Website Takedown Strategy: In an increasingly complex threat environment, maliciously registered domain names and compromised websites pose significant threats to online security.
Understanding these two very different attack methods, strategies, nuances and escalations for effectively taking down these cyber threats is crucial for protecting your brand and users.
In this article, we delve into the different approaches to addressing malicious domains and compromised websites. We review the escalation options and provide brand owners with actionable insights to enhance their cybersecurity efforts and quickly remove infringing content from wide world web.
Maliciously Registered Domain Names
A maliciously registered domain name is one that has been intentionally created with the purpose of engaging in illegal or unethical activities. These domains are often designed to resemble legitimate websites, using similar names or slightly altered spellings to deceive users into thinking they are accessing a trusted site. We have written extensively on malicious domain names that you can read here, but the primary aim of these domains is to conduct phishing attacks, distribute malware, commit fraud, or steal personal information. Malicious actors may use these domains to imitate reputable brands, leading to significant reputational damage and financial losses for the affected entities.
The anatomy of a malicous domain name has not evolved much over the years. Bad actors often target brands with malicious domain names using tactics such as typosquatting, combosquatting, and homograph attacks. Typosquatting involves registering domains with minor misspellings or typos of a brand’s official domain, like “goolge.com” instead of “google.com,” to catch users who mistype the URL. Combosquatting adds extra words or characters to a brand’s domain, such as “secure-google.com” or “google-login.com,” to appear legitimate. Homograph attacks exploit characters from different alphabets that look similar to standard Latin letters, like using the Cyrillic “а” instead of the Latin “a,” creating domains that are visually identical to the official site. These tactics deceive users and can lead to significant security breaches.
Compromised Websites
A compromised website is a legitimate site that has been infiltrated by malicious actors, often without the knowledge of the site owner. This can occur through various means such as exploiting vulnerabilities in the website’s software, using weak passwords, or employing social engineering tactics. Once compromised, the website can be used to distribute malware, launch phishing attacks, redirect visitors to malicious sites, or steal sensitive information. The compromise of a website not only jeopardizes the security of its users but also undermines the trust and integrity of the legitimate business or organization that owns it.
Bad actors employ various tricks to remain hidden on compromised websites, making detection and remediation challenging. They may limit their activities to a few specific URLs within the compromised site, use GEO IP blockers to restrict access based on location, and implement no-follow tags to prevent search engines from indexing malicious pages. Additionally, they use user-agent filtering to serve malicious content only to specific browsers or devices, time-based attacks to activate malicious payloads intermittently, and obfuscation techniques to hide malicious code. Conditional redirection ensures only certain users are sent to phishing or malware-laden pages, while IP whitelisting allows attackers to control the site undetected. Dynamic content generation and stealthy malware that activates under specific conditions further complicate efforts to identify and eliminate these threats. Often finding these hidden pages comes down to customer complaints or reviewing referral page logs through various threat intelligence tools.
Different Takedown Strategies
Taking down infringing sites or pages requires a strategic approach that varies depending on whether the domain is maliciously registered or the site is compromised.
For maliciously registered domains, the first step is collecting information about the domain name registration itself, such as WHOIS data, DNS records, and hosting details. Documenting evidence of the malicious activity is crucial. This evidence is then used to liaise with the domain registrar, leveraging their responsibility under the Registrar Accreditation Agreement (RAA) and their own Terms of Service (ToS) to get the malicious domain name suspended. Relevant RAA clauses, such as Section 3.18 which mandates registrars to investigate reports of abuse, can be quoted to reinforce the request. If the registrar does not comply, escalation to ICANN is an option. ICANN will review the complaint and can potentially force the registrar to address the matter, as failure to comply could impact their accreditation status.
On the other hand, dealing with compromised websites can be slightly more tricky, as there is no governing agreement tying web hosts together. To get a compromised page removed, you need to go through the web host’s abuse page, presenting evidence of the abuse, usually in the form of a screenshot or logs. The host will then liaise with the website owner. Often, it makes sense to liaise with both the owner and host simultaneously. If neither responds, several other options are available—reporting the page to Google SafeBrowsing, submitting the domain to a blacklist, and requesting a delisting from Google. These additional steps help mitigate the risks posed by the compromised website while awaiting action from the host or owner.
FAQs for Website Takedown Services
1. What’s the difference between a malicious domain and a compromised website?
Malicious domains are specifically registered to carry out scams, phishing, or other harmful activities by imitating legitimate brands. In contrast, compromised websites are genuine sites hacked by attackers to distribute malicious content without the site owner’s knowledge.
2. How can I tell if a website is malicious or compromised?
Malicious domains often resemble legitimate sites with slight spelling changes or added words. Compromised websites, however, are typically genuine websites that attackers secretly use to distribute malware or phishing content.
3. What steps are involved in taking down a malicious domain?
Taking down a malicious domain involves gathering evidence of misuse (WHOIS data, DNS records, etc.), contacting the registrar to enforce their abuse policies, and, if necessary, escalating the issue to ICANN if the registrar doesn’t respond.
4. How is a compromised website removed?
For a compromised website, the process involves reporting the abuse to the hosting provider, presenting evidence, and sometimes reaching out to the website owner. If no action is taken, additional steps include reporting to Google SafeBrowsing or blacklisting the domain to reduce the threat.
5. What actions can I take if my brand is being impersonated online?
First, document the impersonation, gather evidence, and report it to the relevant platform or registrar. Working with a takedown service can streamline this process and enhance the chances of quick removal.
6. How quickly can I expect action on a website takedown?
Response times vary by platform and registrar. While some actions can be immediate, others may take longer depending on the complexity of the case and the cooperation of the involved parties.
Remove Phishing Content Quickly and Effortlessly with Unphish
Sign up for early access to Unphish Beta and experience best in class takedown service
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.