How to shut down a phishing operation in 48 hours

DMCA / Correction Notice
- Advertisement -

The software industry’s response to phishing has previously mostly focused on flagging fraudulent email messages. But this is a short-sighted approach, not to mention a slow process.

- Advertisement -

According to the FBI’s Internet Crime Complaints Center (IC3), phishing accounted for 30,48% of all complaints received in 2020, making it the area with the highest number of victims. Around the world, officials are busy alerting the public to go extra crazy not to click on suspicious links. But what about criminals running websites – how is it possible that scamming operations often last for days, if not weeks?

Here’s my recent experience shutting down a phishing operation over two weekend days, and how the IT industry as a whole can improve its operations.

  • Check out our list of the best identity theft protection near us
  • Here is our list of the best endpoint protection software
  • These are the Best Firewall Software and Services

Why the current “solution” is incomplete


Most webmail sites provide one way or another to flag a message as phishing. For example, in Outlook, it’s at the top of the reading pane, where you can go to Junk > Phishing > . can select

- Advertisement -

report. In AOL you have little choice but to mark it as “junk”. This is called “report phishing” in Gmail – if you can see it* depends on the version of Gmail you’re on (but more on that later).

Let’s say you discover that an email is actually fake, click the “Report” option and get a false sense of virtuosity – a virtual “mission accomplished” banner blows up in your mind and you forget all about it. go. You might think that this email is now moved from your provider to a central database, and as soon as a certain threshold is reached, all further emails are “automatically flagged as spam” Potential phishing” with a giant banner displayed. Top, or not delivered at all, depending on the email provider’s policies.

But what about the website that was tempting the victims? Well, it goes on, waiting for more victims. Victims who are using *other* email services without actually having access to such reports, such as company/personal email domains and the like where messages will come directly to the inbox. So, as far as the perpetrator is concerned, flagging an email as phishing only slows down the speed of the message’s spread, not its honey pot and central repository of stolen information.

Event details

This writer faced such questions in May 2021, when he was faced with a phishing email that was up close and personal.

As you’ll see, the phishing operation’s website used to run in Chile, but masquerading as ANSES, the country’s social security administration, targeted people in neighboring Argentina by promising new payments to a government-issued COVID relief fund.

The legitimate-looking website sported the same header and typeface as the official government web page, but with a little extra detail: a “dot shop” junk TLD domain name.

A fake web site posing as Social Security – a dot-shop domain name should sound all alarm bells.
Presumably, the purpose of this whole exercise was to enter your debit card “to take advantage” (screenshot edited, translated from Spanish)

Gmail’s answer to phishing? from good to terrible

User interface is a very important part of the fight against phishing, malware and everything related to it infosec. If you complicate things, people won’t bother to report messages, won’t follow correct procedures, and won’t read warnings.

The lack of consistency in GUIs can be painful. In the words of a California lawyer turned consultant Bruce Burleso rant against Win10’s disappearing scroll bar, “So every day you start drinking earlier in the afternoon and before long you’re pushing little kids down when no one is watching. It’s a sad story”.

Gmail has a similar infuriating annoyance from Google, a service with Four Various user interfaces with a correct phishing report button One: This is a recipe for disaster.

Gmail’s desktop interface is the only interface that includes a separate option for reporting phishing. At rest you can just flag the messages as spam, which is the least useful for weapons against phishers, as there are no incident reports for later analysis.

To add insult to injury, two useful options “Download Messages” And “show original” Which are very useful for sending phishing reports to the authorities using the web report form, are apparently missing from the Gmail Android app.

A definite lack of compatibility: There are three user interfaces you can load in Chrome for Android. Only one passes the test regarding phishing reports.

As is the current situation, if you want to properly report phishing from Gmail then you need to load it in your mobile browser. But there are three versions of the Gmail site, and only in the desktop version do you get a personalized option labeled “Report Phishing.” In other browsers, the only option is to flag the message as spam. If you count the Gmail for Android app, that isAny of the four.

