With the help of telecommunications operators, we are starting a war against phishing sites that target personal data, banking information and social media accounts. In response to the growing number of phishing incidents related to the coronavirus pandemic, we are launching a list of malicious domains targeting Polish users. It will be free to use for everyone. Additionally, operators that are a part of the agreement will block access to websites that have been identified and marked as dangerous.
Phishing websites are a widespread occurrence that targets many groups of internet users in Poland. Links are sent using various channels like SMS, email or social media. The websites are registered in huge numbers, used promptly and then replaced by brand-new ones. This is why quick identification, reporting and information sharing are key.
Each website submission will be verified by at least two human operators from the CERT Polska team. In the event of an unfortunate mistake, the block will be reverted as quickly as possible and the domain removed from the list. We want to emphasise that as of this moment, the list consists only of domains used for phishing attacks, not fraud or malware. The primary goal is to share information about malicious websites with all interested entities and protect Polish users.
Cooperation with telecommunications operators relies on the agreement between the Minister of Digitalization, Director of NASK PIB, President of the Office of Electronic Communications and Orange Polska S.A., Polkomtel Sp. z o.o., P4 Sp. z o.o., T-Mobile Polska S.A. The text of the agreement was published on the website of the Office of Electronic Communications. Participation in the agreement is voluntary, and any party is allowed to terminate the contract at any time.
Anyone can report a website that tries to steal personal data, account information or banking data using the form on https://incydent.cert.pl/domena#!/lang=en.
Suspicious SMS messages can be forwarded to the phone number 799-448-084 using the "forward" or "share" option. The submission will be delivered directly to our analysts, who will decide whether to add it to the list or not. You’re allowed to report at most three messages within a 4-hour window. Remember that this number should be used only for reporting messages containing URLs that lead to phishing pages or malicious applications – we don’t handle premium SMS messages.
The list is available in the following file formats:
Files are updated every 5 minutes. The full API specification can be downloaded from here.
The list can be used by Internet service providers to protect users that use their network. The provider shouldn’t demand any additional charges.
The providers mentioned in the original agreement are Orange, Polkomtel (Plus), P4 (Play), and T-Mobile. Participation of each operator in the program is voluntary.
You can check that by going to a special service designed for that purpose at lista.cert.pl.
We only care about protecting Polish users from malicious websites. The list is only a recommendation, and we don’t force the providers to use it.
Each submission will be verified by at least two human operators from the CERT Polska team experienced in identifying malicious websites targeting Polish users. After the domain is added to the list, access is blocked by telecommunications operators on the domain name resolution level. We do not make any changes to the domain registry or contents of the servers hosting malicious websites.
Telecommunications operators change the address of the malicious domain in their DNS cache system. Instead of pointing users to a malicious website, they are redirected to the warning site provided by the particular operator or CERT Polska (which looks like this).
Because our solution is based on changing the IP address returned by the DNS server, the domain can still be accessible from some devices despite being present on the list.
Possible reasons are as follows:
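Added example, not part of the original page and not CERT Polska's code: because the block works by changing the DNS answer, a defender can compare resolver logs against the list to see which lookups of listed domains received the warning-page address and which did not. Assumptions: the list is plain text with one domain per line, subdomains of a listed domain are treated as covered, `192.0.2.10` is a placeholder for the warning-page address, and the log format is constructed.

```python
# Added example; sample list and resolver log (time, client, name, answer) are constructed.
WARNING_LIST = """\
# one domain per line (assumed format)
login-bank.example
paczka-doplata.example
"""
WARNING_PAGE_IPS = {"192.0.2.10"}  # placeholder warning-page address
DNS_LOG = """\
2020-03-23T10:00:01 10.0.0.5 login-bank.example. 192.0.2.10
2020-03-23T10:00:07 10.0.0.9 www.Login-Bank.example 203.0.113.77
2020-03-23T10:01:12 10.0.0.5 notlogin-bank.example 198.51.100.4
2020-03-23T10:02:30 10.0.0.7 cert.pl 198.51.100.20
2020-03-23T10:03:02 10.0.0.9 paczka-doplata.example 203.0.113.80
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def load_list(text):
    """Parse one domain per line, skipping blank lines and # comments."""
    lines = (l.strip() for l in text.splitlines())
    return {normalize(l) for l in lines if l and not l.startswith("#")}

def listed_parent(name, domains):
    """Return the listed domain covering `name` (label-boundary match), or None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def classify(log_text, domains, warning_ips):
    """Return (client, qname, listed_domain, status) for every listed lookup."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, answer = parts
        hit = listed_parent(qname, domains)
        if hit:
            status = "blocked" if answer in warning_ips else "not_blocked"
            results.append((client, normalize(qname), hit, status))
    return results

if __name__ == "__main__":
    print(*classify(DNS_LOG, load_list(WARNING_LIST), WARNING_PAGE_IPS), sep="\n")
```

A `not_blocked` result for a listed name points to a client whose lookups did not go through a resolver that applies the list.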
Please contact us at firstname.lastname@example.org.
We make our best effort to ensure that the whole process takes as little time as possible. However, it may take some time to restore correct domain name resolution by telecommunications operators.
Each report is verified with the utmost care and caution. There is no need to worry if your website is not used for malicious purposes.
All submissions are manually analysed and verified by CERT Polska analysts. False submissions will be rejected. If you have any doubts about domains put on the list, please let us know by emailing us at email@example.com.
No. The block is performed by operators freely, not as a part of the .pl registry and its terms and conditions.
New domains will appear on the list within 5 minutes after being identified as malicious.
No. The list only includes domains that target personal data, banking information and social media accounts.
The domain can be removed from the list if the reasons for its presence are no longer valid. If this is the case, telecommunications operators should immediately revoke the block. Operators can also make independent decisions to allow access to the domain despite its presence on the list.
No. Please submit pre-verified domains using the form available at https://incydent.cert.pl/phishing.
As of this moment, the agreement with operators assumes cooperation during states of emergency, epidemic or epidemic threats. Participation of operators in the agreement is voluntary, and we do not rule out the possibility of maintaining it in other periods.
We make our best effort to ensure that the whole process takes as little time as possible.
Yes, you can.