On the surface, phishing usually looks like a regular website or a message from a family member, friend, or coworker—it even fools internet savvy folks now and then. But when you look at phishing incidents under the hood, you can't help but see why many of them are truly Facepalm worthy.

What is phishing?

In infosec, you hear about phishing all the time; it fools grandparents out of their Social Security checks, lures business execs into divulging top secret information, and costs the banking industry over $1 Billion annually. It can take several different forms—email, SMS, website, a phone call, or chat program—but phishing's purpose is always the same: separate an unsuspecting victim from their money or sensitive or personally identifiable information.

How does a RiskIQ web crawl detect it?

The following observations made by the RiskIQ research team will show you why when it comes to phishing, a little vigilance goes a long way.

In this example, the phisher used a fake page pretending to be from a well-known Canadian bank asking customers to update their "Personal Security and Details." Questionable grammar aside, it's a decent attempt at fooling the bank's more careless customers into giving up their login credentials:

However, when you dig deeper, you see just how ridiculous this phishing attempt is. First of all, the domain name ends in '.NL', which is country code for the Netherlands—probably not where a Canadian bank's URL would resolve from:

However, the title of the page does tell us we’re banking at said Canadian bank, which, ostensibly, is in Canada:

Yet, continuing our world tour, the IP address for resolution is not even close to Canada; it's located in Germany: @ AS29671 (SERVAGE Service GmbH):

Facepalm indeed.

When we dig into the source code, you can see that a compromised WordPress account is part of this phisher's infrastructure because of the URL from which the logo is being downloaded. The source code also shows another connection to a different compromised WordPress account, which indicates the collection method “login module” is being used by the phisher. This code shows a bit of trickery, stating that the bank is not available and to call:

Since we got this far, I’ll humor the phisher a little by putting in fake info and clicking "OK" to "update my details successfully":

As a careless banking customer, this would result in a major headache. As a cybersecurity researcher, this quick run-through shows how much fun a crawl can be when looking under the hood into the source code.

Protect yourself

Safeguarding your organization against the potential of attack—and understanding motive and intent of that attack—often requires rich intelligence data. RiskIQ web crawls, like the one above, add to our proprietary dataset comprised of all phishing attacks we discover, known as our Phishing Feed. RiskIQ provides real-time access to this data, which can defuse current phishing attacks and develop policies to detect and mitigate future incidents.

You can learn more about RiskIQ web crawling technology here.