{"id":2889,"date":"2021-12-06T06:48:00","date_gmt":"2021-12-06T06:48:00","guid":{"rendered":"https:\/\/osintme.com\/?p=2889"},"modified":"2021-12-06T07:58:29","modified_gmt":"2021-12-06T07:58:29","slug":"how-to-investigate-a-massive-phishing-campaign","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2021\/12\/06\/how-to-investigate-a-massive-phishing-campaign\/","title":{"rendered":"How to investigate a massive phishing campaign"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2889\" class=\"elementor elementor-2889\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-992d810 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"992d810\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b11ab9e\" data-id=\"b11ab9e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ad16350 elementor-widget elementor-widget-text-editor\" data-id=\"ad16350\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A recent anonymous tip from a reader drew my attention to a malicious IP address allegedly involved in a widespread phishing campaign against users in Ireland.<\/p><p>The malicious actors behind this campaign have created hundreds of fake domains, impersonating several Irish banks, the national postal service of Ireland, courier services, Sky TV, covid pass issuers, as well as several other financial entities abroad, the English NHS and many others.<\/p><p>The IP in 
question &#8211; 35.234.96.61 &#8211; belongs to Google and at the time of writing was connected to <strong>371 hostnames and 924 URLs<\/strong>.<\/p><p>Active domains hosted on the IP in question can be found <a href=\"https:\/\/domainbigdata.com\/35.234.96.61#domain-same-ip\">here<\/a>, while a complete list, including passive DNS and older domains can be viewed <a href=\"https:\/\/otx.alienvault.com\/indicator\/ip\/35.234.96.61\">here<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9ed38f7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9ed38f7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-912c56d\" data-id=\"912c56d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9e08312 elementor-widget elementor-widget-text-editor\" data-id=\"9e08312\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>While the modus operandi of the majority of websites on the malicious IP address indicates phishing, some of the websites appeared to have contained a malicious Windows executable file &#8211; as per the <a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/35.234.96.61\/relations\">Virus Total scan<\/a>.<\/p><p>Example screenshots of several phishing site screens:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-65c3d11 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"65c3d11\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bc0dd2c\" data-id=\"bc0dd2c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c172743 elementor-widget elementor-widget-image\" data-id=\"c172743\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"985\" height=\"832\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-1.png?fit=985%2C832&amp;ssl=1\" class=\"attachment-large size-large wp-image-2900\" alt=\"BOI phishing 1\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-1.png?w=985&amp;ssl=1 985w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-1.png?resize=300%2C253&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-1.png?resize=768%2C649&amp;ssl=1 768w\" sizes=\"(max-width: 985px) 100vw, 985px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6bb0e2f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6bb0e2f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div 
class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c82f2be\" data-id=\"c82f2be\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c5815ac elementor-widget elementor-widget-image\" data-id=\"c5815ac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"543\" height=\"726\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-phishing-1.png?fit=543%2C726&amp;ssl=1\" class=\"attachment-large size-large wp-image-2905\" alt=\"AIB phishing 1\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-phishing-1.png?w=543&amp;ssl=1 543w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-phishing-1.png?resize=224%2C300&amp;ssl=1 224w\" sizes=\"(max-width: 543px) 100vw, 543px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d829475 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d829475\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-32b6fde\" data-id=\"32b6fde\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ee3d1a0 elementor-widget 
elementor-widget-image\" data-id=\"ee3d1a0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"1024\" height=\"952\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/sky-tv-phishing-1.png?fit=1024%2C952&amp;ssl=1\" class=\"attachment-large size-large wp-image-2916\" alt=\"sky tv phishing 1\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/sky-tv-phishing-1.png?w=1061&amp;ssl=1 1061w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/sky-tv-phishing-1.png?resize=300%2C279&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/sky-tv-phishing-1.png?resize=1024%2C952&amp;ssl=1 1024w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/sky-tv-phishing-1.png?resize=768%2C714&amp;ssl=1 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8a1b69a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8a1b69a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9313457\" data-id=\"9313457\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac54976 elementor-widget elementor-widget-image\" data-id=\"ac54976\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1007\" height=\"805\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/An-Post-phishing-1.png?fit=1007%2C805&amp;ssl=1\" class=\"attachment-large