While enterprise tools are powerful, you don't always need a massive budget to find evil. I heavily rely on open-source intelligence (OSINT) to find correlations and context for ongoing phishing campaigns. This guide is designed for beginners or anyone seeking to enhance their pivot skills without incurring significant costs.

Disclaimer: These techniques were developed through random OSINT research to understand infrastructure correlations. The goal here is to demonstrate the methodology of pivoting.

This blog may appeal to individuals who rely heavily on crowd-sourced feed sources for threat hunting, as well as to beginners in the field who prefer not to make significant investments at the start of their careers.

Phase 1: The Spark( Intelligence-Led Hunting)

My curiosity usually starts with reading research from the community. Recently, I was reading a Mandiant article titled Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. It detailed the operations of Scattered Spider (UNC3944), a financially motivated group known for aggressive social engineering.

If you are interested in learning about Scattered Spider’s modus operandi/TTPs, read here.

One section caught my eye: the group's specific patterns for registering phishing domains. [Fig. 1]

Fig. 1: Phishing Domain Registration Pattern mentioned in the blog

I became curious and attempted to search a database of newly registered domains that I had created and managed on my local machine over the previous two years. Similarly, I recall similar domain registration patterns last year that impersonated the "Okta" service and targeted multiple brands.

The Hypothesis

Based on Scattered Spider's history, they often use keywords like help, vpn, sso, and servicenow. However, given their recent campaigns targeting Salesforce customers, I hypothesized they might be shifting focus.

I searched my local NRD database for the keyword "salesforce".

Out of four results, one stood out immediately. On November 22, 2025, the domain salesforce-logs[.]com was registered.

• Hosting IP: 193.143.1.220

• ASN: AS198953 (PROTON66)

This ASN is frequently associated with bulletproof hosting or malicious activity (Ref: ThreatFox), which was my first red flag.

Ref: https://threatfox.abuse.ch/asn/198953

Phase 2: The Pivot (Validin)

Now that we have a suspicious indicator ( salesforce-logs[.]com ), we need to see how deep the rabbit hole goes. This is where ValidIn shines for correlating Passive DNS (pDNS) data.

Upon checking the IP 193.143.1.220 in ValidIn, I noticed a change in ownership around November 27, 2025. More importantly, the IP hosted a cluster of domains following a very specific theme. [Fig. 2]

Fig. 2: Passive DNS of the IP

The adversary wasn't just targeting Salesforce; they were building infrastructure to impersonate email marketing automation platforms such as ActiveCampaign, SendGrid, MailerLite, and ConvertKit.

activecarnpaignes[.]com
activecarnpaigns[.]com
serdgrid[.]com
salesforce-logs[.]com
converts-kits[.]com
mailerlite-logs[.]com

Using ValidIn’s Lookalike feature and with the deduced pattern *-logs.com from the above cluster, the search revealed 24 similar domains, confirming a wider campaign targeting marketing tools:

Fig. 3: Validin Lookalike Feature for *-log.com

mailjet-logs.com
mailchimp-logs.com
mailerlite-logs.com

At this stage, we have successfully mapped the infrastructure. We know what they are building, but we don't yet know how they are using it.

Phase 3: The Context (URLScan.io)

To understand the attack vector without touching the malicious infrastructure directly, we turn to URLScan.io.

We searched for our original suspect: salesforce-logs[.]com.

The "Evasion" Red Flag

You might notice scans redirecting to www.google.com. This is a classic evasion technique. If the phishing kit detects a scanner or a bot (like URLScan's automated browser), it redirects to a benign site (Google) to hide the true phishing page.

Fig. 4: Scans of salesforce-logs[.]com on URLScan

However, some scans succeeded. The results confirmed the domain was hosting a fake Salesforce Marketing Cloud login page.

Whatever we suspected about the uncovered domains is now confirmed. Similarly, we can check individual domains.

In the below example for serdgrid[.]com we have identified the similar pattern, i.e., the phishing page hosted on a subdomain with login keyword.

Finding the Delivery Vector

How is this reaching victims? This is where the Redirects tab in URLScan is a goldmine.

Most of the time, the Redirects tab in the URLScan tells us the story that we are looking for.

