One of the greatest challenges for any cybersecurity professional is keeping up with the constantly-evolving threats that emerge on a daily basis. The standard operating procedure for most infosec teams is to develop a “security mesh” of overlapping defenses, typically anchored around detection and response tools that identify malicious activity in the environment and alert on these threats. These solutions tend to take a reactive approach that often leaves the organization in question vulnerable to net new (novel) attacks.

Many cybersecurity professionals have started taking more proactive approaches to security, leveraging methods that disrupt and neutralize threats before they take action. By bolstering defenses with tools powered by the advanced adoption of modern technologies that harness the power of Large Language Models (LLMs), such as machine learning and artificial intelligence, security teams are able to anticipate and disrupt novel methods introduced in these attacks.

One such method of disrupting the adversary’s domain-based presence is through the practice of executing domain takedowns. Domain takedowns are not a new concept, and some may question whether they are even relevant or effective in 2024. 

In short, domain takedowns are not a thing of the past. In this article, we will explore how domain takedowns can augment a broader proactive cybersecurity posture and improve the effectiveness of an organization’s security strategy (a.k.a., why domain takedowns are not dead!).

 

Why are Domain Takedowns Necessary?

Before addressing the question of whether domain takedowns are dead, let’s first discuss what a domain takedown actually involves and why domain takedowns still have a place in an organization’s cybersecurity strategy.

According to the WordPress resource Colorlib, around 628.5 million websites registered at the original publication of this article, and this number is expected to grow rapidly year over year. In the last quarter of 2023 alone, APWG reported that over one million unique phishing websites were detected. While every industry is impacted by these fraudulent sites, there was an explosion of phishing sites targeting users of popular social media brands in late 2023. During that quarter, fraudulent social media phishing sites accounted for 43% of malicious domains, followed by software-as-a-service (SAAS) companies (15%) and financial institutions (14%). That’s 72% of all phishing domains!

Because these domains are relatively easy for cyber criminals to create and they enjoy a high success rate if allowed to operate, phishing websites remain popular with cybercriminals. The brands fluctuate, but the methods are largely the same: doppelgänger domain impersonation, typosquatting, homographs, top level domain misuse, or any of these in combination. 

 

A Malicious Domain Takedown Scenario

It all starts with a malicious actor hosting a replica of an organization’s website with a deceptively similar domain name. This site is reaching out to that organization’s customers, asking them to take some type of action, like downloading a (fraudulent) application through a third-party link, or trying to force a pending payment to collect financial data. Domains like this are purpose-built to deceive and defraud at scale, resulting in harm to the business, its brand reputation, and its customers.

The term “takedown” refers to the process of removing websites that engage in brand infringement or malicious activities, like the one described above, by officially issuing a notice to their hosting providers and registrars. All websites are recognized by domain records such as registrar details, mail records, and hosting data – all important details when providing relevant proof of misuse. 

To disrupt its malicious operations, a complaint needs to be made to the hosting providers and registrars of the website. This is usually done by addressing the issue with the registrars via a detailed “abuse” email or filling a form. Once the proof of fraudulent activity is submitted, the DNS registry acts upon it and gives a status code to these domains that indicates whether the takedown is successful or not. In most cases, the fraudulent website is eventually taken down. However, the response rate and turnaround time of a takedown can vary and it’s important to recognize that this happens on a massive scale, not in ones and twos. 

Since new fraudulent sites appear so quickly, and they are just a fraction of the new websites registered, a security team must have both a working knowledge and a process in place for quickly and accurately detecting phishing websites at scale. 

 

What Triggers a Domain Takedown?

Now that we have defined how malicious domains operate, and how takedowns work at a high level to combat online fraud, let’s drill into how a takedown is typically triggered. 

Assume an imaginary website, “malicious.xyz”, is registered and has been identified by an organization’s in-house cybersecurity team as being malicious. This website has to meet certain criteria that can provide substantial proof that the site is, indeed, malicious to activate the takedown. 

There is a long list of possible criteria a team might consider to quantify the severity level of a specific malicious domain in order to prioritize the site for neutralization. Here are a few examples of common criteria:

1. The identified website has active malicious content present and is an accurate replica of the original website. 
2. Customers and users have identified the website and are discussing the related scam. The discussions also include victims detailing subsequent operations of the scam and the individuals or group behind it.  
3. The website enables payment or harvests PII (Personally Identifiable Information) such as name, email address, social security numbers, and date of birth that further propagates into social engineering campaigns. 
4. The registrant details do not match the details of the original website’s owner. 
5. The malicious domain has some unidentifiable characters that are not likely to appear on a legitimate website. Small errors such as spelling, punctuation, and different fonts within the subdomains are common red flags to look out for. 
6. While the main domain is an active replica, the subdomain contains irrelevant pages. 
7. The website was recently registered, while the original company has had an online presence for much longer. Additionally, the website’s DNS and SSL certificates are set to expire in the shortest amount of time possible or it defaults to one year. This serves as a strong indicator that the domain will stop its usage once its phishing campaign is completed and will likely move to the next domain. 

