Using image hashes to find phishing pages

-


I was recently introduced to this nice feature of urlscan.io which lets you search phishing pages via image hashes. I quickly realised how this could be a powerful tool. A hash, by definition, is the unique numerical fingerpint made of the total sum of a file's components. Hashing a file includes using an algorithm that calculates a unique fixed-size bit string value from the file.

 It was then shown to me that you could take the file hash of an image from a website and then use it to find all websites that contain the same hash and image. Most phisherman are lazy and will just steal the contents of an entire website, clone it, and host it on their own server to begin harvesting credentials from unsuspecting victims.



 I decided to test how useful this feature was from a site (gov.uk) that is often used to scam victims out of their payment details, personally identifiable information (PII), and other sensitive data.

 I chose to use the logo from the site: 


I saved and downloaded the logo and uploaded it to VirusTotal to create the hash:


SHA-256: bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b

 With the hash I can search urlscan.io and perhaps we can find some phishing pages: 




Oh look, lots and lots of phish 😮 It works!

 This is evidence that phishermen will constantly rip the code of targeted sites and reupload it, making it easy for us to find!

 Hope you can try this method out and find some pages targeting your employees/customers. 

 Indicators of Compromise (IOCs): 

 tax-office-return.com/
dvla.co.uk.pending-refund-mar27.info/
tax-compensation.com
dvla.uk-gov-ref0ll6.com\
www.gov.uk.tax.refund.online.ssl.2msuaritma.com
taxuk-return.com
refund-forms-gb.com
dvla.co.uk.form-refund-mar20.info/
dvla.co.uk.pending-refund-mar23.info/
vtax.refund-refi2p1.com
gov.hmrc-taxservices.com/
hmrc-govrefund.com/


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more