Once you have been alerted to the fact that your company is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivise the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.
Netcraft’s countermeasures service helps organisations to combat these techniques. Once a phishing site has been detected, Netcraft immediately responds with a set of actions which will significantly limit access to the site, and will ultimately cause the fraudulent content to be eliminated.
Netcraft’s approach is distinguished from other providers of takedown services through its ability to immediately block access to the site for users of a wide range of technologies.
Netcraft Anti-phishing Community and Phishing FeedNetcraft’s phishing site feed is consistently recognised in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs.
Consequently, once the phishing site has been accepted into the feed, access to the site will be blocked for the low billions of people downstream shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.
Additionally, Netcraft will receive notification of phishing attacks through its community of reporters and industry feeds in advance of reports received by you directly, and thereby can reduce the lifetime of the phishing site.
Extensive Automation and PreparationNetcraft’s countermeasures are extensively automated, with local language translations available for every country that has hosted more than six phishing sites in the last six months and an extensive database of contacts at hosting companies, DNS providers, registrars and ISPs set up such that effective countermeasures will be started within seconds of a report being verified.
Additionally, Netcraft continues to monitor a phishing URL after it becomes unavailable, and if it reappears, perhaps because the host is compromised and the fraudster is able to replace the phishing content after the site owner removes it, then the countermeasures are restarted.
Hosting Company and Registrar InteractionNetcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies and domain registrars are Netcraft customers.
Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.
Upstream Bandwidth ProvidersNetcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting location.
Local Law Enforcement AgencyNetcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.
Netcraft also engages with hosting companies to preserve & retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack, and minimising monetary loss.
Transparent Progress ReportingThe takedown process is easy to follow for clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is monitored and graphed and new attacks are notified via mail, SMS and optionally SMS-to-voice.