Articles about website spoofing, cybersecurity trends, and how to protect your customers from hackers.
Some brand protection services make fancy claims about their web takedowns, sometimes calling them “virtual” or “automated.” When you learn of a fraudulent website impersonating your brand and targeting your customers, what matters most is rendering it inaccessible to as many people as possible as quickly as possible. To help CISOs and other cybersecurity professionals and brand protection teams make informed decisions about online brand abuse detection and protection solutions, this article will clarify what a website takedown is, as well as, explain why a takedown can almost never be automated.
A takedown results in its target, the problematic content, being removed from the internet. A website hosting service will remove problematic content or a domain registrar will cancel or suspend a domain registration in response to allegations that the content on their servers (web host) or the registered domain (registrar) is illegal. Reasons web content may be illegal include, but are not limited to, it being deceptive or infringing on a registered trademark or copyright.
We can consider web content or a site taken down if it’s effectively “unplugged” from the internet. But unplugging the content from the internet isn’t as easy as simply sending a notification to a web hosting service or domain registrar.
No – a website takedown can almost never be automated. There’s more to a takedown than simply sending a notification. The receiving web host or registrar needs to investigate each takedown request to determine its validity. That takes time and requires a human in the loop. In addition, we can’t assume that all hosting providers and registrars are responsive to such requests.
In fact, some providers (referred to as bullet-proof hosts) position themselves as willing to host content other providers will not and do not respond to requests to remove content. As you might imagine, fraudsters don’t want it to be easy to take down their scam sites. They prefer a bullet-proof hosting provider over a web host with a clear notice-and-takedown policy and well-publicized complaint/abuse contacts.
In an ideal world hosting providers and registrars would remove any and all malicious websites from the internet. That, of course, is easier said than done. So, while a takedown is the ideal, there are other effective response measures that make websites inaccessible to a majority of internet users.
Let’s talk about some of the ways businesses can fight websites that impersonate their brand – starting with detection all the way through to takedown.
The first step in fighting online fraud is identifying a site that’s impersonating your brand before it begins luring victims. Attackers have built toolkits and adopted infrastructures to quickly create scam sites, and they’ve developed evasion tactics to make it more difficult for security teams to find their illicit sites as well.
For example, some advanced phishing kits do not display the phishing page if a cloud service provider is the source of the page visit. A consumer accessing the site from their home will not present from an AWS network. The profile of the device, web browser, and location of the request is analyzed by the malicious website to ensure it has captured an authentic, unsuspecting user.
Make no mistake, the detection of fake websites must be automated. Doing anything close to a thorough job of detecting online brand abuse must scale beyond human capacity. Humans simply cannot cover the entirety of the ground afforded by the internet, only artificial intelligence-based detection systems can.
As soon as a fake website is identified, Allure Security can take action to disrupt the attacker’s scheme by automatically stuffing seemingly legitimate, though ultimately useless, decoy data into username, password, and other fields on a malicious website.
This glut of data can lead to a number of outcomes:
The goal of this decoy data injection is to upset the economics of the attacker’s scheme so that they receive no return on their investment.
One way to prevent users from accessing a fraudulent website is to submit the site to myriad blocklists maintained by various companies (Google Safe Browsing or McAfee SiteAdvisor being just two examples). Multiple web browsers ingest Google Safe Browsing feeds including the leading web browsers in the world (Chrome, Safari, and FireFox being the top three in January 2022). So submitting a fraudulent website to the Safe Browsing list effectively prevents more than 87% of internet users from accessing the scam, typically in minutes.1
In some cases, scam websites can be submitted to companies like Google and anti-virus vendors via API and in an automated fashion. Adding a website to a blocklist is a powerful mitigation protecting the majority of internet users very quickly. But, just because a site is blocked doesn’t mean the mitigation and cleanup process is complete.
Block a website or take it down, the crucial thing is preventing innocent users from accessing it. If a true takedown is your goal, a request must be submitted to the company hosting the website, or the domain registrar that registered the domain (provided there is a place to send such requests).
As explained above, one can automatically send an email to a web hosting service provider informing them of a malicious site and requesting it be taken down. Sending a takedown request does not mean the takedown is executed. Responses can take hours, days or weeks – if a response comes at all. Many hosting providers require their own personnel to investigate a website takedown request to determine whether a takedown is warranted.
In other frustrating cases, a fraudulent web page might be hosted in subdirectories of a legitimate but unsuspecting host. For example, perhaps a coffee shop in Vietnam is running their own website on their own server. At the same time, and unbeknownst to coffee shop employees, a fake banking website is also operating on that same domain within a subdirectory. To whom should the takedown request be sent in this case? Sending an e-mail to the barista asking them to fix the issue after they finish grinding beans for the day is unlikely to have much effect. Contacting the web hosting service won’t be much help either. The web hosting service can’t take just a single page offline, and they’re unlikely to take down the entire coffee site to solve the problem.
Crucial to the process is diligent, persistent follow up on a takedown request. From our experience, simply waiting for a takedown request to be executed is not effective. Time is of the essence and some hosts and registrars are slow to respond without persistent follow up, and in some cases other avenues must be explored.
Whether a takedown is “automated” or not matters less than making scam sites inaccessible to the largest number of people as quickly as possible. A takedown is really only the final step in cleaning up an incident of brand impersonation, and by their very nature website takedowns cannot be automated. Be wary of vendors that promise automatic takedowns or takedown times that sound too good to be true. Scrutinize their definition of a takedown to be sure you can trust that you’ll get what you pay for and need in your particular case.
Posted by Salvatore Stolfo