Why Phishing Takedowns Can Be Hard, and How to Simplify Them
Allow us to set the scene: It’s Wednesday morning, and one of your cyber threat analysts Slacks you to report a profile on social media that is impersonating your organization. The analyst has verified that the threat is part of a phishing campaign and wants to talk about how to approach a phishing takedown.
Now, as threats go, this is probably not one that will have you spitting out your coffee. Content linked to phishing threats that is hosted on a third-party social media platform certainly needs to be addressed. But it’s not going to ruin your day in the way that, say, a major data leak or the discovery of malware deep inside your IT environment might.
Yet, as you talk to the analyst about how to remove the malicious content, you realize that taking down the threat is more challenging than you recognized at first – and you start to appreciate why planning ahead for this type of scenario, and possibly leveraging a phishing takedown service, would have made your life easier.
The challenges of phishing takedowns
At first glance, removing content linked to phishing campaigns may seem as simple as contacting the owners of the platform hosting the content and asking them to take it down.
If only it were actually that easy. In reality, removing phishing content in response to this type of threat can prove deeply challenging and time-consuming, for several reasons.
1. Lack of platform owner response
For starters, not all platform owners will work with you efficiently to remove malicious content. Some don’t provide channels for reporting abusive content, and even if they do, the response might be too slow to prevent harm to your business. Your request might even be ignored completely! According to researchers at the University of Cambridge, phishing takedown “is not fast enough to completely mitigate the problem.”
Just because your analyst identified the phishing threat quickly doesn’t mean you can mitigate it quickly. Phishing takedowns could take several days or weeks in some cases. The longer abusive content sits out in the wild, the greater the risk that it will cause harm to your organization.
2. Too many platforms
Compounding the problem just described is the fact that malicious content can lurk in many places: Domain registrars, web hosting services, cloud service providers, DNS providers, social media platforms, chat applications, web forums, paste bins, online marketplaces, and app stores, to mention just some of the contexts that threat actors target.
With so many locations where abusive content could appear, it’s virtually impossible to build the relationships with all platform owners that are necessary to take down phishing content quickly.
Worse, it can prove deeply challenging in some cases merely to figure out who the responsible party is for hosting abusive content. You might, for example, see your content hosted on a domain that was registered with Google, leading you to assume that you can report domain abuse to Google to request a takedown. But when you do, Google might tell you they only handle the domain name, not the website content – so unless the abuse is directly linked to the domain, they can’t do anything, and you need to identify the content’s Web hosting service instead.
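The registrar-versus-host split described above can be read out of RDAP lookups: the domain record names the registrar's abuse contact, while the record for the site's IP address names the hosting network's. This is an added example, not Cyberint's tooling; the two records are constructed in the RFC 9083 layout and `route_report` is a hypothetical helper.

```python
# Constructed RDAP-style records (RFC 9083 layout), trimmed to the fields used.
def vcard(email):
    return ["vcard", [["version", {}, "text", "4.0"], ["email", {}, "text", email]]]

DOMAIN_RDAP = {  # lookup of the domain name: describes the registrar
    "objectClassName": "domain", "ldhName": "login-example.test",
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar"]]],
                  "entities": [{"roles": ["abuse"],
                                "vcardArray": vcard("abuse@registrar.example")}]}],
}
IP_RDAP = {  # lookup of the IP the site resolves to: describes the hosting network
    "objectClassName": "ip network", "name": "EXAMPLE-HOSTING",
    "entities": [{"roles": ["abuse"], "vcardArray": vcard("abuse@hosting.example")}],
}

def abuse_emails(obj):
    """Collect e-mail addresses of every entity holding the 'abuse' role, at any depth."""
    found = []
    for ent in obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            props = ent.get("vcardArray", ["vcard", []])[1]
            found += [p[3] for p in props if p[0] == "email"]
        found += abuse_emails(ent)  # registrars usually nest the abuse contact
    return found

def route_report(kind, domain_rdap, ip_rdap):
    """kind: 'content' (phishing page, cloned site) or 'domain' (the name itself)."""
    registrar = ("registrar", abuse_emails(domain_rdap))
    host = ("hosting provider", abuse_emails(ip_rdap))
    if kind == "content":
        order = [host, registrar]   # content complaints go to whoever serves the page
    elif kind == "domain":
        order = [registrar, host]   # name abuse goes to whoever registered it
    else:
        raise ValueError(f"unknown abuse kind: {kind}")
    for party, contacts in order:
        if contacts:                # fall back when the first record lists no contact
            return party, contacts
    return None, []

if __name__ == "__main__":
    print(route_report("content", DOMAIN_RDAP, IP_RDAP))
    print(route_report("domain", DOMAIN_RDAP, IP_RDAP))
```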
3. Obfuscated malicious content
Let’s thicken the plot of the scenario we described above: Imagine that when you go to view the content your analyst identified, you get a 404 error, even though your analyst (who’s working from a different location) swears she sees it on her laptop – and even shares her screen in a short video call to prove it!
This can happen in cases where threat actors take steps to obfuscate content, an increasingly popular strategy. For example, they could use geoblocking mechanisms to cause malicious content to be viewable only by users based in certain regions. This is the most common technique, but cyber criminals use many other methods to avoid detection.
Obfuscation adds another layer of complexity to phishing takedowns. It also makes it difficult to establish what level of threat the content poses, because you lack an efficient way of determining exactly which users are able to view the content.
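To settle the "I see it, you get a 404" disagreement, the same URL can be fetched from several regions and each response compared with the copy the analyst captured. The added example below (not from the original article) works on constructed observations; the region codes, bodies and the `visibility_report` helper are assumptions, and it also flags regions that answer 200 with some other page, which goes slightly beyond the 404 case in the text.

```python
import hashlib

def fingerprint(body: bytes) -> str:
    """Exact-match fingerprint; assumes the page is static between fetches."""
    return hashlib.sha256(body).hexdigest()

# Constructed sample data: the body the analyst saved, and what each
# vantage point received for the same URL (region, HTTP status, body).
REPORTED = b"<html><title>Example Corp Login</title><form action='/collect'></form></html>"
OBSERVATIONS = [
    ("PH", 200, REPORTED),
    ("SG", 200, REPORTED),
    ("US", 404, b"Not Found"),
    ("DE", 404, b"Not Found"),
    ("GB", 200, b"<html>Site under construction</html>"),
]

def visibility_report(observations, reported_body):
    """Split vantage points by whether they receive the content that was reported."""
    target = fingerprint(reported_body)
    report = {"served": [], "blocked": [], "different": []}
    for region, status, body in observations:
        if status == 200 and fingerprint(body) == target:
            report["served"].append(region)      # audience that can see the page
        elif status >= 400:
            report["blocked"].append(region)     # error page, e.g. the 404 above
        else:
            report["different"].append(region)   # answered, but with other content
    # Geo-restricted: some regions get the page while others do not.
    report["geo_restricted"] = bool(report["served"]) and bool(
        report["blocked"] or report["different"])
    return report

if __name__ == "__main__":
    print(visibility_report(OBSERVATIONS, REPORTED))
```

The `served` list is the evidence to attach to a takedown request when the reviewer at the hosting provider cannot reproduce the page from their own location.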
4. Localization and language barriers
Even challenges as simple as localization and language barriers can complicate phishing takedown. Many content hosting services are localized, with different staff assigned to a given country or region.
That means that if your company is based in, say, San Francisco, but threat actors have placed malicious content on a social media account localized for the Philippines, getting the content removed could prove tricky. Even if the social media platform’s main office is right next door to you in San Francisco, you may need to figure out how to contact the Filipino branch of the platform to have the content removed. And if they don’t speak a language you understand, or vice versa, explaining the problem and having the content taken down becomes that much harder.
Phishing takedown service: A better approach to handling malicious content
Faced with the harsh realities described above, what’s a cybersecurity leader or fraud manager to do to ensure that phishing takedowns happen quickly enough to prevent serious harm?
The answer, for many businesses, is to leverage a type of solution known as a phishing takedown service (in Cyberint’s case our phishing takedown service is just one use case of our platform). With this approach, you get access to a partner that has the experience, relationships and technology necessary to take down phishing content, stat.
The result is faster takedowns because the partner organization can leverage relationships to request takedown through channels not available to the public at large. For example, whereas it might take you weeks to get a response from a large hosting provider, at Cyberint, we typically hear back within an hour when we contact providers about malicious content on behalf of our customers.
This leads to shorter takedown times. Our median takedown time is 12 hours – a tiny fraction of the average takedown time of 21 days. We often remove malicious content for clients in under two hours.
Working with an established cybersecurity and phishing protection partner also means that you benefit from a team that focuses exclusively on having malicious content taken offline. Instead of assigning the task to an analyst who has less experience in figuring out how to remediate this type of issue, you can work with seasoned experts.
Likewise, the ability of experienced analysts who specialize in this domain to gain extra information about phishing threats can accelerate takedowns. At Cyberint, we continuously scan for malicious content from 80 locations, allowing us to determine who can view abusive content and where the content is hosted. With that information, we can assess the severity of each threat and work quickly to find the right people to remove them.
The fact that our team speaks many languages is the icing on the cake. Whether the staff who have the power to take down phishing content speak English, Russian, Arabic, Chinese, Japanese, Tagalog or any of the other 22 languages we communicate in, we’ve got you covered for a fast and efficient takedown experience.
Proactive protection against phishing
Helping clients take down phishing content after they’ve identified it is only one of the services we provide at Cyberint. We also scan the Web to locate instances where threat actors have cloned a business’s Web pages, for example, or used its logos on a third-party social media account.
With that insight, we can alert clients to malicious content they didn’t even know existed, then streamline the response.
Phishing takedown in practice
This is why companies like Terex, an international manufacturer, choose Cyberint to protect them against phishing. After being the target of repeated phishing campaigns, Terex sought a means of proactively identifying phishing and other threats against its assets.
Cyberint provided the solution. Based on data culled from across the open, deep and dark Webs, Cyberint was able to identify phishing threats that Terex faced, then work with the company to mitigate them. The result is a lower risk profile and higher confidence levels among Terex’s cybersecurity leadership about their ability to contain phishing threats.
To learn more about how Cyberint’s technology and teams provide businesses with the ability to identify malicious content proactively and take it down rapidly, request a demo.