Phishing: How To Take a Phishing Site Offline
CONGRATULATIONS, you just won a trip to the Bahamas!
Update your password now!
Please confirm your account information.
You have a tax refund waiting for you.
These are the common introductory statements you can find on phishing emails or phishing sites. In this day and age where all
transactions involving credit cards could be done online, phishing is becoming more common. It’s necessary for IT practitioners to
know how to take a phishing site down to protect their company’s information and to prevent scammers from using their details
for fraudulent activities.
The following process works very effectively in having phishing sites taken offline, suspended, and blocked by browsers and
content filters – usually within 24 hours.
Examine the fraudulent email for malicious domain links and email addresses and take note of them.
Copy the malicious URL of the phishing site and use it to report to the following anti phishing services
Use the web based GeekTools Whois http://geektools.com/whois.php to look up the phishing domain and take note of the details. (You can also use the whois command from within linux.) The output will look something like this:
Specifically we are looking for details of;
- 1) Name Servers
- 2) Registrant & Registrar
- 3) Abuse contacts
The name servers are normally associated with the organisation where the website is hosted, and this is the most important contact for a successful suspension of the account so we will repeat the whois lookup process on the name servers to find out how to contact them.
For malicious domains, contact the hosting service and the domain registry to notify them of the scam, requesting that they take action to suspend the account or take it offline. Often this email is sent to [email protected] Follow up with a phone call to both the hosting service and the domain registry with the request
Often with phishing sites, the actual domain is a legitimate business whose website has been hacked due to system vulnerabilities. The attacker uses this vulnerability to upload their phishing site to a subdirectory of the legitimate website. (And this illustrates why performing a penetration test on a website is a good idea so that the vulnerabilities can be found and patched before they are exploited by criminals.)
In this case where a legitimate business site has been hacked;
- Contact the business;
- Notify them of the phishing site hosted on their domain; and
- Ask them to take action to remove it
Where possible, it is also worth asking the business owner to provide a zipped up copy of the phishing site code for further analysis. Analysing this code can lead to further investigation as to how the phished data is processed, and provide more information for investigation such as email addresses in the code.
For malicious email addresses identified, contact the email provider and notify them of the email address/account which is being used for fraudulent purposes. This is often as simple as sending an email to [email protected]
Our final advice to you is be wary of suspicious sounding messages. And if you suspect that a website is not what it purports to be, LEAVE immediately. Perform the procedure outlined above, and have the website taken down if found to be malicious.
Also, if you’ve been hacked or if the security of your website has been compromised, seek expert assistance.
Core Sentinel’s mission is to help businesses, institutions, and organisations stay a step ahead of hackers. Our penetration testers are OSCE, OSCP certified and, CREST-qualified. Our consultants have worked for some of the world’s biggest brands, in a range of industries, including banking, finance, insurance, health, utilities, oil & gas, government and defence.
We are the ones with the right knowledge, tools and experience to guide you to the recovery of your website.