size-large wp-image-2906\" alt=\"An Post phishing 1\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/An-Post-phishing-1.png?w=1007&amp;ssl=1 1007w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/An-Post-phishing-1.png?resize=300%2C240&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/An-Post-phishing-1.png?resize=768%2C614&amp;ssl=1 768w\" sizes=\"(max-width: 1007px) 100vw, 1007px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6a0acb8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6a0acb8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e1c1cc3\" data-id=\"e1c1cc3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c11b529 elementor-widget elementor-widget-heading\" data-id=\"c11b529\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Investigation techniques<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-543d2e1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"543d2e1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8159f11\" data-id=\"8159f11\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-828038a elementor-widget elementor-widget-text-editor\" data-id=\"828038a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Given the vast amount of malicious domains, there are numerous investigative angles to take here.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e8abc96 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e8abc96\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d7afd78\" data-id=\"d7afd78\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d175fdd elementor-widget elementor-widget-text-editor\" data-id=\"d175fdd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Check IP address reputation<\/strong> &#8211; this initial step will allow you to quickly establish if you are dealing with a known threat or if you came across something completely new. For example, you can check if the IP address has been associated with undesired or suspicious activity such as spam:<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8a1ae31 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8a1ae31\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-84a4cdb\" data-id=\"84a4cdb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-430cf29 elementor-widget elementor-widget-text-editor\" data-id=\"430cf29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/mxtoolbox.com\/SuperTool.aspx\">Mx Toolbox<\/a> is a great tool for checking IPs against known blacklists. 
The command in this case is &#8220;blacklist:35.234.96.61&#8221;, which returns 1 match for <a href=\"https:\/\/mxtoolbox.com\/Problem\/Blacklist\/Spamhaus-ZEN\/?page=prob_blacklist&amp;ip=35.234.96.61&amp;link=button&amp;action=blacklist:35.234.96.61&amp;showLogin=1&amp;hidetoc=1&amp;reason=127.0.0.2\">Spamhaus ZEN<\/a>.<\/p><p><a href=\"https:\/\/ipremoval.sms.symantec.com\/lookup\">Symantec&#8217;s Broadcom<\/a> lets you conduct a similar check &#8211; in this case we can learn that:<\/p><ol><li>The host has been observed sending spam in a format that is similar to snow shoe spamming techniques.<\/li><li>The host is unauthorized to send email directly to email servers.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2325bf8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2325bf8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d1b289d\" data-id=\"d1b289d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e453f22 elementor-widget elementor-widget-text-editor\" data-id=\"e453f22\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/talosintelligence.com\/\">Cisco Talos Intelligence<\/a> can be used to check for types of activities associated with an 
IP address (in this case, however, it resulted in <a href=\"https:\/\/talosintelligence.com\/reputation_center\/lookup?search=35.234.96.61\">no detections<\/a>).<\/p><p><a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/35.234.96.61\/detection\">Virus Total<\/a> is also useful for broad searches of IP addresses &#8211; with information ranging from general reputation and passive DNS to community comments.<\/p><p>The abovementioned <a href=\"https:\/\/otx.alienvault.com\/indicator\/ip\/35.234.96.61\">Alien Vault<\/a> also gives very detailed indicators and related information.<\/p><p>And finally, <a href=\"https:\/\/twitter.com\/search?q=35.234.96.61&amp;src=typed_query\">Twitter<\/a> can be a great source of information, given the mature and very experienced community of researchers and cyber security specialists.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-10e683b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"10e683b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-801b1e5\" data-id=\"801b1e5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8611da2 elementor-widget elementor-widget-text-editor\" data-id=\"8611da2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Check for DNS variations<\/strong> &#8211; it is common enough for malicious actors to engage in domain 
typo-squatting, which means purposeful registration of domain names with deceptively similar spelling to the target domain; the intention here is to fool unsuspecting phishing victims.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-03e9dcd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"03e9dcd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-20f899d\" data-id=\"20f899d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-75ff5ea elementor-widget elementor-widget-text-editor\" data-id=\"75ff5ea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>One of my favourite tools for checking DNS variations is <a href=\"https:\/\/dnstwister.report\/\">DNS Twister<\/a>. 
