What can be learned from a phishing domain

Ferhat Dikbiyik
Jul 9, 2019


What information can we learn from a phishing domain? Can we identify the threat actor behind the phishing scam? By tracking and investigating one phishing domain, can we find other phishing domains in operation, or, even better, in preparation? I try to answer those questions in this article with some case studies. I avoid complicated forensic tools: the techniques used here to track and investigate phishing domains are open source and simple for anyone to use. Enjoy!

Photo by Lum3n.com from Pexels

What is phishing?

Before we dive into the case studies, it is important to define phishing attacks. If you already know what they are and do not want to read these definitions, you can skip this section.

Anatomy of a phishing attack

Phishing attacks are a common way for hackers to steal critical information such as login credentials, credit card details, personally identifiable information (PII), etc., or to get malware onto the target’s computer. Hackers usually disseminate the link to their phishing domain through e-mails.

A sponsored tweet that is shared for a phishing scam using Musk’s name

Phishing domains are copycats of legitimate sites such as banks, e-commerce sites, etc. Once the victim enters his/her login credentials or other important information, s/he is redirected from the doppelgänger to the legitimate site.

Phishing domains are exploited to target not only employees but also customers. Even though companies cannot be directly held responsible for customers deceived by phishing scams, it is a loss of reputation when a company does not take necessary measures.

Name-blending (look-alike) phishing domains often swap easily-confused letters (“u” and “v” or “t” and “f”) and/or put additional characters in the domain (ex-ample.com for example.com). These typo-squatting techniques are quite effective for attackers. Today, phishing domains even have valid SSL or TLS certificates to lure their targets.

In the past, we usually saw phishing e-mails that carried malware as an attachment. Advanced e-mail filters usually won’t let these e-mails through, so hackers have evolved their techniques, using malware-less attacks and social media posts instead of e-mails.

FireEye found that 90% of e-mail attacks are malware-less (81% of them being phishing attacks) by analyzing over half a billion e-mails sent in the first half of 2018.

Image courtesy: https://www.helpnetsecurity.com/2018/09/14/malware-less-email-attacks/

How to search for phishing domains

It is very difficult for a company to search the entire web and identify a phishing domain that may target its employees and customers, but certain tools can be used for that purpose, such as NormShield’s Free Phishing Domain Search. There are also Python scripts that generate domain names which could be used for phishing and check whether they exist.
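As an added example (not the author’s code or any of the tools named above), the script below does what such a generator does: it builds look-alike variants of a brand domain using the three mutation families this article mentions (confusable-letter swaps, an inserted hyphen, a dropped letter) and reports which variants resolve. The resolver is injectable, so it can run offline against a constructed lookup table; the extra confusable pairs beyond “u/v” and “t/f” are assumed additions.

```python
import socket
from typing import Callable, Dict, Optional, Set

# Letter pairs that are easy to confuse on screen. The "u"/"v" and "t"/"f"
# swaps come from the article; the remaining pairs are assumed additions.
CONFUSABLE = {"u": "v", "v": "u", "t": "f", "f": "t", "l": "1", "o": "0", "m": "rn"}


def lookalike_candidates(domain: str) -> Set[str]:
    """Return look-alike variants of a `label.tld` domain (e.g. example.com).

    Three mutation families are generated: swapping one confusable letter,
    inserting a hyphen (ex-ample.com), and dropping one letter
    (turkiyefinas.com for turkiyefinans.com). The input itself is excluded.
    """
    label, _, tld = domain.lower().partition(".")
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        if ch in CONFUSABLE:                       # one swap per variant
            variants.add(f"{label[:i]}{CONFUSABLE[ch]}{label[i + 1:]}.{tld}")
    for i in range(1, len(label)):                 # hyphen between two letters
        variants.add(f"{label[:i]}-{label[i:]}.{tld}")
    for i in range(len(label)):                    # one letter omitted
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    variants.discard(domain.lower())
    return variants


def dns_resolver(name: str) -> Optional[str]:
    """Default resolver: first A record of `name`, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_registered(domain: str,
                    resolver: Callable[[str], Optional[str]] = dns_resolver) -> Dict[str, str]:
    """Map every look-alike candidate that resolves to the IP it resolves to.

    `resolver` is a plain callable so the function can be tested offline
    (and swapped for a passive-DNS lookup if you have one).
    """
    hits: Dict[str, str] = {}
    for candidate in sorted(lookalike_candidates(domain)):
        ip = resolver(candidate)
        if ip:
            hits[candidate] = ip
    return hits


if __name__ == "__main__":
    # Live run: resolves every variant of the domain given here via system DNS.
    for name, ip in find_registered("example.com").items():
        print(f"{name} -> {ip}")
```

A resolving candidate is only a lead, not a verdict: some resolvers and some TLD registries answer every query with a parking or sinkhole address, so each hit still needs a look at the site and its passive DNS history.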

If you are searching for phishing domains embedded in social media posts like sponsored tweets, it is rather difficult. Let’s take Twitter as our target social media platform (note that Twitter is the most common social media platform for such phishing attacks). Twitter Advanced Search does not allow you to filter out sponsored tweets.

Here are some characteristics of tweets used for phishing scams:

  • Always include a link (to a phishing domain)
  • Always include an image
  • Often overpromise something that lures victims to click on the link
  • Quickly detected by the crowd and flagged by them in the comments (Hurray crowdsource!!)

You can use these characteristics to search for phishing tweets. The last one in particular may help you a lot, though it may be region-specific. For instance, in Turkey, when Twitter users see a phishing scammer’s tweet, they usually write one of the following phrases in the comment section while tagging the Turkish Police’s Twitter account: dolandırıcı (fraud), “sakın tıklamayın” (don’t click), sahte (fake), and so on.

Searching for phishing tweets with advanced search

Investigating the phishing domains

Phishing domains can be investigated with basic open-source intelligence (OSINT) tools. This investigation can give hints about who is behind the phishing attacks or help you identify new phishing domains.

An article that investigates the threat actors behind the Elon Musk phishing scam ends with the name of a person who may be behind the attack. Here, we will investigate three different phishing attacks disseminated through hacked Twitter accounts and targeting Turkish citizens.

Case Studies

Phishing domains sharing the same IP address

The first case study involves a phishing domain that impersonates the website of Turkcell, one of the major telecom operators in Turkey.

Phishing posts for Turkcell

The phishing social media posts promise a free 8 GB data package. When you click on the link, it takes you to the domain turkcellcep[.]tk. It is important to note that domains with the .tk extension are among the most preferred for phishing attacks that target Turkish people. On the website, if you click on the yellow buttons, an .apk file is downloaded to your device. I uploaded the file to VirusTotal and 22 engines detected the file as spyware.

Phishing domain and the result of malware analysis on VirusTotal

For my investigation, the first thing I did was find the IP address of the domain, which can be done with the whois, dig or nslookup commands, or with many websites (just search for “IP for a domain”).

Dig query for the phishing domain

If the domain is not active, you have to search passive DNS to see which IP address was used for this domain in the past. For that, you can use websites such as the Mnemonic Passive DNS search engine, Robtex.com, SecurityTrails.com, HackerTarget.com, Cymon.io, and VirusTotal.

Once I had the IP address (181.174.165.164 in this case), I could check whether it appears on blacklists, i.e. whether it has been reported before. Besides Cymon.io and VirusTotal, NormShield’s Free IP BlackList Search can also be used. Here I see that 181.174.165.164 is indeed listed as blacklisted by a few databases.

Results for 181.174.165.164 on NormShield IP Blacklist Search

While investigating a phishing domain, it is important to check the other domains resolving to the same IP address. Shared hosting allows one IP address to be used by multiple domains, and if you see a phishing domain resolving to an IP address, you can be sure that there are other phishing domains at the same IP address. You can list the domains sharing an IP address with SecurityTrails.com, Cymon.io, VirusTotal, and many other internet-wide scanners.

If we check this IP address on VirusTotal, we can see other domains. One of them, yapidabahar[.]com, sounds like a phishing domain to me because of its name. It can be translated as “Spring in Yapi”, where the word yapi sounds like YapiKredi, one of the major banks in Turkey. The domain name is perfect if you use a spring campaign to lure people to the phishing domain.
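The IP pivot above (phishing domain, then its IP, then every other domain on that IP, then a look at which of those names smell like a brand) can be scripted. The block below is an added example, not the author’s code: the reverse-IP listing and the blacklist feeds are constructed stand-ins for what VirusTotal or SecurityTrails would return, the brand term list and the risky-TLD set are assumed, and the only real technique is the ranking, which folds Turkish characters (ı, ş, ç) so that “Yapı” and “yapi” compare equal before matching brand terms.

```python
import unicodedata
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for a reverse-IP lookup and for IP blacklist feeds.
REVERSE_IP: Dict[str, List[str]] = {
    "181.174.165.164": ["turkcellcep.tk", "yapidabahar.com",
                        "shop-example.net", "blog-example.org"],
}
BLACKLISTS: Dict[str, Set[str]] = {   # feed name -> IPs listed (constructed)
    "feed-a": {"181.174.165.164"},
    "feed-b": {"181.174.165.164", "203.0.113.7"},
}
# Brand terms for the organisations discussed in the article (assumed list).
BRAND_TERMS = ["turkcell", "yapikredi", "yapi", "isbank", "halkbank",
               "turkiyefinans", "edevlet"]
# .tk and .cf appear in the article; the other free TLDs are assumed siblings.
RISKY_TLDS = {"tk", "cf", "ml", "ga", "gq"}


def fold(text: str) -> str:
    """Lower-case and strip diacritics so 'Yapı Kredi' folds to 'yapi kredi'."""
    text = text.lower().replace("ı", "i")        # dotless i has no decomposition
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Heuristic triage score for one domain, with the reasons behind it."""
    reasons: List[str] = []
    label, _, tld = domain.lower().rpartition(".")
    label = fold(label).replace("-", "").replace(".", "")
    for term in BRAND_TERMS:                      # first matching brand term counts
        if term in label:
            reasons.append(f"brand term '{term}' in name")
            break
    if tld in RISKY_TLDS:
        reasons.append(f"risky TLD .{tld}")
    return len(reasons), reasons


def blacklist_hits(ip: str) -> List[str]:
    """Names of the feeds that list `ip`."""
    return [name for name, listed in BLACKLISTS.items() if ip in listed]


def pivot_on_ip(ip: str) -> List[Tuple[str, int, List[str]]]:
    """Rank every domain co-hosted on `ip`, highest score first, then by name."""
    ranked = [(d, *score_domain(d)) for d in REVERSE_IP.get(ip, [])]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    ip = "181.174.165.164"
    print(f"{ip} listed by: {blacklist_hits(ip) or 'nobody'}")
    for domain, score, reasons in pivot_on_ip(ip):
        print(f"{score}  {domain:<20} {'; '.join(reasons)}")
```

The score is only an ordering aid for a human analyst: a zero-scoring domain on a blacklisted shared host still deserves a look, and a brand term in a name proves nothing by itself, as the yapidabahar[.]com case shows when the logo on the site turns out to belong to a different bank.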

VirusTotal Search for 181.174.165.164

When you go to yapidabahar[.]com, you can see the index files indicating that the website is in preparation. There are two folders: one named index_dosyalar and the other named xcvcxv.

The index files of the phishing domain

If you click on the second folder, an empty page opens with the title “Keriz Paneli”, which can be translated as “Dupe Dashboard”. It hints that this is another phishing domain.

The first folder includes several files, including CSS, JavaScript and PNG files.

One JavaScript file, called creditly.js, contains code to gather credit card information. It is mostly used in phishing attacks targeting banking customers.

The code of the creditly.js file

So far, we understand that this is a phishing domain targeting some bank’s customers. But which bank? The domain name suggests YapiKredi, as I mentioned before. I also checked the PNG file (logo_white.png) on the website to test my hypothesis.

The PNG file in the phishing domain

Interestingly, the picture is the logo of another major bank in Turkey, Türkiye İş Bankası. That was quite interesting considering the domain name has no similarity to this bank. Nevertheless, we found another phishing domain in preparation that can be used to target banking customers.

Phishing domains sharing the same phrases or parameters

In this study, we start with another phishing tweet that targets e-state (e-devlet in Turkish) users with the following promise:

Public Announcement

The refund of the dues of all citizens who use credit cards is refunded up to ₺10,000 as per the Legislation №4395.

To get the dues refund of your credit card;
You can click on the link above.

It was posted 20 minutes ago, so it was fresh and alive. Note that there is a shortened bit.ly link in the post and we will talk about link shorteners soon.

Phishing tweet that targets e-state users

There is in fact such legislation, passed by the Turkish Assembly. Phishing scammers want to exploit the news. As a matter of fact, I’ve personally seen the phishing kit and website code on sale (for just $20) in some deep web hacker forums. These scammers do not even bother to replicate a website; they just use ready-made HTML code and JavaScript.

When you click on the link in the post, it directs you to one of these look-alike websites with the following phishing domain: www-e-devlet-portal[.]cf. The first screen asks for the credit card number and expiration date. The following screens ask for the CVV number (the 3-digit number on the back of the credit card) and even for the credit card limit.

Phishing website for e-state users

At this point, let me give you some quick tips about shortened links. Some URL shorteners expose statistics through easy tricks. For instance, if you add a plus (+) at the end of a bit.ly link, you can see the stats, like this one (https://bitly.com/aa+). The same trick works for some other URL shorteners like goo.gl, tickurl.com, tiny.cc (use ~ instead of +), and bit.do (use - instead of +).

Now, if you look at the statistics of the shortened URL in the tweet, you can see that more than six thousand people clicked on the link. But wait, the title in these stats says “Nike”.

Stats for the link in phishing tweet

If I open the same shortened URL through a VPN (so that I connect from a different country), it in fact directs me to Nike’s legitimate website, nike.com. Does this URL shortener work in a location-based fashion? I don’t know. It’s a mystery to be solved another time. Let’s move on with our investigation of the phishing domain.

Opening the shortened link through a VPN redirects to a legitimate website

Let’s look at the HTML code of the phishing website by simply right-clicking on the page and choosing “View Page Source”. The code is pretty simple, and if you scan through it, you can see the JavaScript files it uses.

HTML code of the phishing domain

One of the JavaScript files embedded in the code is creditly.js. Looks familiar? That’s right. It is the same JS file we saw in the previous case study, used for grabbing credit card information.

creditly.js embedded in HTML code

As I mentioned before, many phishing scammers use the same HTML code for their phishing attacks. Some unique phrases and parameters (like a token or Google Analytics tag) may help you identify other phishing domains.

In the HTML code (and also on the website), you can see the text “Sadece Kredi Kartları Geçerlidir..” (which means “Only credit cards are accepted” in Turkish). If you simply Google it in quotation marks, you may find other phishing domains that use the same code. I know this phrase looks very generic, but it is worth a shot. Here are the results:

The results of Google search of a phrase in a phishing domain

Bingo! The title of the second result (modamarkam[.]com) is e-Devlet Kapisi, which can be translated as “e-State Gate”. If we click on that one, we see a replica of the same phishing site with small modifications (they also ask for name and surname on the first page).

The website of modamarkam[.]com, another e-state phishing domain

Now, let’s try a token in the HTML code. In line 106, there is a token value that we can use. These tokens and tags should be unique for legitimate websites. Since these scammers reuse the same code, they don’t bother to change them.
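Extracting such reusable fingerprints (script file names like creditly.js, hidden form tokens, Google Analytics property IDs, distinctive visible phrases) and intersecting them across two captured pages can be automated. The block below is an added example, not the author’s code: the two HTML pages are constructed to resemble the kits described in this article (the token value and the analytics ID in them are made up), and the query strings it emits follow the two search forms used in the text, a quoted Google phrase and the Shodan http.html: filter.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Classic Google Analytics property ID pattern (UA-<account>-<property>).
GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


class _Fingerprinter(HTMLParser):
    """Collect script file names, hidden-input values, the title and visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: Set[str] = set()
        self.tokens: Set[str] = set()
        self.title = ""
        self.text: List[str] = []
        self._in_title = False
        self._skip_depth = 0          # inside <script>/<style>: not visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(a["src"].rsplit("/", 1)[-1])      # file name only
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("value"):
            self.tokens.add(a["value"])
        if tag == "title":
            self._in_title = True
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        chunk = data.strip()
        if not chunk or self._skip_depth:
            return
        if self._in_title:
            self.title += chunk
        else:
            self.text.append(chunk)


def fingerprint(html: str) -> Dict[str, Set[str]]:
    """Fingerprint one page: scripts, tokens (hidden inputs + GA IDs), phrases, title."""
    p = _Fingerprinter()
    p.feed(html)
    return {
        "scripts": p.scripts,
        "tokens": p.tokens | set(GA_ID.findall(html)),
        "phrases": {t for t in p.text if len(t) > 15},   # long enough to be distinctive
        "title": {p.title} if p.title else set(),
    }


def shared_fingerprints(html_a: str, html_b: str) -> Dict[str, Set[str]]:
    """Keep only the fingerprint categories where the two pages overlap."""
    fa, fb = fingerprint(html_a), fingerprint(html_b)
    return {k: fa[k] & fb[k] for k in fa if fa[k] & fb[k]}


def pivot_queries(shared: Dict[str, Set[str]]) -> List[str]:
    """Turn shared fingerprints into Google (quoted phrase) and Shodan (http.html:) queries."""
    queries = [f'"{phrase}"' for phrase in sorted(shared.get("phrases", ()))]
    queries += [f'http.html:"{token}"' for token in sorted(shared.get("tokens", ()))]
    return queries


# Constructed pages imitating two copies of the same kit; values are made up.
PAGE_A = """<html><head><title>e-Devlet Kapisi</title>
<script src="/assets/js/jquery.min.js"></script>
<script src="/assets/js/creditly.js"></script>
<script>ga('create', 'UA-12345678-1', 'auto');</script></head>
<body><form><input type="hidden" name="token" value="tok_constructed_abc123">
<p>Sadece Kredi Kartları Geçerlidir..</p><input name="cc"></form></body></html>"""
PAGE_B = """<html><head><title>Internet Bankaciligi</title>
<script src="/js/creditly.js"></script><script src="/js/jquery.min.js"></script>
<script>ga('create', 'UA-12345678-1', 'auto');</script></head>
<body><form><input type="hidden" name="token" value="tok_constructed_abc123">
<p>Ad Soyad</p><p>Sadece Kredi Kartları Geçerlidir..</p></form></body></html>"""

if __name__ == "__main__":
    for q in pivot_queries(shared_fingerprints(PAGE_A, PAGE_B)):
        print(q)
```

Script names such as jquery.min.js will overlap on almost any two pages, so they are reported but not turned into queries; tokens and long phrases are the fingerprints worth pivoting on, and even those should be checked against a couple of legitimate pages before you trust that a hit means the same kit.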

token in HTML code of the phishing domain

The token can also be searched for on Google, but this time we will use one of the internet-wide scanners, Shodan. If you use the http.html: filter in Shodan’s search box, it searches for the term following the colon in the HTML it has indexed. Here are the results:

Searching in Shodan for a specific token that appears in HTML code

The results show an IP address (172.104.156.186) whose page title is Türkiye Halk Bankası, the largest state bank in Turkey. When we click on the details, we see that this IP address is hosted in Frankfurt, Germany, and that the registrant organization of the IP address is Linode.

Linode is a cloud hosting provider, and the phishing scammer obtained the IP address from this provider.

The website of Linode

Now, the question is whether this new phishing site is active or not. Since we only have the IP address and not a domain name, we can simply type http://172[.]104[.]156[.]186 into the address bar of the web browser. Here is how the website looks.

A phishing website in preparation

This is a phishing website in preparation, and the title and the external links on the page suggest that it will be targeting HalkBank customers.

I also checked whether the IP address is blacklisted. It is reported by only one database.

Blacklist search of the IP address

Phishing domains sharing the same registrant

The last case study involves a phishing domain that targets a bank in Turkey called Turkiye Finans. The domain name is turkiyefinas[.]com (one letter is missing from the original domain), and it is not active (yet!).

The phishing domain in preparation

When we explore this phishing domain in SecurityTrails, we can see the IP address, NS, MX, and SOA records of the domain.

The information about the phishing domain on SecurityTrails

There are also six subdomains created under this phishing domain.

Subdomains created under the phishing domain

When we look at the domains sharing the same IP address, we can see that more than six thousand domains are hosted there.

The important thing about this domain is that it is registered with a personal e-mail address, as seen in the SOA record: kconsistency1@gmail.com. When we look at the domains registered with this e-mail address, we can identify many other phishing domains. Some again target banking customers in Turkey.
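The e-mail address in an SOA record is stored in the RNAME field in a mailbox encoding: the first unescaped dot stands for the “@”, and a literal dot inside the local part is written as “\.”, so the address has to be decoded before you search for it. The block below is an added example, not the author’s code: it parses dig-style SOA answer lines, decodes the RNAME, and also reads the zone serial as a date when it follows the common YYYYMMDDnn convention, which gives a rough idea of when the zone was last edited. The sample dig output is constructed and uses placeholder names.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# One dig-style SOA answer line: <zone> <ttl> IN SOA <mname> <rname> <serial> ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)", re.M)


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME (RFC 1035 mailbox form) into an e-mail address.

    'hostmaster.example.com.' -> 'hostmaster@example.com'
    'john\\.doe.example.net.' -> 'john.doe@example.net'
    """
    name = rname.rstrip(".")
    local: List[str] = []
    domain = ""
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char belongs to local part
            local.append(name[i + 1])
            i += 2
        elif ch == ".":                         # first unescaped dot is the '@'
            domain = name[i + 1:]
            break
        else:
            local.append(ch)
            i += 1
    return f"{''.join(local)}@{domain}"


def serial_date(serial: int) -> Optional[str]:
    """Interpret a YYYYMMDDnn zone serial as an ISO date, or None if it is not one."""
    digits = str(serial)
    if len(digits) != 10:
        return None
    try:
        return datetime.strptime(digits[:8], "%Y%m%d").strftime("%Y-%m-%d")
    except ValueError:
        return None


def soa_contacts(dig_output: str) -> List[Tuple[str, str, str, int, Optional[str]]]:
    """Return (zone, primary NS, contact e-mail, serial, serial-as-date) per SOA line."""
    rows = []
    for zone, mname, rname, serial in SOA_RE.findall(dig_output):
        rows.append((zone, mname, rname_to_email(rname), int(serial), serial_date(int(serial))))
    return rows


# Constructed dig output with placeholder names (the .invalid TLD is reserved).
SAMPLE_DIG = r"""
;; ANSWER SECTION:
phish-example.invalid.  3600  IN  SOA  ns1.host-example.invalid. hostmaster.host-example.invalid. 2019070501 7200 3600 1209600 3600
other-example.invalid.  3600  IN  SOA  ns1.host-example.invalid. john\.doe.mail-example.invalid. 42 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for zone, ns, mail, serial, when in soa_contacts(SAMPLE_DIG):
        print(f"{zone:<26} ns={ns} contact={mail} serial={serial} edited~{when}")
```

Note what this field is and is not: RNAME is the zone’s administrative contact, which is not necessarily the WHOIS registrant, so a personal address here is a pivot to search on, not proof of ownership. Many hosting panels also fill it with a generic hostmaster address, in which case the pivot is worthless.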

Domains registered by the same e-mail address

Apparently, this guy is a serial phisher. So I searched for the username of this persona (kconsistency1) to see if there is any information about him/her. A simple Google search returns a lot of information about this scammer, so I am not the first to track this threat actor. That is good.

Search results for kconsistency1

Some other curious people have searched for this guy and identify him as a 30-year-old male in Nigeria named Oghenekevwe Ogodogun.

Conclusion

Tracking and investigating phishing domains with simple OSINT tools may help you identify other phishing domains in preparation, or the threat actor behind them.

_________________

Thanks for reading. If you enjoyed this article, feel free to hit that clap button 👏 (more than once if you like) to help others find it.
