Reporting domains

← Back to main project page

This is a quick document explaining what I do, and what you can do if you find in the wild an unblocked domain:

Is it really phishing?

Many companies use a myriad of domains, with absurdly long names specially for advertisement purposes. So you probably want to make sure first it is really a phishing domain.

This is more of an art rather than a exact science, but usual telltale indicators are:

Adding to NOMS

You can send me a pull request on my GitHub repository, or if you aren’t technically skilled, contact me with details. This is the fastest but also the one that will reach the fewer amount of people.

Safe Browsing

Next you’ll want to report it to Google Safe Browsing. This malware and phishing list is used by all mainstream browsers such as Mozilla Firefox and Google Chrome (and probably also Microsoft Edge, or are they still using their own like with IE? Dunno).

This is pretty easy:

You just need to type in the address you found, pass the reCAPTCHA check, optionally type in a short description (ie “this is a phishing site for X bank”) and hit submit.

INCIBE

If you are based in Spain, consider also dropping an email to INCIBE, the national cypersecurity agency.

Their email is incidencias@incibe-cert.es, and you just need to type on a brief description of what you found, where, and the address of the phishing or malware site.

I am not sure if this actually does anything, but I tend to do it in case this speeds up the Google Safe Browsing report processing.

Domain registrar

You can also contact the domain registrar, aka the company the fuckers behind the phishing site used to register the domain.

For figuring that out, you can go to ICANN Lookup website, type in the domain name and you should see the “Abuse Contact Email” all registrars must publicly display and read, as per the ICANN rules.

ICANN sample

You can just drop them a short email like the following:

Hello,

I have received an email with the domain fake-contoso.com, which hosts a phishing website for Contoso company, whose real website is aaazzz.com, and targets Spanish citizens to gather user credentials. This is illegal and should be removed.

Best regards

Hosting provider

Finally, you might also want to contact the hosting provider. This is slightly harder than all of the above and depends on the hosting company they are using.

  1. Figure out the IP where the phishing website is hosted. You can use ping in the command line, which will resolve the domain and report its IP.

    IP from ping

  2. Use a ASN lookup page like neustar’s or Hacker Target. Type in the IP address and it will spit out the company owning that IP.

    Hosting information

    Of course, if the hosting provider is the same as the registrar, there’s really no point in reporting to them again.

  3. Finally, lookup in your favorite search engine [company name] abuse, and you should get a form or email where to report this case.

    Google abuse lookup

  4. Send them an email or form like the one for reporting to the domain registrar.

← Back to main project page