To complicate matters further, the only way to switch between the user interfaces in a Gmail web page is to click on the often-missed page footer where you can access the HTML (correctly labeled “old version”) and a slow mobile connection. very useful for) , a more stylish lighter “mobile” version, and a full blown desktop version. To load the latter you need to go to the browser’s options menu, and select “Desktop Site”. Mainly because it wasn’t designed for mobile screen sizes and slow processors, but the workspace view – as Google likes to call it now – doesn’t seem to get the elusive “report phishing” button. is the only way.

Gmail for Android – Fisher’s Favorite

In this case, the phishing email arrived in my Gmail inbox, and I read it on my Android mobile device using the official Gmail app – probably exactly what the phishers wanted, as Google has a lot to improve in this area.

For starters, if you use the Gmail app, by default you don’t see the sender’s email address, just its “name.” Wonder! Fisher puts the name of a known firm there, even if the email address is actually [email protected] so you see “familiar name” No “[email protected]” which would be a big warning sign for most.

Hiding the sender’s email address. a very bad idea

Surely you must have known a father, sister or friend who has fallen for any such legitimate looking email, especially one with a hidden address.

Solution? Warning.

An IT and programming education teaches you how to turn every complex problem into a series of smaller problems, and tackle each one step by step – thus making the bigger problems easier to solve.

What follows is a brief rundown of the small steps I took in My Battle with the Fischers, including screenshots of each step, so you can hopefully do the same.

The first (and hopefully obvious) trick: Report a phishing email message to Google.

This helps Google flag a received message as unsafe, and if all goes well, it’s less likely to appear in anyone’s search results in the future.

But that alone is also a big “IF”, as most victims click on URLs received through email, WhatsApp, Telegram or other means. And if you have received it, probably thousands of other people will have received it too. Time is of the essence – are you going to rely on the cloud algorithm to try and “prioritize” it automatically? I would not.

Google’s Safe Browsing Report Form. typing time.

Google’s “Report Phishing” web page can be found at the domain, Here. Report the target URL you sent Click Copy-pasting the link from the email. the end of strike one!

second move: Following the sender of the email in every possible way.

As mentioned, it’s almost unforgivable that Gmail’s Android app makes things easier for phishers by hiding the sender’s email address. So regardless of your email provider, if you find its “report phishing” option, or you use an email client that has the option to flag individual emails as phishing, then by all means use it. Strike two!

As an added step, you can also manually report a message to the abuse team of the email provider to terminate the account. Be prepared to manually fill out another web form. In this case the culprit was a gmail account so it was quite easy, as gmail’s support page has an abuse report form Here. the end of Strike Three!

This time more coincidentally, the email campaign included a SendinBlue—email infrastructure provider—footer, so I immediately mentioned it on Twitter. Fortunately, someone from the firm was paying attention and told me they would look into the matter of analysis and termination of the account used for the mailings.

Strike Four!

As a last (nuclear) resort, you can forward the entire phishing email to US CERT at: [email protected]

(that would be strike five)

Yet it is worth remembering that even after these many manual steps, the fake website will still be live and collect data.

Final trick: Sync that site.

There are many tools that can be used for this step, this is what I had: Inspire Media web tools. By pasting the offending domain name – in this case “” – it reveals not only the obvious server IP address, but more importantly, the owner of that IP range. That’s exactly what you need to find the company and report the offending site to them – which in this case was a Chilean hosting firm from the city of Curico.

HostingChecker: If there is an IP address then there is a company that owns that netblock

Now this is where your luck comes in handy. There are responsive firms… and those that are not so fast. Luckily, nowadays world + dog has an online account on any social media platform – and I checked on Twitter and there they were. Reprimanding any firm…

- Advertisement -

Stay on top - Get the daily news in your inbox

Recent Articles

Related Stories