By analysing the redirect chain for a related domain (salesforce-logs[.]com), we can reconstruct the narrative. The scan data showed the link was likely delivered via a "Trailhead Account Verification" lure.

Fig. 5: Inspecting Redirects section from URLScan

Similarly, serdgrid[.]com was used to create a fake scenario claiming a "SendGrid API Key was paused due to violations." This creates urgency—a classic social engineering tactic to encourage the user to click and "log in" to the fake platform.

Conclusion

In this hunt, we focused heavily on Passive DNS and Lookalike Domains. These are powerful Indicators of Future Attack (IOFA)—breadcrumbs the adversary leaves behind while building their infrastructure before they launch the first phishing email.

You don't need a million-dollar budget to start. You only need curiosity, a few bookmarkable tools, and the patience to follow the thread when you notice something unusual.

Start with a keyword. Pivot on the IP. Verify the intent. Happy hunting!

The recent surge in job phishing campaigns targeting major platforms like Meta, WhatsApp, and Instagram has raised significant concerns recently. By analysing newly registered domains with keywords such as hire, apply and wajob a pattern of fraudulent activity has been uncovered. These domains, which began appearing in late 2024, are part of a coordinated effort to deceive job seekers by imitating legitimate recruitment processes.

Based on the similarity of such pages it is likely to be associated with the same phishing kit with page title as Meta Pro Support: Facebook and Instagram and Meta .

Another interesting fact of this domains are being registered on Ultahost, Inc.(https://ultahost.com/) and most of the historical domains with similar patterns and live domains are hosted on IP address: 160.30.169[.]150 belongs to Cao Hoang Hai Technology Company Limited(AS152983), a less popular stub AS.

Stealing Facebook Credentials

All of the phishing sites are designed to steal credentials or personally identifiable information (PII) from victims, either through the registration page or the login page.

By utilizing the websocket, the threat actor behind this campaign can track specific victim sessions, making it easier to intercept OTP/2FA codes, which have short validity periods.

The domain under attack, spyder1279[.]blog, was registered in March of this year and is used for WebSocket communication with phishing sites. A quick passive DNS analysis of the IP address 173.46.80[.]222 reveals that two other domains(adevsoftinc[.]com & datacenterprocessing[.]com) are associated with it, likely owned by the threat actor.

Conclusion

This targeted phishing campaign represents a sophisticated and coordinated effort to exploit job seekers' trust in established platforms like Meta, WhatsApp, and Instagram. The registration of domains through a single registrar (Ultahost, Inc.) and their consistent hosting on infrastructure linked to Cao Hoang Hai Technology Company Limited (AS152983) it is likely a well-organized operation rather than disparate opportunistic campaigns.

Several key observations warrant attention from the cybersecurity community:

1. Pattern Recognition: The domain naming conventions consistently leverage trusted brand names (WhatsApp, Messenger) combined with employment-related terms (talent, career, hiring). This deliberate approach exploits the current job market anxiety and candidates' eagerness to find opportunities with prestigious companies.

2. Infrastructure Insights: The concentration of domains on a less popular stub AS and consistent use of the same registrar provides valuable indicators for detection and blocking. The shared infrastructure connecting the phishing sites to spyder1279.blog via WebSocket for real-time credential interception demonstrates technical sophistication beyond basic phishing operations.

3. Evolving Tactics: The implementation of WebSocket technology to track victim sessions and intercept time-sensitive OTP/2FA codes represents an advanced capability that significantly increases the threat actor's success rate against even security-conscious victims.

Community Note

• Implement domain blocking for the identified patterns, particularly those featuring combinations of "wa," "messenger," "apply," "hire," and "job" with recently registered domains

• Monitor for traffic to the identified command-and-control domains, especially spyder1279.blog, adevsoftinc.com, and datacenterprocessing.com for further activities or associations

This research will be updated as new information becomes available.

There are various ways to detect phishing campaigns. By monitoring the certificate transparency logs and based on typosquatting domain names[based on a brand-specific keyword] in the domains from the logs, sometimes we can co-relate phishing sites based on the Site Title, Rendered Text, or Screenshot similarities (computer vision hash). But in this blog, I will talk about how we can also find similar phishing sites for ongoing phishing campaigns with the help of the unique filenames used.

