Hunting Phishing URLs Made Easy: A Comprehensive Series [0x1]


Introduction

In this blog series, I share various ways to hunt phishing URLs [which may sometimes be malicious URLs, too]. Before tracking such URLs, it is always better to understand how phishing works in the real world, which includes creating phishing websites and deploying them in the wild using various ways.

In the first blog post, we’ll understand the process of deploying a phishing website through the lens of an actor, gaining insights into the various components of phishing sites.

Launch of A Phishing Campaign

Deploying a phishing website starts with choosing a target of interest. Sometimes, actors also select targets based on current trends in the industry: for example, a famous company launching a new product for free, or brands offering discounts during a festival season. Once the target is finalized, actors start developing a phishing site that looks relevant in the contexts above.

So let’s see the other most essential segments:

  • Website Assets: The website resources encompass elements such as the replicated login page of the target, comprising HTML, JS, CSS, PHP, image, GIF, and video files that contribute to mimicking the appearance of the cloned site. In most cases, actors download the assets used on the legitimate page of the specified target and manually create clone pages.

  • Domain Registration: Domain registration is another creative task, in which actors decide which domain names suit the target, product, and trend. Most of the time, actors go with typo-squatted domain names. Often, they pick free or cheap TLDs to save some bucks.

  • Picking a Hosting Provider: The most crucial part of the process is choosing the right hosting provider, one with fewer regulations and shady operations. Such a lack of regulation helps phishing sites stay up longer than they would on regulated providers. In this case, actors wisely choose freemium services to host the cloned page. Some famous freemium services are Cloudflare free hosting services (Pages), Firebase free hosting services including Webohsot, and many others. Actors also keep looking for relatively new, free alternative services to stay under the radar of detection engines.

  • Distribution Mediums: The final stage involves creating a distribution plan, where the actors decide the distribution medium of the phishing URLs. The primary distribution methods are SMS and Email, but actors may also use SEO poisoning techniques to disseminate these URLs through various search engines. Recently, ads through social media platforms such as Facebook, Instagram, and Twitter have also become popular.

Entities of A Phishing Website

The following entities of a phishing website are extremely useful for hunting similar websites, which will be discussed later in this blog:

  • URL: This is one of the first indicators of any phishing website to notice. It helps us identify the pattern, which eventually aids us in finding other similar phishing sites.

  • Site Title: The site title of a phishing website can be crucial if it is unique or peculiar, because it helps us uncover similar phishing sites.

  • DOM: The Document Object Model is a cross-platform and language-independent interface that treats an HTML or XML document as a tree structure wherein each node is an object representing a part of the document.

  • Assets: Assets are the files used to design a particular site. They could be a single logo, favicon, background image, video, GIF, or other files. In this case, unique file names are an essential indicator for finding similar phishing websites.
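To make the four entities concrete, here is an added example (not code from the original post) that pulls them out of one fetched page so they can be compared across suspected sites. The sample URL, brand, and file names are constructed, and reducing the DOM to a hash of its ordered tag sequence is an assumption chosen for illustration.

```python
import hashlib
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (reserved .example domain, made-up brand and file names).
SAMPLE_URL = "https://login-examplebank.pages.example/secure/index.html"
SAMPLE_HTML = """<html><head><title>ExampleBank | Sign In</title>
<link rel="icon" href="/img/eb_fav_91x.ico">
<link rel="stylesheet" href="css/style_eb.css"></head>
<body><form action="post.php"><input name="user">
<input name="pass" type="password"><img src="img/eb_logo_2x.png"></form>
<script src="js/check.js"></script></body></html>"""

class EntityParser(HTMLParser):
    """Collects the title text, the ordered tag sequence and asset references."""
    def __init__(self):
        super().__init__()
        self.title, self.tags, self.assets = "", [], []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_title = tag == "title"
        for name, value in attrs:
            # Assets: src on any tag, href on <link>, action on <form>.
            if value and (name == "src" or (tag, name) in {("link", "href"), ("form", "action")}):
                self.assets.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def extract_entities(url, html):
    """Return the URL, title, DOM and asset entities of one fetched page."""
    parser = EntityParser()
    parser.feed(html)
    parts = urlsplit(url)
    names = {posixpath.basename(urlsplit(a).path) for a in parser.assets}
    return {
        "host": parts.hostname,
        "path": parts.path,
        "title": parser.title.strip(),
        # Structure-only fingerprint: text and attribute values are ignored.
        "dom_hash": hashlib.sha256(">".join(parser.tags).encode()).hexdigest()[:16],
        "asset_names": sorted(names - {""}),
    }
```

Two pages that share a `dom_hash` or an unusual entry in `asset_names` while sitting on different hosts are candidates for the same campaign.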

Phishing Kit

A Phishing Kit is a collection of tools and resources used to create phishing websites or emails that impersonate legitimate ones. In simple words, it is nothing but the files/assets required to create the phishing website. Phishing kits are the main weapon of any actor or group of actors for launching phishing campaigns fast and effectively.

Conclusion

This section is intended for beginners to understand the structure of a phishing website and why certain entities are used when hunting them. In the next part of the blog, we will write about “Hunting Similar Phishing URLs in the Wild.”
