
Guide on Taking Down Malicious Sites and Reporting Phishing

A comprehensive guide on how to report phishing sites, get them blocked by browsers and antivirus providers, and ultimately taken down from the internet.

Most of us receive multiple phishing e-mails and text messages and come across malicious sites from time to time.

But what can we do to protect others from getting scammed?

Taking down the sites can be quite a long process, but first we can do other things to prevent people from accessing the malicious URL by accident.

Microsoft SmartScreen and Google Safe Browsing

These anti-phishing and anti-malware tools are built into most browsers and can therefore help the most people. They essentially hold a database of malicious sites and show a warning before the user enters the site.

You can report links to:

Antivirus Providers

A lot of AV providers also have a way to report these sites; here is a short list:

National Reporting Sites

E-mail Phishing

Phishing/malicious e-mails can be forwarded to:

Full Takedown

If you want more than a warning before people enter the site and want the site gone from the World Wide Web, you can report the domain to the registrar and report the site to the hosting provider or proxy service.

Registrar

Most sites have a domain name like "google.com" or "jeroengui.be". Sometimes the domains are obfuscated to make them look legit. If you don't know how to find the domain from a URL you can use this tool: goforpost.com/tools/domain-extractor

These domain names have to be registered with a registrar. To find the registrar of a site, you can use a whois tool like:

Or install whois on your Linux installation and use the whois domainname.com command.

When using the whois command you can find the registrar and often also an e-mail address where you can report abuse of their services. Just e-mail them, explaining that you encountered the phishing site that you are trying to report. If you don't find an e-mail address in the whois output, you can also search the registrar's site for an abuse form.

Hosting Provider / Proxy Service

Every site needs to be hosted on a server somewhere in the world. Often scammers use a hosting provider that hosts the site for them. To find the hosting provider, you can use a site like who-hosts-this.com or sitechecker.pro/hosting-checker.

For the Linux users: use the host domainname.com command followed by the whois command with the first IP address from the output.

As with the registrar, find an abuse e-mail or look up the site of the hosting provider for an abuse e-mail or form.

Not every site is hosted directly by the company that you just reported to — sometimes they are just a proxy service like Cloudflare. Nonetheless they need to take action and report the site to the actual host and stop providing the proxy service for the malicious site.
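The whois and host steps from the Registrar and Hosting Provider sections, as an added shell example (not the author's own automation): it pulls the registrar name and the abuse addresses out of whois output and the first IP address out of host output. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the guide author's automation. Parses whois/host text
# to find where to send abuse reports. Sample data below is constructed.

# Registrar name from domain whois text on stdin (assumes a "Registrar:" line,
# the common gTLD layout; some ccTLD registries label it differently).
registrar_name() {
  tr -d '\r' | sed -n 's/^[[:space:]]*Registrar:[[:space:]]*//p' | head -n 1
}

# Abuse addresses from domain or IP whois text on stdin. Only lines that
# mention "abuse" are used, so the registrant's own address is never returned.
abuse_emails() {
  tr -d '\r' | grep -i 'abuse' |
    grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# First IPv4 address from `host` output on stdin.
first_ipv4() {
  sed -n 's/^.* has address \([0-9.]*\)$/\1/p' | head -n 1
}

# Live lookup (needs network plus the whois and host commands).
report_targets() {
  domain=$1
  dom_whois=$(whois "$domain")
  ip=$(host "$domain" | first_ipv4)
  echo "Registrar:       $(printf '%s\n' "$dom_whois" | registrar_name)"
  echo "Registrar abuse: $(printf '%s\n' "$dom_whois" | abuse_emails | tr '\n' ' ')"
  if [ -n "$ip" ]; then
    echo "Host/proxy IP:   $ip"
    echo "Host abuse:      $(whois "$ip" | abuse_emails | tr '\n' ' ')"
  fi
}

# Constructed samples (reserved .test/.example names, documentation IP range).
SAMPLE_DOMAIN_WHOIS='Domain Name: EXAMPLE-PHISH.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: owner@example-phish.test'
SAMPLE_HOST_OUTPUT='example-phish.test has address 192.0.2.10
example-phish.test has IPv6 address 2001:db8::10'
SAMPLE_IP_WHOIS='NetRange: 192.0.2.0 - 192.0.2.255
OrgAbuseEmail: abuse@hosting.example
OrgTechEmail: noc@hosting.example'
```

Call report_targets with the domain you extracted from the URL. An empty abuse line means the whois record lists no address, which is the case where you look for an abuse form on the provider's site instead.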

Final Note

After taking all these steps and often waiting for some days, the site will be gone, or the malicious content deleted. Sometimes no action will be taken, but don't worry about it — you did everything you could to make the internet a safer place.

If all this seems a little bit much for you, you can still send any scam links, screenshots from SMS and forward any suspicious e-mail to [email protected]. I automated part of the above process and when I find the time I will complete the other part manually.


If you have any questions, if I got something wrong, or if I forgot something: feel free to contact me.