Tackling Takedowns – How To Mitigate Risks of Fake Domains
Posted: Friday, Jan 17


Introduction

Every year, more Australian companies are confronted with website and email spoofing. The recent Annual Cyber Threat Report 2023-2024 revealed that the Australian Signals Directorate's Domain Takedown Service made more than 189,000 requests for removals, up 49% from the previous year.

Cyber criminals use fake websites and fake email accounts for phishing, spear phishing and social engineering attacks to commit fraud, redirect web traffic, or manipulate search engine rankings. The disarming, or takedown, of these fake domains is a real challenge for a growing number of security teams, because cyber criminals are becoming increasingly professional in their spoofing activities.

Takedowns are crucial operations that involve the removal of malicious websites, such as phishing sites, to protect users and organisations from cyber threats. These actions are vital in mitigating the risks posed by cyber criminals, preserving sensitive information, and maintaining trust in digital environments. By swiftly identifying and dismantling fraudulent domains, takedowns play a pivotal role in safeguarding the integrity of online services.

Spoofing Wave Almost Unstoppable

Attackers today often outsource this activity to highly specialised cyber criminals who know how and where to best set up fake domains so that takedowns are as difficult as possible for the security teams of their clients' victims. Because these teams usually have little practical experience in detecting and eliminating fake domains, it is often easy for cyber criminals to keep the fake domains running for a long time and use them as a starting point for a wide variety of attacks, including:

  • Active phishing websites: Fraudulent websites designed to deceive visitors into providing sensitive information, such as passwords or credit card numbers, by pretending to be legitimate entities like banks or well-known companies.
  • Unauthorised redirects: A website automatically sends a user to a different site without their consent. This can be used maliciously to lead users to phishing sites, ads, or other unwanted content. Attackers can also redirect a domain to the client's official website to build trust in a domain that is then used for phishing emails.
  • Websites using proprietary code or design: These sites maliciously replicate elements from the client's official site (code, design, templates, and buttons) to deceive users into believing they are associated with a familiar brand.
  • Domains involved in phishing campaigns: A scam created by threat actors to steal sensitive data, using manipulative emails, social media platforms, or messaging systems to trick the victim into disclosing sensitive information.

Takedowns As a Way Out

Attacks today operate in large volumes, from hundreds to thousands of domains targeted in a single campaign. The perpetrators are highly skilled, quick and agile in redirecting upon detection, and they cross several countries, language barriers and jurisdictions, making the response more difficult for cyber security teams.

As cyber threat actors continue to leverage more and more sophistication in phishing attacks and other cases of fraud targeting customers and consumers, organisations will need to be more and more on alert regarding these types of threats and be ready to respond when those threats are identified.

There are several proactive steps that organisations can take to stay ahead.

  • Incident Response Plan: Establish and regularly refine a plan outlining procedures for security breaches, including containment, communication, and recovery. Conduct regular drills to ensure team readiness.
  • Client Communication: Maintain open channels with clients, educating them about phishing threats and implementing tools to detect and warn about potential phishing sites. Additionally, work closely with victims to secure copies of phishing emails and domains and provide explanations about addressing such threats.
  • Maintain an Abuse Inbox: Establish a dedicated email account designed to receive reports of abuse, such as phishing, spam, and other malicious activities. It acts as a central hub for collecting the evidence crucial for takedown efforts, allowing for effective action.
  • Collaboration with Cyber Security Providers: Partner with experienced providers to help proactively detect and manage threats, benefiting from real-time alerts and expert support.
  • Swift Takedown Activation: Enable rapid elimination of phishing threats by partnering with a dedicated takedown team, ensuring efficient threat mitigation with 24×7 monitoring.
  • Respond to Domain Targeting: Aim for a complete server shutdown to effectively neutralise the risk and prevent further harm.
Kash Sharma
Kash is Managing Director, ANZ at BlueVoyant, a comprehensive cloud-native security operations platform that provides real-time threat monitoring for networks, endpoints, and supply chains, extending to the clear, deep, and dark web. Kash is an experienced leader in ANZ with extensive experience in the cybersecurity industry. He has held various roles in channel leadership and sales management in data centres, software, management and storage solutions.