Last visit was: Sat Jul 05, 2014 11:19 am
It is currently Sat Jul 05, 2014 11:19 am

How to Report an active phishing site - [sketch]


All times are UTC - 5 hours [ DST ]


 [ 19 posts ]  Go to page 1, 2  Next
Author Message
 PostPosted: Thu Oct 02, 2008 4:55 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
How to Report an active phishing site



When you determine that you are seeing a phishing spam (where the scammer is spoofing an known brand, obscure or not. If the site is live, report it as soon as you can.


Determine if the phishing site is live

View this site either in a proxy, in a text browser, on a test box using VMWare or through a tool such as net.demon. As with other spam you do NOT want to view phishing sites casually. Many have malware installed on them by the phishers.

If you want to do a lot of digging, go up the folders to see if you can find other goodies, such as phish kits or other files that appear to be used to compromise the host. You may find all kinds of nasty things. (will elaborate later on that). You might even find more brands of phishing sites on a compromised host.

Determine if the phishing site is 1 of 3 things

Determine if the phishing site is there because of

1. A compromise, 2. A botnet 3. A fraudulent account setup.

Usually the compromise is indicated in a URL. Example mywebsite.com/images/paypal.htm This is one where the images directory was compromised due to open permissions on the folder.

For a botnet, you will find the phishing domain resolves to many IP addresses. These are harder to report. Many of them are rockphish websites.

A fraudulent account is usually easier to determine because they buy a domain with the spoofed brand often times in the domain is similar to this: cgi-ebay.com or paypal-login.net - phishers use URLs that may be a bit similar to logging into sites that are spoofed heavily.


If the phishing site is live. Run DNS on it to find the domain, IP, nameservers, and hosting company.

Submit it to phishtank.com and or castlecops.com/pirt

You need to figure out if the phishing site is a compromise, botnet or a fraud account because it gives you an idea to either report it to an ISP, webmaster of a legitimate site and or the registrar. For fraudulent accounts, you report to the registrar, so botnets and fraud accounts would be reported to the registrar.

Next, I will provide a template on how to report the phishing site(s).

Figuring out who to report the phishing site to:

You will want to notify, the host, the webmaster of the compromised website, and possible upstreams. You may want to include the brand that is being spoofed.

( WILL UPDATE MORE LATER: this is a sketch ) - Please let me know if you want to add anything, it is a work in progress.


Top
 Profile  
 PostPosted: Fri Jan 02, 2009 6:14 pm   
New member
User avatar

Joined: Wed Dec 24, 2008 2:27 pm
Posts: 8
Meep,

Is it possible that you can give me a template on how to report the active phishing site.

Thank you,

Former SIRT trainee

Phuoc


Top
 Profile  
 PostPosted: Fri Jan 02, 2009 6:59 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Sure, Phouc, I have some things I can add here. Let me dig through my old notes (may take some time). Thank you for asking. :)

I will continue to modify this, sketch for now.

This is an example for a phishing site that is on a compromised account.

It is important to make your subject line stand out, if you just put "phishing" or use lower case letters, it may not be seen. Abuse desks weed thru thousands of emails, so the key is to make it stand out.

one example:
subject: [ABUSE] PHISHING on 209.21.3.20 / sampledomain.com

Most important is to notify the webhost and the webmaster (IF YOU KNOW THE WEBSITE is LEGITIMATE)

You don't have to CC the spoofed brand, but if you have time, you could do that.


Example:

To: [email protected] ISP
CC: [email protected]
CC: spoofed bank example: abuse@bankofamerica.com
CC: reportphishing@antiphishing.org (APWG)

--
Subject line: PHISHING SITE on 209.21.3.20 / sampledomain.com
--

Body:

Please disable this phishing site spoofing Bank of America on

URL: http:// sampledomain.com/admin/phishpage.htm
IP: 209.21.3.20

This page was compromised and is hosting a phishing site. Please disable it immediately, take all measure to secure the website, or disable the website entirely if you are not able to secure it.

Thank you,

--


Top
 Profile  
 PostPosted: Tue Jan 20, 2009 4:37 pm   
New member
User avatar

Joined: Mon Jan 19, 2009 5:26 pm
Posts: 6
Nice!

I would of course underline the importance of reporting it to the web host as well.

In some countries you may be asked to re-format your request and provide information about yourself (I'm thinking about France), you will want to do this, as it is in order to allow the host to act in accordance with their laws on official complaints...

_________________
I'd rather be sailing


Top
 Profile  
 PostPosted: Tue Jan 20, 2009 9:29 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Thanks, forseti. I need to do one for fraudulently purchased domains for phishing sites. It would be different than the template above as I would include both the Registrar asking for disabling (client hold) and the webhost and possibly those who control the nameservers (could be a different entity).


