Get hands-on practice with every part of the IOK language and learn how to write robust detection rules that find phishing sites without drowning you in false positives.
Hello Phish!
Phishing sites often use domains containing the brand name they're impersonating.
Let's find a phishing site where the domain contains "stripe".
Detecting domain generation algorithms
Phishing sites (hopefully) have a short lifespan before they're detected and taken down, at which point the phisher registers a new domain and starts the process all over again.
Some phishers automate this process using a script which automatically registers new domains. Once you figure out the pattern, you can quickly find every new domain, just based on the name.
Filtering false positives
In the previous lesson we found a large number of Facebook phishing sites. But our results were full of 404 pages from scans after the site had been suspended.
In this lesson we'll see how to use multiple properties to filter down results to just the malicious sites.
Suspicious file names
Phishing sites are created by relatively low-skilled threat actors who rely heavily on copying from other phishing kits.
This means you'll often see the same assets (images, scripts, etc.) used across multiple similar phishing kits. We use this to detect a set of Microsoft scams.
Unique kit IDs
It's useful to detect not only that a site is malicious, but specifically which phishing kit it's hosting.
Some website design choices make this very easy. We can look for values in the page which are usually unique per request, but which during the cloning process get fixed at a specific value.
WhatsApp QR Phishing
Today the training wheels come off! You'll be writing an IOK rule from scratch to detect a WhatsApp QR phishing kit.
This site can be detected using IOK features you've seen in previous lessons, but if you get stuck we've got a companion blog post to guide you: https://phish.report/blog/whatsapp-iok-rule
Hotloaded Assets
Phishers often create their kits by cloning the website of the brand they're targeting. Their goal is a perfectly standalone phishing kit, but the process is rarely perfect and so assets are often still loaded from the original source.
We can use this to find sites which are likely the result of cloning.