Reporting a Phishing Website
My phish finder has found a real-world example of a Runescape phishing website. We will start this little project off with a very detailed guide to performing the initial reporting of the site to every party we can find.
The domain
The real identifier of a website is its domain. Phishing websites will often have a domain that looks much like the real website's. In this case we have:
Now, I didn't want to post the text link, for several obvious reasons. The biggest one is that I don't want Google blacklisting my blog just because it detected the link here. In the future we will have a database to store this information.
Anyway, the point here is that the first part of this URL (secure[.]oldschool.com-rs.cz) is the phishing website in question. This is the part of the URL we will need to focus our efforts on. If we navigate to the base URL, we get redirected to the Runescape website, so there is not much to see there. What we do need to do is start getting this URL onto spam lists and blacklists so users are alerted in their browsers when they attempt to navigate to the fake website.
Reporting
- The first thing you should do is see whether the company has a way to report phishing to them. In this case, Jagex seems to have an email address that you can use to report phishing websites. Ideally, you would want to send them the entire URL and the source of the link. You can report phishing to Jagex here:
reportphishing@jagex.com
Jagex at the moment also seems to have a forum where they are tracking phishing links. You can post the phishing URL in the following thread:
https://secure.runescape.com/m=forum/c=V*NNQFXD7Bc/forums?254,255,624,66141790,goto,1
- Google is one of the largest search engines in the world. They also moderate YouTube, where lots of phishing scams start. You should report the URL to Google here:
https://safebrowsing.google.com/safebrowsing/report_phish/
- Just like Google, Microsoft (with Bing) also has a very large search engine. You can report phishing links to Microsoft here:
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site
- You can email the Anti-Phishing Working Group:
phishing-report@us-cert.gov
Here the website will be looked at by experts that work for the governments of the world.
- You can report it to ESET, a commercial security solution: https://phishing.eset.com/en-us/report
- You can report it to Netcraft, a UK-based company that provides commercial security solutions in the UK: https://phishing.eset.com/en-us/report
- Report it to PhishTank, a website that records and tracks phishing websites and keeps a database of them: https://phishtank.org/
- Report it to AbuseIPDatabase
- Last of all, you can report phishing to the FBI here: https://www.ic3.gov/Home/ComplaintChoice
Report Abuse
Now we can ping the URL from any command prompt or Linux shell by issuing the command:
ping bad-website-name.org
By doing this for the above website, we get the IP: 93.158.239.18.
You can perform an ICANN lookup on the IP here: https://lookup.icann.org/en/lookup
This gives us the domain registrar and where we can go to report abuse on the website.
We simply email the abuse address with the domain/URL and information about the phishing activity.
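As an added example (not part of the original post), the sketch below pulls the registrar's abuse address out of an RDAP response, the JSON format the ICANN lookup tool reads, and drafts the abuse report with the URL defanged. The trimmed sample response, registrar name, addresses, IP and URL path are all constructed for illustration.

```python
import json

# Constructed RDAP domain response; registrar name and addresses are made up.
SAMPLE_RDAP = json.loads("""
{"ldhName": "bad-website-name.org", "entities": [{
   "roles": ["registrar"],
   "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Ltd"]]],
   "entities": [{
     "roles": ["abuse"],
     "vcardArray": ["vcard", [["email", {}, "text", "abuse@registrar.example"]]]
   }]
}]}
""")

def vcard_value(entity, field):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    card = entity.get("vcardArray") or ["vcard", []]
    for prop in card[1]:
        if prop[0] == field:
            return prop[3]
    return None

def find_abuse_contacts(rdap, registrar=None):
    """Walk nested RDAP entities, returning (registrar, abuse email) pairs."""
    found = []
    for ent in rdap.get("entities", []):
        roles = ent.get("roles", [])
        name = vcard_value(ent, "fn") if "registrar" in roles else registrar
        email = vcard_value(ent, "email")
        if "abuse" in roles and email:
            found.append((name, email))
        found.extend(find_abuse_contacts(ent, name))
    return found

def defang(url):
    """Make a URL unclickable so mail clients and filters don't follow it."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def build_report(url, ip, rdap):
    """Draft the abuse email: recipient, subject, body with defanged URL."""
    contacts = find_abuse_contacts(rdap)
    if not contacts:
        raise ValueError("no abuse contact in RDAP response")
    registrar, email = contacts[0]
    body = f"URL: {defang(url)}\nResolved IP: {ip}\nRegistrar: {registrar}\n"
    return {"to": email, "subject": f"Phishing report: {rdap['ldhName']}", "body": body}

if __name__ == "__main__":
    print(build_report("http://login.bad-website-name.org/verify", "203.0.113.7", SAMPLE_RDAP))
```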
Not to spoil a future post, but digging into the registrar reveals some more dark details about this whole operation. For now though, we will report abuse here.
Hackers Hate Bad Attention
This is the first step of our dive into the Runescape phishing websites. I think it's appropriate to start here, as this is what every user can and should do when they find these websites. Later, we will be going deeper and investigating, but we must start out by doing the basics. Next we will be doing some domain OSINT and gathering as much information as we can on the domain itself. The biggest thing here is attention. The people pulling these scams do not want attention on the site. It makes the site go down faster, and makes them more likely to get caught in the long run. By consistently reporting these websites, we help Jagex, the governments, and companies start to form a record and pattern of behavior. This is bad news for the bad actor. So talk about it, report the website, and let's get some attention on these scams/domains.