Labs

When Phishing Makes You Pay

There are several types of phishing—email, SMS, website, a phone call, or chat program—but phishing's purpose is always the same: separate an unsuspecting victim from money or sensitive or personally identifiable information (PII). In this post, I'll showcase what we see within our RiskIQ Phishing application when identifying a phishing threat. In the image below, you'll see a phisher targeting users of a well-known payments system via a fake login page. On the left is the fraudulent version, on the right you'll see the legitimate.

Phisher (left) viewed safely within RiskIQ Phishing application and the real login page (right) comparison

To see the phishing page shown in (Fig-1), we view its summary within the RiskIQ Phishing App (Fig-2), which gives us the rendered page showing exactly what a victim would see while the phishing campaign is live, along with other important details that provide clues about the phisher's identity. These clues are crucial to have all in one place when reacting to a phishing event because it saves time and cuts down the period the phishers are active.

Fig-2 RiskIQ Phishing Summary page

Below are just a few of the key attributes associated with this particular phisher along with why they appear in the summary page and what they can tell us (Fig-2):

  • Alexa ranking tells us how popular the phishing site is with visitors each day.
  • Domain the phisher is using tells us the domain being abused to phish people.
  • Others with domain tells us if other phishers are using the same domain name within a campaign.
  • Others with registrant tells us any other phishers that could be using additional domains the registrant has. This helps us bunch together domains a Phishing actor is registering.
  • Domain expires tells us the date the domain name expires and can be used for telling if the domain is part of a certain group’s infrastructure.
  • Initial URLs tells us the full URL of how we got to the phishing page in the place. This also will tell us if a hosting account is compromised then on which page is the malicious content located.
  • Cloaking tells us if cloaking has been identified within the phishing event.
  • Source tells us where the phishing URL came from before we analyze it within the RiskIQ Application so we can tag it appropriately.
  • Target brand tells us the financial institution or login service that the phisher is trying to use.
  • Target country tells us, if identified from our application, in what country the Phishers is located.
  • Whois Information tells us domain registration, domain name servers, IP addresses, ASN ownership, dates and times, and points of contact.

Fig-3 Crawls tab showing crawls associated with our Phishing event showcase

In addition to the page summary information above, we can dig even deeper into the phishing event for more attributes by selecting the crawls tab (Fig-3) and picking one of the times our RiskIQ web crawlers observed a phishing event. Although the domain may stay the same, a different phisher can be associated with it, even in the same location, which makes the ability to review multiple crawls using the same infrastructure incredibly important.

Fig-4 Rendered Document Object Model (DOM) View

You can also view additional data in this tab (FIG-4), which will help you get more context about the phishing incident, such as the Original Response, Rendered DOM, Files Associated with the Phishers, Cookies, links, and Headers.

Fig-5 Files tab showing the makeup of the phishing page and location of files

The Files Tab in (Fig-5) shows the general makeup of the phisher’s files by indicating the location of the content it's using, and if it's using outside resources to populate the phishing page. You'll notice that there is a legitimate payments system asset that is being used to render the phishing page, which makes it look like a legitimate login page when the victim views it. It's worth noting that if we click on the hyperlink to the company's asset, we get additional information that could be used to match referrer logs to more hacked servers serving phishing pages.

Fig-6 Blacklist tab will show you why a phisher was detected, by who, and how

I've highlighted only a few of the components within our RiskIQ Phishing product. Overall, it makes reviewing phishing-related data easy and safe, which I believe would have made my life at past jobs much easier. Be sure to stay tuned; we'll follow up with some additional key features in RiskIQ as well as a deeper insight into the overall Phishing Threat Landscape.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor