Attackers have frequently utilized malicious techniques to create phishing sites that impersonate well-known websites and steal personal financial information through emails, SMS, and online community boards. According to Verizon’s “2021 Data Breach Investigation Report,” it was discovered that 36% of data breaches were linked to phishing, highlighting the significant role of phishing tactics in security breaches.
Here are some common examples of attempted phishing that anyone can encounter:
- Use of sender addresses that resemble well-known and reputable companies
- Absence of a proper signature block in the web browser’s address bar
- Grammatical errors, incorrect sentences, spelling mistakes, and inconsistent content
- Urgent requests for file downloads or clicking on links emphasizing a false sense of urgency and importance
AI Spera’s Criminal IP (CIP) Domain Search feature allows you to reduce potential damage by determining whether a phishing site exists and diagnosing whether its domain is benign or malicious.
If you are a security manager, you may already be familiar with your company employees reporting the receipt of suspicious messages, as shown in the examples below. After the report has been filed, it is essential to promptly block the identified domain and implement comprehensive measures based on in-depth analysis to proactively mitigate further damage.
After analyzing the domain using Domain Search, it was determined that its score reached a critical level. The analysis summary highlighted two key findings: the domain’s suspicious length property exceeds 30 characters and contains an iframe tag commonly used for injecting malicious code.
Furthermore, the domain can be identified as a phishing site due to noticeable differences in the title, favicon, screenshot, inserted content, and redirect to paths compared to legitimate Facebook pages.
AI Spera provides an informative feature summary, displayed in the table below, which helps security managers using Domain Search to easily comprehend the analysis results of phishing sites.
| Type | Property | Explanation |
|---|---|---|
| Common | URL with IP | Check whether the detected domain or link is with IP address |
| Fake Domain | Check domain similarity with Top sites | |
| Fake SSL | Check certificate validity | |
| MITM Attack | Check possibilities of MITM attacks | |
| Locations | Check the country diversity of IP associated with the domain | |
| Newborn Domain | Check domain creation time | |
| Suspicious Length | Check whether the domain name length is abnormal | |
| Abuse Record | Check whether any IP scored as Critical or Dangerous is included | |
| Mail Server | Check whether the mail server exists | |
| SPF1 Result | Check the query results of the domain | |
| DGA Score | Check the existence of irregular character strings | |
| HTML | Hidden Element | Check hidden elements in HTML |
| Hidden Iframe | Check hidden iframes in HTML | |
| Iframe | Check whether iframe exists | |
| Obfuscated Script | Check JavaScript obfuscation | |
| Suspicious HTML Element | Check suspicious objects in HTML | |
| Suspicious Program | Check the installation files downloadable within HTML | |
| Button Trap | Check entirely different domain calls with button events | |
| Credential Input Form | Check redirection of authentication information within HTML | |
| Network | Redirection to another AS | Check other AS upon redirection |
| Redirection to another country | Check other countries upon redirection | |
| Redirection to another domain | Check other domains upon redirection | |
| Suspicious Cookie | Check validity of domain cookies |
Moreover, due to the absence of a regular signature block on many phishing sites, fraudulent websites often trigger alert messages on the web browser address bar and are detected by the built-in filter features of the web browser.
If a website does not seem to be a random testing site created by companies and you come across warning messages similar to the one below, it is advisable to treat it as a phishing site.
To mitigate the potential damage caused by phishing sites, it is important to adhere to the following guidelines and take appropriate action:
- Delete messages and links from unknown sources immediately.
- Avoid clicking on links when you cannot verify the electronic signature or when similar domains and sender information are used.
- Enable all anti-phishing features offered by mobile devices, email clients, and web browsers.
- Activate multi-factor authentication for all accounts as much as possible.
- Use CIP Domain Search to obtain data-driven analysis results and respond quickly.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]
Leave a Reply