Fighting phishing (aka “Phight”) is not an easy task: you need to detect a campaign before you can start to dismantle it. Compare it to a race: the faster you detect a campaign, the faster you can start its takedown!
We created StalkPhish with this idea in mind: to be fast and accurate. Fast, because StalkPhish can feed itself from several data sources to deliver real-time data. Accurate, because you can use StalkPhish to search for specific patterns, patterns that define the searched threat (here, phishing pages) as precisely as possible.
Moreover, StalkPhish was created in order to gain a better understanding of the threat. Knowing the threat better allows for better detection.
This is why StalkPhish can download the sources of the phishing kit – if it still exists on the server – giving the analyst a better understanding of the phishing kit.
What is specific to the searched kit
Let’s take the example of the Fudsender LinkedIn phishing kit that we have previously analyzed (see: https://stalkphish.com/2022/07/28/linkedin-phishing-kit-targeting-chinese-users-an-analysis/). To summarize, this kit targets Chinese-speaking LinkedIn users.

First, as we saw previously, this particular phishing kit uses a specific directory name/path: “LiinkedInhardest/900“

This information can be used to search for deployment traces of this kit in various OSINT data sources (StalkPhish.io, Urlscan.io, phishtank.org, …).
For example, here is the result of a search for the string “LiinkedInhardest” using the URL endpoint of the StalkPhish API:

We have just defined a detection mechanism based on a string search, using a string specific to this phishing kit. Do the same for other kits or URLs, and you will increase your detection capability.
Pivoting, pivoting, pivoting…
As seen in the last screenshot, the string we used for the search (‘LiinkedInhardest‘) is _always_ followed by another string: ‘/900‘
What if we were to look for another string, such as ‘hardest/900‘?

We can then observe that the same type of path exists for other brands, particularly used in China: Netease and 263.
This may mean that the same phishing kit base is being used to target these different brands and that these campaigns may be run by the same group or individual.
In the same way, we can also pivot on the previously revealed email address, using the email endpoint of StalkPhish.io API:

… But we can only see that this address is used in the LinkedIn campaign we already know.
In the same way, we could pivot on the title of the page, IP addresses, and so on, to better understand the threat and the attackers.
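To make the three pivots above concrete, here is an added example (not StalkPhish code, and it does not call the StalkPhish.io API): it runs the same string search, path-suffix pivot and e-mail pivot over a handful of constructed OSINT-style hits. The hostnames are made up; only the kit path strings and the e-mail address come from this article.

```python
import re
from urllib.parse import urlparse

# Constructed sample hits (made-up hosts under .test), shaped like the
# url / page-title / email fields an OSINT source returns. Not real data.
SAMPLE_HITS = [
    {"url": "http://host-a.test/LiinkedInhardest/900/index.php",
     "title": "LinkedIn", "email": "danwoodlogz[@]gmail.com"},
    {"url": "http://host-b.test/LiinkedInhardest/900/",
     "title": "LinkedIn", "email": "danwoodlogz[@]gmail.com"},
    {"url": "http://host-c.test/neteasehardest/900/login.php",
     "title": "网易企业邮箱 – 登录入口", "email": None},
    {"url": "http://host-d.test/263hardest/900/",
     "title": "263", "email": None},
    {"url": "http://host-e.test/harvest/2022/",
     "title": "unrelated", "email": None},
]

# Kit path convention observed in the article: "<brand>hardest/900/".
KIT_PATH_RE = re.compile(r"/([A-Za-z0-9]+)hardest/900/")


def search_urls(hits, needle):
    """Step 1: plain substring search (e.g. 'LiinkedInhardest'); returns matching hosts."""
    return sorted({urlparse(h["url"]).hostname for h in hits if needle in h["url"]})


def pivot_on_path(hits):
    """Step 2: pivot on the shared suffix 'hardest/900/' and group hosts by brand prefix."""
    by_brand = {}
    for h in hits:
        parsed = urlparse(h["url"])
        m = KIT_PATH_RE.search(parsed.path)
        if m:
            by_brand.setdefault(m.group(1), []).append(parsed.hostname)
    return by_brand


def pivot_on_email(hits, email):
    """Step 3: pivot on a contact e-mail recovered from the kit; returns hosts using it."""
    return sorted({urlparse(h["url"]).hostname for h in hits if h.get("email") == email})


if __name__ == "__main__":
    print(search_urls(SAMPLE_HITS, "LiinkedInhardest"))
    print(pivot_on_path(SAMPLE_HITS))
    print(pivot_on_email(SAMPLE_HITS, "danwoodlogz[@]gmail.com"))
```

The brand prefix returned by `pivot_on_path` is what reveals the Netease and 263 deployments that the LinkedIn-only search misses.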
IOCs
From this we can determine IOCs to describe the threat:
String: “hardest/900/“
String: “LiinkedInhardest“
Page Title: “网易企业邮箱 – 登录入口“
Email address: “danwoodlogz[@]gmail.com“
Follow us!
We hope that this article will give you a better understanding of how to search for phishing pages in order to improve your detection systems for takedown or investigation.
You can sign up for free on our phishing detection/investigation platform Stalkphish.io.
You can find more blog posts on our dedicated page: https://stalkphish.com/blog-feed/
You can also follow our information on Twitter or LinkedIn, where we share knowledge and data about phishing.