Last Updated: 2018-07-19 20:12:00 UTC
by Kevin Liston (Version: 1)
Back in 2010 I wrote up a quick diary on how to report malicious websites at the end of your incident reponse process (https://isc.sans.edu/forums/diary/How+Do+I+Report+Malicious+Websites/8719/) John C, a reader, asked for an update. Let's see how munch has changed in the past 8 years...
Let's start with a framework. Reports and notifications may fall into one of the following categories: takedown, protecting others, and engaging law enforcement. Takedown is to help stop the problem at the source, but failing that, alerting others and adding it to block lists will help folks downstream. Engaging law enforement is more for tracking purposes and to aid them in working larger cases.
For takedown, contacting the abuse contact for the domain is a good first step. Especially if it's an instance of a compromised site hosting malicious code. If you think the host was set up in bad faith, contacting the hoster's abuse contact and the domain registar is where you would want to go. Despite GDPR, abuse contact email addresses should still appear in the public records. Nowadays, cloud is more likely to be involved so here are the abuse reporting pages for the big ones:
- Amazon AWS: https://aws.amazon.com/forms/report-abuse
- Microsoft Azure: https://portal.msrc.microsoft.com/en-us/engage/cars
- Google Cloud: https://support.google.com/code/contact/cloud_platform_report?hl=en
- Salesforce: https://www.salesforce.com/company/abuse/
- Tencent: has an acceptable use policy - https://cloud.tencent.com/document/product/301/9245
You may also run into something hosted on a Content Delivery Network.
- Cloudflare: https://www.cloudflare.com/abuse/
- Akamai: email@example.com
Generally for takedown request it's best to stick to just the facts, and perhaps cite the terms of service and leave it at that. Threat's of legal action or law enforcement just routes your request over to the company's legal team and your request doesn't get worked. Should you not get the response that you were hoping for, it's time to move on to phase two...
Participate in improving herd immunity by reporting the malicious URL to various protection mechanisms. These break down into the following classes:
- Search Engines
- Browser Plugins
- AV and Proxy services
- DNS services
Flagging a site in a search engine will help future folks from stumbling on the site.
- Google Safe Browsing: http://www.google.com/safebrowsing/report_badware/
- Bing is integrated with Internet Explorer, you can submit a url under Tools / SmartScreen Filter / Report Unsafe Website
Browsers mostly inherit protection from their sponsor, Windows Defneder for internet explorer, Google Safe Browsing for Chrome, etc. There are some plugins dedicated to this task. Plugins also help, those like web of trust (https://www.mywot.com/) and Adblock Plus(https://adblockplus.org) Both offer reporting options within their tools.
Anti-virus and proxy tools. While there are plenty of options to install blockers, not a lot still accept reports, but digest numerous feeds. Some notable execptions:
- Windows Defender: https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site
- Norton Safe Web: https://safeweb.norton.com/
- Symantec/Bluecoat Site review: http://sitereview.bluecoat.com/
DNS services like OpenDNS (now Cisco Umbrella) allow reclassification request, but only via their application. Folks using Google's Public DNS will enjoy protection from SafeSarch, see above.
Local security appliances like pi-hole, or fingbox or circle get their feeds from multiple sources, so submitting to a popular one should trickle down to these users as well.
Engaging Law Enforcement
If you also want to report the activity to law enforcement, I recommend the FBI's Internet Crime Complaint Center (https://www.ic3.gov/default.aspx) Reports will be correlated and used to build larger cases.
Phishing Specific Reports
Much of the available abuse reporting is still phishing-specific. For reporting phishing sites, you may want to also inform anti-phishing groups like:
- Phishtank: https://www.phishtank.com/
- Anti-Phishing Working Group: email firstname.lastname@example.org
Aditionally alerting the abuse contact of the brand that is being phished can also be useful. They can make a trademark-infringement claim upon the site to get it taken down.
BEC or Business Email Compromise
While technically unrelated, this is so rampant these days that we'll cover it here too. If you're company has received emails from domains that attempt to mimic your domain, you may also report this activity using the process above. If they share banking details in the email, the banks involved in the attempted fraudlent transfer will also be quite interested.
Bitcoin Addresses Involved in Fraud, Ransomware, or Extortion
Bitcoin is all the rage these days, so it shows up in abuse cases as well. The only public list that I'm aware of for bitcoin is: https://bitcoinwhoswho.com/
What Did I Miss?
This is just a starting point, and I'm certain I've missed things. Try to focus on sites used to report activity in the comments below...
If you have more information or corrections regarding our diary, please share.