It can be very useful for checking similar domain names, as well as alerting whenever such new domains become registered.<\/p><p>This is another way of discovering similar but unrelated phishing campaigns.<\/p><p>Take the example below &#8211; a DNS Twister scan of one of the malicious domains from the suspicious IP address:<\/p><p>secureboi365login[.]com &#8211; see the DNS Twister results <a href=\"https:\/\/dnstwister.report\/search?ed=736563757265626f693336356c6f67696e2e636f6d\">here<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c0e8b7a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c0e8b7a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3554c7c\" data-id=\"3554c7c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8a170cf elementor-widget elementor-widget-image\" data-id=\"8a170cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"785\" height=\"209\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-DNS-OSINT.png?fit=785%2C209&amp;ssl=1\" class=\"attachment-large size-large wp-image-2969\" alt=\"BOI phishing DNS OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-DNS-OSINT.png?w=785&amp;ssl=1 785w, 
https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-DNS-OSINT.png?resize=300%2C80&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-DNS-OSINT.png?resize=768%2C204&amp;ssl=1 768w\" sizes=\"(max-width: 785px) 100vw, 785px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9b82840 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9b82840\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fe47fde\" data-id=\"fe47fde\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5a97047 elementor-widget elementor-widget-text-editor\" data-id=\"5a97047\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The second IP address matched above is not related directly to the one involved in the malicious campaign against Irish users &#8211; but after a more detailed analysis, it seems to be part of an even larger malicious campaign that involves malware distribution, with 500+ passive DNS records and over 9k URLs &#8211; see the indicators listed below:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-695283f elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"695283f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ec3cf66\" data-id=\"ec3cf66\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a3508a4 elementor-widget elementor-widget-text-editor\" data-id=\"a3508a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/otx.alienvault.com\/indicator\/ip\/103.224.182.251\">https:\/\/otx.alienvault.com\/indicator\/ip\/103.224.182.251<\/a><\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/103.224.182.251\">https:\/\/www.virustotal.com\/gui\/ip-address\/103.224.182.251<\/a><\/li><li><a href=\"https:\/\/talosintelligence.com\/reputation_center\/lookup?search=103.224.182.251\">https:\/\/talosintelligence.com\/reputation_center\/lookup?search=103.224.182.251<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-09bcc8b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"09bcc8b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3b8d49f\" data-id=\"3b8d49f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-05ca246 elementor-widget elementor-widget-text-editor\" data-id=\"05ca246\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Similar checks can be conducted on other malicious domains, with tens of thousands of potential findings to unravel&#8230;<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-593a6a1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"593a6a1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f6d9544\" data-id=\"f6d9544\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-dd70d6e elementor-widget elementor-widget-text-editor\" data-id=\"dd70d6e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Examine the technology stack<\/strong> &#8211; every website, even the most simplistic phishing page, has a technology footprint to it. 
You can check what web server it uses, what language it was written in, what widgets or documents it contains, and so on.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d254d78 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d254d78\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3984802\" data-id=\"3984802\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-884c84c elementor-widget elementor-widget-text-editor\" data-id=\"884c84c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Below are some of the best resources for scanning a website&#8217;s technology stack:<\/p><ul><li><a href=\"https:\/\/awesometechstack.com\/\">https:\/\/awesometechstack.com\/<\/a><\/li><li><a href=\"https:\/\/builtwith.com\/\">https:\/\/builtwith.com\/<\/a><\/li><li><a href=\"https:\/\/sitereport.netcraft.com\/\">https:\/\/sitereport.netcraft.com\/<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4b637ff elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4b637ff\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container 
elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-27679dc\" data-id=\"27679dc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-32a38eb elementor-widget elementor-widget-text-editor\" data-id=\"32a38eb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Examining the underlying technologies that run on a website can be used for comparison purposes against other sites. This can be another way of uncovering similar and related \/ unrelated malicious activities.<\/p><p>As a follow up, you can use a <a href=\"https:\/\/www.sitelike.org\/\">Site Like<\/a> or <a href=\"http:\/\/similarweb.com\/\">Similar Web<\/a> scan &#8211; but beware, this is a broad search that will likely return a lot of sites with various degrees of similarity; further examination will be necessary.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e23d62 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1e23d62\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-416b9d2\" data-id=\"416b9d2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f10c1d5 elementor-widget elementor-widget-text-editor\" 
data-id=\"f10c1d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Calculate the webpage&#8217;s SHA256 hash<\/strong> &#8211; hashing is a common concept when it comes to files or disk images &#8211; but how about calculating a hash value of a website&#8217;s HTML content?<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-162a9c4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"162a9c4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9feddd9\" data-id=\"9feddd9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4acd4d8 elementor-widget elementor-widget-text-editor\" data-id=\"4acd4d8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Phishing websites are frequently simplistic copies of each other, without any bells and whistles since the objective here is to steal user information. 
