Wednesday, 7 September 2022

Investigate Phishing Campaigns

How to investigate phishing campaigns

First, what is a phishing campaign? A phishing campaign is an email scam designed to steal personal information from victims. Threat actors use phishing to obtain sensitive information for fraud, such as credit card details and login credentials, by posing as a trusted organization or person in an email communication.

How bad is phishing? Social engineering attacks occur on a daily basis. The threat actor's main aim is to steal your data, financial information and login credentials. According to a Cisco cybersecurity report, more than 90% of data breaches are the result of phishing.
The way the majority of websites hosted on the malicious IP address are built indicates phishing; some of the websites appeared to contain a malicious executable file for stealing data.
Some screenshots of the malicious sites:
The following are some basic techniques for investigating a phishing campaign.

Basic IP address reputation / website identification:
As an initial step, check whether the IP address has been associated with undesired or suspicious activity such as spam. MX Toolbox is a great tool for checking IPs against known blacklists: you enter an IP and it returns that IP's reputation. You can also use tools such as Symantec (Broadcom), Cisco Talos Intelligence and VirusTotal to investigate the IP address's reputation.


Check for DNS variations:
Malicious actors commonly engage in domain typo-squatting, the purposeful registration of domain names spelled similarly to the target domain, in order to fool unsuspecting phishing victims. DNS Twister is a tool for checking DNS variations: it is very useful for finding similar domain names, as well as alerting whenever such new domains become registered.
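As an added illustration (not part of the original post, and not DNS Twister's own code) of the kind of variations such a tool checks, the following Python script generates lookalike-domain candidates for a constructed placeholder domain, example-bank.com, that a defender could feed to a registration monitor or WHOIS/DNS lookups.

```python
# Added example: generate lookalike-domain candidates that a typo-squat
# monitor can watch for. "example-bank.com" is a constructed placeholder.

# Visually similar substitutions commonly seen in lookalike domains (constructed list).
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "0": "o", "e": "3", "a": "4", "m": "rn"}
TLDS = ["com", "net", "org", "co"]


def split_domain(fqdn):
    """Split 'name.tld' into (name, tld); a bare name is assumed to be .com."""
    name, _, tld = fqdn.lower().rpartition(".")
    return (name, tld) if name else (tld, "com")


def typo_variants(fqdn):
    """Return a sorted list of lookalike domains for fqdn (fqdn itself excluded)."""
    name, tld = split_domain(fqdn)
    out = set()
    # Missing-character typos: "exmple-bank"
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])
    # Adjacent-character transpositions: "eaxmple-bank"
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # Homoglyph substitutions, one position at a time: "examp1e-bank"
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, ""):
            out.add(name[:i] + sub + name[i + 1:])
    # Doubled characters and hyphen removal: "exaample-bank", "examplebank"
    for i in range(len(name)):
        out.add(name[:i] + name[i] + name[i:])
    out.add(name.replace("-", ""))
    out.discard(name)
    out.discard("")
    # Combine every name variant (plus the original name) with each TLD,
    # then drop the legitimate domain itself.
    candidates = {f"{n}.{t}" for n in out | {name} for t in TLDS}
    candidates.discard(f"{name}.{tld}")
    return sorted(candidates)


if __name__ == "__main__":
    for d in typo_variants("example-bank.com")[:10]:
        print(d)
```

The candidate list is what you would resolve or check against new-registration feeds; a hit that resolves to a web server is a domain worth investigating with the steps below.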

Calculate the webpage’s SHA256 hash :
Phishing websites are frequently simplistic copies of each other, without any bells and whistles since the objective here is to steal user information. That makes the task of investigating them and linking them to other malicious domains a little easier, if they are indeed carbon copies of one another.

To calculate a website’s SHA256 value, you can use the following Kali Linux terminal command:

curl www.mydomain.com | sha256sum

The result is a hash value, which can then be searched using Urlscan and should produce a multitude of results. Note that the hash only matches byte-identical copies: any dynamic content in the page (a timestamp, a session token) changes the hash.

Examine security certificates:
Phishing websites often do not enable a security certificate (an HTTPS-encrypted connection), but some of them do. Nowadays threat actors obtain free security certificates for their fake websites in order to add another layer of purported legitimacy to the phishing sites; after all, many people still erroneously believe that the "green padlock" symbol in the browser means the website they visit is real and that the information they enter into it is fully secure.

