
Takedown: removing malicious content to protect your brand

How to protect your brand from being exploited online.

As a brand owner, whether for a small business or a large multinational organisation, you will want to do as much as possible to protect it. In this post, we introduce some methods you can use to protect your online brand, and by extension, your customers or users.

What is the risk?

If you own or manage a brand there is a risk that your brand could be exploited online. This can include false representations of your products or services, fake endorsements, and using your brand in phishing or malware to make fake campaigns look (and sound) credible.

The better-known your brand is, the more likely someone will try to exploit it. This misuse can appear across many platforms including online adverts, social media accounts, email, SMS and phone calls.

What is “takedown”?

In this context, takedown is the removal of malicious content such as phishing sites. This is achieved by issuing a notification to the hoster of the malicious content, or in the case of a phishing domain (that is, where a registered domain has been set up to enable fraud), contacting a domain registrar to request its suspension.

If the request for removal is accepted, the recipient will remove the content from the internet. In the majority of cases, a takedown notification does not rely on legal compulsion, as it merely flags pertinent information or provides evidence of an issue that may breach the terms and conditions of the hosting platform.

What can you do right now?

Anyone can contact hosting companies and domain registrars if their services are being abused, requesting that the service be withdrawn by removing either the domain name or the web hosting service.

All reputable registrars and hosting companies have terms and conditions that forbid sending phishing emails or distributing malware. If you can prove that one of their customers has done this, then the hosting company/registrar will remove the service. In some cases, they may need to check if the website that’s in breach of conditions was itself hacked, for example to deliver the malware.

If you want to contact a hosting company or domain registrar, you should:

  1. Identify the domain name registrar for the domain. Use the search term ‘online whois’ to find tools that can help with this.
  2. Once you have identified the registrar for the domain, search for the name of the registrar and the word ‘abuse’ to find out how to report abuse.
  3. Identify the IP address of the website or service. Use the search term ‘website to ip’ to find tools that can help with this.
  4. Use the search term ‘ip whois online’ and use a tool to identify who owns the IP address that is being exploited.
  5. Either use the abuse contact information in the data returned in step 4, or search for the IP owner organisation and the word ‘abuse’.
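The lookups in steps 1 to 5 return plain-text WHOIS records, and the abuse address is usually carried in one of a few well-known fields. The following is an added example, not part of the original post: it pulls the owner name and abuse address out of a domain WHOIS reply and an IP WHOIS reply. Both sample records are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a domain WHOIS reply (step 1); all values are placeholders.
DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-BRAND-LOGIN.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
"""

# Constructed sample of an IP WHOIS reply (step 4); 203.0.113.0/24 is a documentation range.
IP_WHOIS = """\
% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@hosting.example'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
org-name:       Example Hosting Ltd
abuse-mailbox:  abuse@hosting.example
"""

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
# Field labels that commonly carry an abuse address in WHOIS replies.
ABUSE_FIELD = re.compile(
    r"^\s*(?:Registrar Abuse Contact Email|OrgAbuseEmail|abuse-mailbox)\s*:\s*("
    + EMAIL + r")\s*$", re.IGNORECASE | re.MULTILINE)
ABUSE_COMMENT = re.compile(
    r"^%\s*Abuse contact for .* is '(" + EMAIL + r")'", re.IGNORECASE | re.MULTILINE)
OWNER_FIELD = re.compile(
    r"^\s*(?:Registrar|OrgName|org-name)\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def abuse_contacts(whois_text):
    """Return (owner, sorted unique abuse addresses) found in a WHOIS reply."""
    owner = OWNER_FIELD.search(whois_text)
    found = ABUSE_FIELD.findall(whois_text) + ABUSE_COMMENT.findall(whois_text)
    addresses = sorted({a.lower() for a in found})
    return (owner.group(1) if owner else None, addresses)

def report_targets(domain_whois, ip_whois):
    """Both parties to notify: the registrar (steps 1-2) and the IP owner (steps 3-5)."""
    return {"registrar": abuse_contacts(domain_whois),
            "hosting": abuse_contacts(ip_whois)}
```

An empty address list with a known owner is the case where steps 2 and 5 apply: search for the owner's name together with the word ‘abuse’.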

In order to support your case you should ensure that you have evidence such as:

  • phishing forms: a screenshot which shows the content and the full location (URL) of the page, along with a record of when you took the screenshot
  • phishing emails purporting to be from you or representing your brand: ensure you keep a complete copy of each email, including all email headers, which will show originating IP addresses
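To show why the complete headers matter, the following added example (not part of the original post) reads the `Received` headers of a saved email and lists the relay IP addresses, oldest hop first, alongside a SHA-256 of the untouched message for the report. The sample message is constructed, the function names are hypothetical, and hashing the message is an assumption of this example rather than a step the post prescribes.

```python
import email
import hashlib
import ipaddress
import re

# Constructed sample message; addresses use documentation ranges and .example names.
RAW = (
    "Received: from mx.brand.example (mx.brand.example [192.0.2.10])\n"
    "\tby inbox.brand.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000\n"
    "Received: from mail.sender.example (unknown [203.0.113.45])\n"
    "\tby mx.brand.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.sender.example; Tue, 02 Jan 2024 10:00:01 +0000\n"
    "From: \"Brand Support\" <support@brand.example>\n"
    "Subject: Verify your account\n"
    "\n"
    "Constructed body.\n"
)

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
# Loopback and RFC 1918 ranges say nothing about who hosted the sender.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_hops(raw):
    """Return the bracketed IPs from Received headers, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the last one in the file is the oldest.
    for header in reversed(msg.get_all("Received", [])):
        for candidate in IP_IN_BRACKETS.findall(str(header)):
            try:
                hops.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # bracketed text that is not an IP address
    return hops

def evidence_summary(raw):
    """Non-internal relay IPs plus a SHA-256 of the unmodified message."""
    external = [str(ip) for ip in received_hops(raw)
                if not ip.is_loopback and not any(ip in net for net in INTERNAL)]
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    return {"external_ips": external, "sha256": digest}
```

Only the hop recorded by your own mail server (here `203.0.113.45`, logged by `mx.brand.example`) is reliable; earlier `Received` lines are supplied by the sender and can be forged.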

Takedown requests could take anything from hours to days, or even weeks. Some less reputable suppliers may simply ignore requests.

Using a takedown provider

Alternatively, you can use a takedown provider who has experience dealing with hosters/registrars and carries out many of the above services on your behalf. When choosing a provider, there are several factors to take into consideration to ensure you receive the service that is right for you. Price should not be the only deciding factor. You should also consider:

  • How do they manage takedown requests?
  • Do they have established relationships with hosting providers and registrars around the world?
  • Do they have a track record? Have they published any customer testimonials?
  • How do they discover attacks (other than ones reported by you the brand owner)? This helps to understand how they are monitoring online platforms to look for examples of abuse proactively instead of responding reactively.
  • How easy is it to report attacks to them? Where do they look? What sources of data do they use?
  • How quickly do they process a reported attack, validate it and send notifications?
  • What outcomes can you expect from them? What are the average or median times for takedown with their service? Can the service scale if required?
  • Is it possible to review statistics and outcomes relating to the takedowns?
  • What is their specialisation? For example, some providers may specialise in social media, advertising analysis, phishing, or malware. Or do they claim to do all of it?
  • Beyond the scope of content removal, what other mitigations do they offer? Blocking or other additional countermeasures?
  • Many takedown notifications are not legally compelling. Does the provider provide legal compulsion in any of their takedown categories, if required?
  • Do you need a more robust legal response? Does your takedown provider provide notifications with legal compulsion?