This process might not be the standered way to detect asimilar phishing sites for some specific instances . It is advised you can always improvise your detection techniques/methods based on the situation!

Finding an Active Phishing Link

All we need is an active phishing link before we hunt down the ongoing phishing campaign associated with the phishing site. We can get active phishing kits through Twitter searches and various open-source data feeds.

Twitter Searches

Getting active and recent phishing URLs from Twitter searches is easy. For example, we can go to twitter.com > Explore and search the following hashtags: #phishing / #phishingurl / #scam, or simply search those mentioned keywords without the hashtags.

Also, the infosec community has awesome folks who help by tweeting the newly detected phishing URLs to the community. We can grab any active phishing links from their Twitter feeds. Following is the list of the Twitter accounts:

• @noladefense

• @PhishKitTracker

• @JCyberSec_

Open Data Feeds

We can also collect the active phishing URL from any one of the following data feeds:

• PhishTank

• TweetFeed

• OpenPhish

• Phishing.Database

• ThreatMiner

Let’s the Hunt Begin

I have found one interesting phishing site from Noladefense( Unfortunately the account got suspended)

Noladefense Tweet of Phishing Site

The phishing domains 365-irlnotification[.]com is impersonating the login page of the Bank of Netherlands, which is definitely to steal the credentials from their customers.

---

Interestingly this phishing website is using cookies and google analystics to track the victim’s acitivity which is not new. So, I don’t want to distract myself by digging deep about the functionality of this phishing website.

Find the Unique Asset/Filename of the Phishing Websites

There are ways you can find out the file/assets are being used by any website, but the only straightforward way to open the Developer Tool[ctrl+shift+i] and go to the network tab. This way, we can find the names of the resources while loading the website in the browser.

Following the process above, while loading the phishing site in the browser[chromium-based], we will get the filenames. Identifying specific filenames from the noise of the resources/network traffic will take some time, though there are a few points we can keep in mind:

1. Firstly, if image/video/mp3 files are present, note their filenames.

2. Based on the behavior of the phishing site, sometimes JS files or CSS files can be taken as the unique filename.

Unique Files from the Phishing Site

In this case of the phishing site, we can identify a few image file names to be unique:

- boi_logo_grey.svg
- map-marker-white-icon.svg
- more-prelogin-icon.svg
- logo-blue-text.png
- powered_by_logo.svg

Finding Similar Phishing Site URLs

After identifying the filename, we can start hunting similar phishing site URLs via URLScan.io [Website scanner for suspicious and malicious URLs, but we can scan any URL]. We will be leveraging the search endpoint to search the filenames we have. The query for searching any file is : filename: "filename.ext".

After searching the image file: boi_logo_grey.svg, we have found more than 1000+ URLs, some of which are duplicates and old ones.

[Updated] Removing Flase Positive from the Obtained Result

Despite having websites with similar patterns URLs, we can still differentiate them by filtering out results based on other queries such as the filename and hash value. We can obtain the hash value of a scanned URL by clicking on the “+” button on the right side of the file we want to get the hash value from, located in the result section of the URL scan tab.

Once we get the hash value for the file of our interest then we can create the final query: filename:"boi_logo_grey.svg" AND hash:13300feda859b998be4625203d06747c5313e87c566dcee605a316c24a79bbe5 to get the filtered out results.

Thanks to Roberto Martinez for sharing this valuable feedback, to add the hash value of the file, after posting this blog on LinkedIn.

Conclusion

I shared my thoughts on how to hunt similar phishing sites without analyzing their phishing kit. Through my experience, I have found that this method can help us locate phishing sites that may be using the same kit. Additionally, it is possible to uncover phishing sites that use assets from different kits using this approach.

In the previous part of this blog series, we learned about the structure of phishing websites, which can aid us in identifying similar phishing websites. In this part, we will focus on identifying similar phishing websites from a single phishing website. We will utilize a community-based platform, URLScan.io, to hunt down identical phishing URLs.

