The email report template is currently very sparse compared with all the data available on the analysis/case page.
At a minimum it’d be useful to include data like:
- Resolved IP addresses (where relevant)
- Screenshot of the site
within the email itself. Or do something like Netcraft does, where there’s a special “evidence” page that can be linked to from the report email.
We use our own template, however it is still very basic.
Our team is still investigating potential ways to include that information for providers.
However, people should know that some shady ISPs or server providers do not allow submitting pictures to their abuse email addresses.
Good to know! Yeah, this is a really tricky point: you’ve got to be really careful not to get your emails blocked (this is why we defang URLs so heavily, so they aren’t flagged as malicious by security filters).
We do get our emails blocked occasionally.
It’s not that big of a deal, since a human can rewrite the email.
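The defanging mentioned above is the practice of rewriting a URL so that mail filters and mail clients do not treat it as a live link (`http` becomes `hxxp`, dots in the hostname become `[.]`). The following is an added example, not code from Phish Report or from anyone in this thread; the function names, the report layout and the sample phishing URL are assumptions made for illustration. It builds an abuse report body from the fields the thread asks for (resolved IPs, an official site being impersonated, a screenshot link) and then checks that no live URL slipped through before the mail is sent.

```python
import re
from typing import Optional, Sequence

# Matches anything a mail filter would parse as a clickable link.
LIVE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def defang_url(url: str) -> str:
    """Return a non-clickable form of `url`.

    Scheme http/https -> hxxp/hxxps, every dot in the hostname -> [.].
    Dots in the path are left alone; they are not what link detectors key on.
    """
    if "://" in url:
        scheme, rest = url.split("://", 1)
        scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE) + "://"
    else:
        scheme, rest = "", url
    host, sep, path = rest.partition("/")
    return scheme + host.replace(".", "[.]") + sep + path


def contains_live_url(text: str) -> bool:
    """True if the text still carries a clickable http(s) link."""
    return LIVE_URL.search(text) is not None


def build_abuse_report(
    phish_url: str,
    official_url: Optional[str] = None,
    resolved_ips: Sequence[str] = (),
    screenshot_url: Optional[str] = None,
) -> str:
    """Assemble the body of an abuse report with every URL defanged.

    Raises ValueError if a live link remains, so a template mistake is caught
    before the mail is handed to the provider's (possibly filtering) abuse inbox.
    """
    lines = [
        "This site [{}] is a phishing site.".format(defang_url(phish_url)),
    ]
    if official_url:
        lines.append(
            "The official site it impersonates is [{}].".format(defang_url(official_url))
        )
    if resolved_ips:
        lines.append("Resolved IP addresses: " + ", ".join(resolved_ips))
    if screenshot_url:
        lines.append("Screenshot of the site: " + defang_url(screenshot_url))
    body = "\n".join(lines)
    if contains_live_url(body):
        raise ValueError("report body still contains a live URL")
    return body


if __name__ == "__main__":
    # Constructed sample values, not real indicators.
    print(
        build_abuse_report(
            "https://sar.hhr.qyz/login",
            official_url="https://sar.hhr.sa",
            resolved_ips=["192.0.2.10"],
            screenshot_url="https://evidence.example/shot/1.png",
        )
    )
```

The recipient can still read the addresses, and a human reviewing the complaint can refang them by hand; the point is only that the mail passes the filters in between.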
Hi, I find better results if we also include the screenshot link
and include the target of the phishing site, so could you add a field [ target of the phishing (if applicable) ]
so it can be included in the email.
I am unsure how we could do that.
“Target of XYZ”, however: how are you going to determine the target of the attack?
If the site matches an IOK rule then there’s a target tag that we could use.
Otherwise, would you be open to manually tagging sites you report with the company it’s targeting? @omar8000?
Sorry, maybe I wasn’t clear, since English is my second language.
I meant to say we add the official site to the email like this:
This site [https://sar.hhr.qyz] is a phishing site.
The official site is https://sar.hhr.sa.
That is what we understood.
How are you going to determine the target of the attack?
I think it should be optional and up to the person who reports to determine the target. I usually visit the phishing site and know what they try to pretend to be.
I’m not sure screenshots are needed.
I mean, some providers just block the domains without any screenshots.
I’ve gotten better results using the above-mentioned way:
Phishing site is xyz.com
Real official website it is impersonating is aaa.com
I add stuff manually to the email template and always add a screenshot of the phishing site and have just started adding additional shot of the real official site for comparison.
Have been burnt too many times by places like namesilo etc. not taking sites down even with a plethora of evidence. Nowadays when I report I also have to add, “I will be tweeting this info/proof of phishing and also tagging your company as proof.”
NiceNIC_NET are the absolute worst. Recently have been getting emails back from them refusing takedowns and ‘customer has been notified and we are awaiting their response’ rubbish.
Namecheap and Cloudflare are similar to NiceNIC_NET too; I haven’t got a response from them.
We do get responses from NiceNIC, however they mostly tell us to contact the hosting provider instead.
Yeah, that’s bad, since we’re supposed to report it to them.
Simple: threaten them with ICANN.
Fun fact: we called up ICANN’s global support phone number and we were given the advice of “Threaten them with a complaint to ICANN Contractual Compliance”. That’s exactly what the representative said on the phone.
It worked on RU-Center; they now respond to our abuse complaints. If they managed to sit down on their bum and actually do the investigations, then it will surely work on NiceNIC.
Brilliant. Maybe we can alter the Phish Report email reporting script to include this info and any other legalities that would otherwise have them dragging their heels across the board.
Edit - “As a domain name registrant, you have certain obligations for your domain name registration and its usage, governed by your agreement with the registrar.”
Found this gem on the ICANN website here: Spam, Phishing, and Website Content - ICANN
I’ll send you the details here; it discusses how registrars are required to investigate abuse complaints.
You messaged just as I was editing the post.
The more legalese lingo we can throw in the templates the better, to scare them into compliance. I’m thinking they fear ICANN because once they have x amount of strikes with them, they get pulled.
Edit again: found more (Trademark Claims Notice - ICANN). Still digging, but it looks like new domain names ‘should’ be run through a trademark database upon registration, and ‘if’ X company or organization is in it, the registrar is notified that the new domain name is violating a trademark…?
Not sure if I’m reading this right, but orgs need to buy a subscription to the Trademark Clearinghouse. Can’t seem to find a way to search which orgs are using this service, though.