Who to complain to about a harmful resource? / Habr
Hello, Habr!
Today we will tell you where you can complain if you have encountered phishing or other malicious sites. This information will not help you completely remove such sites, but it will show you where to go to get them blocked.
A few basics
Domains originate from an American non-profit organization called ICANN. I will not describe the structure of this non-profit in detail, but I will refer you to an excellent article with a detailed description of how the DNS system works. In short, the hierarchy for domain names looks something like this:
To define the word “phishing”, we turn to the official ICANN guide:
“Phishing” is the process of using email and/or websites to illegally obtain usernames, passwords, and financial information.
We need this definition because participants involved in domain blocking refer to it.
Who to complain to?
OK, we have settled on the term. But who do we complain to?
On the same help page, ICANN provides a list of resources and organizations to contact for resource blocking issues (punctuation and grammar preserved):
The list is great, but not exhaustive. We will try to supplement it, and sometimes even expand it.
Registrar and hoster
First of all, on the recommendation of ICANN, we will go to the host and registrar of the domain name with a request to block the resource. To simplify obtaining contacts, we refer to the WHOIS database:
In 99% of cases, in the received data we will find records like “abuse email” or “abuse contact” – specially allocated mailboxes/phone numbers, by which you can contact the registrar to complain about illegal content.
Some hosters accept complaints through specialized contact forms on their website. Sometimes this option is even better, because it lets you attach more evidence of the harmfulness of the resource. Example:
Next, we need to prepare an effective complaint. And what are the main recommendations for writing an abuse letter?
We write a letter to the registrar:
- We use an email address on our own domain (if the phishing is targeting your organization);
- If we represent the attacked organization, we state this;
- URL of the malicious resource (escaped/defanged);
- Screenshot of the malicious resource;
- URL of the VirusTotal scan results (if the resource distributes malware).
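The WHOIS lookup and the letter checklist above, combined into one script; this is an added example, not code from the original article. The WHOIS text is a constructed sample, and the field labels, function names and addresses are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed WHOIS reply (not real data); labels mimic common registrar output.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOGIN.TEST
Registrar: Example Registrar LLC
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5550100
OrgAbuseEmail:  abuse@hosting.example
Registrant Email: privacy@whoisproxy.example
"""

# Only lines whose label mentions "abuse" count; registrant contacts are ignored.
ABUSE_LINE = re.compile(r"^[ \t]*([^:\n]*abuse[^:\n]*):[ \t]*(\S.*?)[ \t]*$", re.I | re.M)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def extract_abuse_contacts(whois_text):
    """Return (emails, phones) taken from the abuse records of a WHOIS reply."""
    emails, phones = [], []
    for label, value in ABUSE_LINE.findall(whois_text):
        found = [e.lower() for e in EMAIL.findall(value)]
        if found:
            emails.extend(e for e in found if e not in emails)
        elif "phone" in label.lower() and value not in phones:
            phones.append(value)
    return emails, phones

def defang(url):
    """Escape a URL so mail clients and ticket systems do not make it clickable."""
    parts = urlsplit(url)
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{parts.scheme.replace('http', 'hxxp')}://{parts.netloc.replace('.', '[.]')}{rest}"

def build_report(url, whois_text, organization=None, screenshot=None, scan_url=None):
    """Assemble the abuse letter: recipients, who we are, escaped URL, evidence."""
    emails, _phones = extract_abuse_contacts(whois_text)
    lines = [f"To: {', '.join(emails) or 'no abuse e-mail found in WHOIS'}",
             f"Subject: Phishing report: {defang(url)}", ""]
    if organization:
        lines.append(f"We represent {organization}, the organization targeted by this site.")
    lines.append(f"Malicious URL (escaped): {defang(url)}")
    if screenshot:
        lines.append(f"Screenshot attached: {screenshot}")
    if scan_url:
        lines.append(f"VirusTotal scan results: {scan_url}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_report("https://example-login.test/signin", SAMPLE_WHOIS,
                       organization="Example Bank", screenshot="signin.png"))
```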
Anti-phishing organizations
Anti-phishing organizations began to actively develop in the early 2000s, when the Internet became widely available and phishing attacks became a frequent phenomenon. Some of these organizations collect data about malicious resources to fill their own databases, while others create publicly available lists of such sites. Here are a few services that first come to mind, but this list is not exhaustive and may be supplemented by other organizations.
Google Safe Browsing is a global service that warns users about potentially dangerous and phishing sites (that familiar red screen). To file a complaint, you need to fill out a special form and specify the address of the suspicious web resource. If the complaint is confirmed, the website may be blocked in browsers that support this service.
Yandex has a similar service – a form for filing complaints about suspicious sites. Users can select a category, be it viruses, phishing or spam, and submit the resource for review. If the site turns out to be malicious, it will be removed from Yandex search results and will become unavailable for navigation in Yandex Browser.
By the way, Yandex allows you to use its database via API – link.
PhishTank is a platform where users can report phishing sites and check URLs already added to the database. All submitted sites are reviewed by both the community and experts, which ensures the relevance and reliability of the data.
Netcraft provides users with convenient anti-phishing tools. You can report suspicious sites by filling out an online form. After checking the entered data, the site will be blocked in systems that use Netcraft services.
CERT is a cybersecurity incident response team dedicated to identifying, analyzing, and remediating cyber threats such as phishing, malware, and more. There are many such teams and they exist at the national and international levels, which allows countries to fight cybercrime together. CERTs work with incidents at all stages: from investigation and identification of the source of the threat to elimination of consequences and prevention of future attacks.
There are various associations of such teams: FIRST, OIC-CERT, APCERT, TF-CSIRT.
What does it give us? Usually, communication channels between a CERT and other local Internet participants are well established, which gives us another lever over the local host and registrar of the malicious resource. Once we know which jurisdiction the malicious resource is in, we can refer the evidence to the local CERT.
Contacting these organizations can be very helpful as they share information about the malicious resources they discover, both with each other and with the cybersecurity community. This allows you to inform end users about new threats faster.
Complain about resources in the .RU/.РФ/.SU zones
Netoscope is a project of the Coordination Center aimed at combating malicious sites registered in the .RU and .РФ zones that are used for phishing, distribution of malware and other illegal activities. You can submit a complaint through the Domain Patrol website, specifying information about the malicious domain. The project works with the support of many large organizations, such as RU-CERT, Kaspersky, Yandex, Dr. Web and many others.
IS Antiphishing is a state initiative to combat phishing and harmful resources on the Internet. To submit a complaint, you must specify the URL of the malicious resource, the URL of the page from which the transition was made (if applicable), and the date of detection of the threat. Complaints are considered in accordance with the legislation of the Russian Federation. The platform supports sending data in Russian and provides the ability to quickly respond to threats.
Another method that should not be neglected is social networks. If your letters with requests to block malicious resources are successfully ignored by the Internet provider and all the above methods do not work, then it always makes sense to write private messages to hosters/registrars or publicly tag them in the feed. Companies that care about their brand will definitely respond to your message.
Example
A site prepared for a targeted attack on a Russian state organization was discovered. One of the users tagged the registrar of this malicious resource under the post, and within half an hour the phishing site was blocked.
Result
For the fastest removal of resources with dangerous content, you should follow these rules:
- The more places we complain to, the shorter the malicious site’s lifespan;
- Do not neglect social networks;
- The more evidence in the form of URLs, screenshots and antivirus engine verdicts (if the site is spreading malware), the better.
The Tinyscope project team was with you. We publish phishing and typosquatting domains registered daily in our Telegram channel – join us!