Reporting Malicious Websites in 2018

Published: 2018-07-19
Last Updated: 2018-07-19 20:12:00 UTC
by Kevin Liston (Version: 1)
2 comment(s)

Back in 2010 I wrote up a quick diary on how to report malicious websites at the end of your incident reponse process (https://isc.sans.edu/forums/diary/How+Do+I+Report+Malicious+Websites/8719/)  John C, a reader, asked for an update.  Let's see how munch has changed in the past 8 years...

Let's start with a framework.  Reports and notifications may fall into one of the following categories: takedown, protecting others, and engaging law enforcement.  Takedown is to help stop the problem at the source, but failing that, alerting others and adding it to block lists will help folks downstream.  Engaging law enforement is more for tracking purposes and to aid them in working larger cases.

Takedown Requests

For takedown, contacting the abuse contact for the domain is a good first step.  Especially if it's an instance of a compromised site hosting malicious code.  If you think the host was set up in bad faith, contacting the hoster's abuse contact and the domain registar is where you would want to go.  Despite GDPR, abuse contact email addresses should still appear in the public records.  Nowadays, cloud is more likely to be involved so here are the abuse reporting pages for the big ones:

You may also run into something hosted on a Content Delivery Network. 

Generally for takedown request it's best to stick to just the facts, and perhaps cite the terms of service and leave it at that.  Threat's of legal action or law enforcement just routes your request over to the company's legal team and your request doesn't get worked.  Should you not get the response that you were hoping for, it's time to move on to phase two...

Protecting Others

Participate in improving herd immunity by reporting the malicious URL to various protection mechanisms.  These break down into the following classes:

  • Search Engines
  • Browsers
  • Browser Plugins
  • AV and Proxy services
  • DNS services

Flagging a site in a search engine will help future folks from stumbling on the site. 

Browsers mostly inherit protection from their sponsor, Windows Defneder for internet explorer, Google Safe Browsing for Chrome, etc.  There are some plugins dedicated to this task.  Plugins also help, those like web of trust (https://www.mywot.com/) and Adblock Plus(https://adblockplus.org) Both offer reporting options within their tools.

Anti-virus and proxy tools.  While there are plenty of options to install blockers, not a lot still accept reports, but digest numerous feeds.  Some notable execptions:

DNS services like OpenDNS (now Cisco Umbrella) allow reclassification request, but only via their application.  Folks using Google's Public DNS will enjoy protection from SafeSarch, see above.

Local security appliances like pi-hole, or fingbox or circle get their feeds from multiple sources, so submitting to a popular one should trickle down to these users as well.

Engaging Law Enforcement

If you also want to report the activity to law enforcement, I recommend the FBI's Internet Crime Complaint Center (https://www.ic3.gov/default.aspx)  Reports will be correlated and used to build larger cases.  

Phishing Specific Reports

Much of the available abuse reporting is still phishing-specific.  For reporting phishing sites, you may want to also inform anti-phishing groups like:

Aditionally alerting the abuse contact of the brand that is being phished can also be useful.  They can make a trademark-infringement claim upon the site to get it taken down.

BEC or Business Email Compromise

While technically unrelated, this is so rampant these days that we'll cover it here too.  If you're company has received emails from domains that attempt to mimic your domain, you may also report this activity using the process above.  If they share banking details in the email, the banks involved in the attempted fraudlent transfer will also be quite interested.

Bitcoin Addresses Involved in Fraud, Ransomware, or Extortion

Bitcoin is all the rage these days, so it shows up in abuse cases as well.  The only public list that I'm aware of for bitcoin is: https://bitcoinwhoswho.com/

What Did I Miss?

This is just a starting point, and I'm certain I've missed things.  Try to focus on sites used to report activity in the comments below...

Keywords:
2 comment(s)

Comments

You might want to add https://urlhaus.abuse.ch/ as well :-)
Under protecting others (and yourself) depending on the situation, reporting to various filtering platforms/organization can help.
When we have a typo-squatter domain appear trying to be mistaken for us, in addition to working for a takedown, I often will submit it for classification to some of these:
https://community.opendns.com/domaintagging/
sitereview.bluecoat.com
https://urlfiltering.paloaltonetworks.com/query/
https://www.brightcloud.com/tools/change-request-url-categorization.php#

there are probably others...

Also, where there should be an abuse@ contact provided, in those cases where I couldn't find one I've had some success using some of these:
privacy@ , security@ , security-team@ and legal@ .

- Steve

Diary Archives