Dissecting the Phish: Intro to Phishing Investigations — Useful Online Resources

Lena, published in System Weakness. 8 min read, Feb 23, 2023

In this blog post, I will be introducing online resources that can be used to investigate Phishing sites.

In Collecting the Phishing Samples, I will cover how Phishing samples can be collected from online databases.

In Domain/IP/URL Analysis, I will be covering how the domains, IPs, and URLs can be analyzed using online services and WHOIS information.

In Sandbox Analysis, I will be covering how online sandboxes can be used to interact with and analyze Phishing pages.


Collecting the Phishing Samples

There are various phishing databases available online, including PhishStats, OpenPhish, and Phishing Database. Phishing sites can also be found by checking newly registered domains on services like DNpedia.

PhishStats

PhishStats’s public CSV is updated every 90 min and contains phishing URLs found in the past 30 days.

The phish_score.csv file can be downloaded from the PhishStats site and contains the date discovered, score, URL, and IP address of each phishing site.
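As an added example (not code from the original post or from PhishStats), here is how a phish_score.csv feed can be parsed and triaged in Python. The sample rows, the leading "#" comment lines and the 5.0 score threshold are constructed assumptions; the column order follows the four fields the post lists.

```python
import csv
import io
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the column order the post describes (date discovered, score, URL, IP).
# The real phish_score.csv starts with "#" comment lines; that layout is an assumption here.
SAMPLE_CSV = """\
# phish_score.csv sample (constructed for this example, not real PhishStats data)
"2023-02-22 09:14:02",7.5,"http://amazonoofers.example/login","203.0.113.10"
"2023-02-22 11:30:45",2.1,"http://cdn.example.net/static/img.png","198.51.100.7"
"2023-02-23 01:02:03",9.0,"https://secure-paypa1.example/signin?u=1","203.0.113.10"
"""


def load_phish_rows(text):
    """Parse PhishStats-style CSV text into dicts, skipping comment lines and malformed rows."""
    rows = []
    lines = (line for line in io.StringIO(text) if not line.startswith("#"))
    for rec in csv.reader(lines):
        if len(rec) < 4:
            continue
        try:
            discovered = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S")
            score = float(rec[1])
        except ValueError:
            continue  # skip rows that do not parse rather than aborting the whole feed
        url = rec[2].strip()
        rows.append({
            "discovered": discovered,
            "score": score,
            "url": url,
            "ip": rec[3].strip(),
            "host": (urlsplit(url).hostname or "").lower(),
        })
    return rows


def defang(indicator):
    """Make a host, IP or URL safe to paste into a report (the amazonoofers[.]com style used in the post)."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def high_score_hosts(rows, min_score=5.0):
    """Hostnames whose PhishStats score reaches min_score (5.0 is an assumed triage threshold)."""
    return sorted({r["host"] for r in rows if r["score"] >= min_score and r["host"]})


def hosts_by_ip(rows):
    """Group hosts by the IP they resolved to; several phish on one IP suggests shared infrastructure."""
    grouped = {}
    for r in rows:
        grouped.setdefault(r["ip"], set()).add(r["host"])
    return {ip: sorted(hosts) for ip, hosts in grouped.items()}


if __name__ == "__main__":
    rows = load_phish_rows(SAMPLE_CSV)
    print("high-score hosts:", [defang(h) for h in high_score_hosts(rows)])
    for ip, hosts in hosts_by_ip(rows).items():
        print(defang(ip), "->", [defang(h) for h in hosts])
```

Grouping by IP is the first pivot worth doing on the feed: two unrelated-looking lures on the same address usually belong to one kit or one hosting account.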

OpenPhish

OpenPhish’s community database contains some phishing URLs found in the last 12 hours.

Phishing Database

Mitchell Krog’s Phishing Database contains the phishing domains and URLs discovered both currently and in the past (it reports the total phishing domains and links captured), and it also shows which domains and links are still active.

DNpedia

DNpedia can be used to check for Daily registered domains, Domains with certain keywords, and Possible Phishing domains.

Many suspicious domains are newly registered every moment; they can be checked under “Daily Domains”.

Brand impersonations and typo-squats can be checked in “Domain Search”.

For example, I used the search query “amazo” to look for some sites that may be impersonating Amazon.

DNpedia can also look for possible phishing domains that were recently registered under “Phishing Domains”. You can select the impersonated brand under “Keyword”. It also shows the IPv4 address and AS name.

For example, amazonoofers[.]com leads to a fake Amazon login page.
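The keyword search described above is easy to reproduce against a daily list of new domains. The following Python is an added example, not part of the original post or of DNpedia: it folds common lookalike characters and flags labels that contain, or sit within a small edit distance of, a watched brand. The homoglyph table, the distance threshold and the assumption of a plain second-level domain (brand.tld, no public-suffix handling) are all mine.

```python
# Lookalike-character folding; the table is an assumption covering the swaps seen most often in typo-squats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def normalise(label):
    """Fold lookalike characters so 'amaz0n' and 'arnazon' both compare as 'amazon'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); enough to catch single-keystroke typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(domain, brands, max_distance=2):
    """Return (brand, reason) when the first label of `domain` looks like an impersonation, else None.

    Assumes a plain second-level domain (brand.tld); public-suffix handling is out of scope here.
    """
    label = domain.lower().strip(".").split(".")[0]
    if label in brands:
        return None  # the brand's own label, not a lookalike of it
    norm = normalise(label)
    for brand in brands:
        if brand in norm:
            return brand, "homoglyph" if norm != label else "contains brand"
        for token in norm.split("-"):
            d = edit_distance(token, brand)
            if 0 < d <= max_distance and abs(len(token) - len(brand)) <= max_distance:
                return brand, f"edit distance {d}"
    return None


def scan_new_domains(domains, brands):
    """Run brand_match over a daily domain list and keep only the hits, ready for analyst review."""
    hits = []
    for d in domains:
        m = brand_match(d, brands)
        if m:
            hits.append((d, *m))
    return hits


if __name__ == "__main__":
    # Constructed daily list; only the first entry is a domain the post actually mentions.
    daily = ["amazonoofers.com", "arnazon-login.net", "paypa1.com", "amazom.net", "example.org"]
    for hit in scan_new_domains(daily, ("amazon", "paypal")):
        print(hit)
```

A hit from this check is a reason to look at the page in a sandbox, not a verdict: legitimate resellers and fan sites also contain brand names.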

Domain/IP/URL Analysis

There are various services that can be used to analyze URLs, IPs, and domains. I will provide some examples of useful online tools such as VirusTotal and urlscan.io. I will also briefly cover WHOIS analysis.

VirusTotal

VirusTotal shows the analysis results of multiple security vendors and other useful information.

Under the Relations tab, Passive DNS replication, Subdomains, Historical Whois Lookups, etc. can be seen.

The example used in this section can be found below,

urlscan.io

urlscan.io shows a lot of useful information, such as the Google Safe Browsing flag, current DNS A record, domain creation date, domain registrar, a screenshot of the site, domain and IP information, etc. These can be found in the Summary section.

The HTTP request, status, response, and headers can be seen under HTTP transactions.

The redirect information, behaviour, and indicators can also be seen.

Similar domains can also be seen,

The example used in this section can be found below,

WHOIS

There are various sites and tools that can be used to look up WHOIS information. The WHOIS information includes the creation date, registrar information, and ASN. This information can be used to analyze a domain.

Young domains and certain Registrars can raise a red flag (although this alone should not be used to judge whether a domain is malicious or not).

WHOIS.com and who.is can be used to show the WHOIS information of a domain.

You can also look up the WHOIS information from your terminal using the following command,

$ whois domain.com
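As an added example (not from the original post), the Python below parses the output of that whois command into the fields the post mentions, computes the domain age, and applies the “young domain” and “watched registrar” red flags discussed above. The WHOIS record is constructed in the common "Key: Value" layout, and the 30-day threshold is an assumed value.

```python
import subprocess
from datetime import datetime, timezone

# Constructed WHOIS output modelled on the common "Key: Value" registrar format (not a real record).
SAMPLE_WHOIS = """\
Domain Name: AMAZONOOFERS.EXAMPLE
Registry Domain ID: D0000000-EXAMPLE
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Creation Date: 2023-02-20T14:03:11Z
Updated Date: 2023-02-20T14:03:11Z
Registry Expiry Date: 2024-02-20T14:03:11Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

FIELDS = {
    "Domain Name": "domain",
    "Registrar": "registrar",
    "Registrar IANA ID": "registrar_iana_id",
    "Creation Date": "created",
    "Registry Expiry Date": "expires",
}

# Date layouts seen in practice; the list is an assumption and can be extended per registry.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def run_whois(domain):
    """Call the system `whois` client (the command the post shows) and return its raw output."""
    proc = subprocess.run(["whois", domain], capture_output=True, text=True, check=False)
    return proc.stdout


def parse_whois(text):
    """Pull the fields the post lists (creation date, registrar) plus name servers out of raw output."""
    info = {"name_servers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name Server" and value:
            info["name_servers"].append(value.lower())
        elif key in FIELDS and FIELDS[key] not in info:
            info[FIELDS[key]] = value  # keep the first occurrence; registrar and registry both print some
    return info


def parse_date(value):
    """Parse a WHOIS date string into an aware UTC datetime."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised WHOIS date: {value!r}")


def domain_age_days(info, as_of):
    return (as_of - parse_date(info["created"])).days


def whois_flags(info, as_of, young_days=30, watched_registrars=()):
    """Red-flag list. Thresholds are assumptions; a flag is a prompt to look closer, not a verdict."""
    flags = []
    if "created" in info and domain_age_days(info, as_of) < young_days:
        flags.append("young domain")
    registrar = info.get("registrar", "").lower()
    if any(w.lower() in registrar for w in watched_registrars):
        flags.append("watched registrar")
    return flags


if __name__ == "__main__":
    import sys
    text = run_whois(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WHOIS
    info = parse_whois(text)
    print(info, whois_flags(info, datetime.now(timezone.utc)))
```

Run it with a domain argument to query the live whois client, or with none to exercise the constructed record.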

Sandbox Analysis

There are multiple online sandboxes that can be used to analyze phishing sites, such as Browserling, ANY.RUN, Joe Sandbox.

Browserling

Browserling is an online cross-browser testing service, which can be used as an interactive sandbox. There are various operating systems available for testing, such as Windows 7, 8, XP, Android, etc. There are also various browsers available for testing, such as Chrome, IE, Firefox, Opera, and Safari.

You can open and view the contents of the phishing page and interact with the page.

You can also utilize the browser’s Developer tools. They can reveal a lot of information about the phishing page. The source code can be seen,

The Headers can be seen under “Network”,

Some phishing sites will only open if the request carries a specific User-Agent. The User-Agent can be changed under “Network Conditions”.

ANY.RUN

ANY.RUN is an online sandbox that can be used to test malware as well as suspicious links. It shows the screenshot of the phishing page, alongside other useful information.

The HTTP Requests, process information, DNS requests, threat information, and connection details can be seen,

A PCAP file can also be downloaded for further analysis.

There is a lot of other useful information on ANY.RUN. The full analysis result can be found below,

Joe Sandbox

Joe Sandbox is an online sandbox that can be used to test malware and suspicious links. It shows the screenshot, malicious detection results, signatures, and a lot of other useful information.

The behavior graph shows information like DNS/IP info, Process, Created File, etc.

The reputation of contacted domains and IPs can be seen,

Created/Dropped files can be seen,

The HTTP information can be seen,

The network information can be seen,

The packets can also be downloaded for further analysis,

There is a lot of other useful information on Joe Sandbox. The full analysis report can be found below,
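Both ANY.RUN and Joe Sandbox let you download the packet capture for further analysis. As an added example (not code from the original post or from either sandbox), the Python below parses a classic PCAP with nothing but the standard library and extracts the DNS queries, plaintext HTTP requests and contacted IPs, which are the indicators worth pivoting on next. So that it runs offline, it also builds a small capture in memory; the hosts, IPs and timestamps in that capture are constructed.

```python
import struct


# --- builders: make a tiny, constructed PCAP in memory so the parser can be run offline ---
def _dns_query(qname, txid=0x1234):
    """DNS header plus one A-record question for qname (no compression in queries)."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _tcp(sport, dport, payload):
    # seq/ack 1, data offset 5 words, PSH|ACK, checksum left zero (these bytes are never transmitted)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def _frame(proto, src, dst, payload):
    """Ethernet II frame carrying an IPv4 packet (dummy MACs, zero checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: DNS lookup of the lure host, then the HTTP GET for its login page."""
    frames = [
        _frame(17, "10.0.0.5", "10.0.0.1", _udp(40000, 53, _dns_query("amazonoofers.example"))),
        _frame(6, "10.0.0.5", "203.0.113.10",
               _tcp(40001, 80, b"GET /login HTTP/1.1\r\nHost: amazonoofers.example\r\nUser-Agent: x\r\n\r\n")),
        _frame(17, "10.0.0.5", "10.0.0.1", _udp(40002, 53, _dns_query("cdn.example.net"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1677110400 + i, 0, len(f), len(f)) + f
    return out


# --- parser: what you would run over the PCAP downloaded from the sandbox ---
def _read_qname(data, off):
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels)


def parse_pcap(blob):
    """Return (kind, src, dst, detail) tuples for DNS queries and plaintext HTTP requests in a pcap."""
    endian = "<" if blob[:4] == struct.pack("<I", 0xA1B2C3D4) else ">"
    if struct.unpack(endian + "I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants are not handled here)")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    events, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 17 and struct.unpack("!H", l4[2:4])[0] == 53:
            events.append(("dns", src, dst, _read_qname(l4, 8 + 12)))  # skip UDP and DNS headers
        elif proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]
            head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
            parts = head[0].split(b" ")
            if len(parts) >= 2 and parts[0] in (b"GET", b"POST"):
                host = next((h.split(b":", 1)[1].strip() for h in head[1:]
                             if h.lower().startswith(b"host:")), b"")
                events.append(("http", src, dst, f"{parts[0].decode()} {host.decode()}{parts[1].decode()}"))
    return events


def indicators(events):
    """Collapse events into the IoC lists an analyst would pivot on (domains, requests, contacted IPs)."""
    return {
        "domains": sorted({e[3] for e in events if e[0] == "dns"}),
        "http": sorted({e[3] for e in events if e[0] == "http"}),
        "ips": sorted({e[2] for e in events}),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(indicators(parse_pcap(blob)))
```

Pass the downloaded capture as the first argument to run it on real data. HTTPS traffic will only show up through the DNS and IP lists, which is exactly why the sandbox's own decrypted HTTP view is still worth reading alongside the PCAP.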

Conclusion

These were some of the methods that can be used to investigate phishing sites. Each service has its strengths and coverage area.

For example, Browserling lets you interact freely with phishing pages, but will not give you the analysis details and other useful information that ANY.RUN and Joe Sandbox do.

These services can be used together to conduct a deep dive investigation into phishing sites.

Bonus

Here’s a speed sketch timelapse of the thumbnail,

In my other blog posts, I used these techniques to analyze phishing pages.

Thank you for reading, and good luck with your investigations!


I'm a Cybersecurity Analyst! My passions include hacking, investigations, writing, and drawing! Contact: lambdamamba@proton.me, Website: LambdaMamba.com