Educause Security Discussion mailing list archives

Re: Phishing take down notices.


From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Wed, 21 Jun 2017 15:35:44 -0400

Bryan,

We did a presentation via Educause/RI last September called School of
Phish. Via Google Safebrowsing reporting and Phishtank these get into
Browser blocks very quickly if reported and verified. I'm kkh288 in PT and
would be happy to add verification assistance if you let me know your
reporting "handle". We track a few other edu reporters here that our team
assists with.

https://www.phishtank.com/user.php?username=kkh288

As for the domain itself ... different domains yield different results.
Forms places like Formcrafts and CognitoForms immediately 404 the site if
abuse is reported. I'd also look "nearby" as phishers using those sites set
up a number of similar forms. Others such as Weebly, WebHost, Yola, Wix do
process takedowns ... the time varies. Some "free build" sites are poor
and a compromised WP host can be really hit-or-miss. You might also try
reporting to the Netcraft plugin as they often do notification as well.

That's a quick hit primer but there's so much more. I'd be happy to chat
further with those seeking help.

Thanks,

Keith


On Wed, Jun 21, 2017 at 3:11 PM, Ford, Bryan <bryan.ford () ndus edu> wrote:

How are you reporting a takedown notice for a phishing site? Presently we
have no standard for takedown notices. We will notify the domain owner most
times, but it seems to take them some time to do it.

I know there are phishing reporting sites for just about every vendor out
there. I tried Phishtank and the voting thing in my very novice view is
clunky at best. Is anyone a member of APWG and a phishing reporter?

If so, any wisdom on how it works? I see there is a site in the APWG where you
can report phishing but you also need the header information, which 90% of the
time we don’t get when a user reports phishing.

We have been playing with the Netcraft toolbar extension and like the end
user ability to report phishing directly, but we are just evaluating it. I
am of the belief that most anti-phishing vendors use a feed from at least one
organization to populate their databases. Forgive me if this has been
addressed but I could not find anything in Educause on this subject.



Sincerely

Bryan

Bryan Ford
Information Security
NORTH DAKOTA University System
Core Technology Services
4349 James Ray Drive
Grand Forks, ND 58203
701.777.6484 (o)
cts.ndus.edu

-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
*Chief Information Security Officer*

*Lehigh University*
*610-758-3994*