The Phishing URL

To begin the hunting game, we require an active phishing URL as our starting point. There are numerous ways to obtain a live phishing URL, but I usually search the latest Twitter feed using the #phishing or #scam hashtags. Victims or recipients of phishing/suspicious URLs share screenshots when they receive such links, and one of the benefits of this is that we get to see the distribution medium of the phishing link. While browsing through the Twitter feed, I promptly identified a URL via @CriminalIP’s Twitter account, and it turned out to be an Apple Phishing Page, as indicated in the post.

CriminalIP’s Twitter post

The suspicious link mentioned in the post is http://apple-clone-by-rebie[.]netlify[.]app, fortunately, it was active while writing this blog.

Analysis of the URL

Once we have the URL to analyze it and get the necessary information, we can scan it on URLscan.io or do it ourselves(manually with the browser). Here, we will do it in both ways.

Scan with URLScan.io

URLScan.io is one of the best tools for scanning any URL. It helps us to extract all the associates and entities. Like from WHOIS records and screenshots of the webpage, including IP address and passive DNS data of the URL.

Steps to Scan a URL in URLScan.io:

• Go to the urlscan.io and paste the URL that needs to be scanned in the URL to scan box. Click on the Public Scan button to scan it.

  

• Once the scan is complete, a page displaying the summary of all HTTP requests, external links, redirect behaviors, and a screenshot of the webpage will load. The Phishing URL result can be shown here: https://urlscan.io/result/f0972c72-2948-4f08-9d1b-4f91bb1a6d1b

  

Scanning URLs and checking results are hassle-free, so if you are starting with phishing URL hunting, this platform will greatly help you. Also, I am planning to write a dedicated blog on Hunting with URLScan.io.

Analyzing Manually

We can also find more information about the phishing website if we open the URL using a local browser.

PS: It is always advisable to open phishing sites in a temp browser or maintain proper OPSEC.

Most of the time, I always open the Network tab from the browser’s Developer Tools[Ctrl+Shit+i] before I open any phishing URL in the local browser to get network traffic visibility.

Now we can have more information about the phishing URL, like what the files loaded and their names or if any particular files are getting loaded from the other external links.

Hunting Similar URLs

After getting more information about the websites and the assets, we can search for unique file names that are getting loaded. With the file, we can reverse-search other URLs in URLScan.io. The syntax for searching URLs is based on its file: filename:”<filename.extnsion>”.

On the website mentioned above, we have a few files that seem unique:

Let’s try to find similar websites that were likely using the same files:

• With filename:"apple-card-logo.png", we have found similar patterns in URLs that impersonate Apple

• And with the other file name, filename:"search-icon-sm.png"We have found more similar URLs

  

List of Similar Phishing URLs

Conclusion

In this blog, I have discussed one of the approaches to how we can hunt for similar phishing URLs based on filenames used by phishing sites. In the next blog, I will write about more approaches to hunting for phishing websites.

In this blog series, I share various ways to hunt phishing URLs [which may sometimes be malicious URLs, too]. Before tracking such URLs, it is always better to understand how phishing works in the real world, which includes creating phishing websites and deploying them in the wild using various ways.

In the first blog post, we’ll understand the process of deploying a phishing website through the lens of an actor, gaining insights into the various components of phishing sites.

Launch of A Phishing Campaign

Deploying a phishing website starts with choosing a target of interest. Sometimes, actors also select targets based on the current trends in the industry. For example, a famous company is launching a new product for free, or some brands are offering discounts during some festival season. Once finalized, the target actors started with the phishing site development, which looks relevant in the contexts above.

So let’s see the other most essential segments:

• Website Assets: The website resources encompass elements such as the replicated login page of the target, comprising HTML, JS, CSS, PHP, image, GIF, and video files that contribute to mimicking the appearance of the cloned site. In most cases, actors download used assets from the legitimate page of the specified target and manually create clon pages.

• Domain Registration: Domain registration is another creative task for actors to decide which domain names suit based on the target, product, and trend. Most of the time, actors go with typo-squatted domain names. Often, they buy free, cheap TLDs to save some bucks.

• Picking a Hosting Provider: The most crucial part of the process is to choose the right hosting provider with fewer regulations and shady operations. Such a lack of ordinance will help the phishing sites longer than the regulated ones. In this case, they wisely choose freemium services to host the cloned page. Some famous freemium services are Cloudflare free hosting services(Pages), Firebase free hosting services including Webohsot, and many others. But it is hard to bet that actors are always looking for relatively new, free alternative services to stay out of the radar of detection engines.

• Distribution Mediums: The final stage involves creating a distribution plan, where the actors decide the distribution medium of the phishing URLs. The primary distribution methods are SMS and Email, but actors may also use SEO poisoning techniques to disseminate these URLs through various search engines. Recently, ads through social media platforms such as Facebook, Instagram, and Twitter have also become popular.

Entities of A Phishing Website

The following are some entities of a phishing website, which are extremely useful in hunting similar websites, which will be discussed later in this blog:

• URL: This is one of the first indicators of any phishing website to notice. It helps us identify the pattern, which eventually aids us in finding other similar phishing sites.

• Site Title: The site title in phishing websites can be crucial if unique or peculiar because it helps us uncover similar phishing sites.

• DOM: Document Object Model cross-platform and language-independent interface that treats an HTML or XML document as a tree structure wherein each node is an object representing a part of the document.

• Assets: Assets have been used to design particular sites. They could be a single logo, favicon or background image video, GIFs, or other files. In this case, the unique file names are an essential indicator of finding similar phishing websites.

Phishing Kit

A Phishing Kit is a collection of tools, and resources used to create phishing websites or emails that impersonate legitimate ones. In a simple word, this is nothing but the file/assets required to create the phishing website. Phishing kits are the main weapon of any actor or group of actors to launch phishing campaigns fast and effectively.

Conclusion

This section is intended for beginners to understand the structure of a phishing website and why certain entities are used when hunting them. In the next part of the blog, we will write about “Hunting Similar Phishing URLs in the Wild.”

Over the weekend, while leisurely browsing the internet, I came across a unique and suspicious link designed specifically for an Indonesian audience. This scam had a fresh approach that piqued my curiosity, prompting me to investigate further.

As I delved into the fraudulent website, I uncovered additional templates resembling WhatsApp Group Invitations, which ultimately served as a disguise for stealing people’s Facebook login credentials. What made this even more alarming was the content shared within these WhatsApp groups, as they were primarily centred around the distribution of viral and explicit adult videos.

In this blog, I’ll discuss my methods for thoroughly investigating a scam campaign, starting from the very basics. Along the course of this campaign, I also came across the phishing kit that had been utilized.

The Phishing Page

I uncovere this phishing page while surfing through a Telegram Channel. It was impersonating the WhatsApp Group Invitation Page which was focused on sharing sharing viral and explicit adult content[Fig. 1].

Phishing URL: hxxps://chatwpscpij.terbaru-2023[.]com/Faxt16jOoXfq6

Fig.1 impersonating whatsapp group invite focused on sharing viral and explicit adult content

Since all the content was written in the Indonesian language, it was clearly targeted towards the Indonesian people. Upon clicking the “Bergabung Ke Chat” or “Join the Chat” button, it redirected to a Facebook login page, prompting users to enter their login credentials and loaded go.<kbd>php</kbd> file.

Since all the content was written in the Indonesian language, it was clearly targeted towards the Indonesian people. Upon clicking the “Bergabung Ke Chat” or “Join the Chat” button, it redirected to a Facebook login page, prompting users to enter their login credentials and loaded go.php file.

Since all the content was written in the Indonesian language, it was clearly targeted towards the Indonesian people. Upon clicking the “Bergabung Ke Chat” or “Join the Chat” button, it redirected to a Facebook login page, prompting users to enter their login credentials and loaded go.php file.

Fig 2: Clonned Facebook Login Page: go.php

When attempting to enter random credentials and clicking the Login button, it triggered the execution of the check.php file on the backend, resulting in a blank page but internally taking the data and saving it to a data.json file[got the filename later when I discovered the phishing-kit for the same template].

Fig 3: stealing credentials via check.php execution

Fig 4: check.php file which steals credentials from the phishing-kit

Discovering the Phishing Kit

After exhaustively exploring various methodologies and inspecting the endpoint that led to a blank page, it initially appeared to be a dead end. However, my determination led me to explore alternative methods to gather more information about the phishing domain. During one of these methods, where I attempted to gather information about the certificates associated with the phishing domain, I conducted a search on crt.sh. To my surprise, this search revealed the existence of additional subdomains linked to the phishing domain through their SSL certificates. One of the previously mentioned subdomains inadvertently exposed the phishing kit.

