How to do a phishing takedown on Amazon AWS Hosting?

Hosting Providers
, , ,
1

How to do a takedown on the malicious URL(s)/IP Address hosted on Amazon AWS Infrastructure? A threat actor is targeting our brand and is hosting the phishing pages on AWS.

2

Hi pi12309,

Thank you for submitting the question. Please follow these steps to initiate a takedown on Amazon AWS.

Option 1: Send a Takedown request using email

  1. Please use any Whois tool to find the hosting provider of any URL, you can use (Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6) and in the Network Records, you can confirm the hosting provider name and the abuse contact as well. (where you can send the report for takedown).

  2. Now we will prepare our report template, you can find an example template that you can use to report the site on AmazonAWS.

:::Template:::

Subject: 

“BRAND Phish hosted on your infrastructure.”

Body: 

Hello,

The reported URL(s) are fraudulent and are impersonating the official site (your website) and misleading the users to believe it’s a legit site of ours and the attacker captures the login credentials.

Official website: https://www.YOURWEBSITE.com/ 

Phishing URL(s): http://abcd.xyz123.com/

IP Address: 123.123.123.123 

Please remove the abusive content that is hosted on the Amazon AWS IP address, Please reach out to us if you have any questions. 

Thank you!

NOTE: To avoid blocking by the Email providers, we can change our reporting URL by changing some characters in the URL. Ex: “https://www.google.com” can be “hXXp//:www[.]google[.]com”.

  1. Now we have to send this email to Amazon Abuse team at ([email protected])

  2. Once our email gets delivered to the Amazon team, we will receive a general acknowledgment from Amazon with a case ID, that we can use to further discussion with the Amazon team.

Option 2: Fill their abuse form

  1. Navigate to (Amazon Web Services Support)

  2. Select the option “AWS owned resources ” and select the category: “Web Content/Non-Copyright IP ” (since we are going to report phishing site)

image

  1. Now we will select “phishing website ” under the Type of abuse dropdown.

  2. Please add the phishing URL in the field “URL of abusive content”.

  3. Add the same template we discussed above which has all the details of the malicious URL.

image
image581Ă—822 25.1 KB

  1. Now we have to provide all our contact details so the Amazon AWS team can reach out to you to provide updates on the report.

image
image719Ă—903 24.4 KB

  1. Now we just need to click on the “Submit Form ” button and it’s done!

Please be aware of:

  • Please allow 72 business working hours before reaching out to the AmazonAWS team to ask update on the takedown report.
  • Make sure to reply to the same ticket you’ve received in the email. (so it has the same chain and ticket number)
  • Please do not submit duplicate tickets for the same URL, it will delay the takedown time.
4 Likes
Welcome to Checkphish! :wave: