How to investigate a massive phishing campaign
by Maciej Makowski
A recent anonymous tip from a reader drew my attention to a malicious IP address allegedly involved in a widespread phishing campaign against users in Ireland.
The malicious actors behind this campaign have created hundreds of fake domains, impersonating several Irish banks, the national postal service of Ireland, courier services, Sky TV, covid pass issuers, as well as several other financial entities abroad, the English NHS and many others.
The IP in question – 35.234.96.61 – belongs to Google and at the time of writing was connected to 371 hostnames and 924 URLs.
Active domains hosted on the IP in question can be found here, while a complete list, including passive DNS and older domains can be viewed here.
While the modus operandi of the majority of websites on the malicious IP address indicates phishing, some of the websites appeared to have contained a malicious Windows executable file – as per the Virus Total scan.
Example screenshots of several phishing site screens:
Investigation techniques
Given the vast amount of malicious domains, there are numerous investigative angles to take here.
- Check IP address reputation – this initial step will allow you to quickly establish if you are dealing with a known threat or if you came across something completely new. For example, you can check if the IP address has a been associated with undesired or suspicious activity such as spam:
Mx Toolbox is a great tool for checking IPs against known blacklists. The command in this case is “blacklist:35.234.96.61“, which returns 1 match for Spamhaus ZEN.
Symantec’s Broadcom lets you conduct a similar check – in this case we can learn that:
- The host has been observed sending spam in a format that is similar to snow shoe spamming techniques.
- The host is unauthorized to send email directly to email servers.
Cisco Talos Intelligence can be used to check for types of activities associated with an IP address (in this case however it resulted in no detections).
Virus Total is also useful for broad searches of IP addresses – with information ranging from general reputation, passive DNS to community comments.
The abovementioned Alien Vault also gives very detailed indicators and really detailed info.
And finally, Twitter can be a great source of information, given the mature and very experienced community of researchers and cyber security specialists.
- Check for DNS variations – it is common enough for malicious actors to engage in domain typo-squatting, which means purposeful registration of domain names with deceptively similar spelling to the target domain; the intention here is to fool unsuspecting phishing victims.
One of my favourite tools for checking DNS variations is DNS Twister. It can be very useful for checking similar domain names, as well as alerting whenever such new domains become registered.
This is also another way of discovering similar, unrelated phishing campaigns.
Take the example below – a DNS Twister scan of one of the malicious domains from the suspicious IP address:
secureboi365login[.]com – see the DNS Twister results here.
The second IP address matched above is not related directly to the one involved in the malicious campaign against Irish users – but after a more detailed analysis, it seems to be part of an even larger malicious campaign that involves malware distribution, with 500+ passive DNS records and over 9k URLs – see the indicators listed below:
Similar checks can be conducted on other malicious domains, with tens of thousands of potential findings to unravel…
- Examine the technology stack – every website, even the most simplistic phishing page, has a technology footprint to it. You can check what web server it uses, what language it was written in, what widgets or documents it contains, and so on.
Below are some of the best resources for scanning a website’s technology stack:
Examining the underlying technologies that run on a website can be used for comparison purposes against other sites. This can be another way of uncovering similar and related / unrelated malicious activities.
As a follow up, you can use a Site Like or Similar Web scan – but beware, this is a broad search that will likely return a lot of sites with various degrees of similarity; further examination will be necessary.
- Calculate the webpage’s SHA256 hash – hashing is a common concept when it comes to files or disk images – but how about calculating a hash value of a website’s HTML content?
Phishing websites are frequently simplistic copies of each other, without any bells and whistles since the objective here is to steal user information. That makes the task of investigating them and linking them to other malicious domains a little easier, if they are indeed carbon copies of one another.
To calculate a website’s SHA256 value, you can use the following Linux terminal command:
curl www.boionline365authenticaton.com | sha256sum
The result will display below after a brief calculation:
022d1d9c0ef92f7100837906545e28d8becde6548d750f258f582ef5a8b33481
The obtained hash value can be then searched against using Urlscan and should produce a multitude of results as seen in this example.
Once again, there are nearly countless pivot points here, using multiple new detections – like for example this unrelated malicious website, with a Russian top level domain, hosted on an IP address somewhere in Seychelles – seemingly another phishing attempt by yet another malicious actor.
- Examine security certificates – not every phishing website from the list has a security certificate enabling a https encrypted connection, but some of them do. Nowadays scammers obtain free security certificates for their fake websites (for example by abusing the free Let’s Encrypt service) in order to add another layer of purported legitimacy to the phishing sites; after all, many people still erroneously believe that the “green padlock” symbol in the browser means the website they visit is real and that the information they enter into it is fully secure.
Security certificates can yield some interesting information, beyond the usual standard details such as the subject name, issuer name, validity timeframe and so on. Looking at a specific example:
Apart from the subdomains that the certificate covers, we can get the certificate’s unique fingerprints:
- Serial number:
00:9E:46:60:65:DA:27:E3:96:B1:33:95:E3:C5:FA:25:F3
- SHA-256:
D8:22:2C:22:9C:96:A2:61:4E:D2:4D:FC:A5:7E:72:3E:CB:4A:A2:2A:F5:45:60:35:F4:34:83:EE:8D:F0:64:0C
- SHA1:
B1:D8:5A:42:E7:89:D5:09:B6:BE:A6:4C:B5:D1:72:23:FE:0D:3C:3B
These values can be checked further for instances of the same certificate shared across multiple websites or IP addresses using one of the following services:
- Binary Edge: https://app.binaryedge.io/
- Cert SH: https://crt.sh/
- Censys: https://search.censys.io/
- Shodan: https://www.shodan.io/
In the case of the domain mentioned above, no certificate overlap was detected with any other site or IP. However, it is not that uncommon to get matches that way – like for instance with the Facebook domain.
Search query syntax:
– Binary Edge – ssl.cert.sha1_fingerprint:” “; ssl.cert.sha256_fingerprint:” “ (insert value inside quotes)
– Shodan – ssl.cert.serial: (insert value directly after the colon, no space)
– Cert SH and Censys allow you to search for values directly in the search field, so no additional parameters are necessary.
- Conduct a favicon search – a favicon is a small icon displayed in a browser tab next to the name (always with the .ico file extension). Favicons also display in bookmarks. The purpose of a favicon is to help brand recognition, as well as to help users distinguish between many open tabs in a browser window.
In the case of fraudulent websites, a favicon is often copied or directly linked from the original page that is being impersonated, in order to bolster the impression of legitimacy. Not every domain on the list here displays a favicon, but many do.
Favicon links can be found in the the webpage source code (depending on your browser, this can be viewed by pressing Ctrl + U, F12 or right click and “view page source”). This is how the display in the source code of the phishing websites mentioned above:
Searching a favicon by image (by reverse image search, for example) is not going to be effective here due to multiple false positives. Something more unique should be searched for – like for example a hash value of a favicon.
For this purpose, copy the link found in the page source code and head over to Favicon Hash.
There simply paste in the URL and calculate the hash value in MMH3 format. Note that whenever the hash value displays the minus sign, you need to remember that in this case it’s also part of the hash.
The next step will require logging into Shodan and running the following search for the favicon hash using the following Shodan query:
(or, in the case of the Santander example favicon – http.favicon.hash:2147153955)
Results will vary and you will encounter legitimate websites in there, as well as some fake impersonations:
You can revert back to Virus Total then and check the URL – in many cases it will immediately cement the malicious domain suspicion (see here for an example).
This technique is a great way to discover similar, sometimes even unconnected phishing websites that impersonate the same target by using their favicons.
- Interact with the website – simple interactions with the website and its login fields might lead to unexpected results – especially if you interact with the elements while simultaneously looking at the Developer Tools (right click and Inspect while using Google Chrome). In the case of one of the phishing websites, an item of particular interest was found when viewing network requests made after a failed login attempt:
Above is a link to a rather unusual link to a Telegram account:
Even the most cursory research on the handle “Kr3pto” will bring back numerous sources describing the nature and the type of activities that this individual engages in – essentially, this is a malicious actor (suspected to be Russian) who supplies phishing kits for monetary reward.
This whole phishing campaign is therefore directly or indirectly (some sources point to the possibility of cracked phishing kits being used in this case) linked to this malicious software developer, whose digital footprint includes accounts on the following platforms:
* * * * *
PS: Some light reading for those interested in more detail about the malicious actor Kr3pto (who has been around for a while now, actually):
- https://www.wmcglobal.com/blog/kr3pto-puppeteer-kits-dynamic-phishing-kit-targeting-uk-banking-customers
- https://www.wmcglobal.com/blog/threat-actor-update-kr3pto
- https://www.akamai.com/blog/security/dont-risk-getting-caught-by-kr3pto-phishing-kits
- https://www.globaldots.com/resources/blog/massive-campaign-targeting-uk-banks-bypassing-2fa/
- https://thefintechtimes.com/11-uk-banking-brands-hit-by-phishing-kits-according-to-akamais-security-report/
About the Author:
Maciej Makowski - information security specialist with a strong background in criminal investigations and online safety. Spent nearly 13 years working as a police officer and cyber crime detective in An Garda Siochana, Ireland’s National Police and Security Service. Graduate of University College Dublin, also received professional qualification in data protection from the Law Society of Ireland. Experienced Axiom, Encase and FTK digital investigator, certified Cellebrite forensic mobile examiner. Author of osintme.com, a blog on open source intelligence and digital privacy.
The article was originally published at: https://www.osintme.com/index.php/2021/12/06/how-to-investigate-a-massive-phishing-campaign/