
How to Report an active phishing site - [sketch]


 PostPosted: Thu Oct 02, 2008 4:55 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
How to Report an active phishing site



When you determine that you are seeing a phishing spam (where the scammer is spoofing a known brand, obscure or not), and the site is live, report it as soon as you can.


Determine if the phishing site is live

View this site either in a proxy, in a text browser, on a test box using VMWare or through a tool such as net.demon. As with other spam you do NOT want to view phishing sites casually. Many have malware installed on them by the phishers.

If you want to do a lot of digging, go up the folders to see if you can find other goodies, such as phish kits or other files that appear to be used to compromise the host. You may find all kinds of nasty things. (will elaborate later on that). You might even find more brands of phishing sites on a compromised host.

Determine if the phishing site is 1 of 3 things

Determine if the phishing site is there because of:

1. A compromise
2. A botnet
3. A fraudulent account setup

Usually the compromise is indicated in the URL. Example: mywebsite.com/images/paypal.htm. This is one where the images directory was compromised due to open permissions on the folder.

For a botnet, you will find the phishing domain resolves to many IP addresses. These are harder to report. Many of them are rockphish websites.

A fraudulent account is usually easier to determine because they buy a domain with the spoofed brand; often the domain is similar to this: cgi-ebay.com or paypal-login.net. Phishers use URLs that may be a bit similar to logging into the sites that are spoofed heavily.


If the phishing site is live, run DNS on it to find the domain, IP, nameservers, and hosting company.

Submit it to phishtank.com and/or castlecops.com/pirt

You need to figure out if the phishing site is a compromise, botnet or a fraud account because it gives you an idea whether to report it to an ISP, the webmaster of a legitimate site and/or the registrar. For fraudulent accounts, you report to the registrar, so botnets and fraud accounts would be reported to the registrar.

Next, I will provide a template on how to report the phishing site(s).

Figuring out who to report the phishing site to:

You will want to notify the host, the webmaster of the compromised website, and possible upstreams. You may want to include the brand that is being spoofed.

( WILL UPDATE MORE LATER: this is a sketch ) - Please let me know if you want to add anything, it is a work in progress.


 PostPosted: Fri Jan 02, 2009 6:14 pm   
New member

Joined: Wed Dec 24, 2008 2:27 pm
Posts: 8
Meep,

Is it possible that you can give me a template on how to report the active phishing site.

Thank you,

Former SIRT trainee

Phuoc


 PostPosted: Fri Jan 02, 2009 6:59 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Sure, Phuoc, I have some things I can add here. Let me dig through my old notes (may take some time). Thank you for asking. :)

I will continue to modify this, sketch for now.

This is an example for a phishing site that is on a compromised account.

It is important to make your subject line stand out; if you just put "phishing" or use lower case letters, it may not be seen. Abuse desks weed through thousands of emails, so the key is to make it stand out.

one example:
subject: [ABUSE] PHISHING on 209.21.3.20 / sampledomain.com

Most important is to notify the webhost and the webmaster (IF YOU KNOW THE WEBSITE is LEGITIMATE)

You don't have to CC the spoofed brand, but if you have time, you could do that.


Example:

To: abuse@ ISP
CC: webmaster@domain
CC: spoofed bank example: abuse@bankofamerica.com
CC: reportphishing@antiphishing.org (APWG)

--
Subject line: PHISHING SITE on 209.21.3.20 / sampledomain.com
--

Body:

Please disable this phishing site spoofing Bank of America on

URL: http:// sampledomain.com/admin/phishpage.htm
IP: 209.21.3.20

This page was compromised and is hosting a phishing site. Please disable it immediately, take all measures to secure the website, or disable the website entirely if you are not able to secure it.

Thank you,

--
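As an added example (not code from the original thread), this small Python script ties the first post's three-way classification to the report template above: it sorts a live phish into compromise, botnet or fraudulent account from its URL and the set of IPs it resolves to, then builds the To/CC/Subject/Body of the abuse mail accordingly. The brand list, the abuse addresses and the "5 or more IPs" botnet threshold are constructed assumptions for the example; the resolved IPs are passed in so it runs offline.

```python
from urllib.parse import urlparse

# Brands to look for; a constructed list for this example.
BRANDS = ("paypal", "ebay", "bankofamerica", "wellsfargo")
# Constructed stand-ins: a real report uses the abuse contacts that
# whois and DNS give you for the host and the registrar.
ISP_ABUSE = "abuse@example-isp.invalid"
REGISTRAR_ABUSE = "abuse@example-registrar.invalid"

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for .com/.net style names."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify(url, resolved_ips):
    """Sort a live phish into the three buckets from the first post.
    Many distinct IPs for one name is the botnet (rockphish) tell; a
    brand name inside the domain itself points to a fraudulently bought
    domain; otherwise it is a phish page dropped on a legitimate site."""
    domain = registrable_domain(urlparse(url).hostname or "")
    if len(set(resolved_ips)) >= 5:
        return "botnet"
    if any(b in domain.replace("-", "") for b in BRANDS):
        return "fraudulent account"
    return "compromise"

def build_report(url, ip, resolved_ips, brand):
    """Assemble To/CC/Subject/Body the way the template above does.
    Compromises go to the host and the site's webmaster; fraudulent
    accounts and botnets go to the registrar as well (client hold)."""
    kind = classify(url, resolved_ips)
    domain = registrable_domain(urlparse(url).hostname or "")
    to = [ISP_ABUSE]
    cc = ["reportphishing@antiphishing.org"]
    if kind == "compromise":
        cc.insert(0, "webmaster@" + domain)
    else:
        to.append(REGISTRAR_ABUSE)
    subject = "[ABUSE] PHISHING on %s / %s" % (ip, domain)
    body = ("Please disable this phishing site spoofing %s on\n\n"
            "URL: %s\nIP: %s\n\n" % (brand, url, ip))
    if kind == "compromise":
        body += ("This page was compromised and is hosting a phishing site. "
                 "Please disable it immediately and secure the website.\n")
    else:
        body += ("This domain was set up for phishing. Please place it on "
                 "client hold and disable the site.\n")
    return {"kind": kind, "to": to, "cc": cc, "subject": subject, "body": body}
```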


 PostPosted: Tue Jan 20, 2009 4:37 pm   
New member

Joined: Mon Jan 19, 2009 5:26 pm
Posts: 6
Nice!

I would of course underline the importance of reporting it to the web host as well.

In some countries you may be asked to re-format your request and provide information about yourself (I'm thinking about France); you will want to do this, as it is in order to allow the host to act in accordance with their laws on official complaints...

_________________
I'd rather be sailing


 PostPosted: Tue Jan 20, 2009 9:29 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Thanks, forseti. I need to do one for fraudulently purchased domains for phishing sites. It would be different than the template above as I would include both the Registrar asking for disabling (client hold) and the webhost and possibly those who control the nameservers (could be a different entity).


 PostPosted: Tue Feb 03, 2009 6:43 pm   
New member

Joined: Wed Dec 24, 2008 2:27 pm
Posts: 8
meep,

Thank you so much for the sample template. It proved to be very helpful in getting the ISP's and the domain administrator's attention.

Somehow I really have a hard time getting the domain administrator located in a foreign country to cooperate with the request.

Is there any other way we can escalate or speedup the shutdown process?

Thank you

Phuoc


 PostPosted: Wed Feb 04, 2009 11:20 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Thanks, Phuoc

Quote:
Is there any other way we can escalate or speedup the shutdown process?


Somehow I really have a hard time getting the domain administrator located in a foreign country to cooperate with the request.

Sometimes there are private contacts used. At Castlecops' PIRT some private contacts were established for slow moving registrars. Of course, this was only for some and not inclusive. Phishing reporters have tried to establish relationships with some registrars in Asia for instance, where there may have been language barriers.

Sometimes emailing contacts that have close association might expedite take downs, but overall, there are still lots of unresponsive registrars.


 PostPosted: Wed Feb 04, 2009 12:29 pm   
Spam Reporter

Joined: Thu Jul 05, 2007 9:36 am
Posts: 247
I'd like to add one very simple way to report both malicious and phish sites.
Maybe not so effective, but it may help somebody who isn't so wise about threats.

1. Download and install Opera browser.
http://www.opera.com/browser/

2. Go to suspicious site and hit Alt+Enter
The following menu window will appear:

3. Just choose the appropriate choice and click OK.
In both cases the simplest submission is just 2 mouse clicks away.
NetCraft can take your mail and short description of the phish if you like.

Malicious sites are reported to Haute Secure and phishing to NetCraft; not sure how PhishTank is involved here.
In both cases they do share this information with proper authorities and fraud protection lists.

P.S. I know visiting spammed or phish sites is against preferred policy and potentially dangerous.
SO DO USE THIS METHOD WITH CAUTION
On the other hand I have done this over a decade and never got anything malicious in my PC thru Opera! ;) (fingers crossed)


 PostPosted: Wed Feb 04, 2009 3:05 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Very valid points, Veka. If someone wants to view malware sites, including phishing or general spamming sites, it is advisable to view them with a text browser such as lynx or something similar, and not in a regular browser on a Windows box as the Administrator user, even if the browser is an alternative (not IE) such as Firefox or Opera.


 PostPosted: Thu Feb 05, 2009 3:22 am   
Spam Investigator

Joined: Wed May 30, 2007 1:51 am
Posts: 253
Location: Tokyo, Japan
Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.


 PostPosted: Wed Apr 01, 2009 12:17 am   
Spam Investigator

Joined: Wed Feb 04, 2009 3:23 pm
Posts: 342
pwillener wrote:
Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.


Alternatively it is possible to do it by pasting in the site URL. I've done it, and it works. That way you don't have to be positioned on the site.

Hans :wink:


 PostPosted: Fri Apr 03, 2009 2:08 pm   
Spam Reporter

Joined: Thu Jul 05, 2007 9:36 am
Posts: 247
Netcraft offers an Anti-Phishing toolbar for IE and FF.


 PostPosted: Thu Nov 26, 2009 11:15 pm   
Spam Reporter

Joined: Fri Mar 23, 2007 4:16 pm
Posts: 206
I've been reporting phishing sites here:
https://submit.symantec.com/antifraud/phish.cgi

_________________
"The trouble with the world is that the stupid are cocksure
and the intelligent are full of doubt." -- Bertrand Russell


 PostPosted: Wed Dec 02, 2009 1:28 am   
Spammer Killing Machine

Joined: Thu Apr 03, 2008 4:33 pm
Posts: 590
Location: Florida
Google has a phish reporting form too.
http://www.google.com/safebrowsing/report_phish/

_________________
SpamPoison


 PostPosted: Fri Dec 11, 2009 2:20 am   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I reported a Wells Fargo phish to spamcop, and not only does Wells Fargo want the spamcop reports, they want copies sent to US-CERT. They have a phish reporting address at [email protected]

I don't know the details of how they are handling them, but they could conceivably replace what PIRT was doing as far as investigating and taking down phish without regard to who the spoof target is.

