How to Report an active phishing site - [sketch]

Phishing operations, including perpetrators, how to report them and get them shut down.

Postby meep » Thu Oct 02, 2008 4:55 pm

How to Report an active phishing site



When you determine that you are seeing a phishing spam (where the scammer is spoofing a known brand, obscure or not): if the site is live, report it as soon as you can.


Determine if the phishing site is live

View this site either in a proxy, in a text browser, on a test box using VMware or through a tool such as net.demon. As with other spam you do NOT want to view phishing sites casually. Many have malware installed on them by the phishers.

If you want to do a lot of digging, go up the folders to see if you can find other goodies, such as phish kits or other files that appear to be used to compromise the host. You may find all kinds of nasty things. (will elaborate later on that). You might even find more brands of phishing sites on a compromised host.

Determine if the phishing site is 1 of 3 things

Determine if the phishing site is there because of

1. A compromise, 2. A botnet, 3. A fraudulent account setup.

Usually the compromise is indicated in a URL. Example: mywebsite.com/images/paypal.htm. This is one where the images directory was compromised due to open permissions on the folder.

For a botnet, you will find the phishing domain resolves to many IP addresses. These are harder to report. Many of them are rockphish websites.

A fraudulent account is usually easier to determine because they buy a domain, oftentimes with the spoofed brand in the domain, similar to this: cgi-ebay.com or paypal-login.net. Phishers use URLs that may be a bit similar to logging into sites that are spoofed heavily.


If the phishing site is live, run DNS on it to find the domain, IP, nameservers, and hosting company.

Submit it to phishtank.com and/or castlecops.com/pirt

You need to figure out if the phishing site is a compromise, botnet or a fraud account because it gives you an idea whether to report it to an ISP, the webmaster of a legitimate site and/or the registrar. For fraudulent accounts, you report to the registrar, so botnets and fraud accounts would be reported to the registrar.

Next, I will provide a template on how to report the phishing site(s).

Figuring out who to report the phishing site to:

You will want to notify the host, the webmaster of the compromised website, and possible upstreams. You may want to include the brand that is being spoofed.

( WILL UPDATE MORE LATER: this is a sketch ) - Please let me know if you want to add anything, it is a work in progress.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Postby phuocngo » Fri Jan 02, 2009 6:14 pm

Meep,

Is it possible that you can give me a template on how to report the active phishing site.

Thank you,

Former SIRT trainee

Phuoc
phuocngo
New member
 
Posts: 8
Joined: Wed Dec 24, 2008 2:27 pm

Postby meep » Fri Jan 02, 2009 6:59 pm

Sure, Phuoc, I have some things I can add here. Let me dig through my old notes (may take some time). Thank you for asking. :)

I will continue to modify this, sketch for now.

This is an example for a phishing site that is on a compromised account.

It is important to make your subject line stand out; if you just put "phishing" or use lowercase letters, it may not be seen. Abuse desks weed through thousands of emails, so the key is to make it stand out.

one example:
subject: [ABUSE] PHISHING on 209.21.3.20 / sampledomain.com

Most important is to notify the webhost and the webmaster (IF YOU KNOW THE WEBSITE is LEGITIMATE)

You don't have to CC the spoofed brand, but if you have time, you could do that.


Example:

To: abuse@ ISP
CC: webmaster@domain
CC: spoofed bank example: abuse@bankofamerica.com
CC: reportphishing@antiphishing.org (APWG)

--
Subject line: PHISHING SITE on 209.21.3.20 / sampledomain.com
--

Body:

Please disable this phishing site spoofing Bank of America on

URL: http:// sampledomain.com/admin/phishpage.htm
IP: 209.21.3.20

This page was compromised and is hosting a phishing site. Please disable it immediately, take all measures to secure the website, or disable the website entirely if you are not able to secure it.

Thank you,

--
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm
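
The triage from the first post and the report template from the post above, combined as an added example (not code from anyone in this thread). The brand watch list, the `MANY_IPS` threshold, the `abuse@host.example` address and the function names are assumptions, and the resolved IPs are passed in so the script runs offline:

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

BRANDS = ("paypal", "ebay", "bankofamerica")  # constructed watch list (assumption)
MANY_IPS = 5  # assumption: this many distinct A records suggests a botnet

# Who to notify in each case, as the posts above describe it.
RECIPIENTS = {
    "compromise": ["web host abuse desk", "webmaster of the legitimate site"],
    "botnet": ["registrar"],
    "fraudulent-domain": ["registrar", "web host abuse desk"],
}

def classify(url, resolved_ips):
    """Sort an already confirmed phishing URL into the thread's three cases."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if len(set(resolved_ips)) >= MANY_IPS:
        return "botnet"  # domain resolves to many IP addresses
    if any(brand in host for brand in BRANDS):
        return "fraudulent-domain"  # brand name registered into the domain
    if "/" in parts.path.strip("/"):
        return "compromise"  # page buried in a folder of an unrelated site
    return "unknown"  # needs a manual look

def build_report(url, ip, brand, to_addr, cc_addrs=()):
    """Build the compromised-site abuse e-mail from the template above."""
    msg = EmailMessage()
    msg["To"] = to_addr
    if cc_addrs:
        msg["Cc"] = ", ".join(cc_addrs)
    msg["Subject"] = f"[ABUSE] PHISHING on {ip} / {urlsplit(url).hostname}"
    msg.set_content(
        f"Please disable this phishing site spoofing {brand} on\n\n"
        f"URL: {url}\nIP: {ip}\n\n"
        "This page was compromised and is hosting a phishing site.\n"
        "Please disable it immediately, take all measures to secure the\n"
        "website, or disable the website entirely if you are not able to\n"
        "secure it.\n\nThank you,\n"
    )
    return msg

if __name__ == "__main__":
    # Constructed input: the sample URL and IP from the template above.
    url = "http://sampledomain.com/admin/phishpage.htm"
    case = classify(url, ["209.21.3.20"])
    print(case, "->", RECIPIENTS.get(case, ["manual review"]))
    print(build_report(url, "209.21.3.20", "Bank of America",
                       "abuse@host.example", ["webmaster@sampledomain.com"]))
```
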

Re: How to Report an active phishing site - [sketch]

Postby Forseti » Tue Jan 20, 2009 4:37 pm

Nice!

I would of course underline the importance of reporting it to the web host as well.

In some countries you may be asked to re-format your request and provide information about yourself (I'm thinking about France), you will want to do this, as it is in order to allow the host to act in accordance with their laws on official complaints...
I'd rather be sailing
Forseti
New member
 
Posts: 6
Joined: Mon Jan 19, 2009 5:26 pm

Re: How to Report an active phishing site - [sketch]

Postby meep » Tue Jan 20, 2009 9:29 pm

Thanks, forseti. I need to do one for fraudulently purchased domains for phishing sites. It would be different than the template above as I would include both the Registrar asking for disabling (client hold) and the webhost and possibly those who control the nameservers (could be a different entity).
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: How to Report an active phishing site - [sketch]

Postby phuocngo » Tue Feb 03, 2009 6:43 pm

meep,

Thank you so much for the sample template. It proved to be very helpful in getting the ISP's and the domain administrator's attention.

Somehow I really have a hard time in getting the domain administrator located in a foreign country to cooperate with the request.

Is there any other way we can escalate or speed up the shutdown process?

Thank you

Phuoc
phuocngo
New member
 
Posts: 8
Joined: Wed Dec 24, 2008 2:27 pm

Re: How to Report an active phishing site - [sketch]

Postby meep » Wed Feb 04, 2009 11:20 am

Thanks, Phuoc

phuocngo wrote: Is there any other way we can escalate or speed up the shutdown process?

phuocngo wrote: Somehow I really have a hard time in getting the domain administrator located in a foreign country to cooperate with the request.

Sometimes there are private contacts used. At Castlecops' PIRT some private contacts were established for slow moving registrars. Of course, this was only for some and not inclusive. Phishing reporters have tried to establish relationships with some registrars in Asia for instance, where there may have been language barriers.

Sometimes emailing contacts that have close association might expedite take downs, but overall, there are still lots of unresponsive registrars.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: How to Report an active phishing site - [sketch]

Postby Veka » Wed Feb 04, 2009 12:29 pm

Like to add one very simple way to report both malicious and phish sites.
Maybe not so effective, but it may help somebody who isn't so wise about threats.

1. Download and install Opera browser.
http://www.opera.com/browser/

2. Go to the suspicious site and hit Alt+Enter.
The following menu window will appear:
[Image]

3. Just choose the appropriate choice and click OK.
In both cases the simplest submission is just 2 mouse clicks away.
[Image]
NetCraft can take your mail and short description of the phish if you like.

Malicious sites are reported to Haute Secure and phishing to NetCraft; not sure how PhishTank is involved here.
In both cases they do share this information with proper authorities and fraud protection lists.

P.S. I know visiting spammed or phish sites is against preferred policy and potentially dangerous.
SO DO USE THIS METHOD WITH CAUTION
On the other hand I have done this over a decade and never got anything malicious in my PC thru Opera! ;) (fingers crossed)
Veka
Spam Reporter
 
Posts: 247
Joined: Thu Jul 05, 2007 9:36 am

Re: How to Report an active phishing site - [sketch]

Postby meep » Wed Feb 04, 2009 3:05 pm

Very valid points, Veka. If someone wants to view malware sites, including phishing or general spamming sites, it is advisable to view them with a text browser such as lynx or something similar and not in a regular browser on a Windows box as the Administrator user, even if the browser is alternative (not IE), examples including: Firefox or Opera.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: How to Report an active phishing site - [sketch]

Postby pwillener » Thu Feb 05, 2009 3:22 am

Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.
pwillener
Spam Investigator
 
Posts: 253
Joined: Wed May 30, 2007 1:51 am
Location: Tokyo, Japan

Re: How to Report an active phishing site - [sketch]

Postby HansTheBlueFrog » Wed Apr 01, 2009 12:17 am

pwillener wrote: Firefox users can report a phishing site (for blocking) via Help | Report Web Forgery. You must be positioned on the phishing site to initiate the report.


Alternatively it is possible to do it by pasting in the site URL. I've done it, and it works. That way you don't have to be positioned on the site.

Hans :wink:
HansTheBlueFrog
Spam Investigator
 
Posts: 343
Joined: Wed Feb 04, 2009 3:23 pm

Re: How to Report an active phishing site - [sketch]

Postby Veka » Fri Apr 03, 2009 2:08 pm

Netcraft offers an Anti-Phishing toolbar for IE and FF.
Veka
Spam Reporter
 
Posts: 247
Joined: Thu Jul 05, 2007 9:36 am

Re: How to Report an active phishing site - [sketch]

Postby Bobster » Thu Nov 26, 2009 11:15 pm

I've been reporting phishing sites here:
https://submit.symantec.com/antifraud/phish.cgi
"The trouble with the world is that the stupid are cocksure
and the intelligent are full of doubt." -- Bertrand Russell
Bobster
Spam Reporter
 
Posts: 207
Joined: Fri Mar 23, 2007 4:16 pm

Re: How to Report an active phishing site - [sketch]

Postby ahoier » Wed Dec 02, 2009 1:28 am

Google has a phish reporting form too.
http://www.google.com/safebrowsing/report_phish/
ahoier
Spammer Killing Machine
 
Posts: 593
Joined: Thu Apr 03, 2008 4:33 pm
Location: Florida

Re: How to Report an active phishing site - [sketch]

Postby AlphaCentauri » Fri Dec 11, 2009 2:20 am

I reported a Wells Fargo phish to spamcop, and not only does Wells Fargo want the spamcop reports, they want copies sent to US-CERT. They have a phish reporting address at phishing-report@us-cert.gov

I don't know the details of how they are handling them, but they could conceivably replace what PIRT was doing as far as investigating and taking down phish without regard to who the spoof target is.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am
