Where to report malicious URLs, phishing, and malicious web sites?

If you want to do a good turn, you can report the malicious site to several centralized sources. There are some companies that maintain centralized lists of malicious web sites, and you can report the web sites to those companies. Here are some places you can report phishing sites:

  • Report a phishing site to Google
  • Report a phishing site to Symantec
  • Report a phishing site to PhishTank (previously existing account required)
  • Report a phishing email to Anti Phishing Working Group (via [email protected])
  • Report a phishing site to the US Government (US-CERT) (via [email protected])

And some places you can report bad/malicious sites in general:

  • Report a malicious site to Google [*]
  • Report a phishing or malware site to Spam404
  • Report a phishing or malware site to Microsoft (account required)

Reporting the site to these lists helps other users. Many modern browsers will query one of the lists maintained by these companies, and warn other users who try to visit that site.

Here is a good list of places to report to: https://decentsecurity.com/#/malware-web-and-phishing-investigation/

Notifying the owners of the website is a bit harder. Here are some options:

  • You can poke around the website to see if it lists any information about how to notify the owners about security problems.
  • Sometimes email to [email protected], [email protected], [email protected], or [email protected] will reach a system administrator (replace example.org with the domain of the malicious site). You could try emailing all of those addresses.
  • You could use WHOIS to look for contact information for the site owners. See, this example. You can use abuse.net to simplify the process of contacting the site owners: you'll have to register, but once you register, email to [email protected] is forwarded to the site owners of example.com.

Related:

  • What are common/official methods of reporting spam/phishing/nasty-grams to organizations?
  • Unknown malware, how to report it and whom to report it to?
  • What is a good method to report security breaches that are being used to actively spam?

Footnote: Thanks to Zoredache for the sites listed with a *!


That site is registered through a GoDaddy subsidiary - contact GoDaddy Abuse for starters:

https://supportcenter.godaddy.com/Abuse/SpamReport.aspx