Case Study
Death to Phishing
What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.
By Sarah D. Scalet
Companies can keep the takedown function in-house, and many large financial institutions do. But midsize and smaller companies often lack the resources to shut down the sites themselves. The process needs to be initiated at all hours. It also can get complicated, involving not only a website owner but also domain name registrars, Web-hosting companies and network providers around the world. That's where a growing number of vendors, including Brandimensions, Cyota and Cyveillance, have stepped in.
Their services have evolved. Jones remembers when Bank XYZ first put out an RFP for antiphishing services, around the time of that first phishing attack. "We had a vendor a year ago that said they wouldn't be able to shut down a site for us because that would be an act of war." She laughs, the idea ludicrous. "Back when we were trying to figure things out, so were vendors."
Nowadays, the attempt to do a takedown is standard fare, so standard, in fact, that the Treasury Department's Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)
Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). "You say, Hey, did you know there's a URL on your website that's a phishing attack?" Brandimensions' Hyndman says. "They look at it and go, Oh my God, and they remove that website."
The reality, however, is usually much more complicated. Phishers are pros at hiding their tracks, and they often launch or route their attacks through countries where cybersecurity laws are lax and enforcement is next to impossible. If attempts to locate the website owners fail, or if the owners do not respond within an hour, Brandimensions escalates the situation.
Basically, responders work their way up the network stream seeking someone who will shut down the site. They try first to work with the ISP or Web hosting company, and then, if necessary, contact the domain name registrar responsible for the domain name that points to the site's IP address. They'll send e-mails and faxes, and they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from the local incident response teams organized through CERT/CC at Carnegie Mellon.
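The escalation chain described above (owner first, then the hosting provider, then the registrar, with a national CERT added for sites hosted abroad) is easy to get wrong at 3 a.m. when several cases are open at once. The following tracker is an added example, not code from the article or from any vendor it names; its contact directory, domains, and all SLAs except the one-hour owner window quoted in the text are constructed for illustration.

```python
"""Phishing-site takedown escalation tracker.

Added example; not code from the article or from any vendor named in it.
It models the escalation chain the text describes: notify the site owner,
and if nobody responds within an hour work up the network stream to the
hosting provider, then the registrar, and for sites hosted abroad a local
CERT. All contacts, domains and SLAs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# "If the owners do not respond within an hour" (from the text).
OWNER_RESPONSE_SLA = timedelta(hours=1)
# Assumption: upstream parties get a longer window before the next escalation.
UPSTREAM_RESPONSE_SLA = timedelta(hours=4)

# Constructed contact directory keyed by registrable domain. In practice these
# would come from WHOIS/RDAP, the hosting provider's abuse page and the
# CERT/CC directory of national response teams.
CONTACT_DIRECTORY = {
    "example-hacked-site.test": {
        "owner": "webmaster@example-hacked-site.test",
        "host": "abuse@hosting-provider.test",
        "registrar": "abuse@registrar.test",
        "country": "US",
    },
    "cheap-host.test": {
        "owner": "admin@cheap-host.test",
        "host": "abuse@cheap-host.test",
        "registrar": "abuse@offshore-registrar.test",
        "cert": "incidents@national-cert.test",
        "country": "RO",
    },
}


def registrable_domain(url: str) -> str:
    """Reduce a phishing URL to its registrable domain.

    Simplification: takes the last two host labels. Real code should consult
    the Public Suffix List so that hosts under e.g. co.uk are handled correctly.
    """
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Notice:
    tier: str          # owner, host, registrar or cert
    channel: str       # email, fax or phone
    sent_at: datetime
    answered: bool = False


@dataclass
class TakedownCase:
    url: str
    notices: list = field(default_factory=list)

    @property
    def contacts(self) -> dict:
        return CONTACT_DIRECTORY[registrable_domain(self.url)]

    def escalation_chain(self) -> list:
        """Owner -> host -> registrar, plus a national CERT when hosted abroad."""
        chain = ["owner", "host", "registrar"]
        if self.contacts["country"] != "US":
            chain.append("cert")
        return chain

    def compose_notice(self, tier: str) -> str:
        """The 'did you know there's a phishing page on your site' message."""
        return (f"To: {self.contacts[tier]}\n"
                f"The page {self.url} is hosting a phishing attack. "
                "Please remove the content and patch the server it runs on.")

    def notify(self, tier: str, channel: str, at: datetime) -> Notice:
        notice = Notice(tier, channel, at)
        self.notices.append(notice)
        return notice

    def record_response(self, tier: str) -> None:
        for notice in self.notices:
            if notice.tier == tier:
                notice.answered = True

    def next_action(self, now: datetime) -> tuple:
        """Return ("notify", tier), ("wait", tier) or ("exhausted", None)."""
        chain = self.escalation_chain()
        if not self.notices:
            return ("notify", chain[0])
        last = self.notices[-1]
        if last.answered:
            # Someone in the chain is working the case; keep waiting on them.
            return ("wait", last.tier)
        sla = OWNER_RESPONSE_SLA if last.tier == "owner" else UPSTREAM_RESPONSE_SLA
        if now - last.sent_at < sla:
            return ("wait", last.tier)
        position = chain.index(last.tier) + 1
        if position < len(chain):
            return ("notify", chain[position])
        return ("exhausted", None)


if __name__ == "__main__":
    case = TakedownCase("http://www.example-hacked-site.test/online/bank/login.php")
    t0 = datetime(2005, 3, 1, 9, 0)
    print(case.compose_notice("owner"))
    case.notify("owner", "email", t0)
    print(case.next_action(t0 + timedelta(minutes=61)))  # escalate to host
```

Two design points worth noting. A response from any tier stops the clock rather than the escalation chain, because the person who answers is usually the one who can actually pull the content; the case is closed separately once the URL stops resolving. And the `registrable_domain` helper is deliberately naive: the party to contact is the registrant of the domain, not whoever runs the `www` host, and for a hacked site those are often the same victim rather than the phisher.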