[Use case] Hunting for phishing pages


Fighting phishing (aka “Phight”) is not an easy task: you need to detect a campaign before you can start to dismantle it. You can compare that to a race: the faster you detect a campaign, the faster you can start to take it down!

We created StalkPhish with this idea in mind: to be fast and accurate. Fast because StalkPhish can feed itself from several data sources and deliver real-time data. Accurate because you can use StalkPhish to search for specific patterns, patterns that define the searched threat, here phishing pages, as precisely as possible.


Moreover, StalkPhish was created in order to gain a better understanding of the threat. Knowing the threat better allows for better detection.

This is why StalkPhish can download the sources of the phishing kit (if they still exist on the server), giving the analyst a better understanding of the phishing kit.

What is specific to the searched kit

Let’s take the example of the Fudsender LinkedIn phishing kit that we analyzed previously (see: https://stalkphish.com/2022/07/28/linkedin-phishing-kit-targeting-chinese-users-an-analysis/). To summarize, this kit targets Chinese-speaking LinkedIn users.

First, as we saw previously, this particular phishing kit uses a specific directory name/path: “LiinkedInhardest/900”.

Fudsender LinkedIn phishing kit zip file


This information can be used to search for deployment traces of this kit in various OSINT data sources (StalkPhish.io, Urlscan.io, phishtank.org, …).

For example, here is the result of a search for the string “LiinkedInhardest” using the URL endpoint of the StalkPhish API:

StalkPhish.io extraction

We have just defined a detection mechanism based on a string search, using a string specific to this phishing kit. Do the same for other kits or URLs, and you will increase your detection capacity.

Pivoting, pivoting, pivoting…

As seen in the last screenshot, the string we used for the search (“LiinkedInhardest”) is _always_ followed by another string: “/900”.

What if we were to search for another string, such as “hardest/900”?

Extend search

We can then observe that the same type of path exists for other brands, particularly ones used in China: Netease and 263.

This may mean that the same phishing kit base is being used to target these different brands and that these campaigns may be run by the same group or individual.
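The pivot described above, from the brand-specific string to the shared “hardest/900/” tail, can be reproduced on any list of URLs you pull from an OSINT source. The following is an added example, not StalkPhish code: it runs over constructed sample records (the hostnames and URLs are made up, only the path signature and the page title come from this article), flags URLs carrying the kit’s directory signature, and groups them by the brand prefix found in front of it.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records in the shape of a URL-search result (hostnames are invented).
SAMPLE_RESULTS = [
    {"url": "http://example-a.test/LiinkedInhardest/900/index.php", "title": "LinkedIn"},
    {"url": "http://example-b.test/neteasehardest/900/login.php", "title": "网易企业邮箱 – 登录入口"},
    {"url": "http://example-c.test/263hardest/900/", "title": "263 企业邮箱"},
    {"url": "http://example-d.test/shop/cart.php", "title": "Shop"},
    {"url": "http://example-e.test/LiinkedInhardest/900/", "title": "LinkedIn"},
]

# The brand part before "hardest/900/" varies per campaign; the tail is the shared kit signature.
KIT_PATH_RE = re.compile(r"/([A-Za-z0-9]+?)hardest/900/", re.IGNORECASE)

# Page-title IOC quoted in the article (Netease enterprise mail login page).
TITLE_IOCS = {"网易企业邮箱 – 登录入口"}


def match_kit_path(url):
    """Return the brand prefix if the URL path carries the kit signature, else None."""
    match = KIT_PATH_RE.search(urlparse(url).path)
    return match.group(1) if match else None


def match_title(title):
    """True when the page title is one of the known IOC titles."""
    return title.strip() in TITLE_IOCS


def pivot_by_brand(results):
    """Group URLs carrying the kit signature by the (lower-cased) brand prefix in their path."""
    groups = defaultdict(list)
    for record in results:
        brand = match_kit_path(record["url"])
        if brand is not None:
            groups[brand.lower()].append(record["url"])
    return dict(groups)


def flagged_records(results):
    """Records that hit either indicator; each gets the list of indicator names that matched."""
    flagged = []
    for record in results:
        hits = []
        if match_kit_path(record["url"]):
            hits.append("path:hardest/900/")
        if match_title(record["title"]):
            hits.append("title")
        if hits:
            flagged.append({"url": record["url"], "hits": hits})
    return flagged


if __name__ == "__main__":
    for brand, urls in pivot_by_brand(SAMPLE_RESULTS).items():
        print(brand, len(urls), urls)
```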

In the same way, we can also pivot on the previously revealed email address, using the email endpoint of the StalkPhish.io API:

Pivoting on email address

… But we can only see that this address is used in the LinkedIn campaign we already know about.

In the same way, we could pivot on the title of the page, IP addresses, and so on, to better understand the threat and the attackers.

IOCs

From this we can determine IOCs to describe the threat:

String: “hardest/900/”

String: “LiinkedInhardest”

Page Title: “网易企业邮箱 – 登录入口”

Email address: “danwoodlogz[@]gmail.com”

Follow us!

We hope that this article will give you a better understanding of how to search for phishing pages in order to improve your detection systems for takedown or investigation.

You can sign up for free on our phishing detection/investigation platform, Stalkphish.io.

You can find more blog posts on our dedicated page: https://stalkphish.com/blog-feed/

You can also follow our information on Twitter or LinkedIn, where we share knowledge and data about phishing.