That makes the task of investigating them and linking them to other malicious domains a little easier, if they are indeed carbon copies of one another.<\/p><p>To calculate a website&#8217;s SHA256 value, you can use the following Linux terminal command:<\/p><p><em>curl www.boionline365authenticaton.com | sha256sum<\/em><\/p><p>The result will display below after a brief calculation:<\/p><p><em>022d1d9c0ef92f7100837906545e28d8becde6548d750f258f582ef5a8b33481<\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d237c1c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d237c1c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b69f120\" data-id=\"b69f120\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-766b002 elementor-widget elementor-widget-image\" data-id=\"766b002\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"288\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-sha256-OSINT.png?fit=644%2C288&amp;ssl=1\" class=\"attachment-large size-large wp-image-2988\" alt=\"website hash sha256 OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-sha256-OSINT.png?w=644&amp;ssl=1 644w, 
https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-sha256-OSINT.png?resize=300%2C134&amp;ssl=1 300w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b07a8a1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b07a8a1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7284aa7\" data-id=\"7284aa7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-376951e elementor-widget elementor-widget-text-editor\" data-id=\"376951e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The obtained hash value can then be searched for on <a href=\"https:\/\/urlscan.io\/search\/#*\">Urlscan<\/a> and should produce a multitude of results, as seen in <a href=\"https:\/\/urlscan.io\/search\/#022d1d9c0ef92f7100837906545e28d8becde6548d750f258f582ef5a8b33481\">this example<\/a>.<\/p><p>Once again, there are nearly countless pivot points here, with multiple new detections &#8211; for example this <a href=\"https:\/\/urlscan.io\/result\/4875f1a6-4e49-4d07-bd25-4c1bd8b7f2c7\/\">unrelated malicious website<\/a>, with a Russian top-level domain, hosted on an IP address in the Seychelles &#8211; seemingly another phishing attempt by yet another malicious 
actor.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9d1dd03 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9d1dd03\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-54d7eae\" data-id=\"54d7eae\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ca33be0 elementor-widget elementor-widget-image\" data-id=\"ca33be0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-match-OSINT.png?fit=1024%2C469&amp;ssl=1\" class=\"attachment-large size-large wp-image-2992\" alt=\"website hash match OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-match-OSINT.png?w=1148&amp;ssl=1 1148w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-match-OSINT.png?resize=300%2C137&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-match-OSINT.png?resize=1024%2C469&amp;ssl=1 1024w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/website-hash-match-OSINT.png?resize=768%2C352&amp;ssl=1 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-064adfa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"064adfa\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-246bb47\" data-id=\"246bb47\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b3f36b2 elementor-widget elementor-widget-text-editor\" data-id=\"b3f36b2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Examine security certificates<\/strong> &#8211; not every phishing website from the list has a security certificate enabling an HTTPS-encrypted connection, but some of them do. 
Nowadays scammers obtain free security certificates for their fake websites (for example by abusing the free <a href=\"https:\/\/letsencrypt.org\/\">Let&#8217;s Encrypt<\/a> service) in order to add another layer of purported legitimacy to the phishing sites; after all, many people still erroneously believe that the &#8220;green padlock&#8221; symbol in the browser means the website they visit is real and that the information they enter into it is fully secure.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-88f26f3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"88f26f3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ddf376b\" data-id=\"ddf376b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2ecf5cf elementor-widget elementor-widget-text-editor\" data-id=\"2ecf5cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Security certificates can yield some interesting information, beyond the usual standard details such as the subject name, issuer name, validity timeframe and so on. 
Looking at a specific example:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c6e10c6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c6e10c6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bbe6dae\" data-id=\"bbe6dae\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3ea9508 elementor-widget elementor-widget-image\" data-id=\"3ea9508\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"640\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT.png?fit=711%2C640&amp;ssl=1\" class=\"attachment-large size-large wp-image-3029\" alt=\"AIB fake certificate OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT.png?w=711&amp;ssl=1 711w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT.png?resize=300%2C270&amp;ssl=1 300w\" sizes=\"(max-width: 711px) 100vw, 711px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-502e45a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" 
data-id=\"502e45a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3f952a1\" data-id=\"3f952a1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac8b778 elementor-widget elementor-widget-image\" data-id=\"ac8b778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"764\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT-2.png?fit=700%2C764&amp;ssl=1\" class=\"attachment-large size-large wp-image-3030\" alt=\"AIB fake certificate OSINT 2\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT-2.png?w=700&amp;ssl=1 700w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/AIB-fake-certificate-OSINT-2.png?resize=275%2C300&amp;ssl=1 275w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f4aa023 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f4aa023\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-be7504f\" data-id=\"be7504f\" data-element_type=\"column\" 
data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-655a805 elementor-widget elementor-widget-text-editor\" data-id=\"655a805\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Apart from the subdomains that the certificate covers, we can get the certificate&#8217;s unique fingerprints:<\/p><ul><li>Serial number:<\/li><\/ul><p><span class=\"info hex\">00:9E:46:60:65:DA:27:E3:96:B1:33:95:E3:C5:FA:25:F3<\/span><\/p><ul><li>SHA-256:<\/li><\/ul><p><span class=\"info hex long-hex hex-open\">D8:22:2C:22:9C:96:A2:61:4E:D2:4D:FC:A5:7E:72:3E:CB:4A:A2:2A:F5:45:60:35:F4:34:83:EE:8D:F0:64:0C<\/span><\/p><ul><li>SHA1:<\/li><\/ul><p><span class=\"info hex\">B1:D8:5A:42:E7:89:D5:09:B6:BE:A6:4C:B5:D1:72:23:FE:0D:3C:3B<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-80c8303 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"80c8303\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e80197c\" data-id=\"e80197c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-10b822f elementor-widget elementor-widget-text-editor\" data-id=\"10b822f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>These 
values can be checked further for instances of the same certificate shared across multiple websites or IP addresses using one of the following services:<\/p><ul><li>Binary Edge: <a href=\"https:\/\/app.binaryedge.io\/\">https:\/\/app.binaryedge.io\/<\/a><\/li><li>Cert SH: <a href=\"https:\/\/crt.sh\/\">https:\/\/crt.sh\/<\/a><\/li><li>Censys: <a href=\"https:\/\/search.censys.io\/\">https:\/\/search.censys.io\/<\/a><\/li><li>Shodan: <a href=\"https:\/\/www.shodan.io\/\">https:\/\/www.shodan.io\/<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-afc05aa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"afc05aa\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a3bd1c8\" data-id=\"a3bd1c8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-df5bd5a elementor-widget elementor-widget-text-editor\" data-id=\"df5bd5a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the case of the domain mentioned above, no certificate overlap was detected with any other site or IP. 
However, it is not that uncommon to get matches that way &#8211; as for instance with the <a href=\"https:\/\/search.censys.io\/search?q=09d26a272fbf39257c1ee1afc43e00073e678e2258b3e010f577e29926d582e7&amp;resource=hosts\">Facebook<\/a> domain.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-dd7d4d3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"dd7d4d3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c50fb47\" data-id=\"c50fb47\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ed7dd7e elementor-widget elementor-widget-text-editor\" data-id=\"ed7dd7e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"text-decoration: underline;\">Search query syntax:<\/span><\/p><p>&#8211; Binary Edge &#8211; <em>ssl.cert.sha1_fingerprint:&quot;&quot;<\/em> or <em>ssl.cert.sha256_fingerprint:&quot;&quot;<\/em> (insert the value inside the straight double quotes)<\/p><p>&#8211; Shodan &#8211; <em>ssl.cert.serial:<\/em> (insert the value directly after the colon, with no space)<\/p><p>&#8211; Cert SH and Censys allow you to search for values directly in the search field, so no additional parameters are necessary.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9b06e35 
elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9b06e35\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-07b390b\" data-id=\"07b390b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e7e8caf elementor-widget elementor-widget-text-editor\" data-id=\"e7e8caf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Conduct a favicon search<\/strong> &#8211; a favicon is a small icon displayed in a browser tab next to the name (always with the .ico file extension). Favicons also display in bookmarks. 
The purpose of a favicon is to help brand recognition, as well as to help users distinguish between many open tabs in a browser window.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2097502 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2097502\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ebcc46b\" data-id=\"ebcc46b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1174f5b elementor-widget elementor-widget-text-editor\" data-id=\"1174f5b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the case of fraudulent websites, a favicon is often copied or directly linked from the original page that is being impersonated, in order to bolster the impression of legitimacy. 
Not every domain on the list here displays a favicon, but many do.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5efad04 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5efad04\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4b43178\" data-id=\"4b43178\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-caa915b elementor-widget elementor-widget-image\" data-id=\"caa915b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"462\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-2.png?fit=690%2C462&amp;ssl=1\" class=\"attachment-large size-large wp-image-2942\" alt=\"BOI phishing favicon 2\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-2.png?w=690&amp;ssl=1 690w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-2.png?resize=300%2C201&amp;ssl=1 300w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-36b54d9 elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"36b54d9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8620b74\" data-id=\"8620b74\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2f53873 elementor-widget elementor-widget-image\" data-id=\"2f53873\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"700\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-OSINT.png?fit=1024%2C700&amp;ssl=1\" class=\"attachment-large size-large wp-image-2941\" alt=\"santander phishing favicon OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-OSINT.png?w=1290&amp;ssl=1 1290w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-OSINT.png?resize=300%2C205&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-OSINT.png?resize=1024%2C700&amp;ssl=1 1024w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-OSINT.png?resize=768%2C525&amp;ssl=1 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-169a986 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"169a986\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ab14902\" data-id=\"ab14902\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-89556c6 elementor-widget elementor-widget-text-editor\" data-id=\"89556c6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Favicon links can be found in the webpage source code (depending on your browser, this can be viewed by pressing Ctrl + U or F12, or by right-clicking and choosing &#8220;view page source&#8221;). This is how they appear in the source code of the phishing websites mentioned above:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9867d57 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9867d57\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bf9ee15\" data-id=\"bf9ee15\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e62fad8 elementor-widget elementor-widget-image\" data-id=\"e62fad8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon.png?fit=1024%2C340&amp;ssl=1\" class=\"attachment-large size-large wp-image-2946\" alt=\"BOI phishing favicon\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon.png?w=1115&amp;ssl=1 1115w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon.png?resize=300%2C100&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon.png?resize=1024%2C340&amp;ssl=1 1024w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon.png?resize=768%2C255&amp;ssl=1 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3356cc5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3356cc5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b4fdf16\" data-id=\"b4fdf16\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2750134 elementor-widget elementor-widget-image\" data-id=\"2750134\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"363\" 
src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon.png?fit=640%2C363&amp;ssl=1\" class=\"attachment-large size-large wp-image-2947\" alt=\"santander phishing favicon\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon.png?w=640&amp;ssl=1 640w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon.png?resize=300%2C170&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ad52178 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ad52178\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-eb72b77\" data-id=\"eb72b77\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e2a2574 elementor-widget elementor-widget-text-editor\" data-id=\"e2a2574\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Searching a favicon by image (by reverse image search, for example) is not going to be effective here due to multiple false positives. 
