A Hands-On Investigation into Phishing Campaigns

Author: Vance Poitier

Cyber threat intelligence (CTI) and open source intelligence (OSINT) are key tradecrafts in today’s cybersecurity landscape. As organisations face increasingly sophisticated attacks, the ability to collect, analyse, and act on threat intelligence has become crucial for security professionals. In this blog, we’ll walk through a practical investigation of a common cybercrime scenario, illustrating both surface-level tactics and the critical thinking used in real-world information gathering and analysis.

Before diving into the practical assessment, it’s essential to understand that threat intelligence goes beyond data collection. It’s a defensive measure that analyses threat behaviour, focusing on the customer or end-user of the intelligence product disseminated at the end of the analytical process.

There is always room for improvement in the technical fields of OSINT and CTI. With cybercrimes on the rise, criminal opportunists continuously exploit human vulnerabilities to achieve their goals. Therefore, honing skills in CTI and OSINT is not just a necessity but an ongoing process.

Investigation Methodology

When approaching a potential cyber threat, it's crucial to follow a structured methodology that ensures thorough analysis while maintaining proper documentation. This investigation will demonstrate the following key phases:

1. Initial Discovery and Assessment
2. Technical Surface Analysis
3. Social Engineering Pattern Recognition
4. Connected Campaign Analysis
5. Evidence Collection and Documentation

Each phase, though not always linear, is interrelated and builds upon the previous one to create a comprehensive understanding of the phishing campaign.

‍Investigation Process

‍The investigation began on Facebook, where I came across a post from an account claiming to be ScotRail. Several red flags emerge: the low number of followers, the post encourages users to click on a link, and it offers an attractive price incentive. These are clear signs of an impersonation attempt.

Such posts are often great opportunities to practice OSINT techniques, as they begin with a single post but are usually part of more sophisticated phishing campaigns that can span multiple countries.

When consumers click the link contained in the post, they are redirected to a page asking for personal details such as card delivery method, name, and phone number. While it’s common for phone numbers to be used in further phishing attempts, I bypass this stage by entering fake information. This takes the user to the next step, a seemingly random game where users are asked to pick from three choices. The JavaScript is designed so the user always wins, advancing them to the next part of the site.

URLScan

‍A URL scan of the phishing post link reveals that Google has flagged it as a dangerous URL, although Cloudflare has not yet taken action. It is relatively simple to contact Cloudflare and request that malicious domains be removed, which would cause a temporary disruption for the criminals using that IP for phishing.

Critical Thinking in Phishing Investigations

‍When investigating phishing attacks, it’s important to look beyond technical findings and assess the overall operational environment. Each piece of information, whether it’s the URL structure, hosting provider, or social engineering tactics, provides insight into the sophistication and operational security of the threat actor.

For example, the use of Cloudflare indicates an understanding of infrastructure protection, while the multi-stage phishing game reflects a high level of expertise in manipulating human behaviour. These observations help us understand not only the goals of the campaign but also the mindset of the attacker and which defensive measures would be most effective.

‍Main Target

‍Upon reaching the final stage of the process, where the user is guaranteed to win the game and receive a fake train ticket, the site redirects to a payment process where additional personal information is collected. 

The payment gateway charges arbitrary amounts despite claiming only a small fee of 2 euros, with the payment appearing under the name “YourOC.EU” on the credit card statement. This is an obfuscation tactic to prevent detection of the phisher’s identity.

‍Subdomains and Payment Link

‍The payment gateway only has two subdomains that can be used for further enumeration. All planned IP addresses still point to Cloudflare’s content delivery networks (CDNs). While penetration testing could reveal more detailed information, for this investigation, I focused on surface-level findings. These publicly available elements contribute to intelligence gathering, but to take action, one would need to gather information about the individuals or groups responsible for setting up the payment gateway and running the phishing campaign across Europe.

Reviewing Facebook Comments

‍When researching a scam like this on Facebook, pivoting to comments on posts can help identify possible partners. For example, the account highlighted in the screenshot below appears to be a fake social media account designed to make the phishing post appear more legitimate. The account’s profile picture was tested using an AI image detector and then passed through Pimeyes, revealing that the image had been used on multiple Russian mail-order bride and dating sites.

Exploring the Suspicious Facebook Account

‍Digging into the identified account Facebook further and reviewing the account’s activity suggests this is just one component of a larger phishing effort targeting multiple European countries. The account follows several other phoney Facebook pages, each posing as legitimate businesses with similar tactics.

While the profile picture appears to originate from Russia, it’s crucial not to jump to conclusions about the nationality of the attackers. The information we gather should always be assessed critically, avoiding bias and ensuring we draw conclusions based on facts.

Diamond Model of Intrusion Analysis‍

The Diamond Model of Intrusion Analysis is an analytic model that helps analysts categorise cyber attacks by focusing on four main categories:

1. Adversary: The human or group behind the attack. This can be a solo individual, a team, or even a state-sponsored actor.
2. Infrastructure: The tools and systems used to carry out the phishing campaign.
3. Capability: The tactics, techniques, and procedures used throughout the phishing campaign.
4. Victim: The intended target(s) of the phishing campaign.

‍

Conclusion

‍This investigation case study illustrates how everyday cybercrime cases provide excellent opportunities to hone OSINT and CTI skills. From social media analysis to infrastructure evaluation, each stage of the inquiry offers a chance to practice and refine various aspects of threat intelligence gathering and analysis.

For aspiring threat intelligence analysts, such investigations provide invaluable hands-on experience in:

• Technical analysis
• Social engineering recognition
• Infrastructure investigation
• Campaign mapping and intelligence documentation

Every suspicious post, website, or campaign is a learning opportunity to improve your investigative skills and to a deeper understanding of current threat environments.