
How to Hunt Phishing Campaigns in the Wild Without Analyzing Any Phishing Kit


Introduction

There are various ways to detect phishing campaigns. By monitoring the certificate transparency logs and looking for typosquatting domain names (based on a brand-specific keyword) among the newly logged domains, we can sometimes correlate phishing sites by similarities in their site title, rendered text, or screenshot (computer-vision hash). In this post, I will show how we can also find sites belonging to an ongoing phishing campaign with the help of the unique filenames they use.

This process might not be the standard way to detect similar phishing sites, and it will not fit every instance. It is advisable to always improvise your detection techniques/methods based on the situation!

All we need is an active phishing link before we hunt down the ongoing phishing campaign associated with the phishing site. We can get active phishing links through Twitter searches and various open-source data feeds.

Twitter Searches

Getting active and recent phishing URLs from Twitter searches is easy. For example, we can go to twitter.com > Explore and search the following hashtags: #phishing / #phishingurl / #scam, or simply search those mentioned keywords without the hashtags.

Also, the infosec community has awesome folks who help by tweeting newly detected phishing URLs. We can grab active phishing links from their Twitter feeds. Following is the list of Twitter accounts:

Open Data Feeds

We can also collect the active phishing URL from any one of the following data feeds:

Let the Hunt Begin

I found one interesting phishing site from Noladefense (unfortunately the account got suspended).

Noladefense Tweet of Phishing Site

The phishing domain 365-irlnotification[.]com impersonates the login page of the Bank of Netherlands, clearly in order to steal credentials from its customers.


Interestingly, this phishing website uses cookies and Google Analytics to track the victim’s activity, which is nothing new. So, I don’t want to distract myself by digging deep into the functionality of this phishing website.

Find the Unique Asset/Filename of the Phishing Websites

There are several ways to find out which files/assets a website uses, but the most straightforward is to open the Developer Tools (Ctrl+Shift+I) and go to the Network tab. This way, we can see the names of the resources as the website loads in the browser.

Following the process above, while loading the phishing site in a Chromium-based browser, we will get the filenames. Identifying distinctive filenames among the noise of the resources/network traffic takes some time, though there are a few points to keep in mind:

  1. Firstly, if image/video/mp3 files are present, note their filenames.

  2. Depending on the behavior of the phishing site, JS or CSS files can sometimes serve as the unique filename.

Unique Files from the Phishing Site

In this case, we can identify a few image filenames that look unique to this phishing site:

- boi_logo_grey.svg
- map-marker-white-icon.svg
- more-prelogin-icon.svg
- logo-blue-text.png
- powered_by_logo.svg
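The manual pass over the Network tab can be turned into a repeatable step by exporting the tab as a HAR file and listing the first-party asset names from it. This is an added example, not code from the post; it assumes the standard HAR 1.2 layout (log.entries[].request.url), and the HAR fragment and the host lure.example are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Added helper (not the blog's code): assumes a HAR 1.2 export (log.entries[].request.url).
# Extensions grouped the way the post ranks them: media first, then JS/CSS.
MEDIA = {"svg", "png", "jpg", "jpeg", "gif", "webp", "ico", "mp3", "mp4"}
CODE = {"js", "css"}

def asset_filenames(har, first_party_host=None):
    """Unique asset basenames in load order, split into 'media' and 'code'.
    With first_party_host set, third-party resources (analytics, CDNs) are skipped."""
    seen = defaultdict(list)
    for entry in har["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if first_party_host and parts.hostname != first_party_host:
            continue  # noise such as tracking scripts served from other hosts
        name = parts.path.rsplit("/", 1)[-1]  # query string (?v=2) is not part of the name
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = "media" if ext in MEDIA else "code" if ext in CODE else None
        if kind and name not in seen[kind]:
            seen[kind].append(name)
    return {"media": seen["media"], "code": seen["code"]}

# Constructed HAR fragment; the host is a placeholder, the SVG names are the post's.
SAMPLE_HAR = json.loads("""{"log": {"version": "1.2", "entries": [
  {"request": {"url": "https://lure.example/login.php"}},
  {"request": {"url": "https://lure.example/assets/img/boi_logo_grey.svg"}},
  {"request": {"url": "https://lure.example/assets/img/map-marker-white-icon.svg?v=2"}},
  {"request": {"url": "https://lure.example/assets/js/app.min.js"}},
  {"request": {"url": "https://lure.example/assets/css/style.css"}},
  {"request": {"url": "https://lure.example/assets/img/boi_logo_grey.svg"}},
  {"request": {"url": "https://www.google-analytics.com/analytics.js"}}
]}}""")

def demo():
    """Filenames served by the lure host itself, with third-party noise dropped."""
    return asset_filenames(SAMPLE_HAR, first_party_host="lure.example")
```

Run on a real export with `asset_filenames(json.load(open("capture.har")), first_party_host=<phishing host>)`; the media list is the candidate set for the urlscan search.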

Finding Similar Phishing Site URLs

After identifying the filenames, we can start hunting for similar phishing site URLs via urlscan.io (a website scanner for suspicious and malicious URLs, though it can scan any URL). We will leverage its search endpoint to look for the filenames we have. The query for searching any file is: filename:"filename.ext".

Searching for the image file boi_logo_grey.svg returned more than 1000 URLs, some of which are duplicates and old ones.

[Updated] Removing False Positives from the Obtained Results

Even when websites share similar URL patterns, we can still differentiate them by filtering the results with additional queries such as the filename and the hash value. We can obtain the hash value of a scanned URL by clicking the “+” button on the right side of the file of interest, located in the results section of the urlscan tab.

Once we have the hash value for the file of interest, we can create the final query: filename:"boi_logo_grey.svg" AND hash:13300feda859b998be4625203d06747c5313e87c566dcee605a316c24a79bbe5 to get the filtered results.
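The filename-plus-hash query, and the de-duplication of the 1000+ hits into one recent scan per domain, as an added example that is not the post's own code. It assumes the public urlscan.io search endpoint (GET /api/v1/search/?q=...) and the hit fields page.domain, task.url and task.time; the sample results and their hosts are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed endpoint and field names (page.domain, task.url, task.time) follow the
# public urlscan.io search API; the SAMPLE_RESULTS below are constructed.
URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def build_query(filename, sha256=None):
    """The post's filename query, optionally narrowed with the file's SHA-256."""
    query = f'filename:"{filename}"'
    return f"{query} AND hash:{sha256}" if sha256 else query

def fetch_results(query, size=100):
    """Live lookup (not called here, so the example runs offline)."""
    url = URLSCAN_SEARCH + "?" + urllib.parse.urlencode({"q": query, "size": size})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["results"]

def unique_recent_domains(results, now, max_age_days=30):
    """Keep one hit per domain (its latest scan) and drop scans older than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    latest = {}
    for hit in results:
        scanned = datetime.strptime(hit["task"]["time"], TIME_FMT).replace(tzinfo=timezone.utc)
        if scanned < cutoff:
            continue  # stale scan, likely an already taken-down host
        domain = hit["page"]["domain"]
        if domain not in latest or scanned > latest[domain][0]:
            latest[domain] = (scanned, hit["task"]["url"])
    return dict(sorted(latest.items(), key=lambda kv: kv[1][0], reverse=True))

# Constructed sample in the API's response shape; hosts are placeholders, not indicators.
SAMPLE_RESULTS = [
    {"task": {"url": "https://notify-one.test/login", "time": "2023-03-01T10:00:00.000Z"},
     "page": {"domain": "notify-one.test"}},
    {"task": {"url": "https://notify-one.test/", "time": "2023-03-02T08:30:00.000Z"},
     "page": {"domain": "notify-one.test"}},
    {"task": {"url": "https://old-clone.test/", "time": "2022-01-05T12:00:00.000Z"},
     "page": {"domain": "old-clone.test"}},
    {"task": {"url": "https://second-lure.test/signin", "time": "2023-02-20T14:15:00.000Z"},
     "page": {"domain": "second-lure.test"}},
]
SAMPLE_NOW = datetime(2023, 3, 3, tzinfo=timezone.utc)
def demo():
    """Run the de-duplication over the constructed sample."""
    return unique_recent_domains(SAMPLE_RESULTS, SAMPLE_NOW)
```

For a live hunt, pass `fetch_results(build_query("boi_logo_grey.svg", "<sha256 from the + button>"))` and the current UTC time to unique_recent_domains.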

Thanks to Roberto Martinez for sharing this valuable feedback (adding the hash value of the file) after I posted this blog on LinkedIn.

Conclusion

I shared my thoughts on how to hunt similar phishing sites without analyzing their phishing kit. Through my experience, I have found that this method can help us locate phishing sites that may be using the same kit. Additionally, it is possible to uncover phishing sites that use assets from different kits using this approach.

Huskyscripts Blog - Threat Research

6 posts

Threat Research blog focusing on recent threats like phishing and adversary infrastructure hunting