Something more unique should be searched for instead &#8211; such as a hash value of the favicon.<\/p><p>For this purpose, copy the link found in the page source code and head over to <a href=\"https:\/\/faviconhash.com\/\">Favicon Hash<\/a>.<\/p><p>There, simply paste in the URL and calculate the hash value in <a href=\"https:\/\/pypi.org\/project\/mmh3\/\">MMH3 format<\/a> (MurmurHash3, the hash that Shodan indexes favicons by). Note that when the hash value has a leading minus sign, the sign is part of the hash and must be included in the search.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-51d0d55 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51d0d55\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f0f585c\" data-id=\"f0f585c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1af3937 elementor-widget elementor-widget-image\" data-id=\"1af3937\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"226\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-hash.png?fit=798%2C226&amp;ssl=1\" class=\"attachment-large size-large wp-image-2951\" alt=\"BOI phishing favicon hash\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-hash.png?w=798&amp;ssl=1 798w, 
https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-hash.png?resize=300%2C85&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-hash.png?resize=768%2C218&amp;ssl=1 768w\" sizes=\"(max-width: 798px) 100vw, 798px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8a57fef elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8a57fef\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5042086\" data-id=\"5042086\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a4446cf elementor-widget elementor-widget-text-editor\" data-id=\"a4446cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The next step will require logging into <a href=\"https:\/\/www.shodan.io\/\">Shodan<\/a> and running the following Shodan query for the favicon hash:<\/p><p><a href=\"https:\/\/www.shodan.io\/search?query=http.favicon.hash%3A-1175420087\">http.favicon.hash:-1175420087<\/a><\/p><p>(or, in the case of the Santander example favicon &#8211; <a href=\"https:\/\/www.shodan.io\/search?query=http.favicon.hash%3A2147153955\">http.favicon.hash:2147153955<\/a>)<\/p><p>Results will vary and you will encounter legitimate websites in there, as well as some fake 
impersonations:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0fc4f4a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0fc4f4a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ca57a87\" data-id=\"ca57a87\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-266a89c elementor-widget elementor-widget-image\" data-id=\"266a89c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"745\" height=\"313\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-3.png?fit=745%2C313&amp;ssl=1\" class=\"attachment-large size-large wp-image-2952\" alt=\"BOI phishing favicon 3\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-3.png?w=745&amp;ssl=1 745w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-favicon-3.png?resize=300%2C126&amp;ssl=1 300w\" sizes=\"(max-width: 745px) 100vw, 745px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-50a54fd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"50a54fd\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6ca60b3\" data-id=\"6ca60b3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8ae7af6 elementor-widget elementor-widget-image\" data-id=\"8ae7af6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"303\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon-2.png?fit=748%2C303&amp;ssl=1\" class=\"attachment-large size-large wp-image-2953\" alt=\"santander phishing favicon 2\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon-2.png?w=748&amp;ssl=1 748w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/santander-phishing-favicon-2.png?resize=300%2C122&amp;ssl=1 300w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fbe4824 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fbe4824\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-65d4075\" data-id=\"65d4075\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-54a4d19 elementor-widget elementor-widget-text-editor\" data-id=\"54a4d19\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>You can revert back to Virus Total then and check the URL &#8211; in many cases it will immediately cement the malicious domain suspicion (see <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/active-secureonline.com\">here<\/a> for an example).<\/p><p>This technique is a great way to discover similar, sometimes even unconnected phishing websites that impersonate the same target by using their favicons.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5035c8f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5035c8f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a40aa85\" data-id=\"a40aa85\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fe36041 elementor-widget elementor-widget-text-editor\" data-id=\"fe36041\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Interact with the website<\/strong> &#8211; simple interactions with the website and its login fields might lead to unexpected results &#8211; especially if you 
interact with the elements while simultaneously looking at the Developer Tools (right click and Inspect while using Google Chrome). In the case of one of the phishing websites, an item of particular interest was found when viewing network requests made after a failed login attempt:<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f200ec1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f200ec1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c8fdd4e\" data-id=\"c8fdd4e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9de5e94 elementor-widget elementor-widget-image\" data-id=\"9de5e94\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"636\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-link-OSINT.png?fit=1024%2C636&amp;ssl=1\" class=\"attachment-large size-large wp-image-3034\" alt=\"BOI phishing link OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-link-OSINT.png?w=1041&amp;ssl=1 1041w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-link-OSINT.png?resize=300%2C186&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-link-OSINT.png?resize=1024%2C636&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/BOI-phishing-link-OSINT.png?resize=768%2C477&amp;ssl=1 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cd59abc elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cd59abc\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-905bb70\" data-id=\"905bb70\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7f5a644 elementor-widget elementor-widget-text-editor\" data-id=\"7f5a644\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The screenshot above shows a rather unusual link to a Telegram account:<\/p><ul><li><a href=\"https:\/\/t.me\/kr3pto\">https:\/\/t.me\/kr3pto<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-16a4c72 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"16a4c72\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3474c32\" data-id=\"3474c32\" 
