We monitor for these Indicators of Compromise (IOC) and notify you when we see one for your company. Please note that we are not selling anything.

The following websites provide some information about credential-stealing malware:

If you have been notified that a particular user at your company has an Indicator of Compromise for stolen login credentials, have every computer, phone or tablet they use cleaned of malware. After that, change their passwords, using a different password at each website. For our research, please let us know whether you found an issue or not, whether you resolved it, or whether you needed more help.

I got a call about a look-a-like domain

Look-a-like domain names are being used in many scams, including wire fraud, executive impersonation and credential phishing.

The following websites explain the scams:

Options for addressing the look-a-like domain problem at your company

Hey, someone called me about a problem with one of our IP addresses

On the CBL Abuse At website you can find out why someone would call you to report seeing a problem with an IP address at your company. There is no charge, and they are not selling anything.

Here is some detailed technical help for your IT department to track down network abuse issues. There is no charge, and they are not selling anything.

If your team doesn't find the problem or needs more help, please let us know.

I was told that our website is a download site for malware?

Your website was broken into by cyber criminals, and they are using it to deliver malware to the rest of the world. You may not see any changes to your website, because the malware downloading activity happens where you cannot see it. You may want to contact your web hosting company or website designer to resolve the issue.

Google has some resources:

Google also has a diagnostic page that could provide some information for your website hosting company or web designer:

How to tell the difference: real notification or scammer

  • Scammers tell you to trust them and then give you instructions
  • Scammers dig for information they can use to gain trust or access
  • Or they end up remotely controlling your computer to "help" you
  • Scammers gain access to your money or your passwords
  • Sometimes scammers are directly selling something
  • Do not follow instructions from someone who emails you or calls you

Get the current Model Policy for Cyber Security Notifications:

We cannot recommend what you should do because our role is just research. However, we can tell you what some companies are doing: