Understanding and Investigating Phishing Sites: What You Need to Know
Introduction
For context, a phishing site is a site created to copy a legitimate site, with the end goal of getting your sensitive information to use later, likely with malicious intent.
Often, when we think of "hacking", we think of elaborate and complex techniques used to achieve this end goal.
Let's start with the basics though.
A phishing website is a common attack vector since it is easy to create (no need for advanced coding skills), relies on the weakest component in the security chain (the human factor), and can reach many people in as little time as possible.
In other words, it's an "oldie but a goodie".
Viewing the Suspicious Site
In this example, we'll be looking at a phishing site: flipperzero[.]at, a fraudulent site attempting to impersonate the real Flipper Zero site. Bleeping Computer has also created an article on this impersonation site.
We will use a sandbox environment to interact with the site (e.g., CheckPhish, Browserling).
The legitimate site is https://flipperzero[.]one/
One of the initial giveaways for the site is its "Too Good to be True" offer.
Using Browserling, we were able to see that by clicking the link, we were brought to yuridogs[.]com, which required the user to input information.
Domain Ownership
Using GoDaddy, we were able to see that the registrant's state/province is listed as "tarrast". The organization is left blank.
After a quick Google search, we can see Tarrast is a location in Morocco (however, this does not mean the creators/malicious actors are located in Morocco). Doing further research using VirusTotal, we can also note that the hosting provider is Cloudflare.
Investigating the DOM
By investigating the structure of the site, we can see that the illegitimate site uses the legitimate one to establish legitimacy (it points back to the real site for contact information, documentation, compliance, and privacy policy). We can also see that the social media links are blank (again, this is likely done to establish a presence).
However, the site links back to a different URL for the user to click on when they are ready to input information: yuridogs[.]com.
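The DOM check above can be automated: the script below is an added example (not from the original article) that parses a constructed HTML snippet shaped like the described impersonation page and groups every anchor by where it points, so an analyst can see at a glance which links borrow the legitimate site's pages, which are empty placeholders, and which lead off to a third-party domain where the visitor's data would be collected. The hostnames are the ones discussed in the article; the page content itself is constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page mimicking the described structure: real-site links
# for documentation/policy, blank social links, and a shop link elsewhere.
SAMPLE_HTML = """
<html><body>
<a href="https://flipperzero.one/docs">Documentation</a>
<a href="https://flipperzero.one/privacy">Privacy Policy</a>
<a href="https://flipperzero.one/contact">Contact</a>
<a href="#">Twitter</a>
<a href="">Instagram</a>
<a href="/about">About us</a>
<a href="https://yuridogs.com/checkout">SHOP NOW</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            self.hrefs.append("" if href is None else href.strip())


def classify_links(html, page_host, legit_host):
    """Return {category: [href, ...]} for the anchors on the page.

    Categories: 'placeholder' (empty or '#'), 'internal' (relative or
    same host), 'legitimate' (points at the impersonated site), and
    'third_party' (anything else: the place to look for data collection).
    """
    parser = LinkCollector()
    parser.feed(html)
    groups = defaultdict(list)
    for href in parser.hrefs:
        if href in ("", "#"):
            groups["placeholder"].append(href)
            continue
        host = urlparse(href).netloc.lower()
        if host == "" or host == page_host:
            groups["internal"].append(href)
        elif host == legit_host:
            groups["legitimate"].append(href)
        else:
            groups["third_party"].append(href)
    return dict(groups)


if __name__ == "__main__":
    for kind, links in classify_links(SAMPLE_HTML, "flipperzero.at", "flipperzero.one").items():
        print(f"{kind}: {links}")
```

In a real case, feed it the HTML saved from the sandbox session rather than the sample, and treat the third-party bucket as the next pivot for the domain checks described later.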
Using Links and Domains as Indicators
When thinking of links and domains, we need to understand the Pyramid of Pain. Attackers are aware of when a link or domain is flagged as "compromised" or "malicious", so they change it. As a result, the value of such an indicator to our investigation decreases over time.
For example, after taking a look at the URL through URLScan.io, we can see the initial URL for SHOP was trkrspace[.]com.
Likely, the attacker saw this URL was continuing to be flagged as "phishing" (as seen on VirusTotal) and replaced the URL for persistence.
Determining Malicious Behavior
When using tools to gain information on domains and websites, it's important to not treat results as a checklist. This means that we shouldn't use a sole result as proof that we are good to go. For example, just because VirusTotal says "it's good" does not absolutely mean it is good. As we saw in our investigation, a malicious actor grows and learns just as we analysts do.
An attacker thinks: "Saw this link was malicious? Okay, I'll put a new link. This domain got flagged? I'll change the domain."
Use context and more than one tool when performing your investigation.
GRC | Cyber Resiliency | Bridging Risk Management and Security | Veteran
(1y) This article has given me insight into how to investigate a phishing site and great advice on not relying on one investigative tool or technique. Thank you!
Cyber security analyst | BTL1 | AWS | ISC2 CC | SOC Analyst | Experienced in SIEM, SOAR,EDR, IAM | Cybergirl 3.0
(1y) I genuinely enjoyed how you provided a well-illustrated example, presenting the information in a clear and structured manner.
73,600 | Useful Quality Content | Empowering Organizations and Individuals with Cybersecurity Tools and Insights
(1y) Thanks for posting!
Student at Maryville University of Saint Louis
(1y) As a novice, I enjoyed following your investigative process. Thanks for sharing.
CTI Guy @ UNCW | GCTI | CASP+
(1y) Awesome write-up Alexandria P., and right on point!