Original Article: https://decentsecurity.com/#/malware-web-and-phishing-investigation/

Easily Report Phishing and Malware

This is how you can strike back at criminals sending phishing spam - by getting their webpages on blacklists. Blocking their sites helps protect other people and helps researchers trying to stop this. Sites can be blocked within 15 minutes of your report, but you may not immediately see it.

Some phishing pages might also use 0-days exploit to target researchers or increase effectiveness. Maximum precaution should be observed - dedicated analysis machines in a secure environment is necessary.

Preparation

1. Create an analyst lab (VM Firewall > Observation VM).
2. Firewall VM: Create rules, dedicated VLAN to harden and isolate connections from your real network.
3. Internet <> Firewall VM + VPN < Host to Host Adapter > Observation VM.
4. Observation VM: Apply hardening, updates, tools, bookmarks and applications.
5. Create a snapshot.
6. After each analysis, restore to original snapshot.

Report phishing website:

Right-click the link in the phishing email, and copy the hyperlink. Do not click the link, which is less useful to security companies.

Evaluation stage

1. MXToolbox Header Analyzer - Email headers can provide valuable diagnostic information like hop delays, anti-spam results and more.
2. urlscan.io - Quickly get a screenshot and redirects (run by @heipi)
3. CheckPhish.ai - Phishing detection engine (run by RedMarlin)
4. phishcheck.me - Custom phishing detection engine
5. VirusTotal - Checks against multiple blacklists
6. any.run: Remotely download and interactively sandbox analyze arbitrary file downloads (run by @anyrun_app)
7. DomainTools - Registration information
8. MXToolbox - SMTP/IP blacklist check
9. Maltiverse - IOC search
10. URLVoid - URL reputation
11. WhereGoes - Redirect tracker
12. WannaBrowser - User agent spoofer
13. Site-Shot - Screenshot a website
14. Browserling - Cross browser testing

Virtual Systems Online

1. APKOnline
2. OnWorks
3. BrowserStack

Reporting stage

Phish.Report - Phish Report monitors the status of phishing sites giving you to the minute info about when the site first became active, how quickly you detected it, what actions were taken, when the attack became inactive.

1. Google - Block in Chrome, Firefox, Android, iPhone, Google, and more
2. Microsoft - Block in Edge, Office 365, and Internet Explorer
3. NetCraft - Send to computer security companies
4. Symantec - Submit to Norton
5. Blue Coat - Symantec has not yet integrated with Norton submission
6. McAfee - Select real-time, click Check, and click Submit at the bottom
7. Websense/Forcepoint
8. Webroot BrightCloud - Provides data to PaloAlto firewalls, many others.
9. Cisco PhishTank - Wide distribution, but requires registration.
10. Kaspersky
11. CIRCL - Shares with European partners, lookup and click "Send report to CIRCL"

Report phishing/file hosting abuse directly:

Link shorteners:

• bit.ly: Report spam

• goo.gl: Report spam

• is.gd: Report spam

• x.co: Report abuse

• tiny.cc: Report abuse

• 000webhost.com: Report abuse

• Dropbox: [email protected]

• SugarSync: support [at] sugarsync.zendesk.com

• Weebly: Report spam

• Wix: Report spam

Extra-credit phishing reporting:

Via Email:

• [email protected]
• [email protected]
• [email protected]
• [email protected]

To representative organizations:

• Financial companies - FS-ISAC
• Universities - REN-ISAC

Via Twitter:
If you have a Twitter account, message these people the link (add a space somewhere so clicking it doesn't work). They are high-powered researchers with lots of connections who track down clues and shut down entire constellations of fraud. Like computer Batman.

• illegalFawn
• phishingalert

Other malware tools:

• any.run: Interactive sandbox for arbitrary files
• IRIS-H: Analyze Office, RTF, LNK
• sekoia: Broad frontend to multiple analysis tools
• quicksan.io: Analyze Office documents
• cryptam: Analyze Office documents
• PDFExaminer: Analyze PDF files

Report malware:

1. VirusTotal.com (Shares reports publicly, shares files with Premium subscribers)
2. Hybrid-Analysis.com (Shares reports and files publicly, uses Payload Security's VxStream sandbox)
3. Malwr.com (Shares reports and files publicly)
4. Microsoft (Select 'Home User')
5. Webroot (Detections and threat intelligence go to multiple other products)
6. Kaspersky
7. ClamAV (Especially for files that came through email, used in many spam filters)
8. Emsisoft

Report phishing/spam text (SMS) message:

Copy the contents of the spam SMS and paste it into a message to this four-digit number. This reports it to your phone company so they can search for who sent it and block them. Don't click the link, it could be dangerous!

7 7 2 6 ( S - P - A - M )

On iPhone: Hold your finger on the message, tap "More...", tap the Forward icon in the bottom right of the screen.

Report unsolicited calls and SMS

Use the form on SpamResponse.

Report abuse to website hosts:

Find who hosts the website with WhoIsHostingThis and search Google for "webhost + abuse" to find their complaint contact information.

Investigate IP/domains:

• Pulsedive
• Netcraft SiteReport
• ThreatMiner.org
• ThreatCrowd.org
• AlienVault OTX
• RiskIQ PassiveTotal (requires registration)
• Cisco SenderBase