urlscan

New update in URLSCAN to detect malicious domains

If you follow our blog (osintafrica), you already know the URL and website scanner urlscan.io; see https://www.osintafrica.net/how-to-use-urlscan-part1/ for an introduction.

The best tools keep improving, and urlscan.io is one of them. Two recent additions let an analyst investigate phishing sites that mimic an organization faster and more efficiently.

Let’s have a look at the new improvements.

The two new features are favicon-hash search and HTTP POST request detection. Together they help spot sites that mimic an organization's login page and the domains that collect the harvested credentials.

To see what that means in practice, let's work through a few examples.

Detecting a website mimicking Netflix with favicon hash analysis

A favicon is the small icon a website serves for the browser tab, bookmarks and search results; it is how users visually recognize a site.

The favicon file can be hashed, and because phishing kits usually copy the brand's icon byte for byte, a search for the same hash turns up other sites serving that icon.

urlscan.io now shows that hash directly in the scan result, so an analyst can pivot on it in one click.

Example 1:

We open a urlscan.io result for a domain mimicking the Netflix login page and use its favicon hash to find related sites.

Let's do it.

Open https://urlscan.io/result/fb90e947-db87-4476-924d-5db678a50acd/#transactions

Click the blue "HTTP" button, press Ctrl+F and search for "favicon", scroll to the favicon response, then click its hash and open it in a new tab: the search result lists every other scan whose favicon has the same hash.

Example 2: detecting a website mimicking Microsoft.com.

https://urlscan.io/result/b4cf2f17-ebee-47b4-b85e-f63eae623ec4/#transactions

Again, click the favicon hash and open it in a new tab to see the matching scans.
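To see what the favicon pivot does under the hood, here is an added Python example (not part of the original post and not urlscan.io's code): it hashes favicon bodies the way urlscan's HTTP tab does (SHA-256 of the response body) and lists the domains that serve the brand's icon without being the brand. The icon bytes, domain names and the sample scan list are constructed; the urlscan search field hash: and the page.domain filter are real.

```python
"""Favicon-hash pivot (added example, not osintafrica's or urlscan.io's code).

Given scan results as (page domain, favicon bytes), group them by favicon hash
and list the domains that serve the brand's icon without being the brand.
Icons and domains below are constructed. urlscan.io shows a SHA-256 of every
fetched response in its HTTP tab and that value is searchable as hash:<value>,
so the same digest is computed here.
"""
import hashlib
import sys

# Constructed sample icons: stand-ins for real .ico files.
NETFLIX_ICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"N" * 64
OTHER_ICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"X" * 64

# Constructed "scan results": (page.domain, favicon response body).
SAMPLE_SCANS = [
    ("netflix.com", NETFLIX_ICON),
    ("www.netflix.com", NETFLIX_ICON),
    ("netfllx-login.example", NETFLIX_ICON),  # phishing kit reusing the real icon
    ("example.org", OTHER_ICON),
]


def favicon_hash(icon_bytes: bytes) -> str:
    """SHA-256 hex digest of the favicon body, as shown in the urlscan HTTP tab."""
    return hashlib.sha256(icon_bytes).hexdigest()


def belongs_to(domain: str, brand_domain: str) -> bool:
    """True for the brand domain and its subdomains only; netflix.com.evil.example is NOT the brand."""
    return domain == brand_domain or domain.endswith("." + brand_domain)


def lookalikes_by_favicon(scans, brand_domain: str):
    """Domains serving a favicon hash that the brand also serves, but which are not the brand."""
    # Brands often serve several icon variants, so collect every hash seen on legitimate hosts.
    brand_hashes = {favicon_hash(icon) for domain, icon in scans if belongs_to(domain, brand_domain)}
    return sorted({domain for domain, icon in scans
                   if favicon_hash(icon) in brand_hashes and not belongs_to(domain, brand_domain)})


def urlscan_query(icon_hash: str, brand_domain: str) -> str:
    """Search string to paste into urlscan.io: same favicon hash, excluding the brand itself."""
    return f"hash:{icon_hash} AND NOT page.domain:{brand_domain}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Hash a real favicon file given on the command line.
        with open(sys.argv[1], "rb") as fh:
            print(favicon_hash(fh.read()))
    else:
        print("lookalikes:", lookalikes_by_favicon(SAMPLE_SCANS, "netflix.com"))
        print("query:", urlscan_query(favicon_hash(NETFLIX_ICON), "netflix.com"))
```

Run it with the path to a real .ico file to get the hash to paste into the search box, or with no argument to see the constructed example. A matching hash only proves the icon was copied, not that the site is malicious: CDNs, mirrors and legitimate partners will show up as well, so each hit still needs a look at the page itself.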


Detecting a credential harvesting domain with HTTP POST request detection


Credential harvesting is when a threat actor sends a phishing link to a user; once the user clicks it and enters credentials, the form posts them to a domain the actor controls, where they are stored and later used to impersonate the user or sold on the dark web. The technique is commonly used against organizations that rely on cloud services such as Microsoft 365 (O365).

For example, we detected a malicious domain mimicking the Microsoft login page; when a user submits the form, the credentials are sent to hxxps://robertreed1313[.]xyz/next.php.

Open the scan:

https://urlscan.io/result/e25dc1e1-9ab7-491c-94a8-20aec6eba2d8/#transactions

In the HTTP transactions list you will see an HTTP POST request, which indicates that form data is being sent to another URL, in this case hxxps://robertreed1313[.]xyz/next.php. A POST from a login page to a domain that is neither the page's own domain nor a legitimate identity provider is the signature of a credential-harvesting kit.
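The same check can be automated against the scan's JSON. Below is an added example (not from the original post and not urlscan.io's code) that walks the HTTP transactions of a result, flags every POST whose target domain is neither the page's own domain nor an allowlisted identity provider, and reports the names of the submitted form fields. SAMPLE_RESULT is a constructed document shaped like the urlscan result JSON (page.domain and data.requests[].request.request.method/url/postData); confirm those field names against a real result fetched from https://urlscan.io/api/v1/result/<uuid>/ before relying on them. The exfiltration URL is the one from the scan above.

```python
"""Flag HTTP POSTs that leave the scanned page's domain: the fingerprint of a
credential-harvesting kit. Added example, not osintafrica's or urlscan.io's code.

SAMPLE_RESULT is constructed and shaped like the urlscan result JSON
(page.domain, data.requests[].request.request.{method,url,postData}); check the
field names against a real result before relying on them.
"""
from urllib.parse import parse_qs, urlsplit

SAMPLE_RESULT = {
    "page": {"domain": "login-microsoft.example", "url": "https://login-microsoft.example/"},
    "data": {"requests": [
        {"request": {"request": {"method": "GET", "url": "https://login-microsoft.example/"}}},
        {"request": {"request": {"method": "GET", "url": "https://login-microsoft.example/css/login.css"}}},
        # same-site POST: normal page telemetry, must not be flagged
        {"request": {"request": {"method": "POST", "url": "https://login-microsoft.example/telemetry",
                                 "postData": "event=pageview"}}},
        # the harvested form, posted to the actor's domain (URL taken from the scan above)
        {"request": {"request": {"method": "POST", "url": "https://robertreed1313.xyz/next.php",
                                 "postData": "username=alice%40corp.example&password=hunter2"}}},
    ]},
}

# Third parties that legitimately receive POSTs from a login page; extend for your environment.
ALLOWLIST = {"microsoftonline.com", "live.com"}


def registrable(host: str) -> str:
    """Last two labels of a hostname. Naive (wrong for co.uk etc.); use tldextract for real work."""
    return ".".join(host.lower().split(".")[-2:])


def find_exfil_posts(result):
    """Return (url, sorted form field names) for every POST to a domain other than the page's own.

    Field values are deliberately not returned: a scan may contain a victim's real credentials.
    """
    page_domain = registrable(result["page"]["domain"])
    hits = []
    for entry in result.get("data", {}).get("requests", []):
        req = entry.get("request", {}).get("request", {})
        if req.get("method", "").upper() != "POST":
            continue
        host = urlsplit(req.get("url", "")).hostname or ""
        target = registrable(host)
        if target == page_domain or target in ALLOWLIST:
            continue
        fields = sorted(parse_qs(req.get("postData", ""), keep_blank_values=True))
        hits.append((req["url"], fields))
    return hits


def looks_like_harvesting(fields) -> bool:
    """Heuristic: a foreign POST carrying a credential-like field is almost certainly theft."""
    markers = ("pass", "pwd", "otp", "token", "user", "email", "login")
    return any(any(m in f.lower() for m in markers) for f in fields)


if __name__ == "__main__":
    for url, fields in find_exfil_posts(SAMPLE_RESULT):
        label = "CREDENTIAL HARVESTING" if looks_like_harvesting(fields) else "foreign POST"
        print(f"{label}: {url} fields={fields}")
```

Field values are intentionally dropped: a result may contain real credentials typed by a victim, and they do not belong in a ticket or a log. A POST to a foreign domain is not proof by itself (analytics beacons and federated logins do the same), which is why the field names and the page's context are checked together.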

Here is another example to make the pattern clearer.

Another malicious domain mimicking the Microsoft login page:

fattykins.za.com (scan on urlscan.io)

And a last example, a malicious domain mimicking the Netflix login page:

ron-marom12.github.io (scan on urlscan.io)

NB: Be careful when checking domains: always cross-check with VirusTotal and check whether the domain was registered recently before making a decision. A POST to a third-party domain is also normal for legitimate sites (analytics, federated login), so look at what is posted and where it goes.


Did you know that urlscan can also find malicious or typosquatting domains mimicking your own organization?

Let's look for domain names similar to microsoft.com.

Open urlscan.io, go to Search (https://urlscan.io/search/) and type: page.domain:(microsoft.com~ AND NOT microsoft.com)

The tilde asks for a fuzzy match (domains a few character edits away from microsoft.com) and the NOT clause drops the legitimate domain itself.
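To see which domains that fuzzy query will and will not return, here is an added Python example (not from the original post and not urlscan.io's code). urlscan's search box is backed by an Elasticsearch query string, where a trailing tilde means a fuzzy match within a small Damerau-Levenshtein edit distance (AUTO fuzziness by default: one edit for terms of 3 to 5 characters, two edits for longer ones). The code applies the same rule to a constructed list of observed page.domain values.

```python
"""Lookalike-domain filter that mirrors urlscan's fuzzy search (added example,
not osintafrica's or urlscan.io's code).

OBSERVED_DOMAINS is a constructed list of page.domain values, as they might
come back from a urlscan search.
"""

OBSERVED_DOMAINS = [
    "microsoft.com", "micros0ft.com", "mircosoft.com", "rnicrosoft.com",
    "microsofts.com", "microsoft-login.com", "login.microsoftonline.com", "google.com",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insert, delete, substitute and adjacent transposition each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def auto_fuzziness(term: str) -> int:
    """Elasticsearch AUTO fuzziness: 0 edits up to 2 chars, 1 edit for 3-5 chars, 2 edits beyond."""
    n = len(term)
    return 0 if n <= 2 else 1 if n <= 5 else 2


def urlscan_query(brand: str) -> str:
    """The search string used above, built for any brand domain."""
    return f"page.domain:({brand}~ AND NOT {brand})"


def fuzzy_lookalikes(domains, brand: str):
    """Domains the fuzzy query would match: within AUTO edit distance of the brand, but not the brand."""
    limit = auto_fuzziness(brand)
    return sorted(d for d in set(domains)
                  if d != brand and osa_distance(d.lower(), brand.lower()) <= limit)


if __name__ == "__main__":
    print(urlscan_query("microsoft.com"))
    for d in fuzzy_lookalikes(OBSERVED_DOMAINS, "microsoft.com"):
        print(f"{d:28} distance={osa_distance(d, 'microsoft.com')}")
```

The fuzzy query catches character swaps, substitutions and single insertions (micros0ft, mircosoft, microsofts) but not combosquats such as microsoft-login.com or subdomain abuse such as microsoft.com.evil.example, which are more than two edits away. For those, add a wildcard search (page.domain:*microsoft*, slow because of the leading wildcard) or generate candidates with a typosquat generator and search for each one exactly.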

As you can see, urlscan has improved a lot; it can save you a great deal of time during an investigation. Start using it at https://urlscan.io/.


How to use URLSCAN part 2

This is part 2 of How to use URLSCAN; part 1 is at https://www.osintafrica.net/how-to-use-urlscan-part1/.

Moving on: the result page shows 11 blue menu tabs.

We will describe what each one is for.

  1. Summary

Click the "Summary" button to open this menu.

It contains the key details about the submitted domain.

In particular, the following details are visible:

The number of domains and IPs contacted while the submitted page loaded.

The main IP address with its location, and the hosting provider of the domain.

The TLS certificate used by the website and its validity period.

How many times the site has been scanned (3 times in this example).

  • Show scans

This submenu lists the previous scans of the domain. Click any of them to see how the site looked at that time and which IP address and ASN were behind the domain then; a change of hosting between scans is itself a useful clue.

  • Domain classification

The second part of the Summary menu is the domain classification provided by Google Safe Browsing.

In our example Google Safe Browsing returned "No classification", meaning the domain is not currently flagged by Safe Browsing. That is not proof the domain is clean: newly registered phishing domains are often not listed yet.

  • Domain and IP information

This section has 7 submenus.

The IP/ASNs submenu lists every IP address contacted while the page loaded, with its ASN (Autonomous System Number).

Click an IP address or ASN to find more information about it.

The "IP Detail", "Domains" and "Domain Tree" submenus give details about the IPs and domains contacted by the submitted page. Click each one to see the information available.


The "Links" submenu lists all the links on the page that point to other domains or URLs.

Click a link to get more details about it.

The "Certs" submenu lists the TLS certificates seen during the scan, with their validity periods.

Click the crt.sh link on the right to look the certificate up in the certificate transparency logs, which also reveals other hostnames issued under the same certificate.


The "Frames" submenu shows whether the page loads other URLs in frames (iframes).

  • Image

Having covered the Summary submenus, look at the right side: once the domain has been submitted, a screenshot of the website appears there.

This shows what the site behind the submitted domain looks like. It matters during an investigation: when analysing a phishing case you want to see the page without connecting to it from your own machine.

You can click on “Live screenshots” and “Full Image” to have better visibility of the image.

  • Detected technologies

Here you can see the technologies detected on the page (frameworks, libraries, CMS, analytics and so on). This matters for an analyst: if a website has been compromised, the threat actor may have injected malicious code, and the detected technologies can reveal unexpected scripts or libraries; on your own site the same list shows components that are outdated or no longer needed.

  • Page Statistics

This section gives the overall figures for the submitted URL: number of HTTP requests, domains, subdomains, cookies, IPs and so on.

Part 3 continues in How to use URLSCAN part 3 (osintafrica).

How to use URLSCAN

urlscan.io performs different kinds of web scans and is also used to look up IOCs such as IP addresses, domains, hashes, file names and more.

It is used by security analysts, cyber threat intelligence, threat hunting and incident response teams, among others.

The tool comes in a free community version and paid plans.

This series covers the community version, which is available for free.

To reach the web application, browse to urlscan.io; you will land on the following screen.

For our purposes two menus matter: Home and Search.

  • HOME

This menu shows the live feed of scans submitted by users from all over the world.

By default a scan is public: if you keep the default and scan something, the scan, including the URL you submitted, is visible to everyone.

So we advise you to open the options and choose private mode if you do not want others to see what you queried. This also avoids tipping off the threat actor: the public feed is searchable by anyone, including the attacker, who can learn that their page is being examined.

Because urlscan fetches the page from its own infrastructure, the target site only sees urlscan's request, not your machine's.

Examples:

  • To change the apparent location of the scan, use the country selection or leave it on auto (note that country selection for private scans is only available on commercial plans).
  • You can change the User-Agent. For example, if the page you want to scan is built for mobile phones, pick one of the Android user agents. Phishing kits often serve their content only to certain user agents, so rescanning with a mobile user agent can reveal a page that a desktop scan misses.

You can also supply your own custom User-Agent string.

  • The "HTTP referer" option sets the Referer header sent with the scan, useful when a page only serves its content to visitors arriving from a specific site.


Now let's scan an arbitrary URL in private mode and analyse its behaviour.

After submitting the URL, the result shows the submitted URL, the effective URL after redirects, and the IP address behind it (151.101.129.140 in our case).

On the right side there are 5 menus.

The "Lookup" menu links to external tools such as VirusTotal, crt.sh and RiskIQ that give more details about the submitted domain (click each one to learn more).

The "Go To" option opens the submitted web page itself. Be careful: if the domain is malicious, visiting it from your own machine may compromise you.

The option “Rescan” is used to rescan the submitted URL.

The "Add Verdict" option lets you record your own assessment of the submitted domain, and "Report" shows the details of the scan report.

The next part is described in the part 2 (How to use URLSCAN part2 – osintafrica)
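Everything described in part 2 (the Summary tab) and part 3 (private scans, custom User-Agent, HTTP referer) is also available through the urlscan.io API, which is how you would run this at scale. The following added Python example (not from the original posts and not urlscan.io's code; standard library only) submits a private scan, polls until the result exists and prints the Summary-tab facts. It assumes an API key in the URLSCAN_API_KEY environment variable, the v1 endpoints /scan/ and /result/<uuid>/ with the options visibility, customagent, referer and tags, and result fields (page, lists, verdicts) as found in urlscan result JSON; SAMPLE_RESULT is constructed so the summary runs offline, and those field names should be checked against a real result.

```python
"""Submit a private urlscan.io scan, wait for the result, print a triage summary.

Added example, not osintafrica's or urlscan.io's code; standard library only.
Assumptions: API key in URLSCAN_API_KEY; v1 endpoints and option names
(visibility, customagent, referer, tags); result fields page/lists/verdicts as
known from urlscan result JSON. SAMPLE_RESULT is constructed.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request

API = "https://urlscan.io/api/v1"
VISIBILITIES = ("public", "unlisted", "private")


def build_scan_request(url, visibility="private", user_agent=None, referer=None, tags=None):
    """JSON body for POST /scan/. Private keeps the scan out of the public feed,
    so the phisher cannot learn from urlscan that someone is looking at the page."""
    if visibility not in VISIBILITIES:
        raise ValueError(f"visibility must be one of {VISIBILITIES}")
    body = {"url": url, "visibility": visibility}
    if user_agent:
        body["customagent"] = user_agent   # e.g. an Android UA to get the mobile version
    if referer:
        body["referer"] = referer          # Referer header sent with the scan
    if tags:
        body["tags"] = list(tags)
    return body


def _call(method, path, api_key, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{API}{path}", data=data, method=method,
                                 headers={"API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def submit_scan(body, api_key):
    """Submit the scan and return its uuid."""
    return _call("POST", "/scan/", api_key, body)["uuid"]


def wait_for_result(uuid, api_key, timeout=120, interval=5):
    """The result endpoint answers 404 until the scan has finished; poll until it appears."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            return _call("GET", f"/result/{uuid}/", api_key)
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
            time.sleep(interval)
    raise TimeoutError(f"scan {uuid} not finished after {timeout}s")


def summarize(result):
    """Pull the Summary-tab facts out of a result document (field names assumed, see docstring)."""
    page = result.get("page", {})
    lists = result.get("lists", {})
    verdict = result.get("verdicts", {}).get("overall", {})
    return {
        "domain": page.get("domain"),
        "ip": page.get("ip"),
        "asn": page.get("asn"),
        "contacted_domains": sorted(set(lists.get("domains", []))),
        "contacted_ips": sorted(set(lists.get("ips", []))),
        "certificates": sorted({c.get("subjectName", "") for c in lists.get("certificates", [])}),
        "malicious": bool(verdict.get("malicious")),
    }


# Constructed result, shaped like the urlscan result JSON; values are documentation addresses.
SAMPLE_RESULT = {
    "page": {"domain": "login-microsoft.example", "ip": "203.0.113.10", "asn": "AS64496"},
    "lists": {
        "ips": ["203.0.113.10", "203.0.113.10", "198.51.100.7"],
        "domains": ["login-microsoft.example", "cdn.example", "login-microsoft.example"],
        "certificates": [{"subjectName": "login-microsoft.example", "validFrom": 0, "validTo": 0}],
    },
    "verdicts": {"overall": {"malicious": True}},
}


if __name__ == "__main__":
    key = os.environ.get("URLSCAN_API_KEY")
    if key and len(sys.argv) > 1:
        body = build_scan_request(sys.argv[1], "private",
                                  user_agent="Mozilla/5.0 (Linux; Android 13) Mobile Safari/537.36")
        result = wait_for_result(submit_scan(body, key), key)
    else:
        result = SAMPLE_RESULT   # offline: no key or URL given
    print(json.dumps(summarize(result), indent=2))
```

With no key or URL it runs against the constructed sample; with URLSCAN_API_KEY set and a URL as the first argument it performs a real private scan. The country option mentioned above is only honoured on commercial plans, so it is left out here.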