Hunting Phishing URLs Made Easy: A Comprehensive Series [0x2]


Introduction

In the previous part of this blog series, we learned about the structure of phishing websites, which helps us identify similar phishing websites. In this part, we will focus on pivoting from a single phishing website to others like it. We will use a community-based platform, URLScan.io, to hunt down phishing URLs built from the same files.

The Phishing URL

To begin the hunting game, we require an active phishing URL as our starting point. There are numerous ways to obtain a live phishing URL, but I usually search the latest Twitter feed using the #phishing or #scam hashtags. Victims or recipients of phishing/suspicious URLs share screenshots when they receive such links, and one of the benefits of this is that we get to see the distribution medium of the phishing link. While browsing through the Twitter feed, I promptly identified a URL via @CriminalIP’s Twitter account, and it turned out to be an Apple Phishing Page, as indicated in the post.

CriminalIP’s Twitter post

The suspicious link mentioned in the post is http://apple-clone-by-rebie[.]netlify[.]app; fortunately, it was still active while I was writing this blog.

Analysis of the URL

Once we have the URL, we can analyze it and gather the necessary information either by scanning it on URLScan.io or by doing it ourselves, manually in the browser. Here, we will do both.

Scan with URLScan.io

URLScan.io is one of the best tools for scanning any URL. It extracts the artifacts and entities associated with a page: WHOIS records, a screenshot of the webpage, the IP address, and passive DNS data for the URL.

Steps to Scan a URL in URLScan.io:

  • Go to urlscan.io and paste the URL that needs to be scanned into the "URL to scan" box. Click the Public Scan button to scan it.

  • Once the scan is complete, a page loads with a summary of all HTTP requests, external links, redirect behavior, and a screenshot of the webpage. The result for this phishing URL can be viewed here: https://urlscan.io/result/f0972c72-2948-4f08-9d1b-4f91bb1a6d1b

Scanning URLs and checking results is hassle-free, so if you are starting out with phishing URL hunting, this platform will help you greatly. I am also planning to write a dedicated blog on hunting with URLScan.io.

Analyzing Manually

We can also find more information about the phishing website if we open the URL in a local browser.

PS: It is always advisable to open phishing sites in a throwaway browser or VM and to maintain proper OPSEC.

Before I open any phishing URL in the local browser, I open the Network tab of the browser's Developer Tools [Ctrl+Shift+I] so that I have visibility into the network traffic from the first request.

This gives us more information about the phishing URL, such as which files are loaded and their names, and whether any particular files are loaded from other, external domains.
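The Network tab can export everything it recorded as a HAR (HTTP Archive) file. The following script is an added example, not code from the original post: it reads such an export, splits the loaded files into first-party and external hosts, and lists the first-party file names that are worth trying as search pivots. The sample HAR, its hostnames (phish-example.test, cdn.example.net, fonts.example.org) and the `generic` name list are constructed for illustration; only the two image names come from the post.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR as exported from the browser's Network
# tab ("Save all as HAR"). Hostnames are illustrative placeholders; the two
# PNG names are the ones the post later pivots on.
SAMPLE_HAR = json.dumps({
    "log": {
        "entries": [
            {"request": {"url": "http://phish-example.test/"}},
            {"request": {"url": "http://phish-example.test/css/style.css"}},
            {"request": {"url": "http://phish-example.test/img/apple-card-logo.png"}},
            {"request": {"url": "http://phish-example.test/img/search-icon-sm.png"}},
            {"request": {"url": "https://cdn.example.net/bootstrap.min.css"}},
            {"request": {"url": "https://cdn.example.net/bootstrap.min.css"}},  # repeated request
            {"request": {"url": "https://fonts.example.org/font.woff2?v=3"}},
        ]
    }
})


def load_har_urls(har_text):
    """Return the request URLs recorded in a HAR document, in capture order."""
    har = json.loads(har_text)
    return [entry["request"]["url"] for entry in har["log"]["entries"]]


def inventory(har_text, page_host):
    """Group loaded file names by host, split into first-party and external.

    Returns (first_party, external): dicts mapping host -> sorted list of
    file names. Query strings are dropped and requests without a file name
    (for example the page root "/") are skipped.
    """
    first_party = defaultdict(set)
    external = defaultdict(set)
    for url in load_har_urls(har_text):
        parts = urlsplit(url)
        filename = parts.path.rsplit("/", 1)[-1]
        if not filename:
            continue
        bucket = first_party if parts.hostname == page_host else external
        bucket[parts.hostname].add(filename)
    return ({h: sorted(f) for h, f in first_party.items()},
            {h: sorted(f) for h, f in external.items()})


def candidate_pivots(har_text, page_host,
                     generic=("style.css", "index.html", "favicon.ico")):
    """First-party file names that are unusual enough to search on.

    Heuristic: drop names that practically every site uses. The default
    `generic` list is a constructed placeholder; extend it to taste.
    """
    first_party, _ = inventory(har_text, page_host)
    names = {n for files in first_party.values() for n in files}
    return sorted(n for n in names if n not in generic)


if __name__ == "__main__":
    fp, ext = inventory(SAMPLE_HAR, "phish-example.test")
    print("first-party:", fp)
    print("external:", ext)
    print("pivot candidates:", candidate_pivots(SAMPLE_HAR, "phish-example.test"))
```

Run it against a real export by replacing SAMPLE_HAR with the file contents and `page_host` with the phishing site's hostname; the external bucket is also where a kit that pulls assets from a shared CDN or a second attacker-controlled host shows up.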

Hunting Similar URLs

After gathering more information about the website and its assets, we can look for unique file names among the files it loads. With a file name in hand, we can reverse-search URLScan.io for other scanned URLs that loaded the same file. The search syntax for this is filename:"<filename.extension>".

On the website mentioned above, we have a few files that seem unique:

Let’s try to find similar websites that were likely using the same files:

  • With filename:"apple-card-logo.png", we found a similar pattern across URLs that impersonate Apple.

  • With the other file name, filename:"search-icon-sm.png", we found more similar URLs.
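The same filename: pivot can be run through URLScan.io's search API instead of the web UI, which makes it easy to repeat for each candidate file and to defang the results for a report like the list below. The script that follows is an added example, not code from the post or from URLScan.io; it targets the public search endpoint https://urlscan.io/api/v1/search/ with its `q` and `size` parameters and optional `API-Key` header, and reads the `page.url` and `page.domain` fields of each result. The sample response is constructed in that shape (with hosts taken from the post's result list plus the placeholder no-page-object.test), so the offline run needs no network access.

```python
import json
import re
import urllib.parse
import urllib.request

SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"


def build_search_url(filename, size=100):
    """Search URL for a loaded-file pivot, e.g. filename:"apple-card-logo.png"."""
    query = 'filename:"%s"' % filename.replace('"', "")
    return SEARCH_ENDPOINT + "?" + urllib.parse.urlencode({"q": query, "size": size})


def defang(url):
    """Defang a URL the way the post lists them: http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")


def extract_pages(search_response):
    """Return (domain, url) pairs from a URLScan.io search response.

    Each entry of "results" carries a "page" object with the final URL and
    domain of that scan; entries without a usable page object are skipped.
    """
    pages = []
    for result in search_response.get("results", []):
        page = result.get("page") or {}
        if "url" in page and "domain" in page:
            pages.append((page["domain"], page["url"]))
    return pages


def unique_defanged(search_response):
    """Sorted, de-duplicated, defanged page URLs for a report."""
    return sorted({defang(url) for _, url in extract_pages(search_response)})


def search_filename(filename, size=100, api_key=None, timeout=30):
    """Live query against urlscan.io (network call; the sample below avoids it)."""
    req = urllib.request.Request(build_search_url(filename, size))
    if api_key:
        req.add_header("API-Key", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response in the shape of the search API. The first two
# entries are the same page scanned twice; the last one lacks a page object.
SAMPLE_RESPONSE = {
    "results": [
        {"page": {"domain": "apple-clone-by-rebie.netlify.app",
                  "url": "http://apple-clone-by-rebie.netlify.app/"}},
        {"page": {"domain": "apple-clone-by-rebie.netlify.app",
                  "url": "http://apple-clone-by-rebie.netlify.app/"}},
        {"page": {"domain": "sebene27.github.io",
                  "url": "http://sebene27.github.io/apple.com-clone-bootstrap/"}},
        {"page": {"domain": "apple-bootstrap.pages.dev",
                  "url": "https://apple-bootstrap.pages.dev/"}},
        {"task": {"url": "http://no-page-object.test/"}},  # placeholder, no page object
    ],
    "total": 5,
}

if __name__ == "__main__":
    print(build_search_url("apple-card-logo.png"))
    for line in unique_defanged(SAMPLE_RESPONSE):
        print(line)
```

For a live run, call `search_filename("apple-card-logo.png")` and feed the returned dict to `unique_defanged`; results from several pivots can be merged into one set before defanging, which is how a list like the one below is assembled without manual copy-and-paste.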

List of Similar Phishing URLs

hxxp[://]sebene27[.]github[.]io/apple[.]com-clone-bootstrap/
hxxps[://]illustrious-peony-447413[.]netlify[.]app/
hxxp[://]apple-clone-by-rebie[.]netlify[.]app/
hxxps[://]apple-with-bootstrap[.]netlify[.]app/
hxxp[://]golos[.]com[.]ua/
hxxp[://]www[.]wise-cad[.]com/
hxxp[://]samigutema[.]com/
hxxps[://]www[.]samigutema[.]com/
hxxp[://]objective-blackwell-5e79b8[.]netlify[.]app/
hxxps[://]apple-bootstrap[.]pages[.]dev/
hxxp[://]apple-with-bootstrap[.]netlify[.]app/
hxxps[://]www[.]apple-replica-bootstrap[.]naty12[.]com/
hxxp[://]sebene27[.]github[.]io/apple[.]com-clone-bootstrap
hxxp[://]illustrious-peony-447413[.]netlify[.]app/
hxxp[://]kaufman-cad[.]org/
hxxp[://]www[.]apple[.]nikeb13[.]com/
hxxps[://]objective-blackwell-5e79b8[.]netlify[.]app/
hxxps[://]www[.]appleclone[.]eyosiyastibebu[.]com/
hxxp[://]apple-replica-bootstrap[.]naty12[.]com/
hxxps[://]fervent-borg-a88941[.]netlify[.]app/
hxxps[://]showmeexchange[.]com/
hxxp[://]apple-bootstrap[.]pages[.]dev/
hxxps[://]apple-replica-bootstrap[.]naty12[.]com/
hxxps[://]samigutema[.]com/
hxxp[://]fervent-borg-a88941[.]netlify[.]app/
hxxp[://]appleboot[.]netlify[.]app/
hxxp[://]apple[.]nikeb13[.]com/
hxxps[://]www[.]applebootstrap[.]naty12[.]com/
hxxp[://]apple-clone12[.]netlify[.]app/
hxxp[://]downunderleisure[.]co[.]uk/
hxxps[://]www[.]hctax[.]info/
hxxps[://]coverageappple[.]000webhostapp[.]com/
hxxp[://]justonweb[.]be/
hxxps[://]www[.]apple[.]moebios[.]com[.]br/
hxxp[://]hctax[.]info/
hxxps[://]sebene27[.]github[.]io/apple[.]com-clone-bootstrap
hxxps[://]gentle-churros-0eaa63[.]netlify[.]app/
hxxps[://]justonweb[.]be/

Conclusion

In this blog, I have discussed one approach to hunting for similar phishing URLs: pivoting on the file names that phishing sites load. In the next blog, I will cover more approaches to hunting for phishing websites.
