Today I had the opportunity to attend the SANS-organized OSINT Summit. The event focused on Open-Source Intelligence, bringing together security professionals and engineers to talk about different topics related to OSINT.
One of the talks that interested me was titled How to Investigate Phishing Campaigns, given by Maciej Makowski, who did an amazing job conveying the information. It sparked my interest since I have been studying for the Blue Team Level 1 certification, where Phishing Analysis is a crucial component, so I thought it would be valuable to learn more about the process of investigating a phishing campaign.
In this post, I will briefly explain the core components of Maciej's talk and the information that I know will help me a lot in the future.
Investigation Process
First, any analysis of a phishing email and the infrastructure behind it should start by gathering these basic artifacts:
- WHOIS lookups on the domain (registrar, creation date, registrant details where available)
- Reputation checks on the domain, IP and URL
- Checking whether anything else is hosted on the same IP address
- Does the domain resolve in DNS? If so, to what, and does the resolution vary (for example over time or across resolvers)?
- Are any shortened URLs involved? If so, expand them to find the final destination.
- Subdomain enumeration
This provides valuable context on the specific attack, such as the tactics being employed and whether the infrastructure is dedicated or shared.
Second, analyze the technology stack of the phishing website, collecting intelligence such as:
- What was it built with?
- Looking for open directories (directory listings that may expose the kit's source, logs or collected credentials)
- Favicon examination (the favicon hash is a common pivot for finding other hosts serving the same kit)
- HTML hash value
Useful tools for this are BuiltWith and WebTechSurvey.
The key here is to look for patterns and repetition across phishing campaigns; it is all about the intelligence.
HTML Hash Value
Why is this so important? Phishing websites are frequently exact copies of other phishing sites deployed from the same kit, so this is not a rare occurrence. By hashing the HTML of the page, we can search tools like urlscan.io (its search supports a hash: filter on the SHA-256 of a fetched resource) for other scans that served the same HTML.
This matters because it links sites that would otherwise look unrelated and gives an idea of how big a phishing campaign actually is.
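As an added example, not from Maciej's talk or the original post, here is a small Python script that performs this pivot offline. It computes the raw SHA-256 of a page body (the value you would feed to urlscan.io's hash: filter), a normalized hash that ignores comments and whitespace between tags so re-deployed copies of a kit still collide, and a few tech-stack hints (title, favicon path, generator tag, form action) to pivot on as well, then clusters captured URLs by hash. The URLs and HTML below are constructed sample data with hypothetical domains, standing in for the captures you would pull from urlscan.io or fetch yourself.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample captures (hypothetical URLs and HTML, not real phishing
# pages): the kind of data you would get back from urlscan.io or from
# fetching the suspected sites yourself.
KIT = (
    '<html><head><title>Sign in</title>'
    '<link rel="icon" href="/favicon.ico">'
    '<meta name="generator" content="PhishKit Builder">'
    '</head><body><form action="post.php" method="post">'
    '<input name="user"><input name="pass" type="password">'
    '</form></body></html>'
)
# Same kit, re-deployed with a build comment and different whitespace.
KIT_REFORMATTED = KIT.replace(
    "<head>", "<head>\n  <!-- build 2 -->\n  "
).replace("</form>", "</form>\n")
OTHER_KIT = (
    '<html><head><title>Account verification</title></head>'
    '<body><form action="/verify" method="post"><input name="email"></form>'
    '</body></html>'
)
CAPTURES = {
    "https://secure-login.example/index.html": KIT,
    "https://account-verify.example/login/": KIT,
    "https://mail-update.example/": KIT_REFORMATTED,
    "https://billing-alert.example/": OTHER_KIT,
}


def body_hash(html: str) -> str:
    """SHA-256 of the raw response body: the value to search for with
    urlscan.io's hash: filter to find other scans serving identical HTML."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def normalized_hash(html: str) -> str:
    """Hash after dropping comments and whitespace between tags, so copies
    of a kit that only differ in formatting or build comments still collide."""
    stripped = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    stripped = re.sub(r">\s+<", "><", stripped)
    stripped = re.sub(r"\s+", " ", stripped).strip()
    return hashlib.sha256(stripped.encode("utf-8")).hexdigest()


def fingerprint(html: str) -> dict:
    """Cheap tech-stack hints pulled from the markup: page title, favicon
    path, generator meta tag and where the login form posts to."""
    def first(pattern):
        m = re.search(pattern, html, flags=re.I | re.S)
        return m.group(1).strip() if m else None
    return {
        "title": first(r"<title>(.*?)</title>"),
        "favicon": first(r'<link[^>]*rel="icon"[^>]*href="([^"]+)"'),
        "generator": first(r'<meta[^>]*name="generator"[^>]*content="([^"]+)"'),
        "form_action": first(r'<form[^>]*action="([^"]+)"'),
    }


def cluster(captures: dict, hasher) -> dict:
    """Group URLs whose HTML hashes to the same value; singletons are
    dropped because a lone page says nothing about campaign size."""
    groups = defaultdict(list)
    for url, html in captures.items():
        groups[hasher(html)].append(url)
    return {h: sorted(urls) for h, urls in groups.items() if len(urls) > 1}


if __name__ == "__main__":
    for name, hasher in (("raw body hash", body_hash),
                         ("normalized hash", normalized_hash)):
        print(f"== {name} ==")
        for h, urls in cluster(CAPTURES, hasher).items():
            print(h[:16], urls, fingerprint(CAPTURES[urls[0]]))
```

On the sample data the raw hash links only the two byte-identical deployments, while the normalized hash also pulls in the reformatted copy; the difference is the caveat to keep in mind when a urlscan.io hash search returns fewer hits than you expect. Favicon hashes and the form action are worth pivoting on separately, since a kit's operator may edit the HTML but rarely bothers to change the icon or the credential-collection endpoint.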
Emerging Threats, Phishing Landscape
There are emerging threats in the phishing field. Browser-in-the-Browser attacks, where a fake pop-up login window (typically imitating an SSO or OAuth prompt, complete with a spoofed address bar) is rendered entirely in HTML inside the phishing page, are being used more and more. Placing CAPTCHAs in front of phishing pages, which keeps automated scanners and sandboxes from reaching the credential-harvesting content, and fake browser notifications and alerts are other strategies currently in use.