Check Phishing Links – Enterprise Security Department Guide

Why you need to check phishing links in your organization

Why Check Phishing Links? When you work in an Enterprise Security Department such as a SOC, you will receive phishing links either from the Hoax email box or from other sources. You will need to initiate a takedown with the help of a registrar or other services. But in order to do that, you need to make sure the links relate to your organization and that they are malicious / phishing.

Check Phishing Links – Legit or Malicious / Phishing

Set up a virtual machine for your URL checking, so that less data is exfiltrated if there is something malicious on the site.

Navigate to the URL with a regular browser to see what is going on. Make sure you go over the article Check Links for Legitimacy with Tools and Observation. There you will find several techniques and tools that will help you recognize whether the link belongs to a legitimate business or is malicious / phishing.

Check Phishing Links – What to do if you do not see any content

HTTP Method

Try both “http://” and “https://”, since the server can process them differently.

Geolocation – TOR Browser or VPN

If the URL / link that you received targets a specific geolocation and you are in another one, you might not receive the content of the page.
You can download the TOR browser and set the TOR Exit Node to that country.
As an alternative, you can set up a Proxy / VPN extension like “Hoxx VPN Proxy” (free version available for both Chrome and Firefox) for your browser, or a regular VPN with a TAP driver. Just remember that free VPN / Proxy IPs can be blacklisted, and then you will not see the content anyway. I had 404 errors with Hoxx VPN Proxy while I did not with paid TAP Driver VPNs.

Use Different User Agents

Try using different User Agents. Since TOR is based on Mozilla Firefox, you can add:

User-Agent Switcher by Alexander Schlarb

You can get it from two official locations:
1. Official Firefox Browser Add-Ons – User-Agent Switcher
2. GitLab – User-Agent Switcher and Source
You can add your User Agents in the settings of this addon.
Someone from “torproject” recommended this one in the comments.

Another User Agent Switcher for Firefox:

User-Agent Switcher and Manager by Ray

I did not test this one, but it has relatively high ratings in the Firefox Browser Add-Ons store.

If you want, you can also try Google Chrome. There are two extensions that I used:
1. User-Agent Switcher for Chrome by google.com
This one is official from Google. This is nice but limited and not customizable.
2. User-Agent Switcher by www.toolshack.com
Has more built-in User Agents, and you can use any custom User Agent string.

Try several desktop User Agents, and also try mobile ones (Apple iOS, Android). If nothing works, you can also try “Curl” and “Wget”.

If at any point you want to set a custom User Agent, you can check the comprehensive User Agent Database on WhatIsMyBrowser.
Another list is provided in the “User-Agent Switcher extension by www.toolshack.com”: List of User Agent Strings.

You can check that your User Agent was actually switched with the User Agent parser on WhatIsMyBrowser.
There is also an option to parse any User Agent string manually, rather than the one from your own system.

Note: Client errors are not always real errors. A site can return 404 because the User Agent is not mobile. Keep that in mind.

Change Browsing Resolution

You can change your browser’s resolution from Developer Tools in either Google Chrome or Mozilla Firefox.
In Firefox / TOR it is “Responsive Design Mode”. Shortcut: [Ctrl] + [Shift] + [M].
In Google Chrome / Chromium browsers it is “Toggle device emulation”, and it uses the same shortcut.

You can test whether a site has a specific mobile version resolution with Mobi Ready – Mobile Performance test. Of course, that only works if the site does not use any type of WAF like Cloudflare, since it is free.

Use Browser Developer Tools to check phishing links

In Developer Tools, check the [Network] tab while you load the URL to see if there is something interesting. It is also a good idea to watch this tab while you submit fake credentials, to find any credentials database that the site may use.

Check the Page Source

Sometimes you will see a blank page, white or any other color. Check the source; there are probably some hints. This is not a server / client-side error, it is a blank page, so something probably IS loaded, such as JavaScript, and is hiding the content.

Check if Domain / URL is Available Worldwide

Check with “Where’s it up”:
1. Navigate to https://wheresitup.com/
2. Click “Customize Locations”.
3. If you are interested in a specific country, add all the servers that are available for that geolocation. Hit [+5] until all the locations are selected for that country.
4. Paste your exact URL. Unlike the WHOIS services, the service tests the exact URL that you input and not the whole domain. The exact URL also includes “http” or “https”; if you do not state it, the default “http” will be used.
5. The result page will show you whether the URL is reachable from other geolocations, and their Trace.
6. If you see that the URL is reachable from a specific geolocation, set your TOR Exit Node / VPN to that location.

Try using What’s My DNS – DNS Propagation Checker. Similar to “Where’sItUp”, but checks for DNS Propagation worldwide.

Try Directory Stripping

Another thing you can try is directory stripping. Example:

https://www.somesite.com/dir1/dir2/dir3

“Directory Stripping” means getting rid of the last directory, one at a time, and checking what is going on there. The next directory check will be at:

https://www.somesite.com/dir1/dir2

Maybe the phishing is in dir2 and dir3 is a GUID or a parameter.
The next directory strip will be:

https://www.somesite.com/dir1

And so on.
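
The checks above (both schemes, several User Agents, directory stripping) can be combined into one list of requests to work through from the analysis VM. The following is an added example, not part of the original guide; the function names and the User Agent strings are constructed for illustration, and it goes slightly beyond the text by also trying the URL without its query string.

```python
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Constructed sample User-Agent strings; replace with current ones from a UA database.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36",
    "curl": "curl/8.4.0",
    "wget": "Wget/1.21.4",
}

def strip_directories(url):
    """Return the URL, then the URL without its query, then each parent directory."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    out = [url]
    if parts.query or parts.fragment:
        out.append(urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")))
    while segments:
        segments.pop()  # drop the last directory, one at a time
        path = "/" + "/".join(segments)
        out.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return out

def scheme_variants(url):
    """Return the same URL with http:// and with https://."""
    rest = tuple(urlsplit(url))[1:]
    return [urlunsplit((scheme,) + rest) for scheme in ("http", "https")]

def probe_plan(url):
    """Every (url, label, user_agent) combination to try."""
    return [(variant, label, ua)
            for candidate in strip_directories(url)
            for variant in scheme_variants(candidate)
            for label, ua in USER_AGENTS.items()]

def fetch(url, user_agent, timeout=10):
    """Request one variant; return (status, body_length). Run it from the analysis VM."""
    request = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(request, timeout=timeout) as response:
            return response.status, len(response.read())
    except HTTPError as err:   # 4xx/5xx still carry a status worth comparing
        return err.code, len(err.read())
    except OSError:            # DNS failure, refused connection, timeout
        return None, 0

if __name__ == "__main__":
    for url, label, ua in probe_plan("https://www.somesite.com/dir1/dir2/dir3"):
        print(url, label, fetch(url, ua))
```

Compare the status and body length across rows: a variant that returns content while the others return 404 or an empty body points to the scheme, User Agent or directory the page is keyed on.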
