SOCRadar® Cyber Intelligence Inc. | How To Takedown Phishing Domains for Free

Resources

Oct 25, 2020

7 Mins Read

How To Takedown Phishing Domains for Free

Phishing – tricking people since “forever”

Scammers have always existed, luring people into giving them their valuables or simply tricking them to achieve their goals. Before early technological inventions, you had to be more creative to scam someone, as you are familiar with Frank Abagnale’s story. However, with the developments in technology, ‘improvements’ in scam/fraud/phishing (call it what you will) have come to light, and imposters have more and more options to find prey.

This year, a new topic concerning everybody on the planet – the pandemic – has become one of the most common themes luring users to engage in phishing activity. With the workforce transferring to the digital world, as well as the young generation having to continue their education online, possibilities to catch prey have risen high.

How to spot phishing?

Spotting a phishing website can be tricky sometimes. Threat actors use typosquatting with the hope that users won’t catch the difference between the legitimate domain and the impersonating one. A typosquatting domain usually differs from the original one with simple typos:

A doubled letter that users might overlook,
A missing letter like “i”, “l”, “t”, etc. won’t make a big difference when users (uncarefully) look at the domain.
Or even misplaced letters – typos that users usually make when in a hurry

Another type of phishing is top-level domain cybersquatting. Here, there is no typo, the domain may look legitimate, yet the TLD (which is the extension to the trademark name, so .com, .org, .edu) is not.

Of course, threat actors use social engineering techniques, and advanced hacking methods to create or completely clone a website. In these cases, users need to be careful and check if there are any spelling or grammar errors. This can indicate a phishing website because no organization is that incautious to make these kinds of errors. Don’t worry, you don’t need to scan the whole website, they usually are visible in titles as well.

Another indicator you can check is the SSL/TLS certificate. There are online tools to verify the existence of a certificate, but you can make a shortcut by checking the prefix of the URL given in the browser. The letter “s” in “https://” indicates security for the user visiting the website. However, threat actors keep advancing, and they have already found a solution to addressing this issue – nowadays you can find many phishing websites encrypted by SSL/TLS.

In many cases, slightly more advanced (but still publicly available) tools are needed to verify a website’s legitimacy. Date of creation, domain’s registrant, IP address, and anything else suspicious can be checked in the whois records. Also, the contact email in the “Contact us” section can be verified if valid and be checked for a bad reputation.

It’s time to report that website

Once you are done with the investigation and are completely sure a website is phishing, you can proceed with the takedown process. End-users might choose to ignore this step and simply avoid visiting the website. However, this write-up is intended for companies mainly, and having a website similar to yours, which targets your customers can lead to severe consequences – like data breaches for example, which lead to further issues, like high fines.

If you are a company with a good reputation in the industry, you will most likely be a target of phishing campaigns. Therefore, a specific team to address this issue is needed. As soon as a phishing domain is spotted, significant steps are to be taken to take the domain down.

4 steps to successfully take down a phishing domain

1. First off, make sure it is phishing

Use the previously-mentioned recommendations to verify if a domain is phishing or not. Sometimes, a phishing domain is obvious just by looking at the domain name, some other times further investigation is required.

You can use urlscan to find out if the site is phishing. urlscan.io is a free service to scan and analyse websites. When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. If the site is targeting the users one of the more than 400 brands tracked by urlscan.io, it will be highlighted as potentially malicious in the scan results.

2. Notify the authorities

Once you are done with the investigation, and you are sure a domain is phishing, it’s time to notify the right authorities. It is quite often for malicious/phishing domains to be attached in the phishing emails. Threat actors use ever-changing techniques and great social engineering skills to make these emails look less suspicious.

US-cert partners with APWG (Anti-phishing working group) to analyze these phishing emails, and interpret those analyses in reports to help users not to become victims of phishing. – they have specific email addresses where users can forward suspicious emails.

3. Report phishing

The next step is to report the phishing domain in the right place. One thing worth mentioning is that these phishing domains can be taken down with one report (if you get a reply right away), yet sometimes it can take multiple reports, and takedown can still be far from finalization.

There are two main types of reporting:

You can report the phishing website and request it to be blocked. Some authorities that can do this are G o ogle Safe Browsing, Microsoft Security Intelligence Phishing Sites, Symantec Anti Fraud, and others.
You can contact the hosting service and/or the domain registry of the phishing domain to let them know it is phishing.

In case you are an end-user, intending to request takedown of a domain you could be a victim of, you need to clarify why you find it suspicious
In case you are an organization, whose brand name/logo is being used in the phishing website, you need to verify this information.

The registrar and the hosting provider can be found in the whois record of the domain. Usually, every registrar has an email specifically created to get abuse-reporting from users, some can also provide a report form that you can fill and submit for further evaluation.

4. Follow up the process

Due to advanced hacking skills threat actors use, it can be difficult to verify if a domain is phishing or legitimate. The authorities might not be convinced right away as well, thus companies/end-users reporting phishing, need to follow up the process, and if needed, report again and again until the right proof is found.

There are other situations when a legitimate website is hacked by exploiting vulnerabilities in the system. In these cases, the company, whose site has been hacked in the first place, needs to take action. To avoid these troublesome situations, obviously, the company needs to apply the right patches to exploitable vulnerabilities as soon as detected. SOCRadar detects all the services its customers use, therefore is able to notify in case there are high-risk vulnerabilities in those services.

SOCRadar integrated takedown service

SOCRadar Digital Risk Protection platform’s Integrated Takedown module is designed to act rapidly and minimize the impact of threat actors on your brand reputation and cybersecurity posture by utilizing its worldwide contact network to request removal. It allows users to initiate this process with a simple one click. It includes no additional legal or procedural burden. Furthermore, the process is easily monitored in the platform or you can contact the dedicated analyst to request more detailed information. SOCRadar’s trained takedown analysts consider several aspects for initiation ranging from the geographical region where the illegitimate content is hosted to the type of evidence for submission to speed up the takedown process. Remove the procedural hurdles by taking advantage of SOCRadar’s integrated service.