Best Practice: Making Phishing Reports Useful

  • Posted by Rowena Schoo
  • Categories Article, Best Practice, DNSAI Compass, News, Resources
  • Date December 13, 2022

Making Phishing Reports Useful

Many service providers in the internet ecosystem are, unfortunately, recipients of phishing reports. This includes domain name registrars, resellers, and registry operators.  

Phishing reports may be submitted by end users, internet security organizations, law enforcement, or other service providers. Depending on circumstances, providing a high-quality report may be the difference between a prompt successful mitigation and a delayed or ineffective response. 

This best practice document attempts to provide a plain language description of phishing and help guide both reporters and report recipients toward the content that makes for a high-quality, actionable report.

You can download a PDF version of this report here.

What is phishing?

Phishing is an attempt to trick people into sharing important or sensitive information—for example logins, passwords, credit card numbers or banking information—in either a personal or business context. 

So what does this look like in real life, and what facts might provide evidence to support mitigation? 

One way to think about phishing is firstly in terms of an attempt to trick people, and secondly, in terms of the purpose of collecting credentials. 

The attempt to trick takes place through some form of communication, often via an email, but sometimes via other media such as SMS or a calendar invitation, from a sender that is impersonating a trusted entity or person. For example, a bank, a company, a government agency, or even your boss. Frequently the message will also include some sort of ‘call to action’: a positive or negative incentive designed to encourage you to act (e.g. reset your password, deny a transaction, claim a refund or a reward). It is possible for a phishing attack to take place without a distribution mechanism, but sending a communication to potential victims is a tactic used to drive traffic to the website.

Secondly, the collection of information often happens via a website asking you to enter your email address, passwords, or financial information. This website is often linked in an email, and often sent to a large number of potential victims. The goal is to obtain important information from the recipient of the phish. This information can then be sold, or used to defraud the victim (or the victim’s employer). It could even be used to create further victims, for example, by impersonating that person. If the phishing attack targets credentials and the victim uses the same credentials for multiple logins, the impact can increase very quickly. 

In some situations, a phishing message can be confused with a spam message. While it is true that all phishing emails or SMS messages are spam (that is, unsolicited), the inverse is not true. That is, not all spam messages are phishing. There are plenty of spam messages that, while both unwanted and annoying, are not designed to trick the recipient into revealing sensitive information. 

Mitigation at the DNS level 

Just as phishing comes in a variety of forms, the ways in which a domain name might be involved in phishing can vary. A domain name could be used to send an email, or it could be associated with the website that is collecting personal information, or both. But regardless of how a domain name might be used in phishing, it’s important to distinguish between malicious domain name registrations and compromised domain name registrations. 

A malicious domain name registration is one where the domain name has been registered for malicious purposes (i.e., to carry out phishing). Malicious registrations are generally more suited to mitigation at the DNS level than compromised registrations. A malicious registration is generally more likely to be a newer registration. The domain name is probably going to bear a close resemblance to the organization or institution the attacker is pretending to be in order to gain trust (e.g. the bank, public service, etc). The website associated with that domain name for a malicious registration is generally not being used for any other legitimate purpose, and it could be the same website used for the phishing attack. 

A clear indication that phishing is associated with a malicious registration is where there is an obvious, unambiguous impersonation in both the domain name and the content on the website the domain name is pointing to. For example, the domain name could be confusingly similar to a government agency, perhaps HM Revenue & Customs (hmrc.gov.uk) in the UK, or the Internal Revenue Service (IRS) in the US (irs.gov). The website associated with that domain name would likely use convincingly similar branding, colors and style to the original official government website. This combination of a domain name and website that impersonate a trusted entity makes it possible for an attacker to collect information from unsuspecting visitors.

Disabling a maliciously registered domain name at the DNS level is less likely to come with collateral damage (such as impacts on a legitimate registrant) and is typically more appropriate for DNS level mitigation, with the registrar being the first point of contact. All of this typically requires a report with sufficient evidence to justify this intervention.

A compromised domain name registration is a benign domain name that has been compromised at the website, hosting, email, or DNS level. Compromised in this context means that someone else has taken some control over the registrant's website, and/or hosting, and/or email, and/or domain name. Often compromise is the result of poor website security practices (1). With a compromised registration, there is often an innocent registrant, who may themselves be a victim of phishing activity. If the website is otherwise being used for a legitimate purpose, taking action at the DNS level could result in unacceptable collateral damage.

Things get complicated when a compromise is present, because in certain circumstances the website is providing a useful, or even critical, service for the wider community. For example, if the website is the primary source of news information for a country or offers critical services for people in physical or mental crisis, suspending the domain name may cause more harm than the phishing risk we are trying to mitigate. 

Disabling a compromised domain name registration at the DNS level is more likely to cause collateral damage and it is typically less appropriate for DNS level mitigation. The appropriate course of action is usually to refer the issue to the hosting provider or registrant for a more precise intervention and if applicable, a solution to the vulnerability that has been exploited. All of this typically requires a report with sufficient evidence to justify this intervention. 

Providing sufficient evidence 

If you encounter phishing, you can report it. We provide a free service, NetBeacon, to help make reporting easier. To make a report, we ask for specific evidence to be provided to help the registrar assess whether phishing is taking place.

The minimum information we ask for is: 

  • The date on which you encountered this harm
  • The name of the company or organization being impersonated
  • A brief description of the issue

These details help the registrar understand the behavior, assess whether impersonation is occurring, and provide context. The registrar may need to make a judgment call as to whether what is taking place is a breach of their terms and conditions, and if so, which course of action (if any) is most appropriate. This judgment call is not risk-free. Providing high quality information is crucial to help the registrar investigate and make a decision.

Ideally, it’s helpful to provide some additional information: 

  • Where you were generally located when you encountered the phish
  • The website (URL) of the company or organization being impersonated (if applicable)
  • Any screenshots that might help an investigation
  • If the phish was sent via email, the sender’s email address 
  • The email message headers and the email message body

Phishing attacks can often be geographically targeted; trusted organizations and institutions are different depending on local context and knowledge. It’s also useful to know where the phishing was encountered in case the registrar tries to verify the report and cannot reproduce the results. 

If the phish is sent via email, it doesn’t always come from the same domain name that is linked to the website being used to collect personal information. To help the registrar make sense of this, getting the email message headers and the email message body is very much appreciated. This step can be a little complex, so here is some information to help. 

Email headers and message body

The trickiest part of this list is the email headers and message body text. This is different from screenshotting what is displayed when you view the message in your email app/client. It takes a little bit of work and the exact details vary based on the email app/client, but it is really important to those who research phishing reports.  

Every email message is made up of an email header and a message body. An email header is the section of the email message that contains details such as a record of mail servers, time-stamps, IP addresses, sender and recipient information. It’s sort of like the envelope of a letter. An email message body is sort of like the letter inside the envelope. It will look a little like the content of the email you see in your email client, but it is typically sent as a combination of raw text and formatting codes, for example any hyperlinks will be included in full (although unformatted “plain text” email does exist in certain situations). 

These email headers and the “raw” source text aren’t something you typically see from just looking at the email in your inbox. The process for finding them is different depending on which email client (program/app/interface) you are using (e.g. Outlook, Gmail, Hotmail etc). 

Finding this information will help the registrar understand where the email is really coming from and, if the email is asking you to follow a link, where that link is really sending you. Originating email addresses can be spoofed (faked), and hyperlinks can be disguised. The email header and message body will provide more information than is typically visible to the user. 

To capture the email header, generally, what you’re looking for is an option (in your email client) to ‘view’ or ‘show’ the ‘source’ / ‘message source’ / ‘headers’ / ‘message details’ / ‘internet headers’ / ‘original’ / ‘raw source’. 

This option lives in different places depending on your email client. You can try, right clicking on an email, going into ‘options’, clicking on drop down arrows (sometimes located next to ‘reply all’), or clicking the menu icon (perhaps three little vertical dots, three horizontal bars, or a 3×3 grid of small squares, depending on the client) for more options. 

There are various guides online to help you with specific instructions. Sometimes a quick web search using the name of your email client and ‘get email header and message body’ will also help. 

Example 1

In Outlook on Apple, right click on the message, then click ‘View Source’. This will open a new window with text in it. You can copy and paste the text into NetBeacon or take a screenshot. 

Example 2

In Gmail, you can right click on the email and select ‘Open in new window’. Then click the three-dot menu and select ‘Show original’. You may also need to allow pop-ups from mail.google.com.

Once you display the headers and body, you will likely see text that is readable but probably seems nonsensical. You will likely see familiar email addresses and may recognize snippets of the message. You can then copy and paste all of this into the reporting process. Just be conscious that your personal email address and the message details will also be in here, since you are the email recipient, so make sure you’re comfortable sending this information. If you’re not, you may choose to remove some details from the text, but try to limit your edits. A helpful technique is to replace removed text with a marker like “REDACTED” rather than just deleting it, so that the investigator can see where something was removed.

You can use this information to put quality reports into NetBeacon; this will help ensure your report is as actionable as possible. You could do this by copying and pasting text, or by taking a screenshot. On an Apple computer, you can press Shift-Command-5 to take a screenshot; on Windows, you can use the Snipping Tool.
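As an added illustration (not code from this article, the Institute or NetBeacon), the Python script below pulls out of raw message source the facts described above: the header From: address versus the envelope Return-Path, the Received chain, any link whose visible text differs from its real target, and a copy of the source with the recipient address replaced by “REDACTED”. The message it parses is constructed; every domain, address and IP in it is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (every domain and address is a placeholder): the From:
# claims a bank, Return-Path/Received point elsewhere, link text hides the href.
RAW_SOURCE = """\
Return-Path: <bounce@mailer-example.invalid>
Received: from mx.mailer-example.invalid (mx.mailer-example.invalid [203.0.113.7])
    by inbound.example.net with ESMTP; Tue, 13 Dec 2022 09:15:02 +0000
From: "Example Bank" <security@example-bank.test>
To: victim@example.net
Date: Tue, 13 Dec 2022 09:15:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://example-bank-login.invalid/verify">
https://www.example-bank.test/login</a> to avoid suspension.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def extract_report_fields(raw, marker="REDACTED"):
    """Pull out the facts a registrar needs; the recipient is marked, not deleted."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipient = parseaddr(msg["To"])[1]

    def redact(text):
        return text.replace(recipient, marker) if recipient else text

    sender = parseaddr(msg["From"])[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = []
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"\s+", "", text)  # link text as the reader sees it
        links.append({"href": href, "shown": shown,
                      "disguised": shown.startswith("http") and shown != href})
    return {
        "date": str(msg["Date"]),
        "from": sender,
        "return_path": return_path,
        # envelope and header domains differ: a sign the From: is spoofed
        "sender_mismatch": domain_of(sender) != domain_of(return_path),
        "received": [redact(str(r)) for r in msg.get_all("Received", [])],
        "links": links,
        "redacted_source": redact(raw),  # what you paste into the report
    }
```

Running `extract_report_fields(RAW_SOURCE)` flags the sender mismatch and the disguised link, and returns the full source with only the recipient address replaced, ready to paste into a report.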

Summary

Phishing is an attempt to trick people into sharing important or sensitive information— for example logins, passwords, credit card numbers or banking information – in either a personal or business context. 

A domain name can be involved in a phishing attack. This could be through a malicious registration (a domain registered for malicious purposes, i.e., to carry out phishing) or through a compromised domain name registration (a benign domain name that has been compromised at the website, hosting, email, or DNS level).

A malicious registration is more likely to be suitable for mitigation action at the DNS level. To report phishing to registrars, you can use our free service NetBeacon.

To make an actionable phishing report, it’s important you provide sufficient evidence. It’s worth learning how to extract the email header and message body. There are great resources available to help you in this process of understanding more about your email client/app. 


(1) For more information on how to make sure your website is secure, see our previous article: https://dnsabuseinstitute.org/secure-your-website-save-the-internet/
