
Sheogorath's Blog

Fighting phishing for everyone's good


Today I spent a few minutes reporting phishing mails and domains that I collected with my various email addresses. I think many people will face the same question at some point: “What do I do with this information?”

Before you start: if you don’t feel comfortable opening a phishing email, don’t do it. Always open it in plain text and configure your environment so that links aren’t clickable.
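One way to collect the URLs for the reports below without rendering the mail at all is to parse the saved message and print defanged links. This is an added example, not part of the original post; the function names and the sample message (using the reserved `.test` domain) are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

def extract_urls(raw: bytes) -> list[str]:
    """Return unique URLs from every text part, in order of first appearance."""
    msg = message_from_bytes(raw, policy=policy.default)
    seen: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeDecodeError):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;")  # drop sentence punctuation
            if url not in seen:
                seen.append(url)
    return seen

def defang(url: str) -> str:
    """Make a URL non-clickable for notes: hxxp scheme, [.] in the host."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{scheme.lower().replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"

# Constructed sample: the HTML part is quoted-printable, so the link is
# split across lines and would be missed by a plain text search of the file.
SAMPLE = b"""From: "Support" <support@example.test>
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Verify your account: https://login.example.test/verify?id=42.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<a href=3D"https://login.example.te=
st/verify?id=3D42">Verify</a><img src=3D"http://img.example.test/p.gif">
--b1--
"""

if __name__ == "__main__":
    for u in extract_urls(SAMPLE):
        print(defang(u))
```

The defanged form is for your own notes; the reporting forms expect the original URL, so copy it from the script's output rather than from the rendered mail.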

Step one: Informing the NCSC / a government agency

The UK’s NCSC runs a fantastic program for reporting phishing and scam emails. It has detailed instructions on how to handle them, allows you to forward emails to them, report websites/URLs and even malicious ads.

Go to the reporting page and follow the instructions.

Although this may seem like the least effective step, it provides government agencies with data that can help push for regulations. It’s also easier for government authorities to get companies to act.

If your government offers a similar program, use it, but the NCSC is a good catch-all.

Step two: Protecting at scale

The next place to report the same URL to is Google Safe Browsing.

Go to Google’s Report Phishing Page and follow the instructions.

Google Safe Browsing is built into all major browsers, and if the page can be blocked there, it will protect billions of people, especially those who may not have any browser extensions installed.

Step three: Informing those who care, but have limited resources

For larger campaigns it can be useful to block the URLs using the uAssets badware list, which will trigger blocks in all browsers that run uBlock Origin or reference the lists.

Create a pull request to the uAssets badware list.

Bonus round: URLhaus phishing reports with automation

If you feel like automating things, URLhaus is a good place to go. They offer the ability to automatically submit URLs in bulk, but since they require authentication[1], I’ll keep them as a bonus.

Visit the URLhaus browsing page and log in to submit data. You can also obtain an API token and submit the data using their bulk API.

According to their website, this will also automate step 2:

Submissions to URLhaus are being shared with security solution providers, antivirus vendors and blacklist providers, including:

  • Google Safe Browsing (GSB)
  • Spamhaus DBL
  • SURBL

The default configuration of uBlock Origin integrates the malware feeds from URLhaus. This also automates step 3.

Thoughts

Fighting phishing emails is not easy, and reporting things to the right places can be a challenge, but with a crowd-sourced effort it might be possible to fight back against scammers and phishers.

This is currently a very manual process, and the use of CAPTCHAs and account requirements probably reduce its effectiveness, but it’s a start.

More governments should provide programmes like the NCSC that make it easy for people and companies to delegate these problems to the government and let them fight these threats with authority and international cooperation.

This is probably an amateur’s guide to the problem, but at least it is actionable.


  1. Be aware: Their documentation often talks about requiring a Twitter account, but at the time of writing they have diversified their login options to include Google, GitHub and LinkedIn.