All You Need to Know About Phishing Website Takedowns

Cyberspace permeates every aspect of our lives today, and our reliance upon it is growing exponentially. There has never been a time when the internet was more important to commerce or to fundamental human rights such as freedom of speech. Unfortunately, this same cyberspace is heavily populated by criminals who exploit its interconnectivity for their own gain, whether by stealing credit card numbers, banking details and identities, or by running spam schemes.

No corner of cyberspace is exempt from criminal activity; even government websites get hacked and hijacked. Some cybercriminals have used legitimate services, such as social networking sites that rely on user-submitted content, to launch massive cyberattacks against U.S. and foreign government websites that were politically critical of their administrations. The defence against such attacks is evolving rapidly, and I hope to provide some insight into this fascinating world.

What is a Fraudulent Domain Name?

A fraudulent domain name is one registered to host a website that mimics a legitimate site in order to deceive visitors and illegally harvest their personal information, which the criminals then use to steal money or identities.

Fraudulent domains have existed for over ten years, but their use has recently increased with the proliferation of social networking sites, which many people regard as safe havens where they can share content with friends and family without worrying about the criminals who lurk there.

How to Spot A Phishing Website

A phishing website attempts to illegally acquire your personal information by mimicking a well-known website (e.g., PayPal), tricking you into believing it is the legitimate site of a bank (e.g., Bank of America) or of another service (e.g., Apple).

Some phishing websites are simple clones, while others are much more complex, containing accurate content and graphics which make them look exactly like their legitimate counterparts.

They usually contain links that lead to the actual website they are spoofing, so by the time you look at your browser’s address bar it shows the legitimate site and the visit appears to have been routed there legitimately. But any personal information submitted on the phishing pages goes directly to the criminals who launched the attack!

Common Domain-Based Attack Vectors

The most popular domain-based attack vectors (the methods by which attackers launch their phishing and malware attacks) are currently:

  • Typosquatting, where an attacker purchases a set of common misspellings of a domain, hoping users will land there instead of at their intended target.
  • Typosquatting on social networks like Facebook, hoping people will mistakenly end up at a malicious page hosted on such platforms.
  • Compromised domains.

Compromised domains result from attackers breaking into websites or computers and stealing their databases or content, then using the resulting look-alike as an apparently legitimate site from which to launch these attacks.

For example, imagine you own a company named Acme Corporation. One day an attacker breaks into your firm, gains access to your database or datastore, and uses it to build a clone of your company’s website.

The only difference is that their pages contain links that send users directly to malicious websites, likely hosting malware designed to steal money or identities (or worse).

These URLs may be hidden deep in the page source using HTML comments, JavaScript obfuscation, and similar tricks.
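As an added example (not code from the article), the Python script below scans a page’s source for links that point away from the site’s own domain, looking in the hiding places just described: HTML comments, base64 strings passed to atob(), and String.fromCharCode() sequences. It is the kind of check a site owner would run over a suspected clone or over their own pages after a compromise. The sample page and the domains acme.example and evil.example are constructed for illustration.

```python
"""Find links on a web page that point away from the site's own domain,
including URLs hidden in HTML comments, base64 strings and
String.fromCharCode() sequences.

Added example, not code from the article. The sample page and the domains
acme.example / evil.example are constructed for illustration."""
import base64
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Runs of base64 text long enough to hold a URL ("http://" encodes as "aHR0cDov").
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

# Constructed sample: a cloned "Acme" page with three injected exfiltration links.
SAMPLE_HTML = """<!-- constructed sample page, not a real site -->
<html><body>
<a href="https://acme.example/contact">Contact</a>
<a href="https://www.acme.example/login">Log in</a>
<!-- TODO remove: http://evil.example/log.php -->
<script>
var u = String.fromCharCode(104,116,116,112,58,47,47,101,118,105,108,46,101,120,97,109,112,108,101,47,115,116,101,97,108);
var p = atob("aHR0cDovL2V2aWwuZXhhbXBsZS9kcm9wLnBocA==");
</script>
</body></html>"""


def decode_base64_candidates(text):
    """Return the decoded text of every base64-looking run that decodes cleanly."""
    decoded = []
    for m in B64_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # bad padding, not base64, or binary
            continue
    return decoded


def find_links(html):
    """Return (location, url) pairs for every URL found in the page."""
    hits = []
    comment_spans = [(m.start(), m.end()) for m in COMMENT_RE.finditer(html)]
    # Plain-text URLs, tagged by whether they sit inside an HTML comment.
    for m in URL_RE.finditer(html):
        inside_comment = any(s <= m.start() < e for s, e in comment_spans)
        hits.append(("comment" if inside_comment else "markup", m.group(0)))
    # URLs assembled from character codes.
    for m in FROMCHARCODE_RE.finditer(html):
        text = "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())
        hits.extend(("fromCharCode", u) for u in URL_RE.findall(text))
    # URLs hidden in base64 blobs.
    for text in decode_base64_candidates(html):
        hits.extend(("base64", u) for u in URL_RE.findall(text))
    return hits


def foreign_links(html, own_domain):
    """Keep only links whose host is neither own_domain nor a subdomain of it."""
    own = own_domain.lower()
    result = []
    for location, url in find_links(html):
        host = (urlparse(url).hostname or "").lower()
        if host != own and not host.endswith("." + own):
            result.append((location, url))
    return result


if __name__ == "__main__":
    for location, url in foreign_links(SAMPLE_HTML, "acme.example"):
        print(f"{location:13s} {url}")
```

Run against the sample, the script reports the comment, fromCharCode and base64 links to evil.example and ignores the two legitimate acme.example links. Real obfuscation comes in many more shapes (string splitting, hex escapes, packers), so a clean result from this scanner is not proof that a page is clean; a hit, however, is worth investigating.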

This technique has been used extensively in recent years and was one of the primary attack vectors behind Operation Emmental, “A Swiss Army Knife,” which successfully attacked over 1600 firms worldwide by compromising their legitimate sites and launching phishing attacks from them.

Phishing Website Takedown and Other Countermeasures

There are various ways to counter these attacks, but they all require a government law enforcement agency to request takedowns from the major domain name registrars (VeriSign, Comodo, and so on). In some countries and jurisdictions this can be done quickly, but in others it may take weeks or months for a site to be removed from DNS.

This means that while a phishing website is live, its reach grows significantly, making the approach very attractive to a criminal looking to launch an attack.

As a result, criminals have recently shown much interest in phishing websites that exist for only hours, or less, before being shut down (e.g., using JavaScript timers), which makes them logistically hard to track.

This has prompted many webmasters to seek out advanced solutions such as On-Demand Phishing “Live Attacks” to improve their chances of success against adversaries whose goal is precisely to set up phishing sites with minimal residual risk.

A Successful Phishing Website Takedown Requires Full-Scale Disruption

If you’ve ever experienced a website outage (including partial or temporary blocking), even for minutes at a time, you know how frustrating it is to lose access to critical information (news articles, financial data, and so on). Imagine the same scenario for your company’s homepage or another key online asset that must remain available 24/7.

When criminals launch attacks against your firm, they may use compromised or typosquatting domains to bypass your content filters and hijack user sessions.

For example, if you are a bank defending against phishing attacks, attackers will likely purchase common misspellings of your domain name (e.g., www.ebank1.com instead of the real www.ebank1bank.com) and then use them to capture user information, account login credentials, and so on.

But what if they decide one day to use their typosquatting domains at several web hosting companies, causing some or all of those hosts to go down for hours? Or what if large Internet backbone providers like Level 3 Communications prevent them from getting online altogether? If this happens, users will not be able to reach those sites, causing significant brand damage. It could also cost your employees productivity and money when they cannot access the sites they need. As such, you must deploy a full-scale disruption solution against typosquatting domains set up by criminals to ensure their attacks are blocked before users are tricked into falling for them.

Offload Complex Phishing and Malware Takedown with Domain Monitoring Service

If you have ever attempted takedowns of phishing websites yourself, you know how challenging and time-consuming they can be, especially when multiple government law enforcement agencies are involved (depending on where the site is hosted).

This usually takes weeks or months of back-and-forth communication, which quickly gets expensive and slows down your incident response. As such, it is in your best interest to use a phishing site takedown service that offloads complex phishing and malware takedowns so you can focus on what matters most: protecting your customers.

This means not only detecting phishers’ typosquatting domains but also getting them blocked immediately by major web hosting companies across the globe, something no one else is doing today.

And as long as criminals keep creating new phishing sites, this service will automatically block their sites before they get online, giving you an immediate advantage over adversaries looking to set up attacks using common variants of your domain name (e.g., www1.yourdomainnamehere).
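As an added example (not the article’s or any vendor’s code) tying together the bank example in the previous section and the idea of catching look-alike domains before they go live: the Python script below generates single-edit variants of a monitored domain, here the article’s ebank1bank.com, and checks a feed of newly observed domains against them, reporting why each hit resembles the brand. The feed, the TLD list and the keyboard-adjacency table are constructed assumptions; in practice the feed would come from a registry zone file or a certificate-transparency log.

```python
"""Generate single-edit look-alike variants of a monitored domain and flag
matching entries in a list of newly observed domains.

Added example, not the article's or any vendor's code. The monitored domain
is the one from the article's bank example; the "newly observed" feed, the
TLD list and the adjacency table are constructed for illustration."""

MONITORED = "ebank1bank.com"
TLDS = ("com", "net", "org", "co", "info")

# Neighbouring keys on a QWERTY layout; digits are left out for brevity.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Constructed "newly registered domains" feed.
NEWLY_SEEN = [
    "ebank1bnak.com",
    "ebamk1bank.com",
    "wwwebank1bank.com",
    "ebank1bank.net",
    "ebank1.com",
    "shop-unrelated.example",
]


def split_domain(domain):
    """'ebank1bank.com' -> ('ebank1bank', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def variants(domain):
    """Map each look-alike domain to the kind of edit that produces it."""
    domain = domain.lower()
    label, tld = split_domain(domain)
    out = {}

    def add(new_label, kind, new_tld=tld):
        candidate = f"{new_label}.{new_tld}"
        if new_label and candidate != domain and candidate not in out:
            out[candidate] = kind

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")                  # ebnk1bank
        add(label[:i] + ch + label[i:], "repetition")               # ebbank1bank
        for key in ADJACENT.get(ch, ""):
            add(label[:i] + key + label[i + 1:], "adjacent-key")   # ebamk1bank
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
    add("www" + label, "www-prefix")                                # wwwebank1bank
    for other in TLDS:
        add(label, "tld-swap", other)                               # ebank1bank.net
    return out


def classify(domain, monitored=MONITORED):
    """Return why `domain` resembles `monitored`, or None if it does not."""
    domain, monitored = domain.lower(), monitored.lower()
    if domain == monitored:
        return None
    kinds = variants(monitored)
    if domain in kinds:
        return kinds[domain]
    label, _ = split_domain(domain)
    mon_label, _ = split_domain(monitored)
    # Catches truncations such as ebank1.com, and brand-in-subdomain tricks.
    if len(label) >= 5 and (label in mon_label or mon_label in label):
        return "brand-substring"
    return None


def scan_feed(feed, monitored=MONITORED):
    """Return (domain, reason) for every feed entry that resembles `monitored`."""
    flagged = []
    for domain in feed:
        reason = classify(domain, monitored)
        if reason:
            flagged.append((domain, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in scan_feed(NEWLY_SEEN):
        print(f"{reason:16s} {domain}")
```

Single-edit generation alone misses multi-character truncations such as the article’s ebank1.com, which is why the substring rule is there; homoglyph, hyphenation and keyword-append variants would need further generators. A flagged domain is an input to the monitoring and takedown process this section describes, not proof of abuse on its own.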

Conclusion

Phishing websites make it increasingly difficult for web admins to protect users against fraud while increasing the risk to their brand value. As such, it is essential to use advanced solutions that provide security-driven views of the domains criminals are using for nefarious purposes, whether they are compromised domains or typosquatting domains set up by adversaries looking to gain access to your systems and networks.

Offloading complex phishing takedowns to a managed service lets you stay focused on the most critical tasks while also reducing the associated costs. Lastly, unless you have 100% confidence in your web application security controls (e.g., WAFs), do not hesitate to deploy professional website monitoring services designed specifically to spot phishing websites before they get online, regardless of whether users have fallen victim to them or whether the attacks arrive via web pages embedded in spam emails, social networking websites, or other user-driven means.

Bhanu Garg: