tl;dr

If you’ve identified a phishing site, you can submit an abuse report with the domain registrar to have the site taken down. Steps are outlined below and the image above is an example of what you’d want to see within hours after your request.

Background

Earlier this week, DomainGuard identified and reported on a phishing site impersonating a small American bank. When DomainGuard conveyed the threat details to the bank’s IT manager, the manager responded: “What do I do with this information?”.

As cyber-security experts, we’re used to seeing phishing sites and performing takedowns, but when we step out of our security bubble, we work with individuals who may not be familiar with what a domain or website takedown entails.

While some security vendors will charge for domain or phishing site takedowns, and while we offer this service for our clients, we also wanted to provide the public a guide on how to do this if they encounter a phishing website. The best part is: performing a takedown is not only free, it only takes a few minutes.

Performing The Takedown

Prerequisites

You’ve identified, and confirmed, that the site you’d like to takedown is a malicious phishing site.

You have adequate documentation in the form of screenshots or screen recordings of the phishing site, including the domain name, and the site or company being targeted.

Identify the Domain Registrar

The phishing site’s domain had to be registered with a domain registrar. GoDaddy and Namecheap are some of the more popular domain registrars you may have heard of. Registrars are required to have a method to allow the public to submit abuse reports if abuse (e.g., a phishing website) is identified with a domain purchased through the registrar. Once we identify the registrar, we can then submit our abuse report.

You can identify the registrar for your identified phishing domain using the following URL and entering the domain of the phishing site. https://lookup.icann.org/

In some cases, the ICANN response will include the registrar information and abuse point of contact. This isn’t always the case so we’re showing a series of repeatable steps that will work even if registrar information is not present. The example used here is a true phishing website that was identified, reported on, and taken down by DomainGuard.

Find IANA ID

You can see in the video below, we scroll down to the “Raw Registry RDAP Response” and identify the registrar by their IANA ID, which in our case is 1479.

Lookup Registrar by IANA ID

Once you’ve identified the registrar by their IANA ID, you can then look them up ICANN’s list of accredited registrars.

Navigate to the following URL: https://www.icann.org/en/accredited-registrars and enter the IANA ID we saw earlier.

In our example the IANA ID was “1479” and we now see the registrar is “NameSilo”.

Submit Abuse Report

Once you’ve identified the registrar by their IANA ID, you can then submit your phishing abuse report. To do this, you’ll need to click the link from the previous step to be navigated to the registrar’s website, or you can simply google the registrar’s name followed by “abuse report” and you should end up in the right place.

We are using NameSilo as an example, your registrar may be different and as such, you should submit the abuse report to the registrar you identified, NameSilo will not be able to handle an abuse report for a domain they are not responsible for.

Continuing on with our NameSilo example, we Googled for the registrar’s name followed by abuse:

Click on the first link, and you’ll be presented with an abuse report page.

Fill out the form, and attach the screenshot evidence you have of the phishing site.

Below is a snippet of the description we typically use:

DomainGuard has identified a phishing site at the following domain: phishydomain.com
The phishing site is impersonating legitimatedomain.com

Congratulations, you now know everything you need to be able to perform a phishing takedown request!

Other Steps You Can Take

The domain abuse report is certainly the most important and should be the first step taken. After you’ve done this, you can and should report the phishing website to Google SafeBrowsing.

Google Safebrowsing

Google’s safebrowsing is highly effective at preventing users from accessing the phishing site. Even if there is a delay on the registrars end, Google may be able to at least prevent users from navigating to the site by showing a jarring red page of doom. https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Others

We’ve included a few additional links to places you can report a phishing website.

• https://us-cert.cisa.gov/report-phishing
• https://www.virustotal.com/gui/home/upload
• https://www.abuseipdb.com/