41

There are serious tools and services such as Google Safe Browsing for malicious and phishing websites, and others fully dedicated to phishing websites such as Phishing.org.

What is done against these websites (especially the ones that distribute malware, with drive-by download attack, for instance) once they are publicly flagged so ? Are they blocked later or something like that ? For example there has been a multi-national action against the GameOver Zeus Botnet. Is there something like that against the malicious websites ?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320

5 Answers5

62

Okay, personal anecdote time.

I'm a sysadmin in real life, working for an ISP that primarily caters to small to medium businesses.

One of our larger customers operates, among other things, an exceptionally cheap and completely automated shared webhosting service. You sign up, pay a couple of bucks via credit card, and plonk your site down. No human interaction required of any sort.

As the AS that controls their IP block, we used to get phishing site complaints regarding that server like clockwork. We immediately forward those to the NOC of the company, who then investigate and delete the site... But by the time that's done the phishing site is already being hosted somewhere else entirely.

The credit card numbers used to pay usually turn out to be stolen (of course) and the registration request rarely comes from the same IP address more than once.

So what do you propose should be done about this? Laws?

Whose laws?

  • The law of the country the server is in? Neither us (the ISP) or the company that runs the webhosting service is doing anything wrong. We're providing a perfectly legitimate service and respond as fast as reasonable when someone abuses said service for criminal purposes. I hate phishing and scammers as much as the next sysadmin who's had to deal with one dozen spambots too many, but we're already doing all we can and passing laws won't really change that.

  • The law of the country the scammer is in? Chances are, that country already has laws that deal with this. The only problem is, which country? Like I said, the origin IP is rarely the same twice and likely a proxy running on another compromised host, most likely someone's bot-infected desktop computer. ISPs don't exactly keep logs of every connection going in or out of all systems in their IP range, so even if we could get everyone's cooperation by the time we'd start looking the trail has gone cold.

You're also laboring under the mistaken impression that it's single site or easily isolated group of culprits. It isn't; between the myriad cheap registrars and webhosting services -- both of which are ultimately good things -- it's more like a crazy multiplayer game of Whack-A-Mole.

Terrestrial law enforcement can sometimes catch a break, but they do that by following the money, not the IP traffic.

Shadur
  • 2,495
  • 21
  • 19
  • 4
    Would it not be reasonable to hold your customer, the web-hosting company, responsible for not doing their due diligence when signing on new customers. Such as doing additional identity checking, besides just accepting a credit cart. I would not find it unreasonable to block your IP block, because you are not requiring your customer to do what is in their power to prevent malicious websites from being set up. – bjarkef Aug 13 '14 at 10:56
  • 27
    @bjarkef I think the availability of anonymous webhosting is far more important than a few idiots who get phished. – CodesInChaos Aug 13 '14 at 12:50
  • 20
    @bjarkef They *do* perform due diligence by checking that the credit card number is valid at the time, and by manually investigating when a phishing site is reported. As codes points out a little abrasively, there is no law requiring non-anonymity for website builders, and there *shouldn't be*. – Shadur Aug 13 '14 at 12:54
  • 13
    @CodesInChaos Calling everyone who's ever fallen for a particularly clever phishing scam idiots isn't constructive. At best, it's a backhanded way of asserting smug superiority for yourself, at worst it's victim-blaming. – Shadur Aug 13 '14 at 12:55
  • 19
    @bjarkef you're going down a slippery slope if you expect the legitimate people to be responsible for malicious activity involving their infrastructure. Should the web host be condemned? The user who got their CC stolen, or their bank for letting it happen? The malware-infected machine whose IP was used to register? The people who wrote the OSes of involved systems? The people who did the electronics that carried bits that allowed badness to happen? If you accept such a fallacy at the Web hosting level, where do you stop? – Steve Dodier-Lazaro Aug 13 '14 at 14:54
  • 4
    @bjarkef, look at Chris Murray's response below to see why your suggestion is a bad idea in practice. – Shadur Aug 14 '14 at 09:46
18

Microsoft recently got the ability to penalise a dynamic domain host that was seen to be hosting sites that deliver malware. They pursued legal action, and did gain possession of all of Vitalwerks domains.

Within two days, Microsoft quickly realised how impossible the task of keeping nefarious uses off the service was and about faced and gave the domains back to Vitalwerks, even reversing their public position and stating “Vitalwerks was not knowingly involved with the subdomains used to support malware.” after previously suing them for precisely the opposite.

Look here for further details: https://www.eff.org/deeplinks/2014/07/microsoft-and-noip-what-were-they-thinking

Chris Murray
  • 1,275
  • 11
  • 17
5

It depends on how the vendor treats it.

If Google detects the malware, the host is penalized in SEO or even de-listed from all Search results.

The ISP hosting the malware website or malware server is often contacted as well, but a surprisingly large number of ISPs don't even respond.

Jeff-Inventor ChromeOS
  • 1,313
  • 9
  • 10
  • 9
    Although even when we *do*, chances are by the time someone receives the notification and reacts to it the malfeasants have already moved on to the next badly secured website and all we can do is clean up the mess they leave behind. – Shadur Aug 13 '14 at 08:28
2

Both search engines (the big ones) and some anti virus down rank the site that is know to contain/distribute malware.

http://www.rainbodesign.com/seo-tips/google-ranking-drop.php

Additionally, ISP and/or hosting providers could take action against the site.

0

It highly depends on the region and availability of adequate laws.

Normally many countries (By National CSIRT/CERT teams) are tracking their country's top level domain for frauds and scams. Depending on the attack type, they may take actions. Many countries will take immediate actions on terrorism and child abuse related issues.

If the websites' host country, owners and attackers are living in same area it may be possible to take actions against frauds, scams. But if things goes cross boarders, it is very unlike to happens.

Kasun
  • 784
  • 2
  • 5
  • 13