To take down a malicious actor's infrastructure, report the server to its hosting provider and the domain to its registrar. If both act, the actor loses the server and the name at the same time: the phishing campaign they have already sent out stops working for every recipient, and they have to rebuild everything rather than simply point the old domain at a new server.
Contacting their hosting provider:
1. Open a sandbox (Kasm or a disposable Windows VM) and go to the phishing website. Never do this from your day-to-day machine or from a browser profile that is signed in to anything.
2. Once the page has loaded, right-click and select "Inspect".
3. Depending on the browser, a panel with many options now appears at the bottom or on the right-hand side of the screen. Select the "Network" tab.
Firefox: (screenshot)
Chromium-based browsers: (screenshot)
4. After the page has fully loaded, clear the recorded requests from the Network panel: the trash-can icon in Firefox, or the clear icon (a circle with a line through it) at the top left of the panel in Chromium-based browsers. Also enable "Persist Logs" (Firefox) or "Preserve log" (Chromium), otherwise a redirect after the form submit will wipe the list before you can read it.
5. Enter made-up credentials (never a real e-mail address or password; the page records whatever you type) and submit the login form.
6. Inspect the output of the Network tab and locate the request that carries the credentials: usually a POST whose "File" (or "Name") column says something like "collector", "GetLogin" or similar, with your fake username and password visible in its request body. Hover the "Domain" column to see where the login data is being sent: either an IP address or a hostname. If it is an IP address you are nearly done; if it is a hostname there is a little more to do.
Example of the "Domain" column showing an IP address: (screenshot)
If it is a hostname (skip this if you already have an IP address):
6A. Open a new tab in your sandbox and navigate to the page again.
6B. Right-click, choose Inspect, then open the Network tab.
6C. Clear the contents again.
6D. Refresh the page, click the request to the collector hostname, and read the "Remote Address" field in its Headers panel (both Firefox and Chromium show it); that is the IP address your request actually went to. If the address turns out to belong to a CDN or reverse proxy rather than a hosting company, report it to that provider's abuse desk anyway: they can see the origin server even though you cannot.
7. Now that we have the IP, do a WHOIS lookup on it. For example, go to https://www.whois.com/whois/ and enter the IP address, or run the whois tool from a terminal. The result shows who owns that address block, which is typically a hosting provider (Linode in my example below).
8. DDG/Google (or send a certified letter by owl) for the hosting provider's name followed by "abuse", then locate their "Report Abuse" page.
9. Fill out the form or send them an email (whichever the provider asks for) and include every detail: the phishing URL, the IP address, the credential-collection endpoint, the time you observed it, and screenshots where possible. Including the phishing URL lets them reproduce the network output themselves and verify that your report is accurate. Also tell them that you are reporting the domain to the registrar, so they know to inspect the server even after the domain is gone.
Most hosting providers take the infrastructure down within about an hour, which is great: the phishing campaign is now broken and the actor has to rebuild. The next part also breaks their domain, so they cannot simply point it at new infrastructure to keep the campaign alive.
Contacting their registrar:
1. Check whether the phishing host is a subdomain handed out by a provider such as it.com. To do this, navigate in your sandbox to the parent domain (for myphish.domain.com you would go to domain.com). Is that a company that legitimately hosts customer subdomains like myphish.domain.com, or a blank page / nothing legitimate? This matters because WHOIS is answered for the registered domain, not the subdomain, so it decides where the report goes.
2. There are now two scenarios; follow the one that matches yours:
If this is a subdomain hosted by another company:
2AA. DDG/Google (or send a certified letter by owl) for that parent domain followed by "abuse" (for myphish.domain.com I would search for "domain.com abuse").
2AB. Fill out their form or send the email (whichever they want), explaining how you investigated this and narrowed it down, including screenshots. It also helps to include the original phishing email, with full headers, containing their URL, so they can see you received a genuine malicious email pointing at that subdomain.
If this is a domain with a registrar:
2BA. Do another WHOIS search, this time for the domain itself. This returns the registrar and usually a "Registrar Abuse Contact Email" such as abuse@registrar.tld. Registrant details are often hidden behind WHOIS privacy, but the registrar's abuse contact is still shown.
2BB. Email them explaining how you investigated this and narrowed it down, including screenshots. It also helps to include the original phishing email, with full headers, containing their URL, so they can see you received a genuine malicious email pointing at that domain.
Revisit the domain from the sandbox every so often to check whether it has been taken down. Both reports are usually acted on quickly; I'd say everything is typically offline within an hour.
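The two report-routing decisions above (hosting provider from the IP WHOIS, then either the subdomain provider or the registrar from the domain WHOIS) can be turned into a small triage script. The following is an added example, not code from the original post: it parses raw WHOIS text you paste in (the output of the whois tool for the IP and for the domain), strips the subdomain to find the registered name, and drafts the hosting report. The public-suffix list, the list of subdomain providers and the WHOIS samples at the bottom are constructed assumptions so that it runs offline.

```python
"""Triage helper for the two-report workflow (hosting provider, then registrar
or subdomain provider). Added example, not code from the original post."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
# Real triage should use a maintained list (e.g. the tldextract package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}

# Assumption: providers that hand out subdomains to customers. Abuse for
# myphish.<provider> goes to the provider, not to a registrar.
SUBDOMAIN_PROVIDERS = {"it.com"}

# Field names used by the RIRs (ARIN/RIPE style) and by registrar RDDS output.
ABUSE_RE = re.compile(
    r"^(?:abuse-mailbox|OrgAbuseEmail|Registrar Abuse Contact Email)\s*:\s*(\S+@\S+)",
    re.IGNORECASE | re.MULTILINE,
)
ORG_RE = re.compile(r"^(?:OrgName|org-name|descr|Registrar)\s*:\s*(.+?)\s*$",
                    re.IGNORECASE | re.MULTILINE)


def registrable_domain(host):
    """Strip subdomains: login.myphish.co.uk -> myphish.co.uk (longest suffix wins)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def abuse_contacts(whois_text):
    """Return (organisation, sorted abuse e-mails) parsed from raw WHOIS output."""
    emails = sorted({m.group(1).strip("<>,") for m in ABUSE_RE.finditer(whois_text)})
    org = ORG_RE.search(whois_text)
    return (org.group(1) if org else None), emails


def triage(phish_url, collector_ip, ip_whois, domain_whois=""):
    """Decide who gets which report. collector_ip is the address the login POST
    went to (from the Network tab; resolve the hostname first if it showed one)."""
    host = urlsplit(phish_url).hostname
    if not host:
        raise ValueError("phishing URL has no hostname")
    apex = registrable_domain(host)
    hoster, host_emails = abuse_contacts(ip_whois)
    out = {"hosting": {"ip": collector_ip, "org": hoster, "emails": host_emails}}
    if apex in SUBDOMAIN_PROVIDERS and host != apex:
        # Scenario 2A: the name belongs to a subdomain provider; search for
        # "<provider> abuse" and use their form, as the post describes.
        out["domain"] = {"route": "subdomain_provider", "target": apex,
                         "search": f"{apex} abuse"}
    else:
        # Scenario 2B: a registered domain; the registrar abuse contact comes
        # from the domain WHOIS, even when registrant details are redacted.
        registrar, reg_emails = abuse_contacts(domain_whois)
        out["domain"] = {"route": "registrar", "target": apex,
                         "org": registrar, "emails": reg_emails}
    return out


def render_report(phish_url, collector_ip, observed=None):
    """Body text for the hosting-provider report; it mentions the parallel
    registrar/provider report so the host can keep the server for inspection."""
    observed = observed or datetime.now(timezone.utc)
    return (
        f"Phishing page: {phish_url}\n"
        f"Credential POST destination: {collector_ip}\n"
        f"Observed (UTC): {observed:%Y-%m-%d %H:%M}\n"
        "Steps to reproduce: load the URL in a sandbox, submit bogus credentials,\n"
        "watch the Network tab for the POST to the address above.\n"
        "Note: the domain is being reported to its registrar in parallel; please\n"
        "preserve the server so it can still be examined if the name is removed.\n"
    )


# Constructed samples (RFC 5737 test address, reserved .example names).
IP_WHOIS = """NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Hosting LLC
OrgAbuseEmail:  abuse@hosting.example
"""
DOMAIN_WHOIS = """Domain Name: myphish.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
"""

if __name__ == "__main__":
    result = triage("https://login.myphish.example/auth", "203.0.113.7",
                    IP_WHOIS, DOMAIN_WHOIS)
    print(result)
    print(render_report("https://login.myphish.example/auth", "203.0.113.7"))
```

In practice you would replace the two sample strings with the real WHOIS output and the collector address you read from the Network tab; the script deliberately does no network lookups itself so that the sandbox stays the only thing touching the phishing site.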