In this post we go over how you can use OSINT techniques to nail down a phishing site’s owner and their reach.
Phishing scams are incredibly common. 85% of businesses have experienced at least one successful phishing scam. When this occurs, various things can happen:
- Attacker uses your email to send more phishing scams to your clients, customers and coworkers
- Attacker uses their access to get the data in your estate
- Attacker downloads all your emails, for extortion or use in further attacks
- Or worst case scenario, they steal all your data and then hold you ransom
So the threat is real. It can be useful to figure out who is behind a phishing scam and what other sites are under their control. This allows you to research the group's TTPs and work out how to better secure yourself against them.
The number one thing you can do to curb the risk of phishing is to do regular training for your workforce. People need to be aware of the risks associated with careless clicks or divulging information over the phone. I find that people respond well to a concise list, so I generally tell people to:
- Look out for emails creating a sense of urgency
- Look out for emails where the display name doesn’t match the sending address
- Be particularly cautious of links and attachments
This alone doesn't fully prepare your people for dealing with email phishing, but it is a great aid alongside formal training sessions.
Tracking Down Malicious Intent
So, you get a phishing email reported. Great! People are looking out. But what do you do with it from there? First of all, check for similar emails that may have entered your email host. Check for similar subjects, similar sender addresses, and similar links. The way to do this varies depending on what email host you use, but it is generally not that hard.
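The three checks above (urgency, display-name mismatch, links) and the "look for similar emails" step can both be scripted against raw messages. The following is an added example, not code from the original post; it parses constructed sample messages (not real captures) with Python's standard email library, flags the warning signs, and then hunts a small mailbox for messages sharing the reported message's sender, subject or link host. The regexes and indicator set are assumptions chosen for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# An email address written inside the display name, e.g. "bob@corp.example" <x@other.example>
EMAIL_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|expires? today|action required)\b", re.I
)

# Constructed sample: the message a user reported.
REPORTED_EML = """From: "IT Helpdesk" <alerts@mail-notice.example>
To: alice@corp.example
Subject: URGENT: Your mailbox will be suspended in 24 hours
Content-Type: text/plain

Your password expires today. Verify now: http://portal-login.example/verify?u=alice
"""

# Constructed sample mailbox to hunt through (not a real capture).
MAILBOX = [
    """From: "IT Helpdesk" <alerts@mail-notice.example>
To: bob@corp.example
Subject: URGENT: Your mailbox will be suspended in 24 hours
Content-Type: text/plain

Verify now: http://portal-login.example/verify?u=bob
""",
    """From: "Weekly Digest" <news@newsletter.example>
To: alice@corp.example
Subject: This week's product updates
Content-Type: text/plain

Read more at https://newsletter.example/issue/42
""",
    """From: "Mail Admin" <admin@notice-mailer.example>
To: carol@corp.example
Subject: Re: URGENT: Your mailbox will be suspended in 24 hours
Content-Type: text/plain

Hi, please confirm at http://portal-login.example/verify?u=carol
""",
    """From: "bob@corp.example" <noreply@drive-share.example>
To: alice@corp.example
Subject: Bob shared a document with you
Content-Type: text/plain

Open it here: https://drive-share.example/d/abc123
""",
]


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def sender_parts(msg):
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def normalise_subject(subject):
    # Strip Re:/Fw: prefixes and collapse whitespace so variants match.
    s = re.sub(r"^\s*(re|fw|fwd)\s*:\s*", "", subject or "", flags=re.I)
    return re.sub(r"\s+", " ", s).strip().lower()


def extract_indicators(raw):
    """Sender, sender domain, normalised subject, URLs and URL hosts of one message."""
    msg = parse(raw)
    _, addr, domain = sender_parts(msg)
    urls = set(URL_RE.findall(body_text(msg)))
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"sender": addr, "sender_domain": domain,
            "subject": normalise_subject(msg["Subject"]), "urls": urls, "hosts": hosts}


def triage(raw):
    """Return the warning signs present: urgency, display_name_mismatch, contains_links."""
    msg = parse(raw)
    name, _, domain = sender_parts(msg)
    flags = []
    if URGENCY_RE.search(msg.get("Subject", "")):
        flags.append("urgency")
    m = EMAIL_IN_NAME_RE.search(name)
    if m and m.group(1).lower() != domain:
        flags.append("display_name_mismatch")
    if extract_indicators(raw)["hosts"]:
        flags.append("contains_links")
    return flags


def find_similar(reported_raw, mailbox):
    """Return (index, reasons) for every mailbox message sharing an indicator with the report."""
    ref = extract_indicators(reported_raw)
    hits = []
    for i, raw in enumerate(mailbox):
        ind = extract_indicators(raw)
        reasons = []
        if ind["sender"] == ref["sender"]:
            reasons.append("same sender")
        elif ind["sender_domain"] == ref["sender_domain"]:
            reasons.append("same sender domain")
        if ind["subject"] == ref["subject"]:
            reasons.append("same subject")
        if ind["hosts"] & ref["hosts"]:
            reasons.append("shared link host")
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    print("reported:", triage(REPORTED_EML))
    for i, reasons in find_similar(REPORTED_EML, MAILBOX):
        print(f"mailbox[{i}]: {', '.join(reasons)}")
```

In practice the mailbox loop is replaced by whatever search your mail host exposes; the point is that sender, normalised subject and link host are the three pivots worth searching on, and matching on the host (not the full URL) catches the per-recipient URLs a campaign typically generates.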
But what can you do with the phishing link itself? Well, there is a lot of information you can discover about a threat actor from a simple phishing link.
First of all, you can check the site in virustotal.com and sitelock.com. This can give you a threat graph that cites different pages and files associated with the website.
One way to find out whether there are any similar websites, potentially owned by the same threat actor, is the site spyonweb.com. It checks for things like Google Analytics and AdSense IDs to form a web of associated sites. This gives you an idea of what sites and scams the malicious actor is working through.
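The pivot spyonweb.com performs, linking domains that embed the same Analytics, AdSense or Tag Manager identifier, is simple enough to reproduce on page source you have already retrieved. The following is an added example, not code from the original post or from spyonweb; it extracts the common tracker IDs from constructed HTML snippets (not real sites) with regular expressions and groups the domains into connected clusters. The regex patterns and the sample domains are assumptions for illustration.

```python
import re
from collections import defaultdict

# Patterns for tracker identifiers commonly embedded in page source (assumed formats).
ID_PATTERNS = {
    "ga":      re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),        # Universal Analytics property
    "ga4":     re.compile(r"\bG-[A-Z0-9]{6,12}\b"),           # GA4 measurement ID
    "adsense": re.compile(r"\b(?:ca-)?pub-\d{10,20}\b"),      # AdSense publisher ID
    "gtm":     re.compile(r"\bGTM-[A-Z0-9]{4,10}\b"),         # Google Tag Manager container
}

# Constructed page sources keyed by domain (not real sites).
PAGES = {
    "a.example": '<script>ga("create", "UA-1234567-1", "auto");</script>'
                 '<ins data-ad-client="ca-pub-1234567890123456"></ins>',
    "b.example": "<script>gtag('config', 'UA-1234567-1');</script>",
    "c.example": '<script>google_ad_client = "pub-1234567890123456";</script>'
                 "<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-ABCD12');</script>",
    "d.example": "<script>gtag('config', 'G-XYZ12345');</script>",
    "e.example": "<noscript><iframe src=\"https://www.googletagmanager.com/ns.html?id=GTM-ABCD12\"></iframe></noscript>",
}


def extract_ids(html):
    """Return the set of (kind, identifier) pairs found in one page's source."""
    found = set()
    for kind, pat in ID_PATTERNS.items():
        for m in pat.findall(html):
            # "ca-pub-N" and "pub-N" refer to the same publisher; normalise to "pub-N".
            ident = m[3:] if m.startswith("ca-") else m
            found.add((kind, ident))
    return found


def build_index(pages):
    """Map each (kind, identifier) to the set of domains it was seen on."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for ident in extract_ids(html):
            index[ident].add(domain)
    return index


def shared_with(domain, pages):
    """For one domain, every other domain sharing an identifier and which identifiers link them."""
    index = build_index(pages)
    links = defaultdict(set)
    for ident in extract_ids(pages[domain]):
        for other in index[ident] - {domain}:
            links[other].add(ident)
    return dict(links)


def cluster_domains(pages):
    """Group domains into connected components, where an edge is any shared identifier."""
    adj = {domain: set() for domain in pages}
    for domains in build_index(pages).values():
        for d in domains:
            adj[d] |= domains - {d}
    seen, clusters = set(), []
    for start in pages:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            d = stack.pop()
            if d in comp:
                continue
            comp.add(d)
            stack.extend(adj[d] - comp)
        seen |= comp
        clusters.append(comp)
    return clusters


if __name__ == "__main__":
    for comp in cluster_domains(PAGES):
        print(sorted(comp))
    print(shared_with("a.example", PAGES))
```

Two caveats when reading the clusters: a shared ID only proves the pages were built from the same source, so a web agency's template or a phishing page cloned from a legitimate brand's site will link domains that have nothing to do with each other. Treat a cluster as a lead to confirm against WHOIS history and hosting data, not as attribution on its own.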
Additionally, you can check the WHOIS record to see if the owner of the domain has shared their name. Often you'll find they're using an anonymity service, but that is okay. You can look at the history of the records using drs.whoisxmlapi.com. Often, due to poor opsec, the malicious actor will have originally registered at least one of their domains with their actual information.
Another way you can figure out what sites an attacker has in their purview is using dnstwister.report. This website is another option that maps out what a single entity owns in the public internet space.
There is a way to safely check a link to find out whether it is phishing in the first place, using the service urlscan.io. This site will tell you whether the site was built with a phishing kit.
MX records are another way to find information. You can use mxtoolbox.com to pull the DNS record and figure out if the malicious actor is using any email service along with their domain name.
Once you’ve collected all this information, it becomes child’s play to pinpoint what threat actor is targeting you and what their online estate looks like. Knowing who you’re up against allows you to learn their methods via research, and how to protect yourself from them. You can also report this information to law enforcement.