Phishing Website Takedown and Countermeasures


What is a Fraudulent Domain Name? 

As 2021 draws to a close, users will flock to the internet in greater numbers as they begin, or continue, their holiday shopping. What many don’t realize, however, is that fraudulent domains often lie in wait to scam unsuspecting users. Ultimately, this can hurt an organization’s bottom line as fraudulent domains can erode trust in a brand and provide potential customers with a negative experience. 

Fraudulent domains have become an increasingly-popular tool for cybercriminals because they are inexpensive to stand up, provide direct engagement with users and are profitable. These spoofed domains prey on common mistakes, like typos and user oversight, in order to steal customer data and personal information through financial transactions or phishing attacks. They often rely upon domain names that are similar to a major brand, mirroring collateral like brand logos and color schemes, in an attempt to pass them off as a legitimate website. 

How to Spot a Phishing Website 

While threat actors put much time and effort into creating fraudulent websites for conducting attacks, there are some things to be on the lookout for when determining if a website is fraudulent or not. Learning three common tactics will help users avoid phishing attacks associated with fraudulent domains:

  • Copycatting occurs when threat actors develop a site that mirrors legitimate sites, often with domain names that could feasibly belong to an official webpage. This tactic lures users into a false sense of security prior to opening them up to increased risk of phishing attacks. 
Sample copycat site
  • Piggybacking trades on a more recognizable brand's name and reputation, for example by embedding the brand name in a longer domain (a fake support or storefront site) to sell counterfeit goods or harvest credentials. 
  • Typosquatting and homoglyphs take advantage of common typos in domain names, or rely on similar-looking characters (homoglyphs), to trick a user into visiting a site. For example, a typosquatting domain related to ZeroFox could be ZeroF0x (with the number 0 in place of the letter o). Homoglyphs are not limited to ASCII: a Cyrillic "о" in an internationalized domain name renders identically to the Latin "o" in many fonts, and browsers that detect the mix may show the raw "xn--" punycode form of the label instead, which is worth recognizing. As web domains don't have spell check, a user could also reach a malicious site by mistyping a domain name or URL, and not know until it is too late. 

Common Domain-Based Attack Vectors

In addition to fraudulent domain names, there are common attack vectors that are utilized for phishing attacks. Some of these common attack vectors for phishing include:

  • Spoofed Sender messages often involve emails that are created with forged addresses. These messages may appear legitimate and open users to phishing attempts. 
  • Messages with a Call to Action, like spoofed sender messages, look legitimate and appear to come from a trusted, known sender. These messages often use time-sensitive or urgent requests (an overdue invoice, an account about to be locked) to pressure a user into clicking a link or downloading a suspicious file before thinking it through. 
  • Clone Phishing occurs when a threat actor obtains a legitimate, previously delivered email and re-sends a near-identical copy. The clone keeps the original's wording and appearance, but its attachment or link has been swapped for a malicious one. 

Phishing Website Takedown and Other Countermeasures

While the variety of these tactics may be concerning, individual users and security teams have countermeasures at their disposal, both for avoiding phishing domains and for supporting a phishing website takedown, including:

  • Verify email links, attachments and senders to ensure that the email is from someone you know and trust. Before clicking a link, hover over it: your mail client or browser will show the actual destination URL, which you can compare against the displayed text and the sender's real domain. Attachments can't be checked by hovering; look at the file type instead (an "invoice" delivered as a .html, .iso or macro-enabled Office document deserves suspicion) and confirm with the sender out of band if the message was unexpected.  
  • Monitor newly-registered domains to ensure your organization’s brand, and web presence, are protected. If a similar domain is purchased, there is a chance it could be used for phishing as a fraudulent web domain.
  • Leverage text, image and video analysis to quickly identify logo or brand abuse on fraudulent domains. 
Sample ZeroFox alert on suspicious domain with stolen logo
  • Authenticate incoming email traffic to verify whether the message's sender is who it claims to be. This can be done by checking the Authentication-Results header your mail gateway adds: SPF, DKIM and DMARC should all pass, and the domain DKIM signed for (or SPF validated) should align with the domain in the visible From address. Keep in mind what these checks prove: they confirm the mail really came from the domain it names, not that the domain is trustworthy. A lookalike domain such as zerof0x.com can publish its own SPF and DKIM records and pass all three checks cleanly, so authentication has to be combined with analysis of the sender domain and the message's content. If the message contains information that seems too good to be true, or out of character for the sender, then it probably is. 
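As an added example (not code from the original post or from ZeroFox), the following Python checks the Authentication-Results header of a received message the way the bullet above describes: it requires SPF, DKIM and DMARC to pass, checks that the authenticated domain aligns with the visible From domain, and then separately asks whether that domain is one we actually trust. The three messages, the authserv-id mx.example.org and the trusted-domain list are constructed for illustration; the lookalike message is there to show the caveat that a typosquat domain can pass every authentication check.

```python
"""Evaluate SPF/DKIM/DMARC results from an Authentication-Results header.

Added example. Messages, domains and the trusted-sender list below are
constructed for illustration only.
"""
import email
import re
import textwrap
from email.utils import parseaddr

# Hypothetical allow-list: domains we expect legitimate partner mail to use.
TRUSTED_SENDER_DOMAINS = {"zerofox.com"}

# Each clause of an Authentication-Results header (RFC 8601) starts with
# "method=result" followed by the property the method evaluated.
METHOD_RE = re.compile(r"^(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DOMAIN_RE = {
    "spf": re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", re.IGNORECASE),
    "dkim": re.compile(r"header\.d=([^\s;]+)", re.IGNORECASE),
    "dmarc": re.compile(r"header\.from=([^\s;]+)", re.IGNORECASE),
}


def parse_auth_results(value):
    """Return {"spf": {"result": "pass", "domain": "zerofox.com"}, ...}."""
    results = {}
    # The first ';'-separated element is the authserv-id, the rest are methods.
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        m = METHOD_RE.match(clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        d = DOMAIN_RE[method].search(clause)
        results[method] = {"result": result,
                           "domain": d.group(1).lower() if d else None}
    return results


def evaluate_message(raw):
    """Classify a raw RFC 5322 message as ok / untrusted-domain / not-authenticated."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))

    passed = {m for m in ("spf", "dkim", "dmarc")
              if results.get(m, {}).get("result") == "pass"}
    authenticated = passed == {"spf", "dkim", "dmarc"}

    # DMARC alignment: the DKIM d= domain or the SPF MAIL FROM domain must be the
    # From domain or share its organizational domain. Suffix matching approximates
    # relaxed alignment without a public-suffix list.
    def aligned_with(d):
        return d is not None and (d == from_domain
                                  or d.endswith("." + from_domain)
                                  or from_domain.endswith("." + d))

    aligned = (aligned_with(results.get("dkim", {}).get("domain"))
               or aligned_with(results.get("spf", {}).get("domain")))
    trusted = from_domain in TRUSTED_SENDER_DOMAINS

    if not (authenticated and aligned):
        verdict = "not-authenticated"   # forged sender, or auth for an unrelated domain
    elif not trusted:
        verdict = "untrusted-domain"    # real mail, but from a domain we don't know
    else:
        verdict = "ok"
    return {"from_domain": from_domain, "authenticated": authenticated,
            "aligned": aligned, "trusted": trusted, "verdict": verdict}


# Constructed sample messages (headers as a receiving gateway would add them).
LEGIT_MSG = textwrap.dedent("""\
    From: ZeroFox Alerts <alerts@zerofox.com>
    To: analyst@example.org
    Subject: Weekly domain alert summary
    Authentication-Results: mx.example.org;
     spf=pass smtp.mailfrom=zerofox.com;
     dkim=pass header.d=zerofox.com;
     dmarc=pass header.from=zerofox.com

    Hello,
    """)

# Lookalike domain with its own valid SPF/DKIM/DMARC: every check passes.
LOOKALIKE_MSG = textwrap.dedent("""\
    From: ZeroFox Billing <billing@zerof0x.com>
    To: analyst@example.org
    Subject: URGENT: invoice overdue, pay within 24 hours
    Authentication-Results: mx.example.org;
     spf=pass smtp.mailfrom=zerof0x.com;
     dkim=pass header.d=zerof0x.com;
     dmarc=pass header.from=zerof0x.com

    Pay now at the link below.
    """)

# Forged From header on the real domain: SPF/DKIM/DMARC catch it.
SPOOFED_MSG = textwrap.dedent("""\
    From: CEO <ceo@zerofox.com>
    To: analyst@example.org
    Subject: Need gift cards today
    Authentication-Results: mx.example.org;
     spf=fail smtp.mailfrom=zerofox.com;
     dkim=none;
     dmarc=fail header.from=zerofox.com

    Are you at your desk?
    """)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("lookalike", LOOKALIKE_MSG),
                      ("spoofed", SPOOFED_MSG)):
        print(name, evaluate_message(raw))
```

The lookalike message is the important one: it comes back authenticated and aligned, and only the separate trust check against the From domain flags it. In a real gateway that last step is where domain monitoring output (the list of lookalikes you have already spotted) should feed in.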

It is important to note that if you suspect you may be the victim of a phishing attack, you should report it to your organization’s security team or IT department. The faster you report a phishing attack, even if it is suspected, the better your organization’s security team can work to mitigate any potential threats. Domain monitoring can help organizations avoid costly brand and security incidents, safeguard customer engagement and save time and money.

A Successful Phishing Website Takedown Requires Full Scale Disruption

Monitoring for newly-registered domains is a great first step as part of a larger take-down effort. Unless security teams are monitoring for them 24/7, some of these fraudulent domains may slip through the cracks. Once a fraudulent web domain has been uncovered, speed is key to prevent that domain from becoming weaponized in a phishing attack. The most efficient way to quickly take down a phishing domain is through a domain monitoring and protection service that will request a takedown on behalf of an organization.  

Defensively, it is important for organizations and their security teams to maintain a repository of owned domains and subdomains, as well as proactively register the most likely lookalike domain names (common typos, homoglyph variants and the brand name under other top-level domains). This shrinks the pool of convincing domains an attacker can buy, but it cannot eliminate it, since the number of possible permutations is far larger than any organization will register; the remaining variants are what newly-registered domain monitoring is for.
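The typosquatting and homoglyph section, the advice to monitor newly-registered domains, and the advice above to register likely lookalikes all rest on the same step: enumerating the variants of a brand domain. The following Python is an added example (not ZeroFox's code or the code behind its platform) that generates typo and homoglyph permutations of a brand label, normalizes punycode (xn--) labels and a handful of Cyrillic confusables back to Latin, and triages a feed of newly registered domains against the result. The brand domain zerofox.com is used as the page's own running example; the homoglyph table, the confusables table and the sample feed are constructed and deliberately small.

```python
"""Generate lookalike permutations of a brand domain and triage a feed of
newly registered domains against them.

Added example. The homoglyph/confusable tables and the sample feed below
are constructed for illustration and are not exhaustive.
"""

# ASCII substitutions that look alike in common fonts (small, constructed subset).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}

# A few Cyrillic letters that render identically to Latin ones (subset of the
# Unicode confusables list); used after decoding IDN labels.
CONFUSABLES = {"\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def permutations(label):
    """Return typosquat/homoglyph variants of a second-level label."""
    variants = set()
    n = len(label)
    for i in range(n):                      # omission: zerfox
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # transposition: zeorfox
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # repetition: zeroofox
        variants.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):          # single homoglyph: zerof0x
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    variants.discard(label)
    return variants


def normalize(domain):
    """Decode punycode labels and fold known confusables to Latin, lowercase."""
    try:
        unicode_domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_domain = domain
    return "".join(CONFUSABLES.get(c, c) for c in unicode_domain.lower())


def triage_feed(brand, feed, tlds=("com", "net", "org", "co")):
    """Return [(domain, reason)] for feed entries that resemble the brand.

    "lookalike" = exact hit in the permutation watch-list (high confidence);
    "contains-brand" = brand label embedded in a longer label (piggybacking).
    """
    brand = brand.lower()
    label = brand.split(".")[0]
    watch = {f"{v}.{t}" for v in permutations(label) | {label} for t in tlds}
    hits = []
    for domain in feed:
        norm = normalize(domain)
        if domain.lower() == brand:
            continue                        # our own registration
        if norm in watch:
            hits.append((domain, "lookalike"))
        elif label in norm.split(".")[0]:
            hits.append((domain, "contains-brand"))
    return hits


# Constructed stand-in for a newly-registered-domains feed.
FEED = [
    "zerof0x.com",                  # digit zero for letter o
    "zerofox-support.com",          # brand embedded in a longer label
    "zerfox.com",                   # omitted character
    "zerofox.co",                   # brand label under another TLD
    "zeorfox.com",                  # transposed characters
    "zerofox.com",                  # the brand itself, must not be flagged
    "example.com",                  # unrelated
    # Cyrillic о (U+043E) in place of Latin o, as the registry would show it
    "zerof\u043ex.com".encode("idna").decode("ascii"),
]

if __name__ == "__main__":
    for domain, reason in triage_feed("zerofox.com", FEED):
        print(f"{reason:15} {domain:32} -> {normalize(domain)}")
```

Two design points worth noting. First, the watch-list is generated once and matched by set lookup, so it scales to feeds of millions of entries per day; the cost is the size of the permutation set, which grows with label length and the number of TLDs you care about. Second, the punycode entry only matches because normalize() decodes the label and folds the Cyrillic character; a matcher that compares raw registry strings would miss it entirely, which is exactly the gap homoglyph attacks rely on.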

Offload Complex Phishing and Malware Takedown with Domain Monitoring Service

Leveraging continuous domain monitoring and anti-phishing protection will help any organization reduce domain-based attacks and offload phishing website takedown needs, with the increased ability to speed up the takedown of fraudulent web domains. The ZeroFox Platform provides domain monitoring services needed to ensure your organization’s online presence isn’t being compromised or used to phish unsuspecting users.

ZeroFox has a team of experts ready to not only address phishing website takedown but full-scale adversary disruption. ZeroFox focuses on the attacker infrastructure, working with hosts, registrars and network providers to take down malicious domains as soon as they are registered in order to prevent future attacks. Click here to read more about our takedown and disruption services. If you would like to learn more about phishing, read our Phishing 101 blog here, and don't forget to subscribe to our blog to stay current on best practices, the latest research and breaking news.
