InfoSec Guide: Taking Down Fraudulent Domains (Part 2)

by Cedric Pernet, Senior Threat Researcher
Trend Micro Cyber Safety Solutions Team

After monitoring and detecting suspicious domains before they can be used for fraud, now what? Affected businesses should deactivate them so fraudsters won’t be able to use them for their schemes. But how can these fraudulent domains be taken down?

First, consider the legal aspects: They play significant roles and differ per country. Some have laws that tend to make internet service providers (ISPs) actively react to online fraud while others don’t.

When fraudulent or abused domains are concerned, collaboration between multiple parties is key, from the IT/information security staff and system administrators who guard the company’s online perimeters down to the decision makers and ISPs themselves. The vast majority of ISPs, in fact, are actually very responsive and willing to help when it comes to combatting fraud, especially when it abuses their infrastructure and services.

When notified of cybercriminal or fraudulent activity, or even infringement of trademark in a domain name, ISPs are usually proactive in thwarting it on their side. Familiarity with how ISPs, Computer Security Incident Response Teams, and Computer Emergency Response Team (CSIRTs, CERTs) handle these cases also helps.

What’s in a (fraudulent) domain name?

A fraudulent domain (including its registration) is any domain name that in itself constitutes an infraction, or which was or is used to commit fraud. A domain name, for instance, can contain the name of a brand or company; the existence of a fraudulent domain itself already denotes trademark infringement. This is one of the easiest cases for domain takedowns, for obvious reasons.

A domain name, however, can also be unrelated to a company or brand, but used for cybercrime. It can be used to send malware-laden emails, for instance, or host fraudulent content, like spear-phishing.

Let’s imagine a domain name trend-m1cr0.com has been registered. Its operator starts hosting a fake banking company page for his phishing scheme. A banking company would probably want to have the domain deactivated as soon as possible to limit the fraud that may be carried out with it, even though the domain name is completely unrelated. Cybercrime can come in different shapes and sizes: hosting malware, phishing content and other scams, using it as command-and-control infrastructure, as a Simple Mail Transfer Protocol (SMTP) server for sending malicious emails, or as a repository of stolen data or illegal content. 

Who can help take down fraudulent domains?

Domain takedowns can only be done at the registrar level. The registrar who created the domain name is the party responsible for having it removed or deactivated when needed. However, if the registrar is unresponsive or if there’s a need for urgent action, other parties can step in, such as CSIRTs or CERTs who are used to dealing with domain takedowns. They also have the social network to help speed things up. Registrars accredited by ICANN are obliged to provide contact information and address reports of abuse or compromise.

Don’t forget content deactivation!

In cases where the scammers use domain names that point to fraudulent content, contacting the hosting company would be prudent. And more often than not, hosting companies are also the registrars.

In phishing, for instance, where fraudsters host a copy of a legitimate website on a server, it can be useful to contact the hosting company. They can promptly remove the content or close the hosting account once they’ve confirmed it.

Other hosting companies would first contact the account owner to warn him about the content hosted in his page. It makes sense especially if the compromised website's owner had no prior knowledge or consent. If attesting to the fraudulent activity proves challenging, it’s best to come prepared: For example, reporting phishing emails sent by a server but not sending a copy of the email (with full headers) will probably get a lukewarm response or request to provide more information.

The Takedown

Determining the registrar is one of the information needed to take down a fraudulent domain. A simple WhoIs request can take care of that: It can identify the registrar and even display contact information (email and phone) for reporting abuse. If the domain name was registered by a reseller, it is also identified in the WhoIs information, in which case contacting the reseller may also be a good idea. Note though that contact information on WhoIS may be masked (via Private Domain Registration/WhoIs masking) for privacy and security reasons, and are instead replaced with the contact information of a forwarding service. ICANN accordingly requires them to publish terms of service and points of contact in cases of abuse or infringement.

What does it take to request a fraudulent domain takedown? The process is actually straightforward:

Contacting the Abuse Team by email address

The first move should always involve sending an email to the Abuse team of the concerned registrar. Those services are generally 24/7 (at least for the big registrars), or at least available during working hours. Some have an automated ticketing system that can provide a reference for further contacts, which makes the whole process a bit faster because you don’t have to repeat the whole story every time you contact someone.

Note that in cases of phishing websites or similar content where the cybercriminals actually built up a website, contacting the hosting company and the registrar simultaneously is recommended. Odds are good that the hosting company reacts faster than the registrar and already removed the fraudulent content. Some hosting companies will advise that the content can only be modified by the customer, especially if the owner’s website is compromised. In that case, go for the website administrator and try to have the content taken down as soon as possible. Some registrars and hosting services actually have an abuse portal/form where response could be faster than email. 


Contacting the Abuse Team by phone and collaborating with CSIRTs if needed

It is also a good move to call the Abuse Team after sending an email, especially for urgent matters. You might have already received the ticket number from an automated email, and reaching them by phone can help spur a more proactive action. Some teams may handle incidents by number, and others might consider taking immediate action if the fraud is well-explained. In cases where the website is compromised, try contacting its owner by phone, too. If the first two steps have not provided immediate results, try searching for others who could help. Ask your own contacts if needed. This can also be a time to collaborate with a CSIRT team or a related public or private organization.

Explain your report in detail

Disclose your report with as much detail as possible. Are you an information security professional, or system administrator, who has encountered cybercriminal activity within your company’s online infrastructure? Did you stumble upon a malware hosted on your site? How does this report impact you or your organization? How did you uncover the fraud — and do you have the evidence of abuse to back it up? Does it need an urgent response and action?

When done in a timely manner, fraudulent domain monitoring, detection, and takedown help stops fraud in its tracks. It is often a collaboration between different teams — from compiling the necessary evidence and contacting and working with the appropriate people to disclosing your report. They can also be a deterrent: Once the cybercriminal realizes you’re keeping up with his tricks, he will call it quits and move on.

Apart from having a proactive — and ideally, automated — domain monitoring as part of the organization’s information security and risk management strategies, having a web reputation security mechanism within the online infrastructure also helps. This adds an additional layer of security for keeping malicious or fraudulent domains and websites at bay.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.