Since March 2020 we have continuously provided a list of dangerous websites (the Warning List, the List). We maintain it 24 hours a day, 7 days a week, and update it with all domains that trick Polish internet users in order to steal their data and credentials.
Phishing websites collecting personal data and credentials are now a mass phenomenon, affecting various groups of internet users in Poland. Links to such webpages are sent through various channels: SMS, e-mail or social media. The websites are registered in large numbers and used within a short time of registration, after which they are abandoned in favor of new addresses. For this reason, it is very important to quickly identify threats and share information with affected organizations and network administrators.
The Warning List is used by telecommunication operators, companies, organizations and users themselves to automatically block access to malicious sites and thus limit the impact of phishing attacks and other campaigns targeting Polish citizens.
Using the Warning List
Many Polish internet users are protected by the Warning List because their Internet Service Providers (ISPs) use it to block dangerous websites, based on an agreement with the President of the Office of Electronic Communications (UKE), the Minister of Digitization, and NASK [1].
ISPs involved in the original agreement were:
- Orange Polska S.A.
- Polkomtel Sp. z o.o. (operator of the Plus network)
- P4 Sp. z o.o. (operator of the Play network)
- T-Mobile Polska S.A.
Users can easily test if their ISP is using the Warning List by visiting a dedicated service at lista.cert.pl.
If the ISP does not use the Warning List, the easiest way to protect your device is to install a web browser extension that supports blocking lists compatible with the adblock format (e.g. uBlock Origin) and to add the List to the extension's filters.
Available formats
- text format, active domains only, single domain per line – https://hole.cert.pl/domains/v2/domains.txt
- TSV (tab-separated values) format – https://hole.cert.pl/domains/v2/domains.csv
- JSON format – https://hole.cert.pl/domains/v2/domains.json
- XML format – https://hole.cert.pl/domains/v2/domains.xml
- ad-blocker list compatible with uBlock Origin and AdGuard AdBlocker browser extensions – https://hole.cert.pl/domains/v2/domains_adblock.txt
- hosts format – https://hole.cert.pl/domains/v2/domains_hosts.txt
- .rsc format, limited to 4096 bytes, for MikroTik/RouterOS systems – https://hole.cert.pl/domains/v2/domains_mikrotik.rsc
- RPZ (Response Policy Zones) blacklist format – https://hole.cert.pl/domains/v2/domains_rpz.db
The List is also used by private DNS service providers – quad9, dns0.eu, and nextdns.io.
Information for administrators
If you want to integrate the Warning List into your security infrastructure, please implement domain blocking in accordance with the points below:
- list of blocked domains should be updated every 5 minutes
- domains are put on the List for a period of 6 months; if an entry is no longer on the List or there is information about its deletion, the domain should no longer be blocked
- blocked domains should point to the records listed on https://hole.cert.pl/schema/hole.txt. Information about the scope and scale of individual campaigns allows us to better prioritize our tasks
- subdomains of domains present on the List should also be blocked - if the a.example.com domain is on the List, then both a.example.com and b.a.example.com should be blocked, but not example.com.
Full description of individual formats and correct implementation of the List can be found in the specification.
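The subdomain rule and the removal rule above, as an added example (not CERT Polska's code): a matcher for the one-domain-per-line text format that compares whole DNS labels, plus a diff between two consecutive downloads so that entries dropped from the List are unblocked. The function names and sample domains are constructed for illustration.

```python
# Added example: subdomain-aware matching against the Warning List text format.
# All sample data is constructed; nothing is downloaded.

def normalize(host):
    """Lowercase, strip whitespace and the trailing root dot."""
    return host.strip().rstrip(".").lower()

def parse_domains(text):
    """Parse the one-domain-per-line text format into a normalized set."""
    domains = set()
    for line in text.splitlines():
        name = normalize(line)
        if name:  # skip blank lines
            domains.add(name)
    return domains

def is_blocked(host, blocked):
    """True if host itself or any parent domain of host is on the list.

    Matching is done on whole labels: an entry for a.example.com covers
    b.a.example.com, but not ba.example.com (which a naive string
    endswith() check would wrongly block) and not example.com.
    """
    labels = normalize(host).split(".")
    # Candidates: b.a.example.com, a.example.com, example.com, com
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def diff_refresh(previous, current):
    """Return (to_block, to_unblock) between two consecutive downloads."""
    return current - previous, previous - current

# Constructed stand-ins for two consecutive downloads of the text format.
SAMPLE_OLD = "a.example.com\nold-campaign.example.net\n"
SAMPLE_NEW = "a.example.com\nNew-Campaign.example.org.\n"

if __name__ == "__main__":
    old, new = parse_domains(SAMPLE_OLD), parse_domains(SAMPLE_NEW)
    for h in ("a.example.com", "b.a.example.com",
              "ba.example.com", "example.com"):
        print(f"{h:20} blocked={is_blocked(h, new)}")
    to_block, to_unblock = diff_refresh(old, new)
    print("block:", sorted(to_block), "unblock:", sorted(to_unblock))
```

Replacing the whole set on every refresh, rather than only appending to it, is what makes expired or withdrawn entries stop being blocked.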
Reporting suspicious websites and SMS messages
Anyone can report a phishing website that gathers personal information, bank account or social media credentials, using a form available at https://incydent.cert.pl/domena#!/lang=en. Please report only websites targeting Polish internet users.
If the source of the suspicious website is an SMS message, we encourage you to send it to our 8080 number using the "forward" or "share" function on your phone. Sending an SMS is free when using Polish mobile network operators; the cost of sending it while roaming is in accordance with the operator's price list. The number provided is for receiving SMS messages only - the number for reporting incidents by phone can be found on our website.
Changes introduced in the second version of the List
In response to changing threats and the ever-growing size of the List, we have decided to make a few changes in the operation of the List that will help us to better respond to new threats, and help users to integrate it more easily:
- domains are blocked for a 6-month period; after this time, a domain that is still considered dangerous will be added as a new entry
- considering the above, all List formats are time-limited to the last 6 months - this will solve the problem of having to download increasingly large files at short intervals
- in order to maintain transparency regarding blocked domains, a data stream has been introduced – "actions.log". It lists all domains we add to and remove from the Warning List, grouped by year
- in addition to blocking the domains on the List, we also recommend blocking traffic to their subdomains
Legal basis
Based on art. 20 of The Act on Combating Abuse in Electronic Communications from 28th July 2023 [2], CSIRT NASK becomes the entity responsible for maintaining the Warning List. All domains whose primary goal is to mislead internet users in order to defraud them of their data or to induce a disadvantageous disposition of their property are to be entered on the List.
In order to protect their customers, a telecommunications company can make an agreement with the President of the Office of Electronic Communications (UKE), the Minister of Digitization, and NASK. The telecommunications company that is a party to the agreement may prevent internet users from accessing websites that use internet domain names listed on the Warning List.
More information can be found in the knowledge base on the gov.pl portal (in Polish).
Appeals
According to art. 21 of The Act on Combating Abuse in Electronic Communications [3], an entity holding legal title to an internet domain included in the Warning List may file an objection to the inclusion of their domain in the Warning List with the President of the Office of Electronic Communications (UKE).
- [1] agreement to protect subscribers (in Polish) – https://www.uke.gov.pl/akt/uke-przystapil-do-porozumienia-chroniacego-abonentow,300.html
- [2] art. 20 of The Act on Combating Abuse in Electronic Communications (in Polish) – https://dziennikustaw.gov.pl/D2023000170301.pdf#page=10
- [3] art. 21 of The Act on Combating Abuse in Electronic Communications (in Polish) – https://dziennikustaw.gov.pl/D2023000170301.pdf#page=11