Reporting a scam site


  • SockDev

    One of my co-workers came across a scam site whose domain name is a misspelling of the domain of one of our affiliates. Luckily, she was savvy enough not to fall for it, and I was able to confirm it was a scam site. Thing is, I'd like to report the site to the correct people so it can be shut down (and ideally, the domain re-registered with the affiliate), but I don't know who to contact.

    Any ideas?




  • SockDev

    @zecc said in Reporting a scam site:

    Tell Google? :person_shrugging:

    https://safebrowsing.google.com/safebrowsing/report_phish/?

    Forgot about that :blush: That's now done.

    What about reporting it to the affiliate in question? Is it worth it?



  • @raceprouk said in Reporting a scam site:

    What about reporting it to the affiliate in question? Is it worth it?

    I'd do so if I could. They may choose to warn their users.



  • Unfortunately, to get the domain name, I think the affiliate has to file a UDRP request with an ICANN approved organization, such as the World Intellectual Property Organization.

    In the interim, you could probably contact the ISP that hosts the server that hosts the fake site and have said site taken down. If the IP is from Europe, RIPE should have a lookup to find out what organization owns the IP in question.


  • SockDev

    @powerlord said in Reporting a scam site:

    In the interim, you could probably contact the ISP that hosts the server that hosts the fake site and have said site taken down. If the IP is from Europe, RIPE should have a lookup to find out what organization owns the IP in question.

    The IP is in the British Virgin Islands, and the domain details are protected by a Vietnamese company.


  • Discourse touched me in a no-no place

    @raceprouk said in Reporting a scam site:

    but I don't know who to contact

    Do a whois on the IP address hosting the site and contact the abuse address, presuming it's listed of course. The addresses reported are usually the upstream provider, and not the people running the site. e.g. for the forums here:

    [localhost ~]$ dig  what.thedailywtf.com 
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> what.thedailywtf.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37222
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;what.thedailywtf.com.          IN      A
    
    ;; ANSWER SECTION:
    what.thedailywtf.com.   600     IN      A       158.69.225.103
    
    ;; Query time: 15 msec
    ;; SERVER: 10.255.255.3#53(10.255.255.3)
    ;; WHEN: Fri Jul 28 11:08:02 2017
    ;; MSG SIZE  rcvd: 54
    
    [localhost ~]$ whois 158.69.225.103
    [Querying whois.arin.net]
    [whois.arin.net]
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    
    #
    # Query terms are ambiguous.  The query is assumed to be:
    #     "n 158.69.225.103"
    #
    # Use "?" to get help.
    #
    
    #
    # The following results may also be obtained via:
    # https://whois.arin.net/rest/nets;q=158.69.225.103?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
    #
    
    NetRange:       158.69.0.0 - 158.69.255.255
    CIDR:           158.69.0.0/16
    NetName:        HO-2
    NetHandle:      NET-158-69-0-0-1
    Parent:         NET158 (NET-158-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       
    Organization:   OVH Hosting, Inc. (HO-2)
    RegDate:        2015-06-15
    Updated:        2015-06-15
    Ref:            https://whois.arin.net/rest/net/NET-158-69-0-0-1
    
    
    OrgName:        OVH Hosting, Inc.
    OrgId:          HO-2
    Address:        800-1801 McGill College
    City:           Montreal
    StateProv:      QC
    PostalCode:     H3A 2N4
    Country:        CA
    RegDate:        2011-06-22
    Updated:        2017-01-28
    Ref:            https://whois.arin.net/rest/org/HO-2
    
    
    OrgAbuseHandle: ABUSE3956-ARIN
    OrgAbuseName:   Abuse
    OrgAbusePhone:  +1-855-684-5463 
    OrgAbuseEmail:  abuse@ovh.ca
    OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3956-ARIN
    
    OrgTechHandle: NOC11876-ARIN
    OrgTechName:   NOC
    OrgTechPhone:  +1-855-684-5463 
    OrgTechEmail:  noc@ovh.net
    OrgTechRef:    https://whois.arin.net/rest/poc/NOC11876-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    

    abuse@ovh.ca is who you'd contact to complain in this instance.



  • @pjh What's the difference between contacting the upstream provider and the domain registrar? Because I thought that contacting the registrar was the first step.


  • Discourse touched me in a no-no place

    @atazhaia said in Reporting a scam site:

    @pjh What's the difference between contacting the upstream provider and the domain registrar? Because I thought that contacting the registrar was the first step.

    They're two different entities dealing with different parts of getting to a website.

    1. Domain registrar deals with converting the hostname into an IP address.
    2. Upstream deals with what's at that IP address.

    Basically two attack vectors. If the registrar is lethargic about removing the DNS entry but you can get upstream to take the actual site down (at least until the scammer changes the IP address with the registrar), then no-one gets scammed.

    Rough phone analogy[1]: (1) is asking for the name to be delisted from the phone directory, (2) is asking for the phone line on the current number to be cut.


    [1] all analogies are leaky. Don't pick at it.
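    Putting the two posts above together (the dig/whois lookup, and the registrar-versus-upstream distinction), here is an added example, not code from the thread, that pulls the abuse contact out of whois text so you know which of the two entities to write to. It parses three record styles: ARIN (the fields are taken from the lookup posted above), RIPE-style `inetnum`/`abuse-mailbox` records, and ICANN-format registrar output with its `Registrar Abuse Contact Email` field. The RIPE and domain samples are constructed with reserved example names; the field names are real, the values are invented.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (not live lookups). The ARIN block keeps the
# fields from the IP whois posted earlier in this thread; the RIPE block and
# the domain (registrar) block are made up using reserved example names.
ARIN_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       158.69.0.0 - 158.69.255.255
CIDR:           158.69.0.0/16
Organization:   OVH Hosting, Inc. (HO-2)
Ref:            https://whois.arin.net/rest/net/NET-158-69-0-0-1

OrgAbuseHandle: ABUSE3956-ARIN
OrgAbuseEmail:  abuse@ovh.ca
OrgTechEmail:   noc@ovh.net
"""

RIPE_SAMPLE = """\
% Information related to '192.0.2.0 - 192.0.2.255'
inetnum:        192.0.2.0 - 192.0.2.255
org:            ORG-EX1-RIPE
abuse-mailbox:  abuse@hosting.example
"""

DOMAIN_SAMPLE = """\
Domain Name: AFFILIATE-TYPO.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Organization: Privacy Protection Service
Registrant Email: hidden@privacy.example
>>> Last update of WHOIS database: 2017-07-28T00:00:00Z <<<
"""


@dataclass
class WhoisRecord:
    scope: Optional[str] = None          # IP range (upstream) or domain name (registrar)
    operator: Optional[str] = None       # hosting organisation or registrar
    abuse_emails: List[str] = field(default_factory=list)
    other_emails: List[str] = field(default_factory=list)


# "Key: value" lines. Keys are letters, spaces and hyphens, so the first colon
# is the separator even when the value contains colons (URLs, timestamps).
# Comment lines (# for ARIN, % for RIPE, >>> registrar footers) never match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SCOPE_KEYS = ("netrange", "inetnum", "domain name")
OPERATOR_KEYS = ("organization", "orgname", "org", "registrar")


def parse_whois(text: str) -> WhoisRecord:
    """Extract scope, operator and contact mailboxes from ARIN, RIPE or
    ICANN-style registrar whois output."""
    rec = WhoisRecord()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in SCOPE_KEYS and rec.scope is None:
            rec.scope = value
        elif key in OPERATOR_KEYS and rec.operator is None:
            rec.operator = value
        for email in EMAIL_RE.findall(value):
            email = email.lower()
            # ARIN OrgAbuseEmail, RIPE abuse-mailbox, ICANN "Registrar Abuse
            # Contact Email", or an abuse@ mailbox listed under another field.
            is_abuse = "abuse" in key or email.startswith("abuse@")
            target = rec.abuse_emails if is_abuse else rec.other_emails
            if email not in target:
                target.append(email)
    return rec


def pick_contact(rec: WhoisRecord) -> Optional[str]:
    """Abuse mailbox first, any other listed address as a fallback, None when
    the record lists nothing (an abuse contact is not guaranteed to be there)."""
    return (rec.abuse_emails or rec.other_emails or [None])[0]


if __name__ == "__main__":
    for label, sample in (("upstream (ARIN)", ARIN_SAMPLE),
                          ("upstream (RIPE)", RIPE_SAMPLE),
                          ("registrar", DOMAIN_SAMPLE)):
        rec = parse_whois(sample)
        print(f"{label}: {rec.scope} / {rec.operator} -> {pick_contact(rec)}")
```

    In practice you feed it the output of `whois <ip>` for the upstream route and `whois <domain>` for the registrar route, and report to both; a record with no abuse field at all (the "presuming it's listed" caveat above) yields whatever other contact exists, or None.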



  • @raceprouk Report it to who? For what purpose?

    I think the best you can do here is get it removed from search indexes (Google and Bing.)

    Here's Google's URL: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

    Here's Bing's URL: https://www.microsoft.com/en-us/concern (Bing calls them "concerns", which is cute)

    You can try reporting it to law enforcement, but they likely won't (and possibly won't *be able to*) do jack about it. If you can track down the hosting company, you could report it to them, but they likely don't care until law enforcement gets involved.


  • SockDev

    Google: "Tell us the URL of the phishing site."

    Done. Actually did that this morning.


    Microsoft: "Tell us the URL of the phishing site and a whole bunch of your personal information."

    I'm reporting a scam site. Why do you need to know my name? Also, I didn't find it via Bing, or any search engine for that matter: it was found via a typo. What do I put in for the search term?

    Anyway. Whatever. I'll fill that in.

    And now I have a support ticket number. Woo. Good to know a customer service drone is on the task, I guess.



  • @raceprouk Sorry for trying to help you. Christ.


  • SockDev

    @blakeyrat I was ranting about MS, not you

