by Cedric Pernet, Senior Threat Researcher
Trend Micro Cyber Safety Solutions Team
After monitoring and detecting suspicious domains before they can be used for fraud, now what? Affected businesses should deactivate them so fraudsters won’t be able to use them for their schemes. But how can these fraudulent domains be taken down?
First, consider the legal aspects: They play significant roles and differ per country. Some have laws that tend to make internet service providers (ISPs) actively react to online fraud while others don’t.
When fraudulent or abused domains are concerned, collaboration between multiple parties is key, from the IT/information security staff and system administrators who guard the company’s online perimeters down to the decision makers and ISPs themselves. The vast majority of ISPs, in fact, are actually very responsive and willing to help when it comes to combatting fraud, especially when it abuses their infrastructure and services.
When notified of cybercriminal or fraudulent activity, or even infringement of trademark in a domain name, ISPs are usually proactive in thwarting it on their side. Familiarity with how ISPs, Computer Security Incident Response Teams, and Computer Emergency Response Team (CSIRTs, CERTs) handle these cases also helps.
What’s in a (fraudulent) domain name?
A fraudulent domain (including its registration) is any domain name that in itself constitutes an infraction, or which was or is used to commit fraud. A domain name, for instance, can contain the name of a brand or company; the existence of a fraudulent domain itself already denotes trademark infringement. This is one of the easiest cases for domain takedowns, for obvious reasons.
A domain name, however, can also be unrelated to a company or brand, but used for cybercrime. It can be used to send malware-laden emails, for instance, or host fraudulent content, like spear-phishing.
Let’s imagine a domain name trend-m1cr0.com has been registered. Its operator starts hosting a fake banking company page for his phishing scheme. A banking company would probably want to have the domain deactivated as soon as possible to limit the fraud that may be carried out with it, even though the domain name is completely unrelated. Cybercrime can come in different shapes and sizes: hosting malware, phishing content and other scams, using it as command-and-control infrastructure, as a Simple Mail Transfer Protocol (SMTP) server for sending malicious emails, or as a repository of stolen data or illegal content.
Who can help take down fraudulent domains?
Domain takedowns can only be done at the registrar level. The registrar who created the domain name is the party responsible for having it removed or deactivated when needed. However, if the registrar is unresponsive or if there’s a need for urgent action, other parties can step in, such as CSIRTs or CERTs who are used to dealing with domain takedowns. They also have the social network to help speed things up. Registrars accredited by ICANN are obliged to provide contact information and address reports of abuse or compromise.
Don’t forget content deactivation!
In cases where the scammers use domain names that point to fraudulent content, contacting the hosting company would be prudent. And more often than not, hosting companies are also the registrars.
In phishing, for instance, where fraudsters host a copy of a legitimate website on a server, it can be useful to contact the hosting company. They can promptly remove the content or close the hosting account once they’ve confirmed it.
Other hosting companies would first contact the account owner to warn him about the content hosted in his page. It makes sense especially if the compromised website's owner had no prior knowledge or consent. If attesting to the fraudulent activity proves challenging, it’s best to come prepared: For example, reporting phishing emails sent by a server but not sending a copy of the email (with full headers) will probably get a lukewarm response or request to provide more information.
Determining the registrar is one of the information needed to take down a fraudulent domain. A simple WhoIs request can take care of that: It can identify the registrar and even display contact information (email and phone) for reporting abuse. If the domain name was registered by a reseller, it is also identified in the WhoIs information, in which case contacting the reseller may also be a good idea. Note though that contact information on WhoIS may be masked (via Private Domain Registration/WhoIs masking) for privacy and security reasons, and are instead replaced with the contact information of a forwarding service. ICANN accordingly requires them to publish terms of service and points of contact in cases of abuse or infringement.
What does it take to request a fraudulent domain takedown? The process is actually straightforward:
Contacting the Abuse Team by email address
Contacting the Abuse Team by phone and collaborating with CSIRTs if needed
Explain your report in detail
When done in a timely manner, fraudulent domain monitoring, detection, and takedown help stops fraud in its tracks. It is often a collaboration between different teams — from compiling the necessary evidence and contacting and working with the appropriate people to disclosing your report. They can also be a deterrent: Once the cybercriminal realizes you’re keeping up with his tricks, he will call it quits and move on.
Apart from having a proactive — and ideally, automated — domain monitoring as part of the organization’s information security and risk management strategies, having a web reputation security mechanism within the online infrastructure also helps. This adds an additional layer of security for keeping malicious or fraudulent domains and websites at bay.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale