Phishing Site Takedown & Countermeasures

Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.

Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivise the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.

Netcraft’s countermeasures service helps banks and other financial organisations to combat these techniques. Once a phishing site has been detected, Netcraft immediately responds with a set of actions which will significantly limit access to the site, and will ultimately cause the fraudulent content to be eliminated.

Netcraft’s approach is distinguished from other providers of takedown services through its ability to immediately block access to the site for users of a wide range of technologies, and to provide information back to the bank that will identify compromised accounts.

Uptime Graph for Takedown

Countermeasures

Netcraft Toolbar Community and Phishing Feed

Netcraft’s phishing site feed is consistently recognised in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs.

Consequently, once the phishing site has been accepted into the feed, access to the site will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.

Additionally, Netcraft will receive notification of some phishing attacks through its Netcraft Toolbar community in advance of reports received by the bank directly, and thereby can reduce the lifetime of the phishing site.

Extensive Automation and Preparation

Netcraft’s countermeasures are extensively automated, with local language translations available for every country that has hosted more than five phishing sites in the last six months [September 2008] and an extensive database of contacts at hosting companies, DNS providers, registrars and ISPs set up such that effective countermeasures can be started within seconds of a report being verified.

Additionally, Netcraft continues to monitor a phishing URL after it becomes unavailable, and if it reappears, perhaps because the host is compromised and the fraudster is able to replace the phishing content after the site owner removes it, then the countermeasures are restarted.

Hosting Company and Registrar Interaction

Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies and domain registrars are Netcraft customers.

Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.

Upstream Bandwidth Providers

Netcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting location.

Local Law Enforcement Agency

Netcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.

Fraudster’s Infrastructure

Netcraft can also report back IP addresses which are under the control of the fraudster. This can be used to lock accounts accessed from those IP addresses, and to block further access from the fraudster’s machines once identified.

Netcraft also engages with hosting companies to preserve & retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack, and minimising monetary loss.

Transparent Progress Reporting

The takedown process is easy to follow for clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is monitored and graphed and new attacks are notified via mail, SMS and optionally SMS-to-voice.

Takedown Progress

Complementary Services

Netcraft’s Scamalert service uses Netcraft’s extensive collection of DNS and web content to search for and pre-empt fraud and phishing attacks. Netcraft can additionally provide security testing for a company’s own website to search for vulnerabilities which may assist fraudsters, such as cross site scripting, and supply a range of reputation feeds to assist banks’ authentication processes.

Bespoke Options Available

Additional bespoke anti-fraud activities are also available.

Next Steps

Please contact us sales@netcraft.com, +44-1225-447500, to discuss your requirements.