Skip to content

How to investigate phishing campaigns – resources for the SANS OSINT Summit 2022 talk

  • by

I was delighted to be able to present at the SANS OSINT Summit 2022!

Here is the YouTube video stream of ALL the presentations that appeared at the Summit.

My one starts exactly at the 2 h 30m mark.

Or you can just watch it separately here.

A big thank you to the organisers, fellow speakers, to all attendees and participants.

A separate thank you and a shout out to John TerBush who provided great assistance and feedback during the creation of this presentation.

SANS Osint Summit

List of helpful resources to use in support of various OSINT methods I described during the SANS OSINT Summit 2022 presentation:

IP reputation & passive reconnaissance

  • Broadcom – simple IP address reputation check.
  • Centralops – multi-purpose tool with the domain dossier lookup functionality. Has a free usage limit of 50 queries per day.
  • Cisco Talos Intelligence – allows checking for various data points and types of activity associated with an IP address. Decent reputation lookup tool.
  • Domain Big Data – allows searches by IP, domain, email, even phone number. Returns information on what else is being hosted on the same IP address.
  • Go Find Whois – advanced tool with multiple functionalities. It aggregates several other search engines and tools that can be used to perform lookups.
  • IP Info – detailed IP lookup, including IP address type (VPN, proxy, hosting, etc.).
  • IP Neighbors – for checking hosting neighbours of a site / host of interest.
  • IP Void – multi-tool IP search tool, allows lookups against several basic and advanced criteria.
  • MX Toolbox – another multi-tool that allows searching by domain name, IP address or host name. Also allows conducting IP reputation checks.
  • ShowMyIP – bulk IP address lookup, allows looking up as many as 100 IPs at the same time, but can be plagued by captchas. IP search results can be downloaded as .csv files.
  • Threatminer – a threat intelligence portal that combines the information from several well-respected infosec industry platforms.
  • Virus Total – handy for checking IPs and URLs. Predominantly a static analysis sandbox for suspicious files, with solid capabilities for screening websites and IPs.

DNS analysis

  • Alien Vault – for DNS records but also a myriad of other indicators, like URLs, file scans and other telemetry.
  • Complete DNS – for checking the DNS history, domain history and archive records.
  • DNS Dumpster – very useful for subdomain enumeration. Includes the option to create a map displaying all the results.
  • DNSlytics – reverse IP lookup tool for identifying domains that share the same IP address or subnet.
  • DNS Twister – for searching domains by name and monitoring DNS records. Useful when investigating typo-squatting and domains with very similar names / special characters.
  • Passive DNS – for basic DNS lookups.
  • Sucuri Site Check – quick website scanner, useful for running DNS name checks.

Shortened URLs

Many shortened links can be explored by simply adding a ‘+’ symbol at the end of the shortened URL in the your browser’s URL tab. This will work majority of the time, but it depends on the compatibility of the URL shortening service.

Note that instead of the ‘+’ symbol, in order to unshorten your link some of these services require different symbols, like:

  • a hyphen ‘-‘;
  • a question mark ‘?’
  • a tilde ‘~’

Other ways to investigate shortened URLs include installing a dedicated browser extension or going directly to online resources that will do the job for you, with varying degrees of details. Examples:

Open directory websites

Opendir websites can be found using the following search methods:

Google searches:

intitle:”index.of” .exe (or whatever file extension you’re searching for; could be a name keyword of interest too).

intext:”keyword” intitle:”index.of” -inurl: file extension – example:

intext:”osint” intitle:”index.of” -inurl: jpg

Multiple piped search criteria combinations are also possible, for instance:

intext:”osint” intitle:”index.of” (rar|tar|7z|zip)

index of parent directory “keyword” “file extension” – example:

index of parent directory osint  (.txt|.doc|.docx)

  • Twitter search – hashtag #opendir – or this link here (great for finding malware / phishing sites).
  • ODCrawler – useful for searching by keyword and file type. However, it focuses on finding specific files as opposed to opendir websites.


Website technology stack & content examination

  • Awesome Tech Stack – currently in beta, this site allows for scanning websites and generating performance reports for their tech stacks.
  • Built With – online scan of the technologies and components used on a particular website.
  • HTTrack – for downloading websites offline. Useful for phishing / scam websites as they are typically not very cumbersome or rich in video file / multimedia content.
  • Public WWW – source code inspection engine, good for finding and identifying complete or incomplete elements of website source code.
  • The Markup Blacklight – a privacy enabling tool, allows for conducting a quick website scan in search for trackers, third party cookies, keyloggers and Facebook / Google ad monitoring.
  • Web Tech Survey – another online scanner, useful for tracking changes to the website’s technology stack.

Security certificates

Captcha abuse OSINT

  • Captcha sites contain a reCAPTCHA API key used in the URL parameters
  • Repetitive values within a URL string
  • These identifiers can be drilled into and searched for on other pages, which gives us the ability to find other phishing websites or campaigns using the same MO.
  • CAPTCHA keys can be extracted from the HTML source code.
  • View page source code / F12 – examine the code searching for values that follow “recaptcha”, “recaptcha-response” or “recaptcha callback”.
  • Simple Google searches as follow up to see if these can be found elsewhere?
captcha OSINT phishing site
captcha OSINT phishing 2

Leave a Reply

Your email address will not be published. Required fields are marked *