Phishing (& Fighting back)

When you are hit with phishing attempts, what can you do?

For followers of this blog, I must apologise for the lack of content and the delay in updating it. As I've been working hard, learning new systems and going through the cycles of life, I've spent more time sharing security news on LinkedIn than refining any guides or articles here.

This post will be short and sweet, but it demonstrates what you can do about phishing pages and includes a brief example of some Office 365 phishing I received this week.

It started with someone's compromised email account sending an email with a .HTM attachment:

Who the heck uses Faxes in 2019

This attachment loaded a locally built page containing little more than an animation and a redirect:

Nice use of Microsoft's Segoe font to look like 365

After playing the animation for about 5-10 seconds, the page redirected to a real URL. Phishing often relies on typosquatting (also called "domain squatting"), where the URL merely resembles a legitimate one (e.g. Office3655.com).
</gra_replace>
<gr_replace lines="23" cat="clarify" orig="The URL quite">
The bare domain (http://lowasiticas.xyz with no path) quite cleverly redirects to office.com, so even a wary user who checks the root of the domain may land on Office, possibly already signed in, which lends the page extra legitimacy.

The URL this would load is: http://lowasiticas.xyz/ma/ which was the hosted phishing page:

Seems sort of legit

The URL quite cleverily redirects to office.com (when using no other extension) so even if weary, it’s possible if you put in http://lowasiticas.xyz you may auto login to office which could give more legitimacy to how it appears.
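A useful first step with an attachment like this is to pull the redirect target out of it without rendering it in a browser. The following is an added example, not code from the original post: it parses a constructed .htm sample (modelled on the structure described above, with a spinner and a delayed redirect; the markup and JavaScript are made up) and reports both the meta-refresh and JavaScript redirect targets so the destination domain can be looked up and reported.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment. The page the post describes had an animation
# and a timed redirect; this markup is an illustration of that pattern only.
SAMPLE_HTM = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="8; url=http://lowasiticas.xyz/ma/">
<style>body{font-family:'Segoe UI',sans-serif}</style>
</head><body>
<div class="spinner">Loading your fax...</div>
<script>
  setTimeout(function(){ window.location.href = "http://lowasiticas.xyz/ma/"; }, 8000);
</script>
</body></html>
"""


class _MetaRefreshParser(HTMLParser):
    """Collects targets of <meta http-equiv="refresh" content="N; url=..."> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # HTMLParser already lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(("meta-refresh", m.group(1)))


# location = "...", location.href = "...", location.replace("..."), location.assign("...")
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"""
    r"""\s*(?:=|\()\s*['"]([^'"]+)['"]""",
    re.I,
)


def extract_redirects(html):
    """Return a list of (mechanism, url) pairs found statically in the markup."""
    parser = _MetaRefreshParser()
    parser.feed(html)
    found = list(parser.targets)
    for m in _JS_REDIRECT.finditer(html):
        found.append(("javascript", m.group(1)))
    return found


def redirect_hosts(html):
    """Distinct hostnames the page would send the victim to."""
    hosts = set()
    for _, url in extract_redirects(html):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    # Pass a saved attachment as the first argument, or run on the built-in sample.
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTM
    for mechanism, url in extract_redirects(html):
        print(f"{mechanism:13} {url}")
    print("hosts to report:", ", ".join(redirect_hosts(html)))
```

The JavaScript pattern only catches literal string assignments; lures that build the URL from pieces (string concatenation, base64, `atob`) need the script body decoded first, so treat an empty result as "inspect by hand", not "clean".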

When you have the domain that is hosting the abusive content, whether phishing pages, malware or anything else, there are things you (and anyone) can usually do about it.

First, identify the domain's registrar and who hosts it (directly or indirectly); that is the first, and often the last, place you'll need to go. Looking up the domain's WHOIS record brings up its registration information:

Some WHOIS regarding the domain

From this alone we know the domain is registered through a legitimate registrar, namecheap.com, and that the record lists an Abuse@ contact (almost every registrar publishes one, typically alongside other role mailboxes such as admin@ and technical contacts).

With this information you can report the content to the registrar, which typically prompts them to suspend, block or remove the domain. Bear in mind that the registrar controls the registration, not the web server: if the registrar is slow to act, resolve the domain to its IP, look up the WHOIS record for that address and report to the hosting provider's abuse contact as well.
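The registrar and abuse contact are easy to pick out of a WHOIS record by hand, but when you are dealing with a campaign across many domains it pays to script it. The following is an added example, not the author's own tooling: it parses a constructed WHOIS-style record (the key/value layout ICANN-accredited registrars return; the dates, name servers and registry ID below are placeholders, not a capture of the real record) into a dictionary, pulls out the registrar's abuse address, and flags how new the registration is, since freshly registered domains are a common marker of throwaway phishing infrastructure. The optional live lookup assumes a `whois` command-line client is installed.

```python
import re
import subprocess
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed WHOIS-style record for illustration. Layout follows the common
# "Key: Value" format; the ID, dates and name servers are placeholders.
SAMPLE_WHOIS = """\
Domain Name: LOWASITICAS.XYZ
Registry Domain ID: PLACEHOLDER-ID
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2019-07-01T00:00:00Z
Creation Date: 2019-06-28T00:00:00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Privacy service provider
Name Server: ns1.example-dns.invalid
Name Server: ns2.example-dns.invalid
DNSSEC: unsigned
>>> Last update of WHOIS database: 2019-07-10T00:00:00Z <<<
"""

# Key is everything up to the first colon; values such as URLs and timestamps
# contain colons themselves, so the key match must be non-greedy.
_KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$")
# Keys that legitimately repeat and should be collected as lists.
_MULTI_VALUED = {"name server", "domain status"}


def parse_whois(text):
    """Parse 'Key: Value' WHOIS output into a dict keyed by lower-cased field name."""
    info = {}
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in _MULTI_VALUED:
            info.setdefault(key, []).append(value)
        elif key not in info:
            # Registry and registrar sections can repeat a field; keep the first.
            info[key] = value
    return info


def abuse_contacts(info):
    """Addresses to send the report to, most specific first."""
    contacts = []
    email = info.get("registrar abuse contact email")
    if email:
        contacts.append(email.lower())
    elif info.get("registrar url"):
        # Fallback guess when no abuse address is published: abuse@ the registrar's domain.
        host = urlparse(info["registrar url"]).hostname or ""
        host = host[4:] if host.startswith("www.") else host
        if host:
            contacts.append(f"abuse@{host}")
    return contacts


def domain_age_days(info, today):
    """Days since registration, or None if the record carries no creation date."""
    created = info.get("creation date")
    if not created:
        return None
    created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (today - created_at).days


def live_whois(domain):
    """Fetch a record with the system whois client (network access and the client required)."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=False)
    return parse_whois(out.stdout)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("registrar:      ", rec.get("registrar"))
    print("report to:      ", ", ".join(abuse_contacts(rec)))
    print("name servers:   ", ", ".join(rec.get("name server", [])))
    print("age in days:    ", domain_age_days(rec, datetime.now(timezone.utc)))
```

The name servers tell you who runs DNS for the domain, which is frequently the hosting provider too; when it is not, the A record's IP and a WHOIS lookup on that address gives you the second abuse contact to copy in.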

At the time of writing this domain has been reported, and the phishing page already redirects to google.com, possibly to evade detection.

In my past experience this approach has often had pages taken down. In my line of work, where attacks and spam campaigns are frequently targeted (and often automated), removing the source of the badness, the domain hosting the spam or phishing page, has often undone the damage of the mass emails or prevented further infections and credential harvesting.
