Working with an ISP to Combat Cybercrime
Part of IID’s Takedown Taekwondo Series
In previous posts, we’ve discussed the roles of site owners and webhosts in getting Internet locations loaded with phish and malware taken down. But the list of resources available to take down malicious websites doesn’t stop there, and in this post we’re going to look at how ISPs (Internet Service Providers) can help rid the Internet of phish and malware. ISPs can have different relationships to the content on their services. In some cases, the ISP provides IP (Internet Protocol) space directly to the end customer, a site owner. In many other cases, ISPs provide IP space to downstream providers, like the webhosts we discussed previously, who then reassign it to their own customers. In either case, working with ISPs gives IID an alternative route to taking down websites loaded with phish and malware, which we pursue concurrently with other options.
Going Upstream
While working with a webhost to seek removal of phishing or malware content from their services, we might also ask the upstream ISP—that is, the ISP who provides that webhost with their IP space and connectivity—to apply pressure to their customer. If we contact a webhost who is uncooperative, we can report back to the upstream ISP to let them know that their reseller customer refuses to take action. Waiting for this process to work is slower than simply relying on webhosts to take action themselves, but when it becomes necessary, it can be a useful backup plan. The webhost might not want to respond to our reports of fraud, but you can bet they’ll be responsive to the ISP who owns the IP space they resell to their own customers. And when they’re not? ISPs have the power to null route an IP, effectively making anything on that IP inaccessible on the Internet. A webhost would be wise to rethink their inaction when they consider the alternative is a null routed IP that might have hundreds of other innocent web pages on it.
Like webhosts, ISPs have TOS (Terms of Service) agreements that include language about illegal content that their customers—whether they are webhosts or individuals—are required to observe. And again, like webhosts, ISPs have an interest in enforcing the TOS, as they want to avoid the notion that they are complicit in any fraud that might take place on their service. Knowing the ISP’s particular TOS language when contacting them for assistance in removing illegal content from their service can sometimes be helpful. Though it’s become an infrequent event these days, occasionally an explanation about why a phishing site should be removed is necessary, and being able to cite an ISP’s own TOS is a quick way to convey the importance of removing the threat.
The Upstream Provider—Just One Link in the Chain
If the ISP is able to take action, why not simply go upstream to them every time? Most ISPs are very large companies with especially high abuse volume, so getting prompt action is sometimes difficult and can allow a threat to live longer than it would if other avenues were pursued at the same time. Hunting down the webhost reseller the ISP reassigned the IP to is very important for reducing takedown times because it allows us to go right to the source. If we only contact the ISP, we are left waiting for the ISP to forward the pertinent information on to the webhost. Since identifying and contacting the webhost is something IID can do itself after a little investigation, it’s worth trying to get a faster response from them ourselves, even as we let the ISP do its part at the same time. Employing these multiple pressure points can often result in a quicker removal of that illegal content from the Internet.
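The two sections above both depend on the same piece of investigation: given the IP an abusive site resolves to, work out which webhost holds the reassignment and which ISP holds the allocation above it, along with the abuse contact for each, so both can be contacted at once. The registry data that answers this is published over RDAP (for ARIN space, the live lookup is `https://rdap.arin.net/registry/ip/<ip>`, which returns the most specific network record; the parent is then looked up by its `parentHandle`). The following is an added example, not IID’s own tooling; it walks that chain offline over constructed RDAP records for the 203.0.113.0/24 documentation range, with hypothetical handles, organization names and abuse addresses.

```python
"""Walk RDAP IP-network records from the webhost's reassignment up to the
upstream ISP's allocation, collecting each holder's abuse contact.
Added example; the RDAP records below are constructed, not real registry data."""
import ipaddress

# Constructed records keyed by network handle, in the shape ARIN's RDAP service
# returns (startAddress/endAddress, type, parentHandle, entities with vCard data).
RDAP_RECORDS = {
    "NET-203-0-113-0-2": {                     # hypothetical reseller reassignment
        "handle": "NET-203-0-113-0-2",
        "name": "EXAMPLE-HOSTING",
        "type": "REASSIGNMENT",
        "startAddress": "203.0.113.0",
        "endAddress": "203.0.113.63",
        "parentHandle": "NET-203-0-113-0-1",
        "entities": [
            {"handle": "EH-ORG", "roles": ["registrant"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", "Example Hosting Reseller"]]],
             # ARIN nests the org's contacts underneath the org entity
             "entities": [
                 {"handle": "EH-ABUSE", "roles": ["abuse"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Hosting Abuse"],
                                           ["email", {}, "text", "abuse@hosting.example"]]]}
             ]}
        ],
    },
    "NET-203-0-113-0-1": {                     # hypothetical upstream ISP allocation
        "handle": "NET-203-0-113-0-1",
        "name": "EXAMPLE-ISP-BLOCK",
        "type": "DIRECT ALLOCATION",
        "startAddress": "203.0.113.0",
        "endAddress": "203.0.113.255",
        "entities": [
            {"handle": "EI-ABUSE", "roles": ["abuse", "technical"],
             "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                      ["fn", {}, "text", "Example ISP Abuse Desk"],
                                      ["email", {}, "text", "abuse@isp.example"]]]}
        ],
    },
}


def abuse_emails(entities):
    """Collect the e-mail of every entity carrying the 'abuse' role,
    descending into nested entities so org-level contacts are not missed."""
    found = []
    for ent in entities or []:
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    found.append(prop[3])
        found.extend(abuse_emails(ent.get("entities")))
    return found


def most_specific_network(ip, records):
    """Pick the smallest record covering ip; a live RDAP query returns this directly."""
    addr = ipaddress.ip_address(ip)
    best, best_span = None, None
    for rec in records.values():
        lo = ipaddress.ip_address(rec["startAddress"])
        hi = ipaddress.ip_address(rec["endAddress"])
        span = int(hi) - int(lo)
        if lo <= addr <= hi and (best is None or span < best_span):
            best, best_span = rec, span
    return best


def escalation_chain(ip, records):
    """Return holders from the most specific reassignment up to the top-level
    allocation, each with its CIDR and abuse contacts. The seen-set guards
    against a parentHandle loop in malformed data."""
    chain, seen = [], set()
    rec = most_specific_network(ip, records)
    while rec is not None and rec["handle"] not in seen:
        seen.add(rec["handle"])
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(rec["startAddress"]),
            ipaddress.ip_address(rec["endAddress"]))
        chain.append({
            "handle": rec["handle"],
            "name": rec.get("name"),
            "type": rec.get("type"),
            "cidr": ", ".join(str(n) for n in nets),
            "abuse": abuse_emails(rec.get("entities")),
        })
        # records.get(None) is None, so the walk stops at the top of the tree
        rec = records.get(rec.get("parentHandle"))
    return chain


if __name__ == "__main__":
    for hop in escalation_chain("203.0.113.10", RDAP_RECORDS):
        print(f'{hop["cidr"]:18} {hop["type"]:17} {hop["name"]:20} '
              f'abuse -> {", ".join(hop["abuse"]) or "(none listed)"}')
```

The first hop in the returned chain is the webhost to report to directly; the second is the upstream ISP to copy on the same report, or to escalate to if the webhost does not act. An empty list means the IP is not covered by any record you hold, which in practice means the lookup should be retried against the registry responsible for that address space.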
From site owners to webhosts and ISPs, we’ve covered several routes to getting a hacked website loaded with phish or malware removed from the Internet. These are websites belonging to individuals or companies with a legitimate purpose for being on the Internet. Like the people the cyber criminal hopes to snare in their phishing trap, the site owner has been victimized by having their website hacked and used to host illegal content. But hacked websites are not the only vehicles for phishing and malware sites online. When we encounter fraud sites on domains that were registered solely for the purpose of fraud, we have to use a different set of tools to get them removed from the Internet. In our next Takedown Taekwondo blog post, we’ll talk about how we identify fraud domains and what steps we take to get them killed.