Intro
Scammers are going to be furious at this video.
I'm going to show you how just by yourself, you can shut down scam and phishing websites
potentially within minutes. In this video, I'll demonstrate using a real life scam
phishing site that I found on Twitter designed to steal Steam accounts.
This website had been up for 10 days already and not a single antivirus
security company had flagged it yet. But within minutes, I had it flagged by multiple
security companies, within hours, nearly a dozen, and within 24 hours, the website was completely
blocked by Google Chrome and Edge by default. And within two days, the domain registrar itself
had the domain name suspended and taken away from the scammers completely, which is why I'm
not worried about showing the domain name here. Still though, don't go to it. You never know
in the future. So if you didn't think you could make a difference as just one person,
I'll show you how. All you need to do is know the various pages that security companies have
for submitting malicious websites and report them. And to be clear, I didn't use any kind of
special YouTuber connections to do any of this. I used the same exact public forms that
everyone else would, and within one day, a scam site was shut down. So
as an overview for this video, first I'll give you a quick explanation on
how this particular scam website worked. Then I'll show you how to report a malicious
URL to over 15 security companies using their pages for doing so, which will basically
end up nuking the scam website from orbit. Then I'll give you the results for about how
long it took each security company to start flagging the scam site.

Today's Scam Example
So for this scam, it's
actually getting pretty common recently on Steam, where you get a message from one of
your friends whose account has been hijacked though. And the scammer
will ask you to go to a website supposedly for some game tournament
and asks you to vote for their team. Again, still pretending to be your friend.
But on that website, when you go to vote, it prompts you to log in with your
Steam account. But it's a fake Steam login window. And it looks pretty
convincing. All the links on this window go to the real Steam site, but if you
type in any credentials, it will steal them. I've actually seen a couple varieties
of this type of website. On this site, it actually pops up a separate browser window,
but the URL box just says "about:blank". On another site, it brought up an entire
fake browser window. So this apparent window with Steam as the URL showing is
not even a separate browser window at all. Very tricky. Also apparently tricky is it will
also steal your Steam Guard credentials. So I just put in a fake login credential and it knew
that the login was incorrect. So I wasn't about to type in any real credentials, but I bet that
it was actually relaying the login and if it saw that it was asking for Steam Guard,
it would have just asked for that too. And by then it had your login and your
Steam Guard code. And I have to say, as far as scam domain names go, fps league dot com
actually seems pretty legit. Now obviously do not go to this website. Right now it's down anyways,
but you still don't want to knowingly visit a potentially malicious site.

Pro Tip: Site Age
As a pro tip, a lot of
scam websites use newly registered domain names. They are not up for very long before they get
caught and then they just go down. So a good way to tell if a site is kind of suspicious
is to look up that registration date using the so-called WHOIS registration data. If it's
a common domain extension like .com or .net, you can go to lookup.icann.org and
it will tell you the created date. If it's an extension that that site
doesn't work on, you can just Google the top level domain extension like .io
and then "whois lookup" and you should be able to find something from there. And I would
actually recommend if possible that you just automatically block newly registered domains if
you have some kind of service that allows that. Sometimes hardware firewalls use that,
but one service I've been using recently that I just found out about, and this
isn't sponsored or anything by the way, but it's called NextDNS and it
lets you add a bunch of filters, including newly registered domains. I'm not
going to get into how to do all that yourself. If you don't know how, maybe ask a friend who's
good with computers and they can probably help you. But I just wanted to mention it. I've been
using it for about a week and I like it so far.

Preparing to Report
All right, so now let's get to how to actually
report a malicious URL, assuming you come across one. So what you want to probably do is open up
notepad and copy over the URL so you have it. And also what you want to do is make a
note - a description, that you'll submit along with the report to describe what the
scam is. So for example with this website, I wrote a quick thing that says, "It is a
Steam phishing site. If you click on a link such as sign in with Steam at the top, then
it will bring up a fake Steam login window." And something like that is detailed enough, just
enough where if a human goes to review the site, they'll know why you actually reported it
as malicious and they'll be able to easily tell. If possible, you might also want
to take a screenshot of the scam part, like the fake pop-up window or something. That
can sometimes be included with the report. And remember if you are visiting
a known scam website, open it in a sandbox. Windows has a built-in sandbox
now that you can open it with. You can also use some kind of virtual machine. And
there's also some websites like Anyrun, which you can use a virtual machine online. Like
you just type in the URL here and it'll give you a quick 60 second virtual machine where you can
actually navigate around the site, click on stuff. So you can get a quick screenshot through
that. Just you want to be sure you're safe.

Specific Sites for Reporting
And now I can go through the individual
pages for all the security websites, how to report each one. I'm going to
go through them pretty quickly because there are several. And of course I will
put all these links in the description.

Google Safe Browsing
Alright so the first big one you'll want
to report it to is Google Safe Browsing. This will get the website blocked on Chrome.
And all you have to do is put in the URL and add a little note describing it. So I'll
put that in that I showed you before. And if it doesn't get auto detected, that note
will of course help them review it manually. And then you just submit it.

Microsoft SmartScreen
The other big one
you'll want to report it to is Microsoft and their SmartScreen Filter. This will get it blocked
on Edge and Windows and all that. Now you can either log in with your Microsoft account or as a
guest. I don't think it really makes a difference. But either way, you'll just put in the URL and
then choose phishing or the other one, depending on the website, and then fill out the CAPTCHA
if you're not logged in and then hit submit. Unfortunately there is no notes section
on this site. I'm not sure why that is, but it is what it is. Also if you're
using an enterprise admin account, you can go into the Microsoft 365 Defender
dashboard and you can submit a URL through that. And that does actually let you add a note,
but you have to have like a business account. So most people won't be able to do that.

Contact the Registrar
Next, it's definitely worth trying to report the domain to the registrar and cut it
off at the source. Right in the WHOIS info, there should be the registrar's
name and abuse contact email. I emailed this one and basically said
the same thing as in my other notes. But when you do go to type the
domain, don't do it like this. Write it something like this with
the dot spelled out or whatever, because the first email I tried to send
got blocked by Gmail, because I guess the domain was already flagged. So you want to
write it out as not a link. In this case, they actually just sent an email back saying that
I actually had to fill out a form on their site. So I did that instead. And about two days later, I
noticed the registrar had set the name servers to show that it was actually suspended. And there
were also some new domain statuses applied, which corroborate that. Though not every registrar
may show suspended name servers like this. Also, not every registrar is very good at taking
down sites, but it's still worth it. But usually I found after Google and Microsoft
start blocking the site that the scammers often just shut the site down themselves anyway.

Fortiguard
Next
up we have FortiGuard. And here you type in the URL for the site and hit enter or the search icon.
And you'll see that here it lists the category as recently registered and a security risk group.
But we want it flagged fully as phishing. So click request a review and then for
suggest a category, choose "phishing" or whatever the site is. And if you're able, take
a screenshot of the site or the malicious part, like the fake login window. A lot of these
sites block scanners that are automatic. So you'll notice VirusTotal actually returned a
404 because it must have somehow blocked it. So putting in a screenshot, a lot
of times it will help with a manual review. Then just put in your name and
email, you'll get a notification on what they do. And then for "company", you can
just put "self". And then for comment, add that same note and then hit submit. And you
should see a confirmation message at the top.

Brightcloud
Next we have BrightCloud. Just paste the
site in the box that says "Look up URL or IP" and then hit look up. The reputation
will probably be uncategorized or suspicious because it's a new domain, but again we want
it fully flagged. So look on the left for the "Request a Change" section. Put in the URL, then
click on "I would like to suggest a category." In this case we want "phishing or other
frauds." Then click done and then put in your email and you can leave the
product box empty. Then add your note and then submit. And then you should
see a confirmation message.

CRDF Threat Center
Next is CRDF Threat Lab Center. So at the top, hover over
URLs and then click Submit Malicious URLs. This form is super basic. It just asks you
for your email address and a list of URLs. So don't put anything except links in here, no
notes or anything. And then agree to the terms, then submit the request and you'll
see a confirmation number. Now I have found this website often on the first
attempt might not catch a scam site. I guess it's automated. So in my case, I got
an email about 30 minutes after submitting it and it says no malicious sites were found.
So what you'll want to do then is follow the link in the email to the report that they give
you. And then next to the URL you submitted, you can check the "misclassification" box and
then click "Continue the reporting process." Then here, they finally do let you add
an explanation in this box. So be sure to put your note and that it has enough
details for when they manually review it, then just hit submit and it'll say successfully
reported. In the two times I submitted a website and they didn't catch it at first, I appealed
and both times they then caught it after that. So you might have to do that.

Netcraft
Next up we
have Netcraft. So just put in the URL of the site along with your email. And I
actually forgot to do this, but be sure to select "add further details" and then add
your explanation. And then hit Report Malicious URL. Fortunately even without the details, it
still caught it and flagged it automatically. But if they send you an email
that says no threats were found, just hit "Check Results" and then on the left,
click "Report An Issue". And then next to the URL, select Misclassification and ideally upload
a screenshot for evidence. But then either put the same note you did before or maybe add
a more detailed one in the misclassification report reason, and then hit submit issue
and they'll re-review it probably manually. And I did have to do this one time and they did
catch it when re-reviewing it. As a cool side note for this website, they actually have a leaderboard
for who submits the most malicious URLs the first time. And they even have some prizes if
you submit enough, which is kind of cool.

Palo Alto Networks
Moving on for Palo Alto Networks on the "Test a
Site" page, just put in the URL and hit search. And it may have a few categories already
like newly registered, high risk, but nothing confirmed malicious or phishing.
So click Request a Change, then put in your note and then find the proper category and select
it, put in your email and hit submit.

ESET
For ESET, they have a "report a phishing page"
form. So put in the URL, then the note. And it also asks you for the organization
being targeted. So in this case, the site is stealing Steam logins, so I put Steam.
Also, some sites like this one may require you to add the HTTPS to the beginning of the
URL. So just be aware of that and then hit submit. And they don't ask you for email, so
you won't get a notification if they flag it.

Trend Micro
For Trend Micro, you put the URL in the box that
says, "Is It safe?" And then hit Check Now. And here it just says untested and newly observed
as the category. So hit Reclassify Request. And then here are two options. So just click the
button under where it says "For Home Users", etc. And then on this page for safety rating, select the Dangerous option under content,
select "suggest a different category." Then under Internet Security, choose phishing or
whatever it is. Then you can just leave these two check boxes alone, but in the box for comments,
add your note to explain it and then enter email address and hit OK. Now hold on because
there's one more step. For this one you need to actually go to the email they send you and click
a confirmation link before they actually scan it. And also check your spam box. In my case,
it was in there. So then once you go to the confirmation link, it will actually submit
for a scan.

Bitdefender
For Bitdefender on this page, you'll want to scroll down to the
submission form and then for category, select False Negative. Then put in your name, your
email, in our case select URL and paste it in. Then for description as usual put the
note and hit submit. And you should see a green confirmation message show up.

McAfee
For
McAfee, this page is for checking a single URL. This box will ask you what product
you're using. Just select the Real-Time Database option. Here it's at the top. And
then put in the link and hit Check URL. You can see it says it's currently uncategorized.
So down lower for Category 1, select Phishing and you don't need to select all the categories, just
one is fine. Then put in your note and hit submit URL for review and it should show a confirmation
page.

Forcepoint
For the company Forcepoint, in this box we put the URL. And I guess you can only report
five a day or something, but anyway hit analyze. Currently it says the threat level is
low and is only classified as a newly registered website. So hit suggest a different
classification. In the suggest dropdown, the phishing option is actually called "Security: Phishing and Other Frauds". So select that then
put in your note. Then click submit and there doesn't seem to be any kind of confirmation
message, but it still should have worked.

Symantec
For Symantec on their site review request page, first put in the URL and then
hit check category. In this case, it just says the URL has not been rated and lets
you fill out a form. For "Filtering Service", there are a bunch here. I wasn't even sure which
one, so I just picked Norton Safe Web, but I kind of assume that they're going to propagate the
malicious URLs to all their products anyway. For category, it's just Phishing and then put in
your email address and then in the comment box, your note and hit submit for review.

Spam404
To submit
to Spam404, this one is very simple. Just put in the URL and the explanation note and that's
it, hit submit.

Kaspersky
For Kaspersky on their Threat Intelligence portal, go to the Lookup tab,
then put in the URL and hit enter to search. We can see it is not categorized. So on the right,
hit the submit to reanalyze button and here just put in your email address and then it lets you
put in a comment to explain. So then hit submit and you should see a little confirmation
message.

Cisco Talos
Next up we have Cisco's Talos Intelligence service. This one actually requires
signing up for a free account to report a URL, but it is actually probably worth it because Cisco
is such a big company with so many customers. Anyway, on the reputation center page,
you can put in a URL or even just an IP and then hit the search icon. And here it
says unknown reputation and no category, but if you have an account, you can click
the buttons to submit a reputation or categorization ticket. However, one thing
to note is for the categorization option, very strangely, there is no option
for phishing or malware or anything. It's just regular website categories,
which I thought was weird. So instead what you have to do is go to the reputation
change option and then in the dropdown here, select "Suggest Threat Category", and then
it lets you select stuff like phishing and malware. So do that and then you set the platform
to Talos Intelligence, which is the only option. Then in the comments, put the usual note and
click submit.

PhishTank
Finally I want to mention this one called PhishTank. Now this would
be a good one to submit to because it's used by so many other services. However, they require an account to submit and for some
reason they have registrations closed right now. So I guess just check back on this one, or
if anyone knows a guy who knows a guy so I can get an account, maybe just send me an
email or DM me on Twitter or something.

VirusTotal Community
Oh, and one final thing though, you can
actually sign up for a VirusTotal account and that will let you vote on
a website and also leave a comment. So if anyone scans it, maybe even if it isn't
detected yet, they can still see your comment about it.

The Reporting Results
So now after reporting all of these,
we can get into the results for what happened. I'll show you the VirusTotal scan results
and then I'll show you as accurate as I can the exact amount of time that each of these
security vendors took to actually flag it. So I re-scanned on VirusTotal
after about an hour. And awesome, there were already four vendors that
were flagging it. But surprisingly, even though VirusTotal had Google Safe Browsing
showing it as clean, on the actual Google site to check a domain status, it does say it had
flagged it as unsafe and it was the same day. So I'm sure it was from when I submitted.
And this was even the case six hours later and even the next day, VirusTotal is
still saying it was clean. So good to know that VirusTotal can be pretty
delayed with some vendors. And do realize that VirusTotal won't actually show
the latest results unless you hit re-scan. You can see here that it'll say it was
scanned hours ago and it'll just show you those results. Also if you do
a scan and it flags something new, be sure to also re-scan it on both the HTTP
and HTTPS version of the URL. For some reason, VirusTotal shows these as separate and you will
want people to see the flagged results whether they look on the HTTP or HTTPS version. And they
might not know they have to actually re-scan it. After re-scanning a couple hours later,
eight vendors were now flagging it. And after about six hours, 10 of them were
flagging it. Now I do want to mention something that I just learned, that even
if Google Safe Browsing flags a website, which apparently it did very shortly after
I submitted it, it won't be blocked in Google Chrome right away unless you have
Enhanced Protection on in the settings. I just had Standard Protection on and you'll
notice it says "Chrome may send URLs" to Safe Browsing and checks if the malicious URL is
stored locally. But for enhanced protection it checks all URLs I guess. So you might
want to enable that. I will say however, that by the next day within 24 hours, it was
blocking with standard protection by default. And also Microsoft Edge was blocking it with
their SmartScreen. I'm not sure exactly how long this took because I was asleep, but
it was within 24 hours. But I will note that even though both Google and Microsoft
were blocking these, VirusTotal still was not showing them as being flagged when I
re-scanned it, which was kind of weird.

Company Response Times
Anyway, I was doing my best to keep track of
exactly how long each security company would take to flag it, whether by sending an email
or just showing up on VirusTotal. And here are the results. Though I will point out that
it seems that for this site, fortunately a lot of the companies were able to automatically
detect it, I guess with an automated scan. Other times it may take longer if it had
to be manually reviewed to confirm. So don't necessarily expect some of these instant
results, but it could be. So now hopefully you all are scam website destroying machines.
And the next time you see a scam website and it just fills you with rage, you can
do something about it and take them down. Definitely give this video a big thumbs
up if you enjoyed it. I put quite a bit of testing and work into this one, so I'd
really appreciate it. Also let me know down in the comments if there's maybe other services
that let you submit to it that I didn't mention, that it would be good. Or you can let me
know if you did this and it worked out. And if you want to subscribe, I try to make
videos about twice a week, Wednesday and Saturday, so it should be worth it. If you want to keep
watching, the next video I'd recommend is one where I was talking about some new scams this
year. So I'll put that link right here if you want to click on it. So thanks so much for
watching and I'll see you in the next one.
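
Added example, not part of the video: the site-age check from "Pro Tip: Site Age" and the registrar abuse email from "Contact the Registrar", done over a registration record in the RDAP JSON format (RFC 9083). The sample record, the domain, the registrar, the 30-day threshold and all function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style record (RFC 9083 field names); not real data.
SAMPLE_RDAP = json.loads("""
{"ldhName": "vote-tournament.example",
 "events": [
   {"eventAction": "registration", "eventDate": "2024-03-01T09:15:00Z"},
   {"eventAction": "expiration", "eventDate": "2025-03-01T09:15:00Z"}],
 "entities": [
   {"roles": ["registrar"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
    "entities": [
      {"roles": ["abuse"],
       "vcardArray": ["vcard", [["email", {}, "text", "abuse@registrar.example"]]]}]}]}
""")

def vcard_field(entity, name):
    """Return the first jCard property value with the given name, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def domain_age_days(rdap, now):
    """Days since the 'registration' event, or None if the record has none."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            created = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (now - created).days
    return None

def registrar_abuse_contact(rdap):
    """Return (registrar name, abuse email); either may be None."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for sub in ent.get("entities", []):
                if "abuse" in sub.get("roles", []):
                    return vcard_field(ent, "fn"), vcard_field(sub, "email")
            return vcard_field(ent, "fn"), None
    return None, None

def defang(url):
    """Write the URL so it is not a clickable link and is less likely to trip mail filters."""
    if url.lower().startswith("http"):
        url = "hxxp" + url[4:]
    return url.replace(".", "[.]")

def build_report(rdap, url, note, now, new_domain_days=30):
    """Assemble an abuse report; new_domain_days is an assumed threshold."""
    age = domain_age_days(rdap, now)
    registrar, abuse = registrar_abuse_contact(rdap)
    return {
        "to": abuse,
        "registrar": registrar,
        "age_days": age,
        "newly_registered": age is not None and age <= new_domain_days,
        "body": f"Reporting {defang(url)} (registered {age} days ago). {note}",
    }

if __name__ == "__main__":
    now = datetime(2024, 3, 11, 9, 15, tzinfo=timezone.utc)  # fixed date for the demo
    note = "It is a Steam phishing site with a fake Steam login window."
    print(build_report(SAMPLE_RDAP, "https://vote-tournament.example/", note, now))
```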