Phishing Site Takedown & Countermeasures

Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.

Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.

Netcraft’s countermeasures service helps banks and other financial organizations to combat these techniques. Once a phishing site has been detected, Netcraft responds with a set of actions which will significantly limit access to the site immediately, and will ultimately cause the fraudulent content to be eliminated.

Netcraft’s approach is distinguished from other providers of takedown services through its ability to block access to the site for users of a wide range of technology immediately, and to provide information back to the bank that will identify compromised accounts.

Countermeasures

Netcraft Toolbar Community and Netcraft Phishing Feed

Netcraft’s phishing site feed is consistently recognized in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, mail providers and ISPs.

Consequently, as soon as the phishing site has been accepted into the feed, access to the site will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.

Additionally, Netcraft will receive notification of some phishing attacks through its Netcraft Toolbar community in advance of reports received by the bank directly, and thereby can reduce the lifetime of the phishing site.

Hosting Company Interaction

Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers.

Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.

However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action.

Local Law Enforcement Agency

Netcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.

Upstream Bandwidth Providers

Netcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting company. This type of action effectively makes the hosting company unreachable from a proportion of the Internet, even though it may be reachable from others.

Fraudster’s Infrastructure

Netcraft can also report back IP addresses which are under the control of the fraudster. This can be used to lock accounts accessed from those IP addresses, and to block further accesses from the fraudster’s machines once identified.

Netcraft also engages with hosting companies to preserve & retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack, and minimizing monetary loss.

Transparent Progress Reporting

The takedown process is transparent to clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is be monitored by a live graph with notification of new attacks via mail, SMS, and voice.

Bespoke Options Available

Additional bespoke anti-fraud activities are also available.

Next Steps

Please contact us sales@netcraft.com, +44-1225-447500, to discuss your requirements. Netcraft provides additional services to search for and pre-empt frauds and phishing attacks.