01 The challenge
The bank's fraud team was discovering new phishing domains daily — typosquats and homoglyph variants of its login portal, each harvesting credentials and OTPs. Their existing abuse-report process averaged five to seven days per domain, by which point attackers had already rotated to the next domain in the kit. The volume was outpacing the team, and customers were filing complaints faster than takedowns closed.
02 The approach
Cluster the kit, not the symptoms
Rather than treating each domain as an isolated report, we fingerprinted the shared phishing kit — common favicon hash, TLS issuer, and hosting ASN — to enumerate the full cluster, including dormant domains not yet weaponised.
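The clustering step described above, as an added illustration (not the vendor's tooling): a seed domain confirmed as phishing supplies a fingerprint of favicon hash, TLS issuer and hosting ASN, and every candidate domain that shares at least two of the three attributes is pulled into the kit cluster, dormant registrations included. All domains, hashes, issuer names and ASNs below are constructed sample data, and the two-of-three threshold is an assumption chosen to tolerate one rotated attribute (a new certificate, a new host) without also sweeping in unrelated sites.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainObservation:
    """One enriched candidate domain (e.g. from a typosquat feed or CT logs)."""
    domain: str
    favicon_hash: str   # hash of the served favicon (assumed precomputed upstream)
    tls_issuer: str     # issuer CN of the leaf certificate
    asn: int            # autonomous system number of the hosting IP
    status: str         # "active" (serving the kit) or "dormant" (registered, no content)


# Constructed sample inventory; every value is illustrative, .test is a reserved TLD.
OBSERVATIONS = [
    DomainObservation("examp1ebank-login.test",  "f:9a1c", "Issuer A", 64500, "active"),
    DomainObservation("examplebank-secure.test", "f:9a1c", "Issuer A", 64500, "active"),
    DomainObservation("exannplebank.test",       "f:9a1c", "Issuer B", 64500, "active"),
    DomainObservation("examplebank-verify.test", "f:9a1c", "Issuer A", 64501, "dormant"),
    DomainObservation("examplebank-otp.test",    "f:0000", "Issuer A", 64500, "dormant"),
    DomainObservation("unrelated-shop.test",     "f:3b77", "Issuer C", 64510, "active"),
    DomainObservation("coincidence.test",        "f:9a1c", "Issuer C", 64510, "active"),
]


def kit_fingerprint(seed: DomainObservation) -> tuple:
    """The three shared-infrastructure attributes taken from a confirmed phishing domain."""
    return (seed.favicon_hash, seed.tls_issuer, seed.asn)


def cluster_kit(observations, seed, min_matches=2):
    """Return (domain, matches, status) for every observation sharing at least
    `min_matches` of the seed's attributes, strongest matches first."""
    favicon, issuer, asn = kit_fingerprint(seed)
    cluster = []
    for obs in observations:
        # bool arithmetic: each matching attribute contributes 1
        matches = (obs.favicon_hash == favicon) + (obs.tls_issuer == issuer) + (obs.asn == asn)
        if matches >= min_matches:
            cluster.append((obs.domain, matches, obs.status))
    return sorted(cluster, key=lambda row: (-row[1], row[0]))


def cluster_counts(cluster):
    """Split a cluster into how many domains are live versus staged."""
    active = sum(1 for _, _, status in cluster if status == "active")
    return {"active": active, "dormant": len(cluster) - active}


if __name__ == "__main__":
    seed = OBSERVATIONS[0]  # the domain the fraud team confirmed first
    found = cluster_kit(OBSERVATIONS, seed)
    for domain, matches, status in found:
        print(f"{domain:28} matches={matches} {status}")
    print(cluster_counts(found))
```

Running it lists five domains: the three live ones, plus two dormant registrations that share infrastructure with the kit, while `coincidence.test`, which only shares a favicon, stays out. Raising `min_matches` to 3 gives the strict same-infrastructure core, which is useful when a registrar asks for the tightest possible evidence of common control.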
File with evidence the first time
Each abuse report shipped with packaged evidence: screenshots, the credential-harvesting endpoint, WHOIS, and DNS records. Complete reports get actioned faster and bounce back less often.
Escalate stalled cases automatically
When a registrar or host went quiet past its typical response window, cases were escalated to the upstream provider and, where applicable, the relevant CERT — without waiting for a human to notice.
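The automatic escalation rule above, as an added worked example rather than the vendor's own system: each open case tracks who currently holds it (the registrar or host, then the upstream provider, then the CERT) and the time of the last action; a periodic sweep moves any case past its holder's typical response window one tier up without human intervention, and flags cases that have run out of tiers for a person to pick up. The response windows, the domain names and the timestamps are constructed placeholders; a production version would derive the windows from each provider's observed history.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed typical response windows in hours per tier (constructed, not measured values).
RESPONSE_WINDOW_HOURS = {"registrar": 48, "host": 24, "upstream": 24, "cert": 24}

# Fixed reference time so the example is reproducible offline.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def hours_after(start: datetime, hours: float) -> datetime:
    return start + timedelta(hours=hours)


@dataclass
class TakedownCase:
    domain: str
    provider_type: str                     # "registrar" or "host" for the initial report
    filed_at: datetime
    has_cert: bool = True                  # whether a CERT covers this jurisdiction
    tier: int = 0                          # 0 = provider, 1 = upstream, 2 = CERT
    last_action_at: Optional[datetime] = None
    resolved: bool = False
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.last_action_at is None:
            self.last_action_at = self.filed_at


def current_window(case: TakedownCase) -> timedelta:
    """Response window that applies to whoever currently holds the case."""
    holder = {0: case.provider_type, 1: "upstream", 2: "cert"}[case.tier]
    return timedelta(hours=RESPONSE_WINDOW_HOURS[holder])


def check_and_escalate(case: TakedownCase, now: datetime) -> str:
    """Escalate one tier if the current holder is past its window.
    Returns "none", "escalated_upstream", "escalated_cert" or "exhausted"."""
    if case.resolved or now - case.last_action_at < current_window(case):
        return "none"
    if case.tier == 0:
        case.tier, action = 1, "escalated_upstream"
    elif case.tier == 1 and case.has_cert:
        case.tier, action = 2, "escalated_cert"
    else:
        return "exhausted"   # no automatic tier left: route to a human (legal, second upstream)
    case.last_action_at = now
    case.history.append((now, action))
    return action


def sweep(cases, now: datetime) -> dict:
    """Run the escalation check over every case; returns {domain: action}."""
    return {c.domain: check_and_escalate(c, now) for c in cases}


if __name__ == "__main__":
    cases = [
        TakedownCase("examp1ebank-login.test", "registrar", T0),
        TakedownCase("examplebank-secure.test", "host", T0, has_cert=False),
    ]
    for h in (12, 25, 49, 74, 100):
        print(f"t+{h:3}h", sweep(cases, hours_after(T0, h)))
```

The sweep is idempotent within a window, so it can run from a scheduler every few minutes: a case that was just escalated reports `"none"` until its new holder's window has also lapsed. The `"exhausted"` result is the hand-off point where the page's "where applicable" comes in; cases without a reachable CERT surface there sooner.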
03 The outcome
Within the first week, 41 active and staged domains were removed. Median time-to-removal dropped from roughly six days to 31 hours. Because the takedowns hit the registrar and hosting layers rather than just the URLs, 96% of the cluster stayed down after 30 days, and the attacker's reappearance rate fell sharply.
“We went from chasing domains one at a time to watching the whole kit come down in a week. The reporting alone saved our SOC days of work.”
Service used
Phishing takedown