A Practical Guide to Removing Spoof Websites
Overview
Web spoofing [1] is a type of internet fraud where fake websites are set up to mimic well-established companies. The victim enters credit card details and other valuable personal financial information believing the site to be genuine.
Web spoofing scams are a growing problem that not only affect the profits and reputation
of businesses, but also contribute to a rise in identity theft, credit card fraud and other
internet frauds.
What we would like you to do
The Alert includes information on how to protect your business by providing:
- A methodology of how spoof sites are created.
- General advice to your customers.
- The takedown process.
- Annex A - Sample notice to an Internet Service Provider (ISP).
This document should act only as a guide to the basic steps your company should follow in the event of a compromise, and should not discourage you from reporting the matter to the police.
[1] Spoofing: Synonymous with deceiving, impersonating, masquerading or mimicking (for example, an attempt to gain access to a system by posing as an authorised user).
Information Report
Spoofing frauds involve criminals creating copies of legitimate websites in an attempt to
make internet users believe that they are securely connected to a trusted website. To
facilitate this fraud criminals infringe trademarks, logos and UK copyright laws in a bid to
convince individuals to provide personal or financial information; the effect of which causes
reputational and financial damage to businesses worldwide.
Some of the biggest names in the dotcom world as well as a number of high-street banks
and companies have been targeted by spoofing. A recent example highlighted a deception
in which an individual who responded to an online advert from an employment agency was
redirected to a spoof website. This website was deliberately created to deceive the victim
by using genuine graphics and logos for a leading hotel chain, which successfully obtained
their personal and financial data.
Methodology
Web spoofing reproduces a legitimate site at a domain name controlled by the fraudster; in doing so, the fraudster can manipulate every transaction that passes through that website. There are three essential elements a fraudster needs in order to impersonate a legitimate company’s website and gain exclusive control of all transactions relating to it.
- Domain name, which is the main identity of the site. Domain names can usually be purchased online from several sources for a fee. A domain name consists of characters such as letters, numbers and the ‘dash’ (hyphen), and stands for the name of the site.
- Content for publishing on the site. The most important things to consider here are the HTML and any streaming media.
- Web hosting to finalise the plan. The fraudster will not only register the site through a web host, but will also pose as the directors and employees of the company.
General advice to customers using your website
We also suggest that you provide the following advice to your customers who use your
website.
- Always update your information online by using the process you have used before, or open a new browser window and type in the website address of the legitimate company’s account maintenance page yourself.
- Be wary of unfamiliar website addresses, as they may not be genuine. Only use the address that you have used before, or start from your normal homepage.
- Always report fraudulent or suspicious e-mails to your ISP. Reporting instances of spoof websites will help in shutting down these bogus sites before they can do further harm.
- Take note of the address shown in the browser’s address bar. Spoof sites are more likely to have an excessively long string of characters in the address, with the business name somewhere in the string, or possibly not at all.
- If you have any doubts about an e-mail or website, make a copy of the questionable website’s URL and send it to the legitimate business to verify whether it is genuine.
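The address checks in the list above can also be applied on the company side, for example to triage the URLs customers forward for verification. The following Python script is an added example written for this guide, not part of the original SOCA document; the brand name, the owned domains and the sample addresses are all constructed.

```python
from urllib.parse import urlparse

# Constructed example data: the brand a company wants to protect and the
# registrable domains it really owns (both assumptions for this illustration).
PROTECTED_BRANDS = ["examplebank"]
OWNED_DOMAINS = {"examplebank.com", "examplebank.co.uk"}


def registrable_domain(host: str) -> str:
    """Rough registrable-domain guess: the last two labels, or three for
    two-part UK suffixes. A production tool should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str, max_len: int = 75) -> list:
    """Return the warning signs the guide lists for a customer-supplied URL;
    an empty list means the address belongs to a domain the company owns."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in OWNED_DOMAINS:
        return []                      # the address the customer has used before
    reasons = []
    if len(url) > max_len:
        reasons.append("excessively long address ({} characters)".format(len(url)))
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a company name")
    # The brand name appearing in a subdomain, path or query is the tell-tale
    # sign described in the guide: the name is in the string, but not the domain.
    searched = (host + parts.path + parts.query).lower()
    brands = [b for b in PROTECTED_BRANDS if b in searched]
    if brands:
        reasons.append("brand '{}' appears in the address but the site is {}".format(brands[0], domain))
    else:
        reasons.append("unfamiliar domain {}".format(domain))
    return reasons


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, two that mimic the brand.
    for sample in [
        "https://www.examplebank.co.uk/login",
        "http://examplebank.com.secure-account-verify-update.info/session/x7d9f/online-banking/login.php?user=examplebank",
        "http://198.51.100.7/examplebank/login",
    ]:
        print(sample, "->", assess_url(sample) or ["looks like your usual address"])
```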
Website takedown process
In the event that your company is affected by spoofing, in the first instance we recommend
that you contact the host Internet Service Provider (ISP) and request a takedown of the
spoof website.
There are two methods of approaching an ISP to request the takedown of a spoofed website which, depending on the circumstances, will have varying degrees of success.
- An informal approach by the affected company to the ISP which is hosting the spoofed website. This may simply be a phone call or an e-mail. Annex A is provided as a template for the e-mail wording. Some of the details can be obtained from a WHOIS search (see below). Contact details for the ISP can also be found on the WHOIS site.
- A formal application drafted by the company’s legal advisors and addressed to the relevant Internet Service Provider (ISP), which uses the law in an attempt to have the website taken down.
In each case, you will need to include the following information:
- Obtain the relevant details from a WHOIS [2] (see below) look-up of the domain or IP address. Note the domain registrar, any resellers, the Domain Name System (DNS) providers, the date the domain was registered and the hosting company.
- Where possible, ascertain whether the domain or server has been hijacked. If it has, there is no need to seek deactivation of the domain; just contact the host asking them to clean the site.
- You can also visit the registrar or hosting company website and look for contacts.
- Also use the WHOIS Data Problem Report System: http://wdprs.internic.net and http://reports.internic.net/cgi/registrars/problem-report.cgi
- If you cannot find a contact, do a Google search for “contact host.com” or “abuse host.com”.
Using WHOIS
A WHOIS search can be conducted at the following site: www.whois.net. Where prompted, enter the suspect site’s web address.
This will return a page with technical data and contacts for the takedown request. Using this data, you should include the following details in your request to the Internet Service Provider:
- Identification details of the copyrighted work that you believe has been infringed.
- Full details of the site involved, to allow the Internet Service Provider to locate the material, reference or link.
- Your contact details.
- A statement confirming that the use of the copyrighted material on the website has not been authorised by the copyright owner, its agent or the law.
- A statement confirming that you are the copyright owner or have authorisation to act on behalf of the owner.

[2] Internet utility that returns information about a domain name or IP address, e.g. www.dnsstuff.com
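To show what the WHOIS data looks like once collected, here is an added Python example (written for this page, not SOCA’s own tooling) that parses a constructed WHOIS record in the common “Key: value” layout and pulls out the items the guide says to note before contacting the host: registrar, abuse contact, registration date and age, and the DNS providers behind the name servers. The record, dates and hostnames are all made up.

```python
import re
from datetime import datetime

# Constructed sample WHOIS output for an imaginary spoof domain (not a real
# record); the "Key: value" layout mirrors what registrar WHOIS servers return.
SAMPLE_WHOIS = """\
Domain Name: SECURE-ACCOUNT-VERIFY-UPDATE.INFO
Registrar: Example Registrar Ltd
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2009-03-02T10:14:00Z
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
Domain Status: clientTransferProhibited
>>> Last update of WHOIS database: 2009-03-10T00:00:00Z <<<
"""

# One "Key: value" line; the key is letters, spaces or slashes up to the first colon.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*)$")


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines; keys repeat (Name Server), so values are lists."""
    record = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return record


def _iso(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def takedown_details(whois_text: str, observed_iso: str) -> dict:
    """Extract the facts the guide says to note; observed_iso is when you looked."""
    rec = parse_whois(whois_text)

    def first(key):
        return rec.get(key, [None])[0]

    created = first("creation date")
    name_servers = [ns.lower() for ns in rec.get("name server", [])]
    # The registrable domain of each name server usually identifies the DNS provider.
    providers = sorted({".".join(ns.split(".")[-2:]) for ns in name_servers})
    return {
        "domain": (first("domain name") or "").lower(),
        "registrar": first("registrar"),
        "abuse_contact": first("registrar abuse contact email"),
        "registered": created,
        "age_days": (_iso(observed_iso) - _iso(created)).days if created else None,
        "dns_providers": providers,
        "name_servers": name_servers,
    }


if __name__ == "__main__":
    for key, value in takedown_details(SAMPLE_WHOIS, "2009-03-10T00:00:00Z").items():
        print("{:14} {}".format(key, value))
```

A very young domain (small age_days) that carries a bank’s name is itself a useful indicator when you draft the notice.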
Summary of takedown process
A process where a complainant informs an Internet Service Provider (ISP) that they are
hosting illegal material (notice) in order that the material in question is promptly removed
(takedown).
1. False website identified.
2. Identification of IP address through WHOIS. WHOIS enables an enquirer to find out whether a domain name is available and, if not, the organisation or person to whom it is registered, and when that registration was made. WHOIS is used:
   - To find information about networks, domains and hosts.
   - To locate contact information for networks and domains.
   - To see if the domain name is already in use.
3. Host contacted to clean site.
4. Website removed.
5. Website takedown completed.
Please note: SOCA does not accept liability for the consequences arising from the wrongful takedown of material, and any action taken against innocent parties may lead to a breach of Article 8 in Schedule 1 Part 1 of the Human Rights Act 1998.
Annex A - Sample takedown notice
As applicable, include, delete or amend the following text as you see fit.
“Dear XXX,
I am writing on behalf of YOUR COMPANY NAME, a well known and internationally
respected company whose headquarters are in location.
We have received reports of XYZ site hosted on the network of the company
“Company Name” / your network.
The website is located at the following URL: http://www.[Full URL].com.
As at [time] GMT this domain resolved to an IP address of xxx.xxx.xxx.xxx.
We believe that it is the intention of the website owner(s) to use the site as an
instrument of fraud/recruitment of money mules/money laundering scheme/breach
of copyrights/trademark infringement.
We further notify you that the content located on the above mentioned website infringes
law concerned [Please seek independent legal advice to detail relevant breaches in
law such as copyright infringement], and we hereby request your assistance in:
1. Recovering any relevant files.
2. Shutting this website down or cleaning as appropriate.
3. Removing the domain from DNS resolution.
Should you not be the correct person to be dealing with in this incident, please be kind
enough to forward this request to the appropriate person.
Please feel free to pass this information on to other trusted parties (e.g. law enforcement),
as you deem appropriate.
We request you notify us without delay as to the steps you have taken to conform to our
above request. Our contact information for receipt of your communication is given below:
Name
Full Postal Address
Telephone/Fax/Contact Numbers
Email
Website
The information contained in this takedown request, is to the best of my knowledge, true
and correct and I am acting in good faith.
Regards,
Your Name, For and on behalf of YOUR COMPANY
Full Job Title and Department”
Data Protection
Disclaimer
While every effort is made to ensure the accuracy of any information or other material
contained in or associated with this document, it is provided on the basis that the compiler and
its staff, either individually or collectively, accept no responsibility for any loss, damage,
cost or expense of whatever kind arising directly or indirectly from or in connection with the
use by any person, whomsoever, of any such information or material.
Any use by you or by any third party of information or other material contained in or
associated with this document signifies agreement by you or them to these conditions.
© 2009 Serious Organised Crime Agency
This information is supplied by SOCA under authority of Section 33 of the Serious Organised Crime and Police Act 2005.