Breakdown of Takedown: An Overview of Tackling Phishing Threats
November 25, 2024 | 5 min read
Chloe Schwartz
Cyber Threat Intelligence Analyst
Every year, more and more companies are confronted with website and email spoofing worldwide. Cyber criminals use fake websites and fake email accounts for phishing, spear phishing and social engineering attacks to commit fraud, redirect web traffic, or manipulate search engine rankings. The disarming, or takedown, of these fake domains is a real challenge for more and more security teams. This is because cyber criminals are becoming increasingly professional in their spoofing activities.
Takedowns are crucial operations that involve the removal of malicious websites, such as phishing sites, to protect users and organizations from cyber threats. These actions are vital in mitigating the risks posed by cyber criminals, preserving sensitive information, and maintaining trust in digital environments. By swiftly identifying and dismantling fraudulent domains, takedowns play a pivotal role in safeguarding the integrity of online services.
BlueVoyant carries out takedowns on behalf of its Digital Risk Protection customers to counter sophisticated cyber attacks carried out through active phishing domains and malicious phishing emails. Let’s take a look at how this practically works.
Targets of a Takedown
BlueVoyant uses a multi-pronged strategy to combat phishing threats. After proprietary analytics first identify a phishing domain, threat analysts employ various tactics to remove it, addressing several types of malicious websites that target clients.
Types of Malicious Websites/Domains
- Active phishing websites: These websites are fraudulent websites designed to deceive visitors into providing sensitive information, such as passwords or credit card numbers, by pretending to be legitimate entities like banks or well-known companies.
- Unauthorized redirects: This occurs when a website automatically sends a user to a different site without their consent. This can be used maliciously to lead users to phishing sites, ads, or other unwanted content. Attackers can also redirect a domain to the client's official website to build trust within a domain that is then used for phishing emails.
- Websites using proprietary code or design: These sites maliciously replicate elements from the client's official site — such as code, design, templates, and buttons — to deceive users into believing they are associated with a familiar brand.
- Domains involved in phishing campaigns: These are scams created by threat actors to steal sensitive data, using manipulative emails, social media platforms, or messaging systems to trick the victim into disclosing sensitive information.
Below is an example of an active live phishing site:
Below is an example of a malicious domain using proprietary design:
In the above example, the domain in the top picture was designed to look similar to the domain in the bottom picture, which is owned by a reputable financial institution.
In all of these cases, swift and effective takedowns are crucial to prevent the misuse of brand assets and protect customers. BlueVoyant offers unlimited takedown services for all types of the websites described.
The Takedown Process
A successful takedown should result in the removal of malicious content, including but not limited to the active phishing site.
This is achieved by issuing a notification to the hosting entity of the malicious content, or in the case of a phishing domain (that is, where a registered domain has been set up to enable fraud), contacting a domain registrar to request its suspension.
The Internet Assigned Numbers Authority (IANA) and the Internet Corporation for Assigned Names and Numbers (ICANN) are responsible for the global coordination of IP addresses, domain names, and other protocol resources, as well as the policies governing domain name allocation that keep the internet operating stably and securely. The structure IANA and ICANN impose on the domain name system (DNS) also makes it easier to investigate malicious actors. In compliance with ICANN's policies, all reputable registrars and hosting companies have terms and conditions that forbid hosting malicious content, sending phishing emails, or distributing malware. If a requester can show evidence that one of their customers has done this, the hosting company or registrar will review the request. If the request for removal is accepted, the recipient removes the content from the internet.
Well-established relationships with registrars, access to fast-lane procedures, and the ability to automatically generate supporting evidence are all required to expedite takedowns and shorten the time to remediation.
The takedown process begins with client approval. BlueVoyant employs advanced tools to track IP addresses and analyze DNS records, mapping the infrastructure of malicious domains. By examining DNS query patterns and IP address associations, analysts identify clusters of malicious activity. Takedown analysts inspect URLs for malicious content and send requests to registrars and hosts, including evidence of fraudulent use. BlueVoyant’s strong relationships with registrars and hosting providers facilitate cooperation, ensuring persistent efforts until domains are deactivated. Continuous monitoring and real-time alerts keep track of domain status, and takedown services are unlimited. Complete server shutdowns are crucial to prevent threat actors from repeatedly targeting the brand with continuous cyber attacks.
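The clustering, evidence and status-monitoring steps above, as an added illustration that is not BlueVoyant's tooling: suspected lookalike domains are grouped by shared IP or nameserver, a registrar/host notification is drafted from the captured evidence, and a domain counts as taken down once it stops resolving or the registrar places an EPP hold on it. All domain names, IPs and evidence values are constructed.

```python
# Added example (not BlueVoyant's code): cluster suspected phishing domains by shared
# infrastructure, draft an abuse notification, and test whether a takedown has landed.
from collections import defaultdict

# Constructed observations standing in for what a DRP pipeline would resolve and capture.
OBSERVATIONS = [
    {"domain": "examp1e-bank.com", "ips": ["203.0.113.10"], "ns": ["ns1.bulkhost.example"],
     "url": "https://examp1e-bank.com/login", "evidence": "screenshot sha256:<placeholder>"},
    {"domain": "example-bank-secure.net", "ips": ["203.0.113.10"], "ns": ["ns1.bulkhost.example"],
     "url": "https://example-bank-secure.net/verify", "evidence": "screenshot sha256:<placeholder>"},
    {"domain": "examplebank-login.org", "ips": ["198.51.100.7"], "ns": ["ns2.other.example"],
     "url": "https://examplebank-login.org/", "evidence": "cloned CSS matching client template"},
]

def cluster_by_infrastructure(observations):
    """Group domains that share an IP address or a nameserver (union-find over attributes)."""
    parent = {o["domain"]: o["domain"] for o in observations}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    first_seen = {}  # attribute (IP or NS) -> first domain observed with it
    for o in observations:
        for attr in o["ips"] + o["ns"]:
            if attr in first_seen:
                parent[find(o["domain"])] = find(first_seen[attr])
            else:
                first_seen[attr] = o["domain"]
    clusters = defaultdict(list)
    for o in observations:
        clusters[find(o["domain"])].append(o["domain"])
    return sorted(sorted(c) for c in clusters.values())

def build_abuse_report(obs, brand, requester):
    """Draft the notification a host/registrar reviews: what, where, why, and the proof."""
    return "\n".join([
        f"Subject: Abuse report - phishing impersonating {brand} on {obs['domain']}",
        f"Reporter: {requester}",
        f"Malicious URL: {obs['url']}",
        f"Hosting IPs: {', '.join(obs['ips'])}",
        f"Nameservers: {', '.join(obs['ns'])}",
        f"Evidence: {obs['evidence']}",
        f"Request: suspend {obs['domain']} or remove the content under your AUP and ICANN policy.",
    ])

def is_taken_down(a_records, epp_status):
    """Taken down = the name no longer resolves, or the registrar placed a hold on it."""
    return not a_records or bool({"clientHold", "serverHold"} & set(epp_status))
```

Monitoring re-runs `is_taken_down` against fresh DNS answers and registry status until every domain in a cluster reports true.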
It is recommended to use comprehensive solutions to combat various types of malicious campaigns targeting clients and address phishing emails sent through lookalike domains as well as legitimate email services. By uncovering malicious content, organizations can initiate the takedown process using the evidence and report fraudulent activities. BlueVoyant works closely with clients to ensure that these threats are effectively mitigated, safeguarding their interests and reducing risks.
BlueVoyant's Takedown Process
As cyber threat actors bring increasing sophistication to phishing attacks and other fraud targeting customers and consumers, organizations will need to be ever more alert to these types of threats and ready to respond when they are identified. There are several proactive steps that organizations can take to stay ahead.
Recommendations and Takeaways for Resilience
- Incident Response Plan: Establish and regularly refine a plan outlining procedures for security breaches, including containment, communication, and recovery. Conduct regular drills to ensure team readiness.
- Client Communication: Maintain open channels with clients, educating them about phishing threats and implementing tools to detect and warn about potential phishing sites. Additionally, work closely with victims to secure copies of phishing emails and domains and provide explanations about addressing such threats.
- Maintain an Abuse Inbox: Establish a dedicated email account designed to receive reports of abuse, such as phishing, spam, and other malicious activities. It acts as a central hub for collecting the evidence crucial to takedown efforts, allowing for effective action.
- Collaboration with Cybersecurity Providers: Partner with providers like BlueVoyant to help proactively detect and manage threats, benefiting from real-time alerts and expert support.
- Swift Takedown Activation: Enable rapid elimination of phishing threats by partnering with a dedicated takedown team, ensuring efficient threat mitigation with 24x7 monitoring.
- Respond to Domain Targeting: Aim for a complete server shutdown to effectively neutralize the risk and prevent further harm.
To find out more about BlueVoyant’s takedown process and what it practically looks like when a successful takedown occurs, check out our latest report, The Phishing Threat: A Takedown Tale.