data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-819a9f4 elementor-widget elementor-widget-image\" data-id=\"819a9f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"376\" height=\"303\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/kr3pto-OSINT.png?fit=376%2C303&amp;ssl=1\" class=\"attachment-large size-large wp-image-3038\" alt=\"kr3pto OSINT\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/kr3pto-OSINT.png?w=376&amp;ssl=1 376w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/12\/kr3pto-OSINT.png?resize=300%2C242&amp;ssl=1 300w\" sizes=\"(max-width: 376px) 100vw, 376px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-71fa535 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"71fa535\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e736820\" data-id=\"e736820\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d83f729 elementor-widget elementor-widget-text-editor\" data-id=\"d83f729\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Even the most cursory research on the handle &#8220;Kr3pto&#8221; will bring back numerous sources describing the nature and the type of activities that this individual engages in &#8211; essentially, this is a malicious actor (suspected to be Russian) who supplies phishing kits for monetary reward.<\/p><p>This whole phishing campaign is therefore directly or indirectly (some sources point to the possibility of cracked phishing kits being used in this case) linked to this malicious software developer, whose digital footprint includes accounts on the following platforms:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-22a1556 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"22a1556\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3c9d40d\" data-id=\"3c9d40d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d82fb18 elementor-widget elementor-widget-text-editor\" data-id=\"d82fb18\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><a href=\"https:\/\/t.me\/kr3pto\">https:\/\/t.me\/kr3pto<\/a><\/li><li><a href=\"https:\/\/icq.im\/Kr3pto\">https:\/\/icq.im\/Kr3pto<\/a><\/li><li><a href=\"https:\/\/keybase.io\/kr3pto\">https:\/\/keybase.io\/kr3pto<\/a><\/li><li><a 
href=\"https:\/\/bitify.com\/user\/kr3pto\/\">https:\/\/bitify.com\/user\/kr3pto\/<\/a><\/li><li><a href=\"https:\/\/bitcointalk.org\/index.php?action=profile;u=2249615\">https:\/\/bitcointalk.org\/index.php?action=profile;u=2249615<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b60f782 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b60f782\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-31792f5\" data-id=\"31792f5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e0c7d4c elementor-widget elementor-widget-text-editor\" data-id=\"e0c7d4c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>* * * * *<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-09c55fe elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"09c55fe\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-893664f\" data-id=\"893664f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-29c36d5 elementor-widget elementor-widget-text-editor\" data-id=\"29c36d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>PS:<\/strong> Some light reading for those interested in more detail about the malicious actor Kr3pto (who has been around for a while now, actually):<\/p><ul><li><a href=\"https:\/\/www.wmcglobal.com\/blog\/kr3pto-puppeteer-kits-dynamic-phishing-kit-targeting-uk-banking-customers\">https:\/\/www.wmcglobal.com\/blog\/kr3pto-puppeteer-kits-dynamic-phishing-kit-targeting-uk-banking-customers<\/a><\/li><li><a href=\"https:\/\/www.wmcglobal.com\/blog\/threat-actor-update-kr3pto\">https:\/\/www.wmcglobal.com\/blog\/threat-actor-update-kr3pto<\/a><\/li><li><a href=\"https:\/\/www.akamai.com\/blog\/security\/dont-risk-getting-caught-by-kr3pto-phishing-kits\">https:\/\/www.akamai.com\/blog\/security\/dont-risk-getting-caught-by-kr3pto-phishing-kits<\/a><\/li><li><a href=\"https:\/\/www.globaldots.com\/resources\/blog\/massive-campaign-targeting-uk-banks-bypassing-2fa\/\">https:\/\/www.globaldots.com\/resources\/blog\/massive-campaign-targeting-uk-banks-bypassing-2fa\/<\/a><\/li><li><a href=\"https:\/\/thefintechtimes.com\/11-uk-banking-brands-hit-by-phishing-kits-according-to-akamais-security-report\/\">https:\/\/thefintechtimes.com\/11-uk-banking-brands-hit-by-phishing-kits-according-to-akamais-security-report\/<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Investigating a large phishing campaign against Irish users &#8211; while laying out step by step the methodology and the 
workflow.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[93],"tags":[80,149,34,56,82,81,79],"class_list":["post-2889","post","type-post","status-publish","format-standard","hentry","category-my-investigations","tag-domain","tag-fraud","tag-investigation","tag-ireland","tag-phishing","tag-scam","tag-website"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=2889"}],"version-history":[{"count":162,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2889\/revisions"}],"predecessor-version":[{"id":3072,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2889\/revisions\/3072"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=2889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=2889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=2889"}],"curies":[{"name":"wp","href":"https:\/\/api.w
.org\/{rel}","templated":true}]}}