Hunting With URLscan: Part 1
Today, we’re going to focus on using URLscan.io, a powerful tool to hunt for phishing attacks. This guide will help you understand the process better and improve your defensive strategy.
| Topics | Description |
|---|---|
| Hunting With URLscan: Part 1 | Get to know the basics |
| Hunting With URLscan: Part 2 | Filenames and Hashes |
| Hunting With URLscan: Part 3 | Search Operators |
| Hunting with URLscan: Part 4 | Query Builder |
What is URLscan.io?
URLscan.io is a free online service that allows you to analyze and scrutinize websites, identifying potential threats such as phishing, malware, and more. It generates detailed reports about the content and behavior of a scanned URL.
Let’s dive into what you can find in URLscan reports:
1. Summary Info
This is a brief overview of a scanned URL. It includes data like IP addresses, server type, location, and more. Here, you can quickly gauge if something looks out of the ordinary.
2. Web Requests
This section lists all web requests made when the page was loaded. It shows the requested URLs, methods (like GET or POST), and status codes. This can help spot strange requests that shouldn’t be there.
3. Redirects
Here, URLscan.io records all redirections that occurred while loading the webpage. Malicious sites often use redirects to hide their true location or purpose.
4. Links
This section shows all the links found on the webpage. Pay close attention to outbound links, which could lead to harmful sites.
5. Behavior
This unique feature shows what happens when the page loads. If it sets cookies, makes requests, or triggers downloads, you’ll see it here.
6. Indicators
Indicators provide information on anything suspicious about the site. This could include IP addresses linked to malicious activity or unusual script behavior.
7. DOM (Document Object Model)
Here you’ll find how the webpage is structured. Anomalies in the DOM can indicate malicious intent.
8. Content
This section shows the webpage’s visible text. Phishing sites often contain unusual or poorly written content.
Now, let’s move on to how we can use URLscan.io to hunt for phishing attacks.
Hunting Phishing Attacks
Searching with URLscan.io is straightforward. You can search using different parameters like IP, URL, ASN, domain.
For instance, if you want to search for all pages containing the word ‘paypal,’ you’d type ‘paypal*‘ in the search bar.
To hunt for phishing attacks specifically, you can use queries that focus on known phishing indicators. For example, to search for pages mimicking Facebook, you could use ‘page.url:facebook*login‘ and then look for suspicious URLs in the results.