Fig 5: Certificate Transparency log for the phishing domain

Fig 5.1: Exposed phishing-kit from one of the subdomains

Workflow of the Phishing Kit

Upon downloading and thoroughly analyzing this phishing kit, the entire workflow of the phishing template became clear and comprehensible.

Fig 6: complete workflow of the phishing-kit

In the final stages of examining the entire workflow, I made a crucial discovery when inspecting the last executed file, wana.php. It became evident that all the collected credentials were sent to a different endpoint, as depicted in Figure 7. As I investigated the remote host server, I found a message in Indonesian that read: “Mau Nyolong? wkwkkwkw” (translated to English as “Want to Steal? hahahaha”), conveying a sense of trolling or mockery from the threat actor behind this campaign .See the Fig 8.

Fig 7: Victim’s Credentials were exfiltrated to a different server

Fig 8: The TA being a troll 😛

What makes this situation particularly intriguing is that, upon examining the source code, it becomes apparent that the scammer or group of scammers responsible for this campaign lacks technical sophistication. This is evidenced by the fact that they have hardcoded a few Gmail addresses and making it possible for anyone to access victim data simply by reviewing the source code[Fig 9]. Upon inspecting the active phishing sites, it appears that there hasn’t been a significant number of victims so far. This suggests that the campaign may have only recently begun, and its impact has been limited thus far[Fig 10]

Similar Phishing Site Hosted on the Same Domain

During the writing of this blog, I came across several more phishing websites hosted on the same domain, all of which were actively engaged in similar phishing activities. These websites appeared to follow a similar workflow but utilized different phishing-kit templates, indicating a coordinated effort by the scammers to target victims using multiple variations of their scam.

Phishing Domains

hxxps://grup-warxik.terbaru-2023[.]com/vhsfhqpdhdxih1
hxxps://grup-wakcor.terbaru-2023[.]com/vhsfhqpdhdxih1

Additionally, I encountered another type of phishing website that employs a different tactic to lure victims by impersonating Mediafire brand. This website tricks users into divulging their Facebook credentials under the false pretense of granting access to download viral adult content videos. It’s evident that these scammers are employing various deceptive strategies to steal sensitive information from unsuspecting individuals.

Another Phishing Domain

hxxps://mediafirejeryghx.terbaru-2023[.]com/Faxt16jOoXfq6

Additional Findings

While having a conversation with the founder(Bradley Kemp) of phish.report about this canmpaign he shared me some insights on how we can track more similar website, using the tool IOK(which is based on URLScan.io API query) by phish.report.

By utilizing URLScan.io and inputting a filename from the phishing kit, we can hunt additional similar phishing URLs from the platform.

While having a conversation with the founder(Bradley Kemp) of phish.report about this canmpaign he shared me some insights on how we can track more similar website, using the tool IOK(which is based on URLScan.io API query) by phish.report.

By utilizing URLScan.io and inputting a filename from the phishing kit, we can hunt additional similar phishing URLs from the platform.

Query URL: https://urlscan.io/search/#filename:%2220230920-195253.png%2

filename:"20230920-195253.png"

Screenshot from URLScan.io of similar phishing sites using the same image file from a phishing-kit

Conclusion

Indeed, it is observed that scammers are employing various techniques to lure victims, but their ultimate goal remains straightforward: stealing social media credentials. This campaign has illustrated that scammers can impersonate not just Facebook but potentially any other social media platform, using different templates. It emphasizes the need for heightened vigilance when clicking on shared links in WhatsApp groups or Telegram channels. Furthermore, we must be conscious of when and where we provide our login credentials to protect ourselves from falling victim to these scams.

In closing, I encourage you to share this blog with others to spread awareness about these phishing campaigns and the importance of online security. For threat hunters and cyber threat researchers, this might serve as a valuable starting point in uncovering and addressing other phishing campaigns lurking in the digital landscape. Your contributions to our collective online safety are greatly appreciated.

FeedbackYour feedback is invaluable, so please connect with me on Twitter to share your thoughts and insights. Together, we can help protect ourselves and our online communities from cyber threats.