Using image hashes to find phishing pages



I was recently introduced to this nice feature of urlscan.io which lets you search phishing pages via image hashes. I quickly realised how this could be a powerful tool. A hash, by definition, is the unique numerical fingerpint made of the total sum of a file's components. Hashing a file includes using an algorithm that calculates a unique fixed-size bit string value from the file.

It was then shown to me that you could take the file hash of an image from a website and then use it to find all websites that contain the same hash and image. Most phisherman are lazy and will just steal the contents of an entire website, clone it, and host it on their own server to begin harvesting credentials from unsuspecting victims.



I decided to test how useful this feature was from a site (gov.uk) that is often used to scam victims out of their payment details, personally identifiable information (PII), and other sensitive data.

I chose to use the logo from the site: 




I saved and downloaded the logo and uploaded it to VirusTotal to create the hash:


SHA-256: bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b

With the hash I can search urlscan.io and perhaps we can find some phishing pages: 






Oh look, lots and lots of phish 😮 It works!

This is evidence that phishermen will constantly rip the code of targeted sites and reupload it, making it easy for us to find!

Hope you can try this method out and find some pages targeting your employees/customers. 

Indicators of Compromise (IOCs): 

tax-office-return.com/
dvla.co.uk.pending-refund-mar27.info/
tax-compensation.com
dvla.uk-gov-ref0ll6.com\
www.gov.uk.tax.refund.online.ssl.2msuaritma.com
taxuk-return.com
refund-forms-gb.com
dvla.co.uk.form-refund-mar20.info/
dvla.co.uk.pending-refund-mar23.info/
vtax.refund-refi2p1.com
gov.hmrc-taxservices.com/
hmrc-govrefund.com/


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Lessons from the iSOON Leaks

The Ransomware Tool Matrix