Editor's Note: This post was co-authored with Ray Bejjani, the CloudFlare engineer who led this project.
As the internet has grown, phishing attacks have continued to be a problem. While better awareness of and focus on security has helped reduce their number, RSA and other services tracking phishing still show that somewhere between 20,000 and 30,000 phishing attacks occur every month. In the past, criminals launched most of these phishing attacks through email, but they have now switched to hacking legitimate sites to better hide their tracks and dupe more unsuspecting consumers into unknowingly divulging their personal information to fraudsters. This is a difficult problem for less technical users who wish to participate in and contribute to the World Wide Web.
Given our position in the internet ecosystem, we often receive phishing reports via our abuse channel. Previously, this meant a manual process to notify the appropriate parties, especially the site owner. We felt we could serve our customers better, and their customers in turn, with a solution unique to CloudFlare. When we have identified a URL that is hosting phishing content, we notify the owner and provide them with summary information and notifications when they log in. We also begin serving a warning page in place of the bad URL. This page can be bypassed by the visitor at their preference.
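The URL-level block and visitor bypass described above, as an added illustration that is not CloudFlare's own code: a reported-URL matcher and interstitial decision function. The reported URLs, the rule that a reported directory (trailing slash) covers everything beneath it, and the `acknowledged` set standing in for a bypass cookie are all constructed assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: URLs reported as phishing on a hypothetical customer's zone.
REPORTED_PHISHING_URLS = [
    "http://example.com/wp-content/uploads/login/",
    "https://Example.com/images/secure-bank/index.php?step=1",
]


def matches(request_url: str, reported_url: str) -> bool:
    """True if the request hits a reported URL (scheme-insensitive, host case-insensitive).
    A reported path ending in '/' is treated as a directory and covers its subpaths
    (assumption: phishing kits usually live in an uploaded directory); otherwise the
    path must match exactly. A reported query string must match exactly; fragments
    never reach the server, so urlsplit keeps them out of the comparison."""
    req, rep = urlsplit(request_url), urlsplit(reported_url)
    if req.netloc.lower() != rep.netloc.lower():
        return False
    req_path, rep_path = req.path or "/", rep.path or "/"
    if rep_path.endswith("/"):
        if not req_path.startswith(rep_path):
            return False
    elif req_path != rep_path:
        return False
    return not rep.query or req.query == rep.query


def decide(request_url: str, acknowledged=frozenset(), reported=REPORTED_PHISHING_URLS):
    """Return ('warn', reported_url) when the request hits a reported page the visitor
    has not clicked through, else ('pass', matched_or_None). `acknowledged` models the
    visitor's bypass choice (e.g. a cookie listing reported URLs they chose to continue to)."""
    for rep in reported:
        if matches(request_url, rep):
            return ("pass", rep) if rep in acknowledged else ("warn", rep)
    return ("pass", None)


def warning_page(request_url: str, reported_url: str) -> str:
    """Interstitial served instead of the reported page. Both URLs are attacker-influenced
    (the phisher chose the path), so they are HTML-escaped before being echoed."""
    return (
        "<h1>Warning: suspected phishing page</h1>"
        f"<p>{html.escape(request_url)} has been reported as phishing.</p>"
        '<form method="post"><button name="ack" '
        f'value="{html.escape(reported_url)}">Continue at your own risk</button></form>'
    )
```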
Why did CloudFlare create this new anti-phishing process?
- Our mission is to help make the web faster and safer.
- We can block phishing pages as soon as they are reported to us. This provides the following benefits to sites using CloudFlare:
- Stops site visitors from potentially falling victim to identity theft
- Stops site owners from being penalized for unknowingly hosting phishing content. Many search engines will blocklist your site if you're hosting malicious content, which only compounds the issue for site owners that don't know that they have been compromised
- We can quickly notify site owners about the issue on their site so they can clean up the malicious files.
How do I protect my site from future hacks and phishing attempts?
If you're interested in protecting your site, whether you have been hacked or not, you can take the following steps that can secure your site:
- Use SSL on your site to encrypt information between your site and your server.
- In addition to the layer of security CloudFlare already provides to your site, CloudFlare has partnered with a number of app providers that can help further protect site owners from malicious intrusions and provide additional site monitoring.
- Always update your site's CMS platform, plugins and server software. If you have a notification from your provider that a software update is available, that update was probably released to fix known exploits that have shown up since the last release of the plugin or platform. Since applying these updates often takes only a few minutes, you can save yourself from a potential world of hurt by doing it "now" instead of "later".
What should I do if CloudFlare has notified me of phishing pages on my site?
CloudFlare will send you an email advising you as to what pages on your site are phishing content. You will also see a message on your 'My Websites' page when a domain has pages blocked for a phishing report, with a link to take you to more information about the report.
Steps you should take if you receive an email from us or see a message on your dashboard:
- If you are an experienced web administrator, chances are you already know how to remove the page(s) from your site. Remove the pages in question and then request a review that will be processed by the abuse team.
- If you are not an experienced web administrator, we would recommend that you contact your hosting provider for assistance in removing the pages. You should then request the review so we can confirm the phishing pages have been removed.
Where should I report a site on CloudFlare that has a phishing page?
If you see a site on the CloudFlare network that has a phishing page, please report the site to us via our abuse form.
Please be sure to include the following in the report:
- The domain in question
- The actual page on which the phishing content is located