
That's really... not an appropriate response, and not only for the legal reasons others mentioned.

Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box that is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).

Plus, you didn't solve anything: from the pattern you used, it's pretty easy for the adversary to clean up the data, get rid of your garbage and put the thing back up the next day, so you've only temporarily disrupted their operation.

A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that. If you feel kind and keen to do some free work, you can find out if the infrastructure also has a legitimate purpose and contact the legitimate administrator. Also, there are a lot of abuse lists that accept contributions, as in submissions of malicious sites, where you can report this (so it gets fetched by a variety of stuff and blocked by others while it's operational, before it gets eradicated).

I understand this does not give you any credit or allow you to write a blog post about looping requests in bash but still.




Have you ever tried reporting a phishing site through those legitimate channels?

I have, and my experiences have been that:

* The domain registrars are apologetic and well-meaning, but tend to explain that they aren't empowered to take this stuff down without being ordered to by Law Enforcement or similar. There typically isn't a mechanism available for getting LE to respond before the phish campaign is over.

* The hosting providers chosen by phishing sites are either "bulletproof hosts" who are tacitly complicit, or more commonly are so low-end that the support departments are massively underfunded and abuse reports take eons to be processed.

Either way, the phisher achieves their objectives before the site is taken down. That being the state of affairs then, although I don't choose to use the kind of tactics outlined in the blog myself, I find it pretty hard to condemn those who do.

EDIT: I do agree with you that submitting the URL/IP to abuse blacklists is a helpful and positive thing to do. Here are a couple of submission URLs (there are many more): https://pulsedive.com/submit/, https://www.abuseipdb.com/report.


I've had a similar experience. I ran into a scam that was masquerading as a popular Canadian clothing store (Roots) where everything was 50% off. I reported the domain to Namecheap and they said they're not responsible for the content since it's hosted elsewhere. I pointed out that the domain itself was also trying to pass as legitimate and they told me unless I was the trademark owner they couldn't do anything. I also e-mailed the hosting provider but never heard back.

Fortunately I got ahold of Roots via Twitter and the scam seems to have been shut down.


Did you expect the domain company to take down the domain based on a copyright issue reported by an entity where they are not the copyright holder?

Think of all of the false take-down requests registrars would receive.


I have. My experience is mixed: sometimes everything you wrote happens (like, it takes days to get processed), sometimes it doesn't (you might be surprised how fast some small providers can react, sometimes faster than bigger ones). If you want to speed up the process, contacting the legitimate owner is the way (and hope their response is faster).

I understand the will to take action, but doxing a phishing site can cause collateral damage you did not foresee and want to avoid, legally and otherwise. And it doesn't solve anything, as previously explained; it just temporarily takes them down, which leads to a comparison between the time invested by the adversary (who will block your source as the first thing) and yours (and you don't want to go there). It's definitely not something to suggest to inexperienced people as "a good way to fight phishing" (which they'll take literally, because it looks cool). There might be exceptions to this (as in, calculated risks) but they go far beyond what makes sense for someone alone to do.


I agree in principle. But...

> Phishing sites can be / are often served by compromised hosts, so you might as well end up doxing a box that is not run by the bad guy, causing all sorts of mayhem for the legitimate owners / admins (in addition to their being compromised).

Well, they are already compromised. If they were lucky, it was just an automated system that scanned for vulnerabilities and only dropped the phishing webserver – for now. It could be used as a jump box to compromise further systems in the host's network. Who knows what else may be running on the box. If it is being used for 'legitimate purposes', whatever that purpose is, it is at large risk.

The fact that it is still compromised indicates that it is not actively/properly monitored.

Taking it out will draw much more attention to the system from their owners. If I had a compromised system that I didn't know about and it was taken out, I'd be thankful it wasn't left running for longer.

It's not the 'correct' thing to do, but I'm not convinced that putting the system out of commission is more harmful than leaving it running doing who knows what.


It becomes a defence for hacking legitimate sites.

Anyone could hack a site, put malware on it, and if they are caught claim they hacked in to remove the malware they put there.


Not much against taking a compromised system down, but the provider can (should?) do that according to their ToS (and whatever containment / response procedures they have in place), not some targeted victim playing vigilante by running what is basically a trivial DoS attack. My point was this is not a good thing to show off / encourage people to do, and it can have unexpectedly bad consequences.


> A more appropriate response is to report the abuse to whoever manages the infrastructure (most likely a legitimate provider) and the domain registrar; both usually have appropriate channels and response procedures just for that.

Unless of course it's behind Cloudflare - then you cannot find out whose infrastructure the criminals are operating from, and Cloudflare itself does not give a fuck. Best case scenario: they will forward your complaint to their customer - an unknown party to you who might be the criminals themselves, putting you in danger.

Thank you, Cloudflare.


They claim they will do all this for you if they are (allegedly) proxying malicious content. Source: their abuse form [1], selecting "Phishing & Malware". Did you have bad experiences with this? Might be worth sharing.

[1] https://www.cloudflare.com/abuse/form


I recently had a (b/s)ad experience with them. I am hosting the demo site for my open source image hosting solution (pictshare) behind Cloudflare and had the CSAM tool (that searches automatically for child pornography) enabled. Felt safe enough, but after a while I noticed a TON of traffic... like gigabytes an hour through Cloudflare.

Turned out someone uploaded like 1000 child pornography images to the demo site; Cloudflare didn't once send me anything or block an image before being uploaded.

I wrote their support and they pointed me to the abuse form you mentioned (which would have reported the content to myself?)

I thought they'd look into their logs and send Interpol the uploaders' IP addresses, but no, they didn't do anything.

In the end I got Interpol and the local BKA (Federal Criminal Police Office) and they were so awesome, and I prepared Excel sheets for them with all IP addresses and log entries of every consumer and uploader.


I used the form and emailed abuse@ (for sites blatantly impersonating relief effort organizations at the onset of covid-19).

all attempts got responses like "cool, but we don't do any of that. please contact google safe-site(tm) beta or something and get it blocked on the browser via that".

Everyone here posting that they replied probably used email from a domain that is an expensive paid customer of theirs. I used a @gmail one.


Pardon me, but I've contacted Cloudflare multiple times and they always shut them down.

https://i.imgur.com/9pUiR4J.png


I would be wary about sending a warning email from an email address that could be traced back to me. Some people panic, and assume that you're the person responsible, or lash out at the only person they can strike - you.


The infrastructure provider (if any) has likely seen more of these than you can imagine and, again, they have proper channels for this and the people who monitor them know how to handle it; they won't lash out at you. Same goes for the domain registrar.

As for the box's legitimate owner, while I agree that there is all kind of crazy out there and you can avoid this if it makes you uncomfortable (abuse-at-provider will most likely contact them shortly without involving you), I don't see the "lash out" or "strike at you" scenarios as likely; in my experience you usually get a thank you.

To be clear, I'm not suggesting emailing "Bro, you are compromised, bye". I mean, you can just inform them that you received the link and were taken to a phishing site that looks like it's hosted on their machine, attach screens, and advise them on next steps if you want to go the extra mile in niceness. You're doing them a favour without breaking any law, why would they get mad at you?


I had a similar situation happen to me. Someone was catfishing (dogfishing?) using my dog; they have him listed for sale...

I phished the seller into giving me their Zelle email which was a full name and presumably tied to a legit bank account with a legit person associated with it.

I reported them, with all the facts I'd collected, to the AG office in the state I believed them to be in (OH, b/c they offered shipping to anywhere + local delivery in Cleveland). I reached out to other dog owners that I could identify and urged them to also file reports.

I passed along this information to a friend who works in cyber crimes law enforcement (specifically in crimes against children). He verified the information I provided to the best of his ability and passed to his peers in another agency.

Months later, nothing except an automated thanks from the AG office and the site is still up.

The main issue, I'm told, is I don't have any victims who actually tried to purchase and never received a puppy.

https://www.qualitygreatdanepuppies.com/available-puppies

"Johnny" is my dog. That photo is in front of my old apartment.

I do not condone this approach of striking back, but I am frustrated that even when I identify the culprit of a scam, there's nothing I can do.


> "Johnny" is my dog. That photo is in front of my old apartment.

I've successfully used the DMCA against spammers who used my photos in their spam. Hosting providers and platforms usually have processes in place to deal with copyright infringement even if they're turning a blind eye to fraud.

Unfortunately, that is the only success I've had against them.


I used to report these things but ran into some issues:

1) There is no way I can see to contact anyone at Ali Cloud to report abuse and no expectation they will do anything, and I've seen an increasing number of scams hosted on offshore providers with no apparent abuse reporting system.

2) Some registrars and hosting providers want you to sign up with an account first to be able to create a support ticket to report abuse, which is very time consuming.

3) I would probably be spending hours per week reporting abuse and it never seems to end. It feels like trying to empty the ocean with a thimble.

So now I just ignore phishing scams.


You should be able to find the registrar abuse contact information in the whois, in the fields "Registrar Abuse Contact Email" and "Registrar Abuse Telephone Number". Registrars are required to provide these for their accreditation with ICANN [0]. Both an email and a valid phone number are required.

[0] https://www.icann.org/resources/pages/faqs-2013-11-26-en
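As an added illustration of the lookup the comment above describes (example code, not from any commenter), the parser below pulls the registrar abuse contact out of an ICANN-style "Key: Value" whois record, checks that the email and phone fields look usable before you send a report, and also collects the name servers so the hosting side can be reported separately. The whois text, registrar name, domain and contact values are all constructed placeholders; it accepts both the "Registrar Abuse Contact Phone" spelling used in live records and the "Registrar Abuse Telephone Number" wording from the comment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample whois output: the domain, registrar and contact details are
# placeholders (reserved .example names), not a real record.
SAMPLE_WHOIS = """\
Domain Name: LOOKALIKE-SHOP.EXAMPLE
Registry Domain ID: 0000000000_DOMAIN_EXAMPLE
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2021-01-01T00:00:00Z
Creation Date: 2021-01-01T00:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
>>> Last update of whois database: 2021-01-01T00:00:00Z <<<
"""

# One "Key: Value" line; the key is matched non-greedily so URLs in the value
# (which contain their own colons) are left intact.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /\-]*?)\s*:\s*(.*?)\s*$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# ICANN-style phone: +<country code>.<subscriber number>
PHONE = re.compile(r"^\+\d{1,3}\.\d{4,14}$")

# Field names to try, in order; hypothetical aliases cover both spellings.
EMAIL_KEYS = ("registrar abuse contact email",)
PHONE_KEYS = ("registrar abuse contact phone", "registrar abuse telephone number")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse whois text into {lower-cased key: [values]}.

    Repeated keys (Name Server, Domain Status) keep every value; comment
    and footer lines (%, #, >>>) are skipped.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "%#" or stripped.startswith(">>>"):
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key = match.group(1).strip().lower()
        fields.setdefault(key, []).append(match.group(2))
    return fields


def _first(fields: Dict[str, List[str]], keys) -> Optional[str]:
    """Return the first non-empty value found under any of the candidate keys."""
    for key in keys:
        for value in fields.get(key, []):
            if value:
                return value
    return None


def registrar_abuse_contacts(text: str) -> Dict[str, object]:
    """Extract the registrar abuse contact from whois text.

    Email and phone are returned only if they pass a basic format check, so a
    blank or redacted field comes back as None instead of a bad address.
    """
    fields = parse_whois(text)
    email = _first(fields, EMAIL_KEYS)
    phone = _first(fields, PHONE_KEYS)
    return {
        "registrar": _first(fields, ("registrar",)),
        "email": email if email and EMAIL.match(email) else None,
        "phone": phone if phone and PHONE.match(phone) else None,
        # Name servers hint at the hosting/DNS provider, which is reported separately.
        "name_servers": fields.get("name server", []),
    }


if __name__ == "__main__":
    contacts = registrar_abuse_contacts(SAMPLE_WHOIS)
    for key, value in contacts.items():
        print(f"{key}: {value}")
```

Feed it the output of `whois <domain>` (or the registrar's web whois) to get the address to send the report to; when `email` comes back as `None` the record is redacted or malformed and the registrar's own website, or the IANA ID, is the fallback.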


Yes, I meant that more for hosting providers. However, I have never received a response from a registrar when I have contacted them about abuse, so I am not sure how useful it is.


[flagged]


Mind posting a link to your website?


This is prevalent logic in the security community, but it sounds strange applied to other domains.

"Porch pirates are justified because you should have secured your amazon delivery."

"She deserved harassment because she was dressed provocatively"

"Your country didn't have a wall so it deserved to be invaded."


It's more like: "She deserves to get her car's tires slashed because her car was stolen and is being driven on the sidewalk hitting innocent pedestrians"

In which case my answer would be: of course, by all means!


None of those acts enable the criminal to commit crimes against other people.


They sound strange because they are bad analogies.

This is a case where a resource was hijacked and is being used against other people. A similarly bad analogy, but more accurate, is if you had a car that was stolen, and subsequently used to commit crimes. If it got stopped, it would be beneficial to society, even if it could cause you financial harm.


If your insecure house has been broken into, you deserve to have all of your stuff stolen. Security is your responsibility.



