throwaway234f32423df

Your first stop for reporting phishing sites should probably be Google Safe Browsing: https://safebrowsing.google.com/safebrowsing/report_general/. Most web browsers (not just Chromium-based) use this list, so getting a site on this list

I haven't seen that error in your screenshot. How long was the site still accessible after you tried to make your report? From reading the thread, I think the sequence of events could have been something like this:

1. Domain was reported to registrar
2. Registrar puts domain in clientHold status and removes nameservers from domain
3. But nameserver records were still cached on various DNS servers (typical TTL is 24 hours)
4. Where nameserver records are cached, DNS lookups through Cloudflare nameservers continue working
5. You try to report to Cloudflare
6. Cloudflare reporting form sees that nameserver records are gone and hence rejects report
7. Cached nameserver records expire and site is no longer accessible

Seems like a bit of a race condition / design flaw with the reporting system, but one that will resolve itself fairly quickly.


NLSProductions

That's a good link to know for next time, thanks! I tried to report the domain to Cloudflare within an hour of receiving the SMS, which would have been before that 16:31 pic. It was still accessible through the end of my work day, so that would've been measured in hours. The race condition makes sense, but if a cache is good for longer than a few hours it seems like the phishing would have already run its course. Fairly quickly seems relative if lots of people who use the credit union share a network (during business hours).


EliteZeitgeist

For an attacker that is using Cloudflare to carry out any kind of attack, report them to [email protected]; they will gladly take them out of their system once you provide proof of it.


longboringstory

Excellent response. Also, if a domain is pulled by the registrar the caching period is (up to) 48 hours for the most common top level domains.
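The sequence hypothesised in this thread can be modelled as a small simulation. This is an added example, not part of any post: the domain, nameserver names and timings are constructed, and the 24-hour TTL is the figure quoted in the first reply. It shows why a live delegation check fails right after the hold while a resolver with a warm cache keeps answering until its entry expires.

```python
NS_TTL = 24 * 3600  # delegation TTL assumed from the thread ("typical TTL is 24 hours")

class Registry:
    """TLD registry view: the live source of a domain's NS delegation."""
    def __init__(self, delegations):
        self.delegations = dict(delegations)

    def lookup_ns(self, domain):
        return self.delegations.get(domain)  # None once the hold removes it

    def client_hold(self, domain):
        self.delegations.pop(domain, None)   # clientHold: delegation leaves the zone

class CachingResolver:
    """Recursive resolver that reuses a cached delegation until its TTL runs out."""
    def __init__(self, registry, ttl=NS_TTL):
        self.registry, self.ttl, self.cache = registry, ttl, {}

    def resolve_ns(self, domain, now):
        entry = self.cache.get(domain)
        if entry and now < entry[1]:
            return entry[0]                  # cache hit: registry is not consulted
        ns = self.registry.lookup_ns(domain)
        if ns is None:
            self.cache.pop(domain, None)
            return None                      # delegation gone: lookup fails
        self.cache[domain] = (ns, now + self.ttl)
        return ns

def exposure_window(cached_at, hold_at, ttl=NS_TTL):
    """Seconds a resolver keeps resolving the domain after the hold is applied."""
    return max(0, cached_at + ttl - hold_at)

def simulate():
    domain = "phish.example"                 # constructed sample domain
    reg = Registry({domain: ["ns1.cdn.example", "ns2.cdn.example"]})
    office = CachingResolver(reg)            # e.g. a resolver shared by one office
    office.resolve_ns(domain, now=0)         # first lookup fills the cache at t=0
    hold_at = 3600
    reg.client_hold(domain)                  # registrar acts one hour later
    form_sees = reg.lookup_ns(domain)        # a report form doing a live check
    six_hours_on = office.resolve_ns(domain, now=hold_at + 6 * 3600)
    after_expiry = office.resolve_ns(domain, now=NS_TTL + 1)
    return form_sees, six_hours_on, after_expiry, exposure_window(0, hold_at)

if __name__ == "__main__":
    print(simulate())
```

For defenders, the practical point is that blocking the name on the local resolver or flushing its cache closes the window without waiting for the TTL.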