Flagging Fraud—Alerting a Website of Fraud on Their Domain
Part of IID's Takedown Taekwondo Series
We have shown you how to identify a malicious Internet location and how to determine where it lives in our ongoing Takedown Taekwondo series. But what do you do with that information? Today in our continued education about taking down phishing websites and sites loading malware, we will show you how IID alerts site owners and/or administrators about fraud hosted on their domains.
Phishing sites are sometimes located on domains that were registered by cyber criminals solely for the purpose of perpetrating fraud, and generally speaking, the registrar who sold that domain will get involved to kill the site once fraud is established. Other times, cyber criminals will forgo registering their own fraudulent domains and will instead hack into the legitimate websites of businesses or individuals in order to add a phishing page to the already-existing domain. For a cyber criminal with the technical skill, hacking an existing website makes things a little easier, as it doesn’t require stolen credit card information or setting up a brand new domain. Instead, the phisher just quickly adds a file to the legitimate website and spams out the new URL.
Looks like a legit site
Typically, the innocent owners of hacked websites are blissfully unaware that anything is amiss. After all, their websites look just as they always did because the owners are not looking for anything out of the ordinary. For example, typing www.familyphotographs.com into a browser’s address bar brings up the unaltered website that the owner would expect to see. Only those clicking to the site from a URL in a spam email will end up on the phishing site located at www.familyphotographs.com/yourbank. The site owner would never even know that this directory had been added to their site unless they went looking for it. And why would they go looking? As far as they know, their site is secure.
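As an added example (not part of the original IID post), here is a small file-integrity check a site owner could run to notice the kind of silently added directory described above: take a manifest of the web root while the site is known-good, then compare later. The web root contents and path names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(webroot):
    """Map every file under webroot (relative POSIX path) to its SHA-256 digest."""
    root = Path(webroot)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_snapshots(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def unexpected_directories(report):
    """Top-level directories that exist only because of newly added files."""
    return sorted({p.split("/", 1)[0] for p in report["added"] if "/" in p})


def demo():
    """Constructed web root: the owner's site, then an uninvited directory appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Family Photographs</h1>\n")
        (root / "gallery").mkdir()
        (root / "gallery" / "2012.html").write_text("<p>Summer album</p>\n")
        baseline = snapshot(root)  # taken while the site is known-good
        # The scenario from the post: a new directory is dropped in while index.html
        # is untouched, so the front page still looks exactly as the owner expects.
        (root / "yourbank").mkdir()
        (root / "yourbank" / "index.html").write_text("<p>constructed placeholder page</p>\n")
        report = diff_snapshots(baseline, snapshot(root))
        report["new_dirs"] = unexpected_directories(report)
        return report
```

Running the comparison on a schedule (and storing the baseline manifest somewhere the web server cannot write to) turns "they would never know unless they went looking" into a routine alert.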
Reaching out to site owners
Making contact with the site owners is always a primary goal when seeking to remove phish from hacked websites. Site owners have ultimate authority to make changes to their own sites, including removing fraudulent content. Not only do they have the authority, but of course, they have an incentive, too. Removing phishing pages from their websites eliminates a likely violation of terms of service with their hosting provider and clears up their good name in regards to fraud that might otherwise appear to be on their website intentionally. Contacting the site owner can even give you a jump on getting the phishing site killed if they are located in a different part of the world than the ISP where the site is hosted. You might catch the site owner awake and ready to help even if it’s non-business hours at their ISP.
Finding the right contacts for the site owner can take a bit of investigative creativity. Some site owner contact information can be found in the domain whois, provided that the owner of the domain didn’t register it with a privacy service. But even if that information is unavailable, there are other methods to track a site owner down. The website itself—that is, anything but the added phishing page—might have contact information for the site owner, webmaster or administrator. There might be a “Contact Us” section or link, a comments section at the end of an entry, or a link to a social networking site that the site owner uses. In one case, an IID Fraud Analyst even tracked a site owner down through the online game World of Warcraft after noticing that the site owner posted information about the game on his website. If the site owner is a business, other company contacts are generally accessible, and even if those contacts aren’t the people who have administrative access to the website, they’ll know how to get in touch with the person who does. Websites belonging to an individual—perhaps a personal blog or similar site—might even list a home phone number for the owner.
When a site owner gets a call from an IID Fraud Analyst about a phishing website on their domain, they are typically surprised by the news that they are hosting criminal content on their website, and eager to help get the content taken down. Our dealings with site owners may be as simple as alerting them to the phishing site and leaving it to them to take action to remove it. Site owners are often savvy enough to maneuver through their own websites, making changes to content. Other times, the site owner may be unsure of how to take action, but can pass the message on to their webmaster, site designer or webhost to take care of the technical details.
When the site owner can’t (or won’t!) help
Very rarely, a site owner might refuse to help remove the fraudulent content on their website. In most cases, this is because the site owner is suspicious of the call they’ve received out of the blue telling them they need to make a change to their website. Sure sounds dubious to the uninitiated. Site owners—and Internet users as a whole—are wise to use caution in their dealings on the Internet. We know that just because we deal with fraud every day doesn’t mean the site owners receiving our calls and emails are equally familiar with the kind of fraud we’re telling them they’ve got on their sites. If site owners have questions about our legitimacy, we’ll direct them to the IID website and to the website of the Anti-Phishing Working Group (APWG), of which we are a known member. Wary site owners can even compare the logo shown on our own website to the one shown on the APWG website to verify our involvement in the anti-phishing industry.
When a site owner or administrator is unavailable or unable to help, for whatever reason, we’ve got other tricks up our sleeves. While working with the site owner, we’ve been simultaneously pursuing other avenues that we can turn our full attention to if needed. We’ll tackle these methods and reveal some tricks to spotting domains that belong to the cyber criminals themselves in other upcoming Takedown Taekwondo posts.