Top
 Profile  
 PostPosted: Tue Feb 03, 2009 6:43 pm   
New member
User avatar

Joined: Wed Dec 24, 2008 2:27 pm
Posts: 8
meep,

Thank you so much for the sample template. It prove to be very helpful in getting the ISP and the domain adminstrator attention.

Somehow I really have a hardtime in getting the domain administrator locate in foreign country to cooperate with the request.

Is there any other way we can escalate or speedup the shutdown process?

Thank you

Phuoc


Top
 Profile  
 PostPosted: Wed Feb 04, 2009 11:20 am   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Thanks, Phuoc

Quote:
Is there any other way we can escalate or speedup the shutdown process?


Somehow I really have a hard time in getting the domain administrator locate in foreign country to cooperate with the request.

Sometimes there are private contacts used. At Castlecops' PIRT some private contacts were established for slow moving registrars. Of course, this was only for some and not inclusive. Phishing reporters have tried to establish relationships with some registrars in Asia for instance, where there may have been language barriers.

Sometimes emailing contacts that have close association might expedite take downs, but overall, there are still lots of unresponsive registrars.


Top
 Profile  
 PostPosted: Wed Feb 04, 2009 12:29 pm   
Spam Reporter
User avatar

Joined: Thu Jul 05, 2007 9:36 am
Posts: 247
Like to add one very simple way to report both malicious and phish sites.
Maybe not so effective but it may help somebody who arent so vice about threats.

1. Download and install Opera browser.
http://www.opera.com/browser/

2. Go to suspicious site and hit Alt+Enter
Following menu window will appear:


3. Just choose the approppriate choise and click OK
In both cases the simplest submission is just 2 mouse clics away.
Image
NetCraft can take your mail and short description of the phish if you like.

Malicious sites are reported to Haute Secure and phishing to NetCraft not sure how PhisTank is involved here.
In both cases they do share this information with proper authorities and fraud protection lists.

P.S. I know visiting spammed or phish sites are against preferred policy and potentially dangerous.
SO DO USE THIS METHOD WITH CAUTION
On the other hand I have done this over a decade and never got anything malicious in my PC thru Opera! ;) (fingers crossed)


Top
 Profile  
 PostPosted: Wed Feb 04, 2009 3:05 pm   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Very valid points, Veka. If someone wants to view malware sites, including phishing or general spamming sites, it is advisable to view him to view with a text browser such as lynx or something similar and not in a regular browser on a Windows box as the Administrator user, even if the browser is alternative (not IE), examples including: FIrefox or Opera.


Top
 Profile  
 PostPosted: Thu Feb 05, 2009 3:22 am   
Spam Investigator
User avatar

Joined: Wed May 30, 2007 1:51 am
Posts: 253
Location: Tokyo, Japan
Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.


Top
 Profile WWW  
 PostPosted: Wed Apr 01, 2009 12:17 am   
Spam Investigator
User avatar

Joined: Wed Feb 04, 2009 3:23 pm
Posts: 342
pwillener wrote:
Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.


Alternatively it is possible to do it by pasting in the site URL. I've done it, and it works. That way you don't have to be positioned on the site.

Hans :wink:


Top
 Profile WWW  
 PostPosted: Fri Apr 03, 2009 2:08 pm   
Spam Reporter
User avatar

Joined: Thu Jul 05, 2007 9:36 am
Posts: 247
Netcraft offers an Anti-Phishing toolbar for IE and FF.


Top
 Profile  
 PostPosted: Thu Nov 26, 2009 11:15 pm   
Spam Reporter
User avatar

Joined: Fri Mar 23, 2007 4:16 pm
Posts: 206
I've been reporting phishing sites here:
https://submit.symantec.com/antifraud/phish.cgi

_________________
"The trouble with the world is that the stupid are cocksure
and the intelligent are full of doubt." -- Bertrand Russell


Top
 Profile  
 PostPosted: Wed Dec 02, 2009 1:28 am   
Spammer Killing Machine
User avatar

Joined: Thu Apr 03, 2008 4:33 pm
Posts: 590
Location: Florida
Google has a phish reporting form too.
http://www.google.com/safebrowsing/report_phish/

_________________
SpamPoison


Top
 Profile  
 PostPosted: Fri Dec 11, 2009 2:20 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I reported a Wells Fargo phish to spamcop, and not only does Wells Fargo want the spamcop reports, they want copies sent to US-CERT. They have a phish reporting address at [email protected]

I don't know the details of how they are handling them, but they could conceivably replace what PIRT was doing as far as investigating and taking down phish without regard to who the spoof target is.


Top
 Profile  
 [ 19 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008