Phishing Host

Critical Fraud & Abuse

A phishing host is a server used to serve fraudulent websites that impersonate legitimate organizations — banks, cloud providers, government agencies — to steal credentials, payment card data, or personally identifiable information. Phishing infrastructure typically uses lookalike domains, free TLS certificates, and fast-flux DNS to maximize victim reach while evading takedown efforts.


Critical Severity

This threat is classified as critical severity. Immediate action required.

🔍 Indicators

  • Domain registered within the last 24–72 hours with a lookalike name (e.g., paypa1-secure.com, apple-id-verify.net)
  • TLS certificate issued by Let's Encrypt or ZeroSSL with a common name closely resembling a known brand
  • HTTP response contains a clone of a legitimate brand's login page whose form action URL points to a foreign domain
  • IP address appears in phishing feed databases (PhishTank, OpenPhish, APWG eCrime)
  • Server returns identical HTML to legitimate sites but with modified <form action> pointing to attacker infrastructure
  • Hosting on bulletproof providers or newly registered cloud VPS with no legitimate history
  • DNS TTL extremely low (60–300 seconds) indicating fast-flux configuration

🛡 Detection Methods

Query PhishTank and OpenPhish feeds

# Check if a URL appears in PhishTank
curl -s "https://checkurl.phishtank.com/checkurl/" \
  -d "url=https://paypa1-secure.com/login&format=json" | jq .

# Download and grep OpenPhish feed
curl -s https://openphish.com/feed.txt | grep -i "paypal"

DNS-based detection — lookalike domain scoring

import re
import Levenshtein  # pip install python-Levenshtein

brands = ["paypal", "apple", "microsoft", "amazon", "google"]
query_domain = "paypa1-secure.com"

# Score each hyphen/underscore-separated token of the leftmost label, not the whole label:
# "paypa1-secure" scores only ~0.53 against "paypal" (below threshold), while the
# token "paypa1" scores ~0.83 and is flagged.
label = query_domain.split(".")[0]
for token in re.split(r"[-_]", label):
    for brand in brands:
        score = Levenshtein.ratio(brand, token)
        if score > 0.7:
            print(f"Possible lookalike of {brand}: token={token!r} score={score:.2f}")

Snort rule — detect credential-harvesting page with an external form action

alert http $EXTERNAL_NET any -> $HOME_NET any \
  (msg:"PHISHING credential harvesting page"; flow:to_client,established; \
   content:"<form"; nocase; content:"password"; nocase; \
   content:"action="; nocase; \
   pcre:"/action=[\"']https?:\/\/(?!yourdomain\.com)[^\"']+[\"']/i"; \
   sid:9001003; rev:1;)

Monitor DNS for newly registered lookalike domains

# Using dnstwist to enumerate permutations
dnstwist --registered --format csv paypal.com | grep -v "paypal.com"
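The indicators above can be checked together on a captured page. The following is an added example, not code from the original page: it parses the served HTML and flags forms whose action posts to a different registrable domain than the page host, then combines that with the domain-age and DNS-TTL thresholds listed under Indicators. The observation records, the thresholds as constants, and the `example.com`/`example.net` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Thresholds taken from the indicator list on this page.
MAX_NEW_DOMAIN_AGE_DAYS = 3   # "registered within the last 24-72 hours"
MAX_FAST_FLUX_TTL = 300       # "DNS TTL extremely low (60-300 seconds)"

class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")

def registrable_domain(host):
    """Last two labels of a hostname (naive; no public-suffix list, adequate for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def foreign_form_actions(page_url, html):
    """Form actions that post to a different registrable domain than the page itself."""
    parser = _FormActions()
    parser.feed(html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    foreign = []
    for action in parser.actions:
        host = urlsplit(action).hostname   # None for relative actions such as "/login"
        if host and registrable_domain(host) != page_domain:
            foreign.append(action)
    return foreign

def phishing_indicators(obs):
    """Names of the page's indicators that fire for one observed host (fixed order)."""
    hits = []
    if obs["domain_age_days"] <= MAX_NEW_DOMAIN_AGE_DAYS:
        hits.append("newly_registered")
    if obs["dns_ttl"] <= MAX_FAST_FLUX_TTL:
        hits.append("low_ttl")
    if foreign_form_actions(obs["url"], obs["html"]):
        hits.append("foreign_form_action")
    return hits

# Constructed observations (not real traffic): a cloned login page whose form sends
# credentials to another domain, and a legitimate page with a same-origin form.
SUSPECT = {"url": "https://paypa1-secure.com/login", "domain_age_days": 1, "dns_ttl": 120,
           "html": '<form method="post" action="https://collect.example.net/p.php">'
                   '<input name="user"><input type="password" name="password"></form>'}
BENIGN = {"url": "https://www.example.com/login", "domain_age_days": 4000, "dns_ttl": 3600,
          "html": '<form method="post" action="/login"><input type="password" name="pw"></form>'}
```

`phishing_indicators(SUSPECT)` returns all three indicator names, while `phishing_indicators(BENIGN)` returns an empty list; in practice the domain age comes from WHOIS/RDAP and the TTL from the authoritative DNS answer.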

Mitigation

  1. Enable browser-level phishing protection: Configure DNS filtering (Cisco Umbrella, Quad9, Cloudflare 1.1.1.2) to block known phishing domains before the page loads.
  2. Deploy email anti-phishing controls: Implement DMARC (p=reject), DKIM, and SPF on all owned domains. Enable Microsoft Defender for Office 365 or Google Workspace's anti-phishing AI models.
  3. Register defensive domains: Pre-register common typosquats and lookalike variations of your domain to prevent attackers from using them.
  4. Subscribe to phishing intelligence feeds: Integrate PhishTank, APWG eCrime Exchange, or commercial threat intelligence into firewall/proxy block lists with automated updates.
  5. Report and request takedown: Submit phishing URLs to Google Safe Browsing (safebrowsing.googleapis.com), Microsoft SmartScreen, and the hosting provider's abuse team. Use APWG's eCrime reporting portal.
  6. Train users: Conduct regular phishing simulation exercises. Train staff to verify URLs, check TLS certificate details, and report suspicious emails before clicking.
  7. Implement FIDO2/passkeys: Phishing-resistant authentication methods (hardware security keys, passkeys) prevent credential theft even if a user visits a phishing page.
  8. Monitor for brand abuse: Use services like Recorded Future, BrandShield, or Digital Shadows to alert on new domain registrations impersonating your brand.

📋 Real-World Examples

Operation Wire Wire (2018): The FBI arrested 74 individuals across the US, Nigeria, and other countries involved in a massive phishing campaign targeting businesses and individuals. Attackers compromised email accounts and impersonated executives or vendors to redirect wire transfers totaling over $40 million. Phishing sites mimicked corporate email portals and banking login pages.

GitHub Credential Phishing Campaign (2020): Attackers registered hundreds of lookalike domains resembling GitHub's login page, distributed via targeted email campaigns to open-source developers. The phishing kit used real-time credential validation against GitHub's actual API — if credentials were wrong, victims were shown an error and prompted to retry, maximizing harvested valid credentials.
