How to take a malicious website down – The hard way

The setup

If you have an online presence, chances are your brand, or more specifically your Internet domain, is a target for cybercriminals. As we highlighted in previous blogs, cybercriminals have a distinct advantage using typosquatting techniques to stage high-volume web-based attacks. Check out our earlier blog What Every CISO Should Do to Fight Typosquat Attacks for more on that topic.

So how do you take these sites down? Well, the short answer is not easily, especially if there are a lot of malicious sites to contend with and you plan to do it manually. But let’s say you are a glutton for punishment and do try to take it on. Here’s how to take a malicious website down, the hard way. Keep in mind these steps are for just one site. If you have multiple sites to take down, you'll need to repeat these steps for every site.

The 5 not-so-easy manual steps to take a malicious website down

Step 1: Find the malicious site. Sure, it’s the obvious starting point for this exercise, but finding a malicious site is not necessarily easy. Some compare it to trying to find a needle in a haystack. The best way to find a malicious site is by having a Domain Risk Management practice in place, to proactively discover and track the weaponization of a site that is now a candidate for takedown. Without such a practice in place, malicious sites will go undetected until they’re live and doing their damage. Either way, whether you find it proactively (hopefully) or while under attack, you’ll need the URL (or set of URLs) to launch your investigation.

Step 2: Inspect the URL. With the URL in hand, the next step is to inspect it for signs of phishing or fraud. For this, do not simply open up a browser and key in the URL. Use a proper URL scanning tool like CheckPhish (www.checkphish.ai) to inspect the URL properly and safely. With CheckPhish you’ll get an instant verdict with detailed evidence including all the network and hosting provider information, geo-location, plus a screenshot of the site. This information will serve as your critical evidence when building the case for a site takedown.

Figure 1. Sample scan results: CheckPhish Insights Page  –  Scan a URL yourself at: www.checkphish.ai

Step 3: Report abuse, submit evidence. With evidence collected, the next step is to report abuse and pursue a site takedown. If you visited CheckPhish and did a URL scan, you’ll see there is a field for Abuse Contact. You’ll need that to start the email process. Include in the email as much evidence as you can supporting the site takedown: signs of credential theft (login fields), logo abuse, invalid URL. Additional supporting evidence such as passive DNS information, presence of phishing kits and more can be found as part of the CheckPhish scan results to help bolster your case.

Figure 2. Abuse Contact example found on CheckPhish Insights Page

Step 4: Wait. With evidence submitted it’s now a waiting game. Action could occur within a few hours if you’re lucky, but chances are this step will take days. Hosting providers will act the fastest when presented with phishing sites and solid evidence. But in many cases, and especially when evidence gets murky, the process can be quite drawn out. It’s not uncommon for this step to take a week or two, or even longer. Persistence will be the name of the game to see things through to a successful takedown.

Step 5: Monitor the takedown. If you’ve gotten to this point and successfully taken a site down, the next step is to monitor the Internet to make sure the site doesn’t simply reappear on another hosting provider’s network. Many describe it as a potential game of whac-a-mole: take a site down, see it pop back up somewhere else, take it down again, see it pop up yet somewhere else, take it down yet again. Without monitoring the takedown for recurrence, this game will persist, leaving you chasing your tail.

Step 6: Repeat for other malicious sites. Most likely, if you’ve come across a malicious site stepping on your brand and business, there are more. Hopefully you’re able to find them. And for the ones you do find, repeat Steps 1-5.
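As an added example (not code from the original post or from Bolster), here is a small Python monitor for Step 5: it records what each taken-down domain resolves to and whether it still answers HTTP, and flags a domain that is serving again ("resurfaced") or that is still up but has moved to other hosting ("moved"), either of which means another abuse report is due. The observation format, the placeholder domain under the reserved .test TLD and the demo timeline are constructed; `observe_live` is the only part that touches the network and is not exercised by the demo.

```python
import socket, urllib.error, urllib.request
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
@dataclass(frozen=True)
class Observation:
    domain: str
    ips: FrozenSet[str]          # resolved A records; empty = no DNS answer
    http_status: Optional[int]   # None = no HTTP response at all
    def live(self) -> bool:      # resolves and serves a non-error page
        return bool(self.ips) and self.http_status is not None and self.http_status < 400

def classify(prev: Optional[Observation], cur: Observation) -> str:
    if not cur.live():
        return "down"
    if prev is None:
        return "live"
    if not prev.live():
        return "resurfaced"          # came back after takedown: report it again
    if cur.ips.isdisjoint(prev.ips):
        return "moved"               # still up, but on other hosting: report it again
    return "live"

def track(observations: List[Observation]) -> List[str]:
    # Feed checks in time order; keeps only the last observation per domain.
    last, out = {}, []
    for obs in observations:
        out.append(classify(last.get(obs.domain), obs))
        last[obs.domain] = obs
    return out

def observe_live(domain: str, timeout: float = 5.0) -> Observation:
    """Real check (not used by the offline demo); run it from an isolated host."""
    try:
        ips = frozenset(i[4][0] for i in socket.getaddrinfo(domain, 80, socket.AF_INET))
    except socket.gaierror:
        return Observation(domain, frozenset(), None)
    try:
        req = urllib.request.Request(f"http://{domain}/", method="HEAD")
        status = urllib.request.urlopen(req, timeout=timeout).status
    except urllib.error.HTTPError as e:
        status = e.code              # a 403/404 still proves the host answers
    except (urllib.error.URLError, OSError):
        status = None
    return Observation(domain, ips, status)
# Constructed timeline (not real data; placeholder domain under the reserved .test TLD).
DEMO_TIMELINE = [
    Observation("brand-typo-example.test", frozenset({"203.0.113.10"}), 200),
    Observation("brand-typo-example.test", frozenset(), None),
    Observation("brand-typo-example.test", frozenset({"198.51.100.7"}), 200),
    Observation("brand-typo-example.test", frozenset({"192.0.2.55"}), 301),
]
```

`track(DEMO_TIMELINE)` returns `['live', 'down', 'resurfaced', 'moved']`; a parked domain that answers 200 still counts as live, so compare the screenshot or content before filing again.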

When things get tricky

The above steps will work for the most part with time and patience, but things can get tricky. Here’s when:

First, if you’re dealing with a brand or trademark infringement, or even counterfeit sales, the takedown process will invariably take longer and reporting abuse alone will not be sufficient. In many of these cases you will need to enlist Legal support to also issue ‘cease and desist’ notifications to various parties. This will invariably require more time and of course more money. But don’t lose hope, there are some techniques that you can enlist, and you can be successful, just expect it to be time-consuming and costly.

Situations can also get tricky if you’re looking to take down a site hosted in a not-so-friendly place in the world. I won’t name names here, but you will find that some countries are less stringent about enforcing against abuse, making takedowns more challenging unless you know the ins and outs of how things work in that country. In some cases, you may need to work with country-specific anti-abuse authorities to report abuse and see a site through to takedown. Here especially, seeking professional assistance with the takedown, or set of takedowns, is highly recommended.

Other options?

What if the hosting provider is entirely unresponsive? Can you go up the food chain to the registrar that issued the domain? The answer is yes, but working with registrars will be time-consuming, especially if you have no prior relationship with them. The initial steps are the same: gather evidence, report abuse. To get the abuse contact for the registrar, run a simple ‘whois’ on the malicious domain; registrar WHOIS records for gTLD domains carry a dedicated registrar abuse contact email and phone number. Then start the process.

You may also ask about Uniform Domain-Name Dispute-Resolution Policy (UDRP) style takedowns, and whether that approach can be employed. The short answer is ‘possibly’. UDRP takedowns are time-consuming and can be costly, since they are resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name. So, if you are under attack and have a lot of sites to contend with, it will not be the fastest approach to employ.

And what about a Digital Millennium Copyright Act (DMCA) style takedown, you may ask? Is that an option? The short answer here is ‘yes, but’. A DMCA Takedown Notice is a specific type of takedown for copyright infringements in the United States. DMCA takedowns are effective, but they are time-consuming and enforceable only in the United States. Some countries will comply based on copyright abuse, but there is no legal obligation. To start, you'll need proof of the copyrighted content. Additionally, since a DMCA takedown notice is a legal notice, specific legal language and information is required, including the location of the original copyrighted works, the location of the infringing content, a “good faith belief” statement and an “under penalty of perjury” statement.

Final thoughts, for now

Hopefully through this blog you’ve come to appreciate the steps and evidence required to take a malicious website down manually. With time and patience, it can be done. But if you’re dealing with a lot of sites, or sites in regions where abuse is harder to enforce, or, as is often the case, a combination of both, then you should really consider enlisting professionals. In the next blog we’ll introduce the easy way to do all this using Bolster’s auto-takedown service.

Whac-a-mole is a registered trademark of Mattel, Inc.

*** This is a Security Bloggers Network syndicated blog from Bolster Blog authored by Jeff Baher. Read the original post at: https://bolster.ai/blog/how-to-take-a-malicious-website-down-the-hard-way/