Fraudulent Site Take Down Guidance (www.cuispa.org)

Fraudulent Site Take Down Guidance Author: John Brozycki, CISSP Hudson Valley FCU CUISPA Member Advisor LEGAL DISCLAIMER: This document is provided for informational purposes only. CUISPA and the author make no warranties or representations as to the accuracy or completeness of such information and CUISPA and the author assume no liability or responsibility for errors or omissions in the content of this information. Your use of this information is AT YOUR OWN RISK and applies to all CUISPA legal notices and terms of use.

Overview. Responding to phishing attacks has become a routine task for many credit union IT departments. Rapidly taking down these fraudulent websites is a prudent and often necessary measure for preventing losses. This presentation outlines the processes, challenges, and techniques involved in getting a fraudulent website that impersonates your institution taken down.

Take-down Steps:
1) PREPARATION
2) DETERMINE THE SOURCE
3) RESEARCH THE DOMAIN
4) RECON / INTELLIGENCE
5) CONTACTING 3rd PARTIES
6) WORKING WITH LAW ENFORCEMENT

1) Prepare Environment. Prepare your environment in advance. Remember that the site may host malicious code, so do not use a production machine that cannot afford to be compromised; always use a test PC that can be "sacrificed." If possible, stay off your production network; a separate broadband connection is preferable. Full Internet access (no proxy server or restricted ports) is advantageous. Useful common Internet tools: ping, traceroute, nslookup, etc.

Helpful Tools: VMware Workstation or Player. Allows you to create a test environment without sacrificing a production PC. Disks can be "undoable" (or the VM snapshotted) so you can get back to the original, clean state without rebuilding from scratch.

Helpful Tools: Sandboxie. A freeware utility that launches an application, such as IE, in a controlled area; writes to the hard drive and registry are redirected into the sandbox, which can then be discarded, so they never reach the real system.

2) Determine the SOURCE. The phishing site may be reachable by FQDN (Fully Qualified Domain Name) and/or by IP address. Try to determine the FQDN if applicable, the IP address, and the path to the fraudulent content.

2) Determine the SOURCE. If you have the phishing e-mail, view the underlying HTML source to determine the true link URL; the text displayed to the victim and the actual href often differ. Example (FQDN): / Example (IP address):
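The check above, extracting the real link targets from the message source, as an added example for this guide (not code from the CUISPA presentation). It parses the HTML part of the e-mail, pairs each href with the text the victim actually saw, and reports the real host (FQDN or IP address) and path behind every link, flagging links whose visible text names a different host. The sample message is constructed; all hosts are .example names or RFC 5737 TEST-NET addresses.

```python
"""Extract the true link targets from a phishing e-mail (step 2: determine the source).

Added example, not code from the CUISPA presentation. The message below is
constructed for illustration; hosts are .example names or TEST-NET addresses.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PHISH = """\
From: "My Credit Union" <alerts@mycreditunion.example>
To: member@example.net
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account at
<a href="http://login.hackedsite.example/mycu/verify.php?id=77">www.mycreditunion.example</a></p>
<p>Or use <a href="http://203.0.113.45/~mail/mycu/">this backup link</a>.</p>
</body></html>
"""

# Visible anchor text that itself looks like a host name or URL.
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:[/:?].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Record (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def describe_target(href):
    """Return (host, kind, path) for a URL; kind is 'ip' or 'fqdn'."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "fqdn"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, kind, path


def analyze_phish(raw_message):
    """One record per link: real host, kind, path, text shown, and whether the
    shown text names a different host than the real target (deceptive link)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = LinkCollector()
    collector.feed(html_part.get_content())
    records = []
    for href, shown in collector.links:
        host, kind, path = describe_target(href)
        m = URL_LIKE.match(shown)
        shown_host = m.group(1).lower() if m else None
        records.append({
            "href": href, "host": host, "kind": kind, "path": path, "shown": shown,
            "deceptive": shown_host is not None and shown_host != host.lower(),
        })
    return records


if __name__ == "__main__":
    for rec in analyze_phish(SAMPLE_PHISH):
        flag = "DECEPTIVE " if rec["deceptive"] else ""
        print(f"{flag}{rec['kind']:4} {rec['host']:28} {rec['path']}  (shown: {rec['shown']!r})")
```

The FQDN, IP address and path fields in each record are exactly the three items the slide says to collect; a real message is read from a file on the sacrificial test machine and passed to analyze_phish in place of SAMPLE_PHISH.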

3) Researching the DOMAIN. The domain is usually contained in the FQDN. Example: (domain is hackedsite.com). Use a WHOIS utility to find information on the domain. WHOIS gives us: 1) the domain owner and contact information (e-mail address and, hopefully, a phone number); 2) who is authoritative for DNS, which may be the owner, the ISP, or a DNS hosting service.

3) Researching the DOMAIN. For US-based .com and other common domains, start with the registry's WHOIS page (click on the "whois" link). For a more expansive search, try a multi-registry WHOIS service such as the free one from MarkMonitor.
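The domain research in the two slides above, done from a script rather than a web form, as an added example for this guide (not code from the CUISPA presentation). WHOIS is a plain TCP protocol on port 43 (RFC 3912): send the query line, read until the server closes. The lookup asks whois.iana.org which registry serves the TLD, follows its refer: line, and, for thin registries such as .com, follows the Registrar WHOIS Server: line to the registrar, collecting the fields a take-down request needs: registrar, abuse contact, registrant, and the name servers that show who runs DNS. The short two-level suffix table is an assumption standing in for the Public Suffix List; the sample registrar response is constructed (fictional values for the slide's hackedsite.com) so the parsing can be checked offline.

```python
"""Domain WHOIS with referral following (step 3: research the domain).

Added example, not code from the CUISPA presentation. TWO_LEVEL_SUFFIXES is a
stand-in for the Public Suffix List; SAMPLE_REGISTRAR_RESPONSE is constructed.
"""
import socket

WHOIS_PORT = 43
IANA_WHOIS = "whois.iana.org"
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "com.br", "co.jp"}
TAKEDOWN_FIELDS = {
    "registrar", "registrar abuse contact email", "registrar abuse contact phone",
    "registrant organization", "registrant country", "name server",
}


def registrable_domain(fqdn):
    """login.hackedsite.com -> hackedsite.com; shop.example.co.uk -> example.co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def whois_query(server, query, timeout=10):
    """One RFC 3912 exchange; returns the server's full text response."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text, wanted):
    """Collect 'Key: value' lines whose lower-cased key is in `wanted`.
    Repeated keys (e.g. several Name Server lines) accumulate into a list."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in wanted and value:
            found.setdefault(key, []).append(value)
    return found


def lookup_domain(fqdn):
    """IANA -> TLD registry -> registrar; returns the collected take-down fields."""
    domain = registrable_domain(fqdn)
    tld = domain.rsplit(".", 1)[-1]
    registry = parse_fields(whois_query(IANA_WHOIS, tld), {"refer"}).get("refer", [None])[0]
    if registry is None:
        return {"domain": domain, "error": "IANA gave no referral for ." + tld}
    result = parse_fields(whois_query(registry, domain),
                          TAKEDOWN_FIELDS | {"registrar whois server"})
    registrar_server = result.pop("registrar whois server", [None])[0]
    if registrar_server and registrar_server.lower() != registry.lower():
        # Thin registry: it only points at the registrar, so ask the registrar too.
        result.update(parse_fields(whois_query(registrar_server, domain), TAKEDOWN_FIELDS))
    result["domain"] = domain
    return result


# Constructed registrar response for the slide's example domain (fictional values).
SAMPLE_REGISTRAR_RESPONSE = """\
Domain Name: HACKEDSITE.COM
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Organization: Hacked Small Business LLC
Registrant Country: US
Name Server: NS1.HOSTINGDNS.EXAMPLE
Name Server: NS2.HOSTINGDNS.EXAMPLE
>>> Last update of WHOIS database: 2010-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fields = lookup_domain(target) if target else parse_fields(SAMPLE_REGISTRAR_RESPONSE, TAKEDOWN_FIELDS)
    for key, values in sorted(fields.items()):
        print(f"{key}: {', '.join(values) if isinstance(values, list) else values}")
```

Run with the phishing FQDN as the argument to perform the live chain; with no argument it parses the constructed sample. Field names differ between registries, so parse_fields matches on lower-cased keys and keeps every occurrence, which is what you want for the Name Server lines that identify the DNS provider mentioned on the slide.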

3) Research the DOMAIN: ARIN. Start with ARIN (American Registry for Internet Numbers) and its WHOIS tool. Enter the IP address. If the IP is not domestic, ARIN will tell you which regional registry to consult next, i.e. RIPE, APNIC, etc. If the IP only leads back to the site owner, use a traceroute to determine how packets reach the site: the hops immediately before the site normally belong to its ISP or hosting provider, and you can look those addresses up the same way.

3) Researching the DOMAIN. If given an IP address only: 1. Any website that may be viewable from the bare IP should be viewed only on the safe test machine. 2. PING -a <IP> (Windows) performs a reverse DNS lookup on the address and may reveal a hostname, and with it the domain.

3) Research the DOMAIN: SAMPLE RESULTS FOR BOB'S INTERNET
Bob's Internet BOBI-IPNET (NET )
My Credit Union BOBI-MYCU-1 (NET )
# ARIN WHOIS database, last updated :10
# Enter ? for additional hints on searching ARIN's WHOIS database.
The above results tell us that "Bob's Internet" holds the larger allocation (BOBI-IPNET) and that a class C-sized block (a /24, 256 addresses) within it, BOBI-MYCU-1, is assigned to "My Credit Union". In this case you would try to contact My Credit Union first, as they are responsible for the IP address. You can always contact the ISP if you cannot reach the party immediately responsible for the IP address.
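The reading of the ARIN results above, automated, as an added example for this guide (not code from the CUISPA presentation). An IP lookup at ARIN (or RIPE, APNIC, etc.) usually returns several nested networks: the ISP's allocation and, inside it, the block reassigned to a customer. This parses ARIN-style Key: value records, keeps every network that contains the address, and orders them most-specific first, which is the contact order the slide recommends (customer, then ISP). The sample is constructed in ARIN's layout with the slide's fictional "Bob's Internet" and "My Credit Union"; the addresses come from RFC 6598 shared space and the handles and e-mail addresses are invented.

```python
"""Who is responsible for an IP address, from RIR WHOIS output (step 3).

Added example, not code from the CUISPA presentation. SAMPLE_ARIN is a
constructed record set in ARIN's layout; addresses are RFC 6598 shared space.
"""
import ipaddress

SAMPLE_ARIN = """\
#
# Constructed sample in ARIN WHOIS layout; not real registry data.
#

NetRange:       100.64.10.0 - 100.64.10.255
CIDR:           100.64.10.0/24
NetName:        BOBI-MYCU-1
NetHandle:      NET-100-64-10-0-1
Parent:         BOBI-IPNET (NET-100-64-0-0-1)
NetType:        Reassigned
OrgName:        My Credit Union
OrgAbuseEmail:  abuse@mycu.example
OrgAbusePhone:  +1-555-555-0100

NetRange:       100.64.0.0 - 100.64.255.255
CIDR:           100.64.0.0/16
NetName:        BOBI-IPNET
NetHandle:      NET-100-64-0-0-1
NetType:        Direct Allocation
OrgName:        Bob's Internet
OrgAbuseEmail:  abuse@bobsinternet.example
"""


def parse_blocks(text):
    """Split WHOIS output into dicts, one per blank-line-separated record."""
    blocks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        if line.startswith("#"):          # ARIN comment lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def responsible_parties(text, ip):
    """Networks containing `ip`, most specific first, each with org and abuse contact."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for blk in parse_blocks(text):
        # A record may carry several CIDRs separated by commas.
        for cidr in blk.get("CIDR", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net:
                matches.append({
                    "cidr": str(net), "prefixlen": net.prefixlen,
                    "addresses": net.num_addresses,
                    "netname": blk.get("NetName", ""), "type": blk.get("NetType", ""),
                    "org": blk.get("OrgName", ""), "abuse": blk.get("OrgAbuseEmail", ""),
                })
                break
    matches.sort(key=lambda m: m["prefixlen"], reverse=True)
    return matches


if __name__ == "__main__":
    for m in responsible_parties(SAMPLE_ARIN, "100.64.10.45"):
        print(f"{m['cidr']:18} {m['addresses']:>6} addrs  {m['type']:18} {m['org']}  <{m['abuse']}>")
```

The first entry returned is the party to contact first (the reassigned customer block, 256 addresses for a /24); the entries after it are the parent allocations, i.e. the ISP fallback the slide describes. Feeding an address that falls only in the ISP's allocation returns the ISP alone, which is the "IP only leads back to the site owner" case where traceroute becomes useful.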

We now know:
Who owns the domain
Contact info for the domain
The ISP (may not be hosting, but is at least providing connectivity)
The DNS provider
RESEARCH COMPLETE!

4) RECON AND INTELLIGENCE. Proceed with caution. Gathering intelligence is optional; you may not need any additional information. Further investigation calls for some technical skill, and you should be mindful of the legal aspects: probing a system you do not own or have permission to test may be unlawful in your jurisdiction. Fingerprinting tools can determine the OS, application, etc., and port scanners can determine whether other services are running.

4) RECON AND INTELLIGENCE. Example: information from the FTP service.
telnet <IP address> 21
FTP Server ready.
214-The following commands are recognized (* =>'s unimplemented).
 USER PASS ACCT* CWD XCWD CDUP XCUP SMNT* QUIT REIN* PORT PASV TYPE STRU MODE RETR STOR STOU* APPE ALLO* REST RNFR RNTO ABOR DELE MDTM RMD XRMD MKD XMKD PWD XPWD SIZE LIST NLST SITE SYST STAT HELP NOOP
214 Direct comments to
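The same FTP exchange done over a socket, as an added example for this guide (not code from the CUISPA presentation). It decodes RFC 959 replies properly: a reply opening with "214-" is multi-line and ends at the line that starts "214 " (code, then a space), and parse_help separates the commands the server implements from the ones it marks with "*" as unimplemented, which is the fingerprinting information the slide is after. SAMPLE_HELP is constructed to mirror the slide's output so the parsing can be checked offline; ftp_fingerprint is the live version and, as the slide cautions, should only be pointed at hosts you are authorised to examine.

```python
"""Banner and HELP fingerprint of an FTP service (step 4: recon).

Added example, not code from the CUISPA presentation. SAMPLE_HELP is a
constructed reply modelled on the slide's output.
"""
import io
import re
import socket

SAMPLE_HELP = (
    b"214-The following commands are recognized (* =>'s unimplemented).\r\n"
    b" USER PASS ACCT* CWD XCWD CDUP XCUP SMNT* QUIT REIN* PORT\r\n"
    b" PASV TYPE STRU MODE RETR STOR STOU* APPE ALLO* REST RNFR\r\n"
    b" RNTO ABOR DELE MDTM RMD XRMD MKD XMKD PWD XPWD SIZE LIST\r\n"
    b" NLST SITE SYST STAT HELP NOOP\r\n"
    b"214 Direct comments to the server administrator.\r\n"
)
CMD = re.compile(r"^([A-Z]{3,4})(\*?)$")   # FTP verbs are 3-4 upper-case letters


def read_reply(stream):
    """Read one FTP reply from a binary file object; returns (code, list of lines)."""
    first = stream.readline().decode("ascii", errors="replace").rstrip("\r\n")
    code, lines = first[:3], [first[4:]]
    if first[3:4] == "-":                          # multi-line reply (RFC 959 4.2)
        while True:
            raw = stream.readline()
            if not raw:                            # peer closed mid-reply
                break
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith(code + " "):        # terminating line: code + space
                lines.append(line[4:])
                break
            if line.startswith(code + "-"):        # some servers prefix every line
                line = line[4:]
            lines.append(line)
    return code, lines


def parse_help(lines):
    """Return (implemented, unimplemented) command sets from a HELP reply."""
    implemented, unimplemented = set(), set()
    for line in lines:
        for token in line.split():
            m = CMD.match(token)
            if m:
                (unimplemented if m.group(2) else implemented).add(m.group(1))
    return implemented, unimplemented


def ftp_fingerprint(host, port=21, timeout=10):
    """Connect, capture the greeting banner, then the HELP and SYST replies, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        results = {"banner": read_reply(f)}
        for cmd in ("HELP", "SYST"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            results[cmd] = read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return results


def demo_offline():
    """Parse the constructed sample without touching the network."""
    code, lines = read_reply(io.BytesIO(SAMPLE_HELP))
    implemented, unimplemented = parse_help(lines)
    return code, lines, implemented, unimplemented


if __name__ == "__main__":
    code, lines, implemented, unimplemented = demo_offline()
    print(f"{code}: {len(implemented)} implemented, unimplemented: {sorted(unimplemented)}")
```

The banner text, the SYST reply and the exact set of unimplemented commands together identify the FTP daemon quite narrowly, which is useful both for your own records and for the documentation you hand to the ISP in step 5.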

5) CONTACT PARTIES. Try contacting the website owner first, then the ISP. If you have no luck and the site uses an external DNS service, try contacting them next. Have documentation available and provide it with your request. Request a copy of the fake site's code for further reference.

5) CONTACT PARTIES: Sample e-mail to ISP.
To whom it may concern,
URGENT REQUEST - Please read the following:
Today a number of our credit union members received a phishing e-mail soliciting their personal account information. The link referenced in the e-mail leads to a site which is presenting itself as our Hudson Valley Federal Credit Union Web site. As such it is violating copyright laws and misrepresenting itself for the purposes of illegally collecting account information for financial gain.
The compromised server is housing the spoof content at: IP =
Please take this site down or remove the fraudulent content and respond when these changes have been implemented. If any financial loss is incurred we will be required to actively seek redress through local and national law enforcement bodies.
I have attached a PDF capture of the spoofed site (rogue1.pdf). We would greatly appreciate it if you would send us an archive of the fake site directory.
Thank you for your prompt attention to this matter.

5) CONTACT PARTIES. Common difficulties: time differences with overseas ISPs; language barriers; ISP policies on take-downs.

6) WORKING WITH LAW ENFORCEMENT. Law enforcement can make the request on your behalf or call on contacts abroad (e.g. Interpol). Provide law enforcement with your intelligence: 1) they track it; 2) you may provide a missing piece of a larger puzzle; 3) losses across organizations can be aggregated.

CUISPA Educational Programs (512) Oakmont Blvd. Su.204 Austin, TX For comments on this presentation please send to: