Educause Security Discussion mailing list archives

Re: Phishing take down notices.

From: "Ford, Bryan" <bryan.ford () NDUS EDU>
Date: Thu, 22 Jun 2017 19:39:01 +0000

Thank you everyone for your responses looks like Google reporting seems pretty popular. Not surprised by phishtank glad 
to know Keith can help out with that.  Will have
to look at the others some great ideas.

Thanks

Bryan



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith 
Hartranft
Sent: Wednesday, June 21, 2017 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing take down notices.

Bryan,

We did a presentation via Educause/RI last September called School of Phish. Via Google Safebrowsing reporting and 
Phishtank these get into Browser blocks very quickly if reported and verified. I'm kkh288 in PT and would be happy to 
add verification assistance if you let me know your reporting "handle". We track a few other edu reporters here that 
our team assists with.

https://www.phishtank.com/user.php?username=kkh288

As for the domain itself ... different domains yield different results. Forms places like Formcrafts and CognitoForms 
immediately 404 the site if abuse is reported. I'd also look "nearby" as phishers using those sites set up a number of 
similar forms. Others such as Weebly, WebHost, Yola, Wix do process  takedowns ..... the time varies. Some "free build" 
sites are poor and a compromised WP host can be really hit-or-miss. You might also try reporting to the Netcraft plugin 
as they often do notification as well.

That's a quick hit primer but there's so much more. I'd be happy to chat further with those seeking help.

Thanks,

Keith


On Wed, Jun 21, 2017 at 3:11 PM, Ford, Bryan <bryan.ford () ndus edu<mailto:bryan.ford () ndus edu>> wrote:
How are you reporting a takedown notice for a phishing site. Presently we have no standard for takedown notices. We 
will notify the Domain owner most times, but it seems to take them sometime to do it.
I know there is phishing reporting sites for just about every vender out there. I tried Phishtank and the voting thing 
in my very novice view is clunky at best. Is anyone a member of APWG and a phishing reporter ?
If so any wisdom on how it works. I see there a site in the APWG where you can report phishing but you also need the 
header information,  90 % of the time we don’t get when a user reports phishing.
We have been playing with the Netcraft toolbar extension and like the end user ability to report phishing directly, but 
we are just evaluating it.  I am in the belief that most anti phishing venders
use a feed from at least one organization to populate their databases.  Forgive me if this has be addressed but I could 
not find anything in Educause on this subject.

Sincerely

Bryan



Bryan Ford
Information Security
NORTH DAKOTA
University System
Core Technology Services
4349 James Ray Drive
Grand Forks, ND 58203
   701.777.6484<tel:(701)%20777-6484> (o)
   cts.ndus.edu<http://cts.ndus.edu>




--
Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University
610-758-3994

Current thread:

Phishing take down notices. Ford, Bryan (Jun 21)
- Re: Phishing take down notices. Haas, Mike (Jun 21)
- Re: Phishing take down notices. Keith Hartranft (Jun 21)
  - Re: Phishing take down notices. Ford, Bryan (Jun 22)
- Re: Phishing take down notices. Joel Anderson (Jun 21)
- Re: Phishing take down notices. Philip Webster (Jun 21)