Attackers frequently create phishing sites that impersonate well-known websites and steal personal financial information, distributing them through emails, SMS, and online community boards. According to Verizon’s “2021 Data Breach Investigation Report,” 36% of data breaches were linked to phishing, highlighting the significant role of phishing tactics in security breaches.

Here are some common examples of attempted phishing that anyone can encounter:

  • Use of sender addresses that resemble well-known and reputable companies
  • Absence of a proper signature block in the web browser’s address bar
  • Grammatical errors, incorrect sentences, spelling mistakes, and inconsistent content
  • Urgent requests to download files or click on links, creating a false sense of urgency and importance

AI Spera’s Criminal IP (CIP) Domain Search feature allows you to reduce potential damage by determining whether a phishing site exists and diagnosing whether its domain is benign or malicious.

If you are a security manager, you may already be familiar with your company employees reporting the receipt of suspicious messages, as shown in the examples below. After the report has been filed, it is essential to promptly block the identified domain and implement comprehensive measures based on in-depth analysis to proactively mitigate further damage.

Messages containing phishing sites

After the domain was analyzed with Domain Search, its score was found to have reached a critical level. The analysis summary highlighted two key findings: the domain name exceeds 30 characters (the Suspicious Length property), and the page contains an iframe tag, which is commonly used for injecting malicious code.

Furthermore, the domain can be identified as a phishing site because its title, favicon, screenshot, inserted content, and redirect paths differ noticeably from those of legitimate Facebook pages.

AI Spera provides an informative feature summary, displayed in the table below, which helps security managers using Domain Search to easily comprehend the analysis results of phishing sites.

| Category | Feature | Description |
|---|---|---|
| Common | URL with IP | Check whether the detected domain or link is with IP address |
| Common | Fake Domain | Check domain similarity with Top sites |
| Common | Fake SSL | Check certificate validity |
| Common | MITM Attack | Check possibilities of MITM attacks |
| Common | Locations | Check the country diversity of IP associated with the domain |
| Common | Newborn Domain | Check domain creation time |
| Common | Suspicious Length | Check whether the domain name length is abnormal |
| Common | Abuse Record | Check whether any IP scored as Critical or Dangerous is included |
| Common | Mail Server | Check whether the mail server exists |
| Common | SPF1 Result | Check the query results of the domain |
| Common | DGA Score | Check the existence of irregular character strings |
| HTML | Hidden Element | Check hidden elements in HTML |
| HTML | Hidden Iframe | Check hidden iframes in HTML |
| HTML | Iframe | Check whether iframe exists |
| HTML | Obfuscated Script | Check JavaScript obfuscation |
| HTML | Suspicious HTML Element | Check suspicious objects in HTML |
| HTML | Suspicious Program | Check the installation files downloadable within HTML |
| HTML | Button Trap | Check entirely different domain calls with button events |
| HTML | Credential Input Form | Check redirection of authentication information within HTML |
| Network | Redirection to another AS | Check other AS upon redirection |
| Network | Redirection to another country | Check other countries upon redirection |
| Network | Redirection to another domain | Check other domains upon redirection |
| Network | Suspicious Cookie | Check validity of domain cookies |

Criminal IP Domain Search Results

Facebook phishing site vs. legitimate site
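A few of the checks in the table above (URL with IP, Suspicious Length, Iframe, Hidden Iframe, Credential Input Form) can be approximated locally when triaging a reported link. The following is an added example, not Criminal IP's implementation: the 30-character threshold is the one cited in this article, while the definition of a hidden iframe, the cross-host form rule, and the sample URL and HTML are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_DOMAIN_LEN = 30  # the article's Suspicious Length finding: over 30 characters
# Constructed sample input (not taken from the article's screenshots).
SAMPLE_URL = "http://login-secure-account-verify-update.example/index.html"
SAMPLE_HTML = """<form action="https://collector.example/post.php">
<input type="password" name="pass"></form>
<iframe src="//x.example/" width="0" height="0"></iframe>"""


class PageScan(HTMLParser):
    """Collects iframe, hidden-iframe and credential-form signals from HTML."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.flags, self.form_host = page_host, set(), None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.flags.add("Iframe")
            style = a.get("style", "").replace(" ", "").lower()
            # Assumed definition of "hidden": zero-sized or styled invisible.
            if (a.get("width") == "0" or a.get("height") == "0" or "hidden" in a
                    or "display:none" in style or "visibility:hidden" in style):
                self.flags.add("Hidden Iframe")
        elif tag == "form":
            self.form_host = urlparse(a.get("action", "")).hostname
        elif tag == "input" and a.get("type", "").lower() == "password":
            # Assumed rule: a password field posted to a host other than the page's.
            if self.form_host and self.form_host != self.page_host:
                self.flags.add("Credential Input Form")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_host = None


def scan(url, html):
    """Return the sorted names of the table's features that fire for this page."""
    host = urlparse(url).hostname or ""
    scanner = PageScan(host)
    scanner.feed(html)
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
        scanner.flags.add("URL with IP")
    except ValueError:
        if len(host) > MAX_DOMAIN_LEN:
            scanner.flags.add("Suspicious Length")
    return sorted(scanner.flags)
```

A relative form action such as `/login` yields no hostname and is treated as same-site, so an ordinary login page does not trigger the credential-form flag.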

Moreover, due to the absence of a regular signature block on many phishing sites, fraudulent websites often trigger alert messages on the web browser address bar and are detected by the built-in filter features of the web browser.

If a website does not seem to be a random testing site created by companies and you come across warning messages similar to the one below, it is advisable to treat it as a phishing site.

Facebook phishing site

To mitigate the potential damage caused by phishing sites, it is important to adhere to the following guidelines and take appropriate action:

  • Delete messages and links from unknown sources immediately.
  • Avoid clicking on links when you cannot verify the electronic signature or when similar domains and sender information are used.
  • Enable all anti-phishing features offered by mobile devices, email clients, and web browsers.
  • Activate multi-factor authentication on all accounts wherever possible.
  • Use CIP Domain Search to obtain data-driven analysis results and respond quickly.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.