Based on the criteria mentioned above, a security analyst can issue an email elaborating on the malicious intent of this newly registered domain, such as brand infringement, financial fraud, or phishing for the masses. 

Ideally, a takedown is most effective when there are serverHold and/or clientHold status codes (these codes deactivate the domain and the page will fail to load) set on malicious websites that have been recently registered, but have not gone live to execute its campaign. Once a website is registered, it typically takes up to 24-72 hours to go live. This is the ‘golden’ time frame to identify and disrupt the campaign, preventing the potentially catastrophic impact caused by the domain. 

 

The Challenges of Executing Efficient Domain Takedowns 

While takedowns for adversarial infrastructure disruption are not dead, there are certain factors that can stall their efficiency.  

Among the most prevalent obstacles to effective domain takedowns are “bulletproof” hosting providers. These providers enable the hosting of malicious content and have lenient restrictions. Takedown requests submitted to these providers are deflected, much like a bulletproof shield deflects a bullet, hence the name. Many of these hosting providers are based in countries where standard rules and regulations don’t apply, and provide them a certain degree of anonymity, as well. As a result, all the actions taken towards takedown are not “received” for various reasons, enabling threat actors to exponentially populate the internet with their fraudulent campaigns. 

Various registrars and hosting providers can be non-compliant regarding takedowns simply because there is a lack of sufficient evidence from the complainant’s side. A website whose content is not yet live has to be dealt with carefully since there is no tangible proof of misuse. However, by tracking the registrant’s details (if available) and matching them with the details of newly registered domains, there is some hope of overcoming this obstacle. Takedown teams also face a significant lag in receiving a response once a complaint has been raised. 

 

Making Takedowns a Defensive Shield Against Cybercrime 

With the clear understanding of the critical role takedowns play in adversarial disruption, there’s no doubt that takedowns remain a critical weapon in a security team’s arsenal! Analysts on both individual and organizational levels can perform a takedown, depending on the scope and likelihood of exploitation for a domain. 

However, at their core, takedowns are a group effort. Takedowns can’t eliminate cybercrime entirely, but by encouraging collaborative efforts between hosting providers, registrars, law enforcement agencies, and analysts, the reach of criminal operations can be greatly reduced. As more and more organizations adopt malicious domain takedowns as a crucial component of their cyber defense strategy, they drive other legitimate businesses to reevaluate their own security posture and report abuses, which is better for everyone. 

By imparting the right training and awareness regarding takedowns, adversarial disruptions can see a significant rise. Furthermore, by creating an efficient and strategic takedown process, a malicious domain can be removed before it has time to deliver a devastating impact. 

 

AI and the Future of Takedowns (a.k.a., Takedowns are not Dead!)

Considering the impact artificial intelligence (AI) seems to be making in the revolutionization of the cybersecurity industry, the effect on takedowns for adversary disruption is no different. Companies that leverage AI as part of delivering holistic takedown services can do so by providing comprehensive coverage of every possible combination of your domain, and then quickly learning and adapting to make fraudulent attempts easier to catch. At the same time, a comprehensive platform can ensure that the accuracy level of alerts is high, while maintaining a low false positive rate. In this, AI can act as a powerful extension of one’s security team. 

With artificial intelligence, analysts can experience the “predictive” element of cybersecurity. AI aids in automation, prioritization, and, most importantly, threat analysis by introducing the concept of fuzzy logic. The nexus of takedowns and AI can greatly benefit organizations that are actively pursuing fraud and phishing investigations. It’s no wonder that malicious threat actors are also leveraging this technology to evade detection. We can beat them at their own game!

So, are domain takedowns really dead? In fact, for organizations seeking to minimize the financial and reputational risk associated with cybercrime, domain takedowns remain critical for effective cyber programs. Additionally, if one considers the statistics around the potential AI shows for extending takedown capabilities, the answer is a resounding “NO”! 

The process of identifying a malicious domain and taking it down remains an essential action that organizations should deploy to eliminate surface-based web threats. With the exponential daily growth of new domain registrations, not to mention future ones, organizations without robust cyber defenses to handle these threats remain at constant risk of frequent adversarial attacks. 

With the technological advancements around artificial intelligence, an organization with prepared data that assesses and prioritizes action based on risk scores and is able to predict patterns that help identify phishing trends can finally start to turn the tide on these types of attacks – by shifting from a reactive approach to a proactive one.