Phishing Attacks Exposed: Essential OSINT Investigation Tactics

Protect against phishing attacks. Master practical OSINT investigation techniques and discover easy-to-use tools for uncovering phishing schemes.

Cyber Sleuth. Image created using DALL-E.

You can also find this article on Mirror.xyz.

Phishing attacks are an old threat, but they remain shockingly effective. With attackers becoming more sophisticated every year, knowing how to delve into a phishing campaign is a crucial skill for every OSINT analyst. This article will equip you with a well-rounded methodology to guide your investigations and help protect yourself and your organization.

The Ever-Present Threat of Phishing

Before we dive into analysis, let’s set the stage. Phishing is a form of social engineering. Attackers use mass emails or texts containing malicious links or attachments to trick victims into giving up sensitive information like login credentials. They prey on fear, urgency, or curiosity to make their targets act without thinking. These attacks can lead to data breaches, ransomware infections, and other serious cybersecurity incidents.

The numbers paint a grim picture. In 2023, 58% of organizations battled account takeovers, with a staggering 79% of those breaches originating from phishing. This highlights the risk for organizations of every size.

A Practical Investigative Methodology

There are many effective ways to investigate phishing campaigns. Here’s a flexible, step-by-step approach to guide you:

1. Website and IP Investigation

• Perform a WHOIS Lookup: Begin by investigating the suspicious domain’s registration details. Though privacy rules may limit information, historical records often provide valuable clues.
• Assess Website Reputation: Verify the website’s reputation against threat intelligence databases and blacklists. This helps determine if it’s part of a known malicious campaign.
• Uncover Shared Hosting: Identify other websites hosted on the same IP address. This can expose larger attack patterns.

Figure 1. Screenshot of the phishing message I recently received. Source: Captured by the author.

Note: Just 16 hours later, the site was yanked offline, nixing much of the detective work we were all set to dive into.

Figure 2. WHOIS record information for UpServiceSn2.com. Source: Captured by the author.

Figure 3. IP address blacklist check results. Source: Captured by the author.

2. Analyzing Suspicious DNS Records

• Examine DNS Records: Look for suspicious DNS records that could point to the attacker’s infrastructure.
• Detect Typosquatting: Check for DNS variations of the domain (typosquatting), a common tactic to mimic legitimate websites.

Figure 4. Typosquatting domain check results for usps.com. Source: Captured by the author.

3. Deciphering Shortened URLs

• Expand Shortened Links: If the phishing message contains a shortened URL, try the following:
• Add “+” at the end of your browser.
• Utilize URL expansion services (like ExpandURL.net).
• Important Note: Be cautious, as these techniques might not work on all URL shortening services.

4. Subdomain Enumeration for Deeper Insights

• Identify Associated Subdomains: Discover subdomains linked to the phishing domain. This can reveal the attacker’s attempts to target multiple brands with the same infrastructure.

5. Understanding the Phishing Site’s Technology Stack

• Determine Technologies Used: Uncover the technologies used to build the phishing site (use tools like “BuiltWith”).
• Analyze Security Certificate: Check the website’s security certificate. Phishers often abuse free services like Let’s Encrypt, which can be a red flag.
• Tracking Scripts and Ads: Scrutinize Google ads or tracking scripts and analyze their IDs for further clues.
• Check for Open Directories: Determine if the site is an open-directory website. These can expose sensitive files due to attacker negligence.

6. Offline Analysis for In-Depth Examination

• Download Phishing Website: Download the entire phishing website (e.g., using HTTrack) for in-depth analysis.
• Scrutinize HTML Code: Carefully examine the website’s HTML code for:
• Copied elements from legitimate websites
• Links to external malicious sources
• Image and File Metadata: Analyze image and file metadata, but remember, modern attackers may remove this information.

7. Hash-Based Investigations

• Calculate HTML Hash Value: Calculate the phishing page’s HTML hash value.
• Search for Matches: Use various hash algorithms to search for the same hash value on platforms like URLScan. This helps uncover networks of connected phishing sites.

Figure 5. Failed website scan notification for upservicens2.com. Source: Captured by the author.

• Investigate Favicon Hash: Do the same for the favicon’s hash to identify sites potentially impersonate legitimate ones.

Figure 6. Terminal command for SHA256 checksum verification. Source: Authors terminal.

8. Live Interaction for Dynamic Analysis (When Safe)

• Use Developer Tools: When safe, interact with the phishing website using developer tools to monitor its behavior.
• Test with Fake Logins: Attempt fake logins or interactions to observe redirects or uncover hidden attacker communication methods.

