
SANS ISC: Internet Storm Center


Reporting Malicious Websites in 2018

Published: 2018-07-19
Last Updated: 2018-07-19 20:12:00 UTC
by Kevin Liston (Version: 1)

Back in 2010 I wrote up a quick diary on how to report malicious websites at the end of your incident response process (https://isc.sans.edu/forums/diary/How+Do+I+Report+Malicious+Websites/8719/).  John C, a reader, asked for an update.  Let's see how much has changed in the past 8 years...

Let's start with a framework.  Reports and notifications fall into one of the following categories: takedown, protecting others, and engaging law enforcement.  Takedown aims to stop the problem at the source; failing that, alerting others and adding the site to block lists will help folks downstream.  Engaging law enforcement is more for tracking purposes and to aid them in working larger cases.

Takedown Requests

For takedown, contacting the abuse contact for the domain is a good first step, especially if it's an instance of a compromised site hosting malicious code.  If you think the host was set up in bad faith, the hoster's abuse contact and the domain registrar are where you would want to go.  Despite GDPR, abuse contact email addresses should still appear in the public records.  Nowadays, cloud is more likely to be involved, so here are the abuse reporting pages for the big ones:

You may also run into something hosted on a Content Delivery Network.
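Finding the abuse address in those public records is now usually an RDAP lookup rather than a WHOIS text parse.  The following is an added example, not code from the diary: it walks a constructed RDAP-style JSON record (the domain, registrar and addresses are made up) and pulls out every contact carrying the "abuse" role, including the common case where that contact is nested under the registrar entity.  Fetching a live record from a bootstrap service such as rdap.org is assumed, not shown.

```python
"""Extract abuse contact emails from an RDAP (RFC 7483) domain/IP record.

Added example. SAMPLE_RDAP is a constructed record, not a real registry response;
a live one would come from an RDAP bootstrap service (assumption, e.g. rdap.org).
"""
import json

# Constructed sample: the abuse contact sits under the registrar entity, which is
# how many registrars publish it, and the registrant is redacted (GDPR).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "bad-site.example",
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar"],
                                  ["email", {}, "text", "info@registrar.example"]]],
         "entities": [
             {"objectClassName": "entity", "roles": ["abuse"],
              "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                       ["fn", {}, "text", "Abuse Desk"],
                                       ["email", {}, "text", "abuse@registrar.example"]]]}]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})


def _vcard_emails(entity):
    """Return the email values from an entity's jCard (vcardArray), if any."""
    vcard = entity.get("vcardArray")
    if not vcard or len(vcard) < 2:
        return []
    return [prop[3] for prop in vcard[1] if prop[0] == "email" and len(prop) > 3]


def abuse_contacts(rdap_json):
    """Collect emails of every entity with the 'abuse' role, in document order.

    Entities may nest (registrar -> abuse), so the walk is recursive; duplicates
    are dropped while preserving the order in which they were found.
    """
    found = []

    def walk(node):
        for ent in node.get("entities", []):
            if "abuse" in ent.get("roles", []):
                found.extend(e for e in _vcard_emails(ent) if e not in found)
            walk(ent)

    walk(json.loads(rdap_json))
    return found


if __name__ == "__main__":
    print(abuse_contacts(SAMPLE_RDAP))  # ['abuse@registrar.example']
```

If the walk returns nothing, fall back to the registrar's general contact or the hoster's abuse page; some registries publish the abuse address only in a "remarks" block rather than as an entity.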

Generally for takedown requests it's best to stick to just the facts, perhaps cite the terms of service, and leave it at that.  Threats of legal action or law enforcement just route your request over to the company's legal team, and your request doesn't get worked.  Should you not get the response you were hoping for, it's time to move on to phase two...

Protecting Others

Participate in improving herd immunity by reporting the malicious URL to various protection mechanisms.  These break down into the following classes:

  • Search Engines
  • Browsers
  • Browser Plugins
  • AV and Proxy services
  • DNS services

Flagging a site in a search engine will keep future visitors from stumbling onto it.

Browsers mostly inherit protection from their sponsor: Windows Defender for Internet Explorer, Google Safe Browsing for Chrome, etc.  There are also plugins dedicated to this task, such as Web of Trust (https://www.mywot.com/) and Adblock Plus (https://adblockplus.org); both offer reporting options within their tools.

Anti-virus and proxy tools: while there are plenty of blockers to install, not many still accept reports directly; most digest numerous feeds instead.  Some notable exceptions:

DNS services like OpenDNS (now Cisco Umbrella) allow reclassification requests, but only via their application.  Folks using Google's Public DNS will enjoy protection from SafeSearch (see above).

Local security appliances like Pi-hole, Fingbox, or Circle get their feeds from multiple sources, so submitting to a popular one should trickle down to these users as well.

Engaging Law Enforcement

If you also want to report the activity to law enforcement, I recommend the FBI's Internet Crime Complaint Center (https://www.ic3.gov/default.aspx).  Reports will be correlated and used to build larger cases.

Phishing Specific Reports

Much of the available abuse reporting is still phishing-specific.  For reporting phishing sites, you may want to also inform anti-phishing groups like:

Additionally, alerting the abuse contact of the brand being phished can also be useful.  They can make a trademark-infringement claim against the site to get it taken down.

BEC or Business Email Compromise

While technically unrelated, this is so rampant these days that we'll cover it here too.  If your company has received emails from domains that attempt to mimic your domain, you may also report this activity using the process above.  If they share banking details in the email, the banks involved in the attempted fraudulent transfer will also be quite interested.

Bitcoin Addresses Involved in Fraud, Ransomware, or Extortion

Bitcoin is all the rage these days, so it shows up in abuse cases as well.  The only public list that I'm aware of for bitcoin addresses is: https://bitcoinwhoswho.com/

What Did I Miss?

This is just a starting point, and I'm certain I've missed things.  In the comments below, please focus on sites used to report activity...
