Synopsis

In this article, I revisit a DIY approach I took to take down a scammer’s infrastructure during the last holiday season.

Stop and Think

If you have lost money or data to a phishing scam, please stop reading this article and contact law enforcement or get help.

• Australia: https://www.scamwatch.gov.au/get-help/where-to-get-help
• USA: https://www.usa.gov/stop-scams-frauds

The Link

You may have received one or more links from scammers with the description of “You have won an iPhone” or “A parcel is waiting for clearance” click here to claim it. Once you click the link, the link may direct you to a website, which could deceive you into entering PII (Personally Identifiable Information).

This attack is identified as phishing but based on the threat vector; it can be classified differently. For example, Smishing uses SMS as a medium to target users.

Analysis

The first step of the analysis begins with the link I received from the scammer. The link is the most important clue, as it may reveal the phishing infrastructures behind the scam.

I primarily used URLSCAN.io for my investigation . It is a web-based sandbox environment that scans and analyzes a given link. It provides detailed information about the link you were about to click.

An initial scan of that particular URL rendered an empty page. As web users, we know that websites may behave differently based on the device/browser. One of the techniques servers use to identify the browser is through the User-Agent, sent with the request to the server.

The above theory prompted me to try something with URLSCAN.io. I switched and tried multiple User-Agents with different Operating systems. But I finally got lucky with the mobile user agent iOS Safari, a nicely designed web app was prompting me to enter my email to claim an iPhone.

The scammers have hosted the primary user interface, the data collection user interface, on two separate hosting infrastructures. The reason could be that if someone takes down the primary domain and its infrastructure, the data is stored securely in the secondary hosting infrastructure.

Reporting

The key to taking down phishing infrastructure is to reporting it to hosting providers. In addition, reporting it to browser makers and antivirus companies could mark the domain as malicious/suspicious. The below image shows an example of URLSCAN.io results.

SwiftOnSecurity has written a comprehensive How-To at Decent Security on how to do this. Let me you take through the list of steps I used.

• Reporting it to Google Safe Browsing team was the initial step . Google shares this data with third parties, including browsers makers who use Google’s Safe Browsing API to block phishing and malware.

• Using the hosting information I gathered in the analysis phase, I reported it to Amazon Web Services and Digital Ocean through their abuse forms. The key is to provide as much information as possible, including a screenshot and links where appropriate.

• Since this scam targeted users primarily based in Australia, I also sent the report to ScamWatch Australia.

The waiting game

Hosting providers get tons of abuse reports a day. The average turnaround time could be days, weeks, or may be months.

• AWS got back to me after three days, and they took down the primary domain I reported.

• DigitalOcean did get back to me after two days. However, the site was still active during their investigation even after that.

• As of this writing none of the reported domains are active.

Conclusion

Taking down phishing scams are similar to the whack a mole game; there will be another when you take down one. However, reporting them is the key to prevent others from falling into the scam.

If you need to read the more comprehensive guide, please bookmark Decent Security and revisit it when you get another Smishing/Phishing scam.

Happy Hunting !!!.