NEW WEBINAR: Watch Netcraft's latest deep dive into P2P messaging scams like never before. Watch now  

Platform Overview > Disruption & Takedowns
Team of developers working together in the office review information on a computer.
Yellow bugs icon

Disruption & Takedowns

Minimize the impact of cyber attacks by blocking and removing malicious content using Netcraft’s automated takedown platform

A woman sits at a desk nook facing a window. She is looking at something not visible on her laptop screen.

Detecting and disrupting cyber threats to mitigate risk

Once a cyber attack—a phishing website, fake social media profile, or fraudulent email, for example—has been detected through Netcraft’s cybercrime detection or by your own team and validated with our threat intelligence process, Netcraft blocks access to the attack and begins the takedown process.

Once blocked, users of the Netcraft apps and extensions are immediately protected. Netcraft also licenses its feeds to browsers and antivirus companies along with internet infrastructure companies, protecting billions of internet users from potential exposure while Netcraft’s automated takedown services work to rapidly take the attack offline completely.

Defeating cyber attacks with unmatched scale and effectiveness

Netcraft’s online brand protection operates 24/7 to discover phishing, fraud, scams, and cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures that malicious content is blocked and removed quickly and efficiently—typically within hours.

Blocked Attacks Icon

0%

of the world’s phishing attacks taken down

Website Host Icon

0M+

threat reports and suspicious URLs analyzed every day

Content Sites icon

0M

cybercrime attacks blocked to date

Global Phishing Icon

0M+

attacks taken down and growing

Rapid takedown of malicious content

Netcraft’s takedown service leverages extensive automation to:

  • gather and present convincing evidence of the malicious content
  • identify hosting providers, domain registrars, webmasters, social media platforms, and others involved in the attack’s infrastructure
  • send notifications to each party using email, API, partner contact, and other escalation channels
  • monitor attacks, during and after the takedown process to ensure it is truly eliminated

Essential to Netcraft’s success is our transparent evidence-driven approach combined with the respect and trust we have earned over decades of experience. This enables productive relationships to disrupt and takedown attacks swiftly.

Disruption and Takedown diagram
Woman with suit jacket reviewing information on a tablet.

Technology is only part of the story

Netcraft services are designed and built by our team of cybercrime experts, who have the agility and experience to adjust to new threats and attack types as they emerge.

While the platform’s automation is designed to operate at scale and around the clock, our technical operational teams can step in to help with escalated website and domain takedowns adding a human touch—including making phone calls and liaising with webmasters, hosting companies and social media platforms.

Frequently Asked Questions

Combining both takedowns and blocking in Netcraft’s threat intelligence feeds together allows cyber attacks to be mitigated most effectively. While Netcraft’s apps and extensions benefit from the full range of blocked attack types, not everybody has these installed and active. Collectively, Netcraft’s threat data partners—which includes browsers and antivirus companies—protect billions of people within minutes and this provides a second layer of protection. That protection is, however, at the discretion of each partner. Some may take longer than others to act and others may vary the protection level across desktop and mobile platforms.

By complementing blocking with takedowns, Netcraft ensures a proactive approach by promptly removing the malicious content at its source, regardless of the devices or systems in use.

Cybercriminals can make use of a variety of different hosting platforms, domain names, and other infrastructure to power their attacks, including:

  • Webmasters: in the case of a compromised website, the webmaster may be entirely unaware of their own website being taken over by a criminal and will be able to respond decisively. In other cases where a lookalike domain has been used, the webmaster is the criminal and contacting them may be actively harmful. 
  • Domain registrars and registries: a domain name registrar handles the purchase and registration of domain names. You can find a website’s registrar information using a database like WHOIS or RDAP. Domain name registries, those that directly control a whole TLD like .fr, can also be involved in some circumstances.
  • Hosting companies: a hosting company provides the platform and services required to keep a website online. Often, a hosting company can provide valuable data, logs, and information left behind by the criminal that can help identify impacted customers and mitigate damage caused by the attack. 
  • Social media platforms: for fake social media profiles, ads, and posts, there is often only a single party with influence over the attack—the social media platform itself.
  • Email providers: Email providers can disable accounts used to disseminate fraudulent emails, including those that link to malicious content. It’s often necessary to have access to the full email, including its mail headers, which detail the origin of the email.
  • Upstream providers: The upstream provider is an internet service provider (ISP) that provides bandwidth and facilitates the connection to a smaller network. In some circumstances, particularly where whole networks appear to be controlled by an attacker, upstream providers may be able to discontinue service. 
  • Law enforcement agencies: Depending on the type and impact of the attack, you may need to contact the law enforcement agency in the hosting company’s local jurisdiction. 

Infrastructure providers need detailed evidence about the attack before they act. The more information provided, the better positioned we are to expedite the takedown. Evidence includes the:

  • URLs and domain names involved in the attack
  • IP address (or addresses)
  • screenshots and videos of the attack
  • known access restrictions. For example, an attack may only be visible on mobile networks in the targeted country. If not provided, the provider will not be able to confirm the attack and will not be able to act on the request.

Netcraft takes an evidence-based approach, leading to the respect and trust we have earned over decades of experience. This enables productive relationships to disrupt and takedown attacks swiftly.

We automatically identify hosting providers, domain registrars, social media platforms, webmasters and others, and determine how to notify them most effectively (via email, API, private contact, or otherwise). We then gather and present evidence of the cyberattack to demonstrate the problem to those with the ability to remove the attack.

Attacks are monitored for seven days after they are taken down, and if malicious content returns, the takedown process is restarted.

Netcraft can remove over 100 different attack types, including phishing, malware, fraudulent social media profiles, fake shops, and brand infringement.

Yes. Our web platforms and flexible APIs integrate with external threat intelligence and enterprise systems, making it simple to track and share critical incident data and events.

Insights

Blog

Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit

Key data  This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September … Read More

Learn More

Blog

Hook’d: How HookBot Malware Impersonates Known Brands to Steal Customer Data 

Key data  This article explores Netcraft’s research into the HookBot malware family and associated attacks on Android devices, including examples … Read More

Learn More

Schedule time with us

Learn more about Netcraft’s powerful brand protection, external threat intelligence and digital risk protection platform