:: Phishing Hunting Thread ::

This is a thread about how to hunt and find #Phishing sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.

Let's go hunting!
Firstly we need a site to use as a pivot. I have attached a number of sources at the bottom of this thread. For demonstration purposes we will use this site ::

hxxp://www.new.froid-guyader.fr/libraries/sharepointcontract/

This is a #Phishing site against Microsoft Office.
Initially let's see if there is a #PhishingKit or #OpenDir on the domain. Enumeration on the domain is important. This is an example of sites to load and see ::

- hxxp://www.new.froid-guyader.fr/libraries/
- hxxp://www.new.froid-guyader.fr/
- hxxp://www.froid-guyader.fr/
Sadly, no results for that. Next, hunting down phishing kits. To do this we can guess the name of the zip folder used. It is normally the same as the directory in which it resides. Running checks on the following URLs is a great starting point ...
- hxxp://www.new.froid-guyader.fr/libraries/sharepointcontract.zip
- hxxp://www.new.froid-guyader.fr/libraries.zip

Again sadly no hits. There are some great tools to automate this. I suggest checking out this tool made by @cybercdh :: github.com/cybercdh/phish…
Next step will be using @urlscanio to check the HTTP requests the web page made. This will show a list of pages and links requested by the page. I find a unique-looking request and then find other sites that use this resource.
The alternative is to hunt using legitimate resources such as a company's logo and find sites using it. The majority of these are phishing sites pulling the resources off the legitimate site.
For this hunt I chose the resource :: Converged1033.css

Using URLScan I can run a search to check which other sites call this resource ::
filename:"Converged1033.css"
That resource is used in over 18,000 sites. All of which are probably malicious. Next step is to look through the results. A good site is one which is clean according to Google and not submitted via a phishing feed. This is known as an undetected site. Found one!
We can also use search engines to pivot using resources :: Google, duckduckgo, yandex.

This is a big #phishing campaign. There is a huge number of sites.
There is further analysis you can do using the infrastructure of the site, checking the hosting IP for example :: page.ip:"213.186.33.2"
Using name servers is also a pivot and tracking technique. Thanks to @johnsec11 for pointing this out to me. After chaseonlineservicess[.]com went down, chasecardonlinerestore[.]com picked up the same campaign. Both URLs used the same name server steelstory[.]org
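The pivoting steps above (filter the resource-search hits down to undetected sites, then group them by hosting IP and name server) as an added example, not code from the thread or from urlscan.io. The hits are constructed to resemble urlscan search results for filename:"Converged1033.css", and the field names, the non-page domains and the RFC 5737 documentation IPs are assumptions.

```python
from collections import defaultdict

# Constructed sample hits, shaped loosely like urlscan.io search results for
# filename:"Converged1033.css". Field names are simplified assumptions, not the
# live API schema; IPs other than the one quoted in the thread are RFC 5737
# documentation addresses, and *.example domains are placeholders.
SAMPLE_HITS = [
    {"domain": "www.new.froid-guyader.fr", "ip": "213.186.33.2",
     "nameservers": ["ns1.hosting.example"], "malicious": True, "source": "phishtank"},
    {"domain": "sharepoint-contract.example", "ip": "213.186.33.2",
     "nameservers": ["ns1.hosting.example"], "malicious": False, "source": "api"},
    {"domain": "chaseonlineservicess.com", "ip": "198.51.100.7",
     "nameservers": ["steelstory.org"], "malicious": True, "source": "openphish"},
    {"domain": "chasecardonlinerestore.com", "ip": "198.51.100.8",
     "nameservers": ["steelstory.org"], "malicious": False, "source": "manual"},
    {"domain": "unrelated.example", "ip": "203.0.113.5",
     "nameservers": ["ns.other.example"], "malicious": False, "source": "api"},
]

# Submission sources that mean the hit already came in via a phishing feed.
PHISHING_FEEDS = {"phishtank", "openphish"}


def undetected(hits):
    """Domains that are neither flagged malicious nor submitted via a phishing feed."""
    return [h["domain"] for h in hits
            if not h["malicious"] and h["source"] not in PHISHING_FEEDS]


def pivot(hits, key):
    """Group domains by a shared infrastructure value ("ip" or "nameservers").

    Only groups with two or more distinct domains are returned; a value seen
    once gives nothing to pivot on.
    """
    groups = defaultdict(set)
    for h in hits:
        values = h[key] if isinstance(h[key], list) else [h[key]]
        for v in values:
            groups[v].add(h["domain"])
    return {v: sorted(d) for v, d in groups.items() if len(d) >= 2}


def expand_campaign(hits, seed_domain):
    """From one confirmed site, collect other domains sharing its IP or name server."""
    related = set()
    for key in ("ip", "nameservers"):
        for group in pivot(hits, key).values():
            if seed_domain in group:
                related.update(group)
    related.discard(seed_domain)
    return sorted(related)
```

The undetected list still needs manual review, exactly as the thread says; the grouping only tells you which hits share infrastructure with a confirmed site.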
That is all for now. I will be back with other information later. Please RT and share this thread to help others. Thanks 👍
As stated at the start of this thread here are some great #Phishing accounts to follow ::
- @JCyberSec_
- @IpNigh
- @PhishingAi
- @packet_Wire
- @ActorExpose
- @PhishStats
- @FeedPhish
- @JayTHL
- @Cyberfishio
- @dave_daves
- @ozuma5119
- @smica83
@PhishStats @open_phish @PhishTank_Bot @urlscanio ⚠️Update - Part Two has been published.⚠️

:: Phishing Admin Panel Hunting Thread ::

In this thread we will find ways to hunt and attribute phishing admin panels.

This is a continuation from my #phishing hunting thread released earlier this year.
