From the past, attackers have long been employing malicious methods to set up phishing sites disguising as famous sites and steal personal financial information via emails, SMS and online community boards. According to Verizon’s ’21 Data Breach Investigation Report’, it was found that 36% of breaches were associated with phishing, which is an indicator of how much phishing tactics account for in security breaches.

 

Below are some classic examples of attempted phishing that anyone could experience.

  • Use of origins that are seemingly similar to reputable and famous companies
  • Absence of normal signature block in web browser address bar
  • Incorrect grammar, sentence, spelling error, and inconsistent content
  • Strongly urging file downloads and link through expressions stressing a false sense of urgency and importance

 

AI Spera’s Criminal IP (CIP) Domain Search feature allows you to reduce potential damage by determining whether a phishing site exists and diagnosing whether its domain is benign or malicious.

 

If you are a security manager, you may already be familiar with your company employees reporting receipt of fishy messages illustrated below.

 

After the report has been filed, you must quickly block the domain in question and follow through with measures that are built on in-depth analysis in order to preempt further damage.

 

Messages containing phishing sites

 

After analyzing the domain through Domain Search, its score was confirmed as standing at a critical level. It was already mentioned in the analysis summary that the suspicious length property has a length of more than 30 characters and there is an iframe tag that is commonly used for inserting malicious codes.

Also, seeing that the title, favicon, screenshot, inserted, and Redirect to paths are different from normal Facebook, it is quite evident that the domain is a phishing site.

AI Spera provides an expository feature summary such as shown in the table below to make it easier for security managers using Domain Search to understand analysis results of phishing sites.

TypePropertyExplanation
CommonURL with IPCheck whether the detected domain or link is with IP address
Fake DomainCheck domain similarity with Top sites
Fake SSLCheck certificatge validity
MITM AttackCheck possibilities of MITM attacks
LocationsCheck the country diversity of IP associated with the domain
Newborn DomainCheck domain creation time
Suspicious LengthCheck whether the domain name length is abnormal
Abuse RecordCheck whether any IP scored as Critical or Dangerous is included
Mail ServerCheck whether mail server exists
SPF1 ResultCheck the query results of the domain
DGA ScoreCheck the existence of irregular character strings
HTMLHidden ElementCheck hidden elements in html
Hidden IframeCheck hidden iframes in html
IframeCheck whether iframe exists
Obfuscated ScriptCheck JavaScript obfuscation
Suspiciouis HTML ElementCheck suspicious objects in html
Suspicious ProgramCheck the installation files downloadable within html
Button TrapCheck entirely different domain calls with Button event
Credential Input FormCheck redirection of authentication information within html
NetworkRedirection to another ASCheck other AS upon redirection
Redirection to another countryCheck other countires upon redirection
Redirection to another domainCheck other domains upon redirection
Suspicious CookieCheck validity of domain cookies

 

Criminal IP Domain Search Results

Facebook phishing site and legit site.

 

Furthermore, since many phishing sites do not have a normal signature block applied to them,

there are many cases where fraudulent websites are flagged through alert messages on the web browser address bar and built-in filter features of the web browser.

If it is not a random website set up by companies purely for testing purposes, it is recommendable to treat it as a phishing site if you come across warnings such as below.

 

Facebook phishing site

 

In order to avert potential damage caused by phishing sites, it is necessary to keep the following guidelines in mind and act accordingly.

  • Messages and links from unknown origins should be deleted immediately.
  • Do not click when you cannot verify the electronic signature or when similar domains and sender information are used
  • Enable all anti-phishing features provided by mobile, email clients and web browsers.
  • Activate multi-factor authentication for all accounts as much as possible.
  • Use CIP Domain Search to obtain data-driven analysis results and respond quickly.

This article was written by drawing on data provided by Criminal IP. If you are keen to find out more about specific Criminal IP services as well as beta tester recruitment, feel free to head over to our LANDING PAGE that is NOW open!