To learn how to investigate and visually map phishing campaigns using powerful tools like Maltego, continue reading

OSINT in Action: Visualize & Dissect Phishing Campaigns with Maltego

Emerging Phishing Trends to Watch For

The phishing landscape is constantly changing. Keep an eye on these emerging trends:

1. Sophisticated Impersonation Attacks: Phishing campaigns have become more sophisticated, using impersonation of IT and HR systems to trick employees into engaging with malicious links that lead to fraudulent sites almost identical to real ones​​.
2. Payloadless Malware: This type of attack does not rely on traditional malicious files. Instead, attackers trick victims into calling a fraudulent call center, where they are persuaded to download malware under the guise of reversing a transaction​.
3. QR Code Phishing (Quishing): The use of QR codes in phishing, known as “quishing,” is on the rise. These attacks are challenging to detect because they rely heavily on images rather than text, bypassing many traditional security measures​.
4. Vendor Email Compromise (VEC): These attacks compromise email accounts of vendors or other third parties that have established relationships with the target. Attackers then use these accounts to conduct financial fraud or obtain sensitive information​.
5. AI-Generated Attacks: AI technologies enable cybercriminals to generate sophisticated and unique phishing content, raising the complexity and effectiveness of attacks​​.
6. Salesforce-based Attacks: There has been a significant increase in phishing attacks using Salesforce domains to impersonate reputable companies, leveraging sophisticated techniques to bypass security measures​​.

OSINT Tools Anyone Can Use (No Command Line Required)

Let me share some widely used OSINT tools ideal for conducting phishing investigations. These tools are designed to be accessible and user-friendly for all levels of technical expertise.

• Urlscan.io is a web-based tool designed to help users analyze and investigate URLs. It provides a sandbox environment for the web with different visibility levels for scans. It allows for comprehensive scanning of websites from various countries and with different user agents, aiding in cybersecurity efforts by examining the content and behavior of websites.
• ExpandURL.net is a service designed to reveal the destination of shortened URLs before you click on them. It enhances online safety by helping users avoid potential phishing, malware, and viruses. It provides users with the final link destination and additional information about the URL, aiding in deciding whether to visit the link.
• Pentest-Tools.com offers a Subdomain Finder tool that leverages both passive and active discovery methods to help cybersecurity professionals identify the subdomains of a target domain, enhancing their reconnaissance efforts. The tool validates scan results to ensure relevance and provides comprehensive recon data, including IP addresses, WHOIS details, and server technologies. It is an essential tool for mapping an organization’s attack surface and uncovering potential vulnerabilities.
• SEOSiteCheckup.com is a tool designed to check whether a website’s directories are publicly visible and browsable. This is a potential security risk that could expose sensitive files to unauthorized users.
• Chrome DevTools, integrated into the Google Chrome browser, offers a suite of web development tools allowing for the real-time editing of web pages and diagnostics of issues to improve website construction and debugging speed. It covers various functions, from DOM manipulation to performance analysis, designed to streamline the development process and enhance website performance and accessibility.
• The Typosquatting Finder is a free public service designed to help identify potentially malicious domains that mimic legitimate ones through common typographical errors, assisting in quickly assessing online threats. Users can input a domain to discover typo-squatted variations, with advanced options for selecting specific detection algorithms and enhancing cybersecurity efforts by pinpointing fake domains used by adversaries.
• DNSChecker.org is a tool that offers a DNS check propagation service. It allows users to verify the global propagation of their DNS records by checking against a list of DNS servers worldwide. The tool supports various DNS record types and provides visual propagation results on a map, making it easier to identify any regional discrepancies or issues.
• The IP Blacklist & Email Blacklist Check tool on DNSChecker.org enables users to determine if a domain, IP address, or email is listed in DNSBL and other blacklist databases due to suspicious activities. It provides a comprehensive solution for identifying blacklisting issues, aiding in the protection of online presence, and ensuring smooth email deliverability and website integrity.
• HTTrack is a free, GPL-licensed utility that serves as an offline browser. It allows users to download entire websites from the Internet to a local directory for offline viewing. It captures the website’s HTML, images, and other files, preserving the site’s link structure for easy browsing offline. It also supports updates to mirrored sites and resuming interrupted downloads.
• The Whois Lookup service provided by DomainTools allows users to perform searches on domain names to find ownership details, registration data, and availability. It’s a comprehensive tool for domain research, offering insights into domain history, related domains, and sometimes the registrant’s contact information. It supports cybersecurity, market research, and domain investment decisions.
• BuiltWith is a comprehensive web tool that provides detailed insights and analytics on the technologies used by websites, covering trends, usage statistics, and market share information. It’s designed for lead generation, market analysis, and sales intelligence, offering data on over 100,522 web technologies across millions of websites.
• ExifInfo.org is an online platform designed to analyze and display the metadata contained within images and other media files. It supports a wide range of file formats, including JPEG images, videos, audio files, and documents, offering insights into hidden data like capture dates, GPS locations, and device information.

Explore Next

Want to explore the dark web without the coding hassle? Check out this article:

Point-and-Click OSINT: Dark Web Scraping with GUI Tools

Discover how blockchain is transforming industries on the Blockchain Insights Hub. Follow me on Twitter for real-time updates on the intersection of blockchain and cybersecurity. Subscribe now to get my exclusive report on the top blockchain security threats of 2024. Dive deeper into my blockchain insights on Mirror.xyz.