Few things are more frustrating in cybersecurity than a domain registrar ignoring a clear case of DNS abuse. Whether it’s a phishing site or a malicious domain distributing malware, every day that these threats remain active increases the risk to the public and the targeted brand. When a registrar fails to act, knowing the right steps to escalate the issue can make all the difference.
Did You Provide Sufficient Evidence for a Phishing Site Takedown?
Not all registrars handle abuse reports the same way. Some strictly follow the DNS Abuse Framework, while others assess cases on a discretionary basis. Regardless of their approach, submitting well-documented evidence is key to securing a swift phishing site takedown. Ensure that your report clearly demonstrates how the abuse violates the Registrar Accreditation Agreement (RAA) or other applicable policies. Providing screenshots, WHOIS data, timestamps, and technical details can help strengthen your case and leave little room for inaction. We have listed the evidence requirements here.
Can a Registry Help If the Registrar Fails to Act?
Yes. If the registrar fails to act, you can escalate the case to the registry. Many registries have their own abuse policies and can intervene if a registrar ignores clear DNS abuse.
Registries like Public Interest Registry (PIR), which manages .ORG, provide dedicated abuse reporting systems, allowing cybersecurity professionals and the public to escalate complaints directly. This enables swift intervention, including domain suspensions for phishing, malware distribution, and other forms of DNS abuse.
Additionally, PIR incentivizes registrars to act on abuse complaints by incorporating response times and abuse mitigation efforts into its Quality Performance Index (QPI)—a program that rewards registrars with commercial benefits for maintaining a safer domain space. These measures demonstrate how some registries take an active role in phishing site takedowns, ensuring that abusive domains don’t remain operational due to registrar inaction.
Does Submitting a Complaint to ICANN Help?
It’s a common misconception that escalating a complaint to ICANN will lead to the suspension of an infringing domain name. In reality, ICANN does not have the authority to take down or suspend domain names directly.
ICANN’s role is to oversee the contractual compliance of registrars and registries, ensuring they adhere to the Registrar Accreditation Agreement (RAA) and other policies. If a registrar fails to comply—such as by ignoring legitimate abuse complaints—ICANN can investigate and take action. This may include issuing warnings, requiring corrective measures, or, in extreme cases, revoking the registrar’s accreditation for repeated violations.
However, ICANN does not intervene in individual phishing site takedowns. While submitting complaints may not resolve a specific infringement, a high volume of reports can pressure ICANN to take enforcement actions that improve compliance, potentially increasing the likelihood of future complaints being addressed.
Submitting a Complaint via the Hosting Provider
If a registrar fails to act on an abuse complaint, you can also contact the domain’s hosting provider. Hosting companies often have policies on malicious content, such as phishing, malware, or copyright infringement. To strengthen your complaint, provide clear evidence such as URLs, screenshots, and details on how the content violates the host’s Terms of Service. Many hosting providers have dedicated abuse reporting channels, and in cases where the content is egregious, they may suspend or remove the site entirely.
If the website is using a Content Delivery Network (CDN) such as Cloudflare, the actual hosting provider will be masked. So you will need to submit an abuse report to Cloudflare via their Abuse form that can lead to them disclosing the real hosting provider or taking action themselves if the site violates their policies. Additionally, tools like Crimeflare and other passive DNS lookup services can help uncover the origin server, allowing you to escalate the complaint directly to the true host.
Alternative Disruptive Techniques for Phishing Site Takedowns
If direct takedown efforts fail, there are several ways to disrupt an infringing website’s reach and effectiveness. Submitting a complaint to Google Safe Browsing, Microsoft SmartScreen, and other browser security lists can flag the site as dangerous, displaying warnings to potential visitors. Getting the website delisted from search engines by reporting the abuse to Google, Bing, and other search providers can drastically reduce traffic. Additionally, reporting the domain to Spamhaus, PhishTank, OpenPhish, and other threat intelligence feeds can lead to broader network-level blocking, impacting email providers, security tools, and corporate firewalls. Payment processors and ad networks can also be targeted for disruption, cutting off revenue streams for scammers and cybercriminals.
These multi-layered phishing site takedown tactics can significantly limit the impact of a malicious site, even if direct removal proves difficult.
Remove Phishing Content Quickly and Effortlessly with Unphish
Sign up for early access to Unphish Beta and experience best in class takedown service
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
