How do scammers hide their sites on the Internet?

Hacker

This article was written for educational purposes only. We do not call on anyone to do anything; it is for informational purposes only. The author is not responsible for your actions.
Analyzing fraudulent sites, you sometimes marvel at the ingenuity of the crooks. One offers you free pizza, another "morgencoins"... There are also resources you cannot immediately identify as fraudulent: they simply collect contacts so that later, once a database has been built, the crooks can scam everyone at once. However, before you can thoroughly examine a site created by Internet crooks, you first need to find it. That is what we will talk about now: search methods, and how scammers hide their resources on the network.

It happens that a company or bank security service receives a complaint about a particular site, which becomes the reason for an investigation. We will not consider that case; instead, suppose an infosec specialist wanted to earn a bonus and decided to go looking for malicious sites on his own.

The easiest way involves the following simple steps:
  • download the list of domains registered over the past few months in the .ru zone from Domains.ihead.ru (the list covers the last three months);
  • look for domains that resemble the official domains of large companies and banks;
  • visit each site and see what is there;
  • if a fraudulent resource is found, submit a request to the registrar to block the domain, complain to the hoster, or add the resource to the blocklist on the firewall at your own perimeter.
A more advanced option is to use home-made or purchased scanners that crawl the Internet automatically. Everything seems simple, but the method described does not always work. Why is it sometimes hard to find a fraudulent website? There are usually several reasons.

SIMILAR WRITING
If, for example, you filter the list of all domains by the substring gaz, you will not find gaazprom.ru, but the dnstwist utility shipped with Kali will find it. You can also use the online services dnstwist.it or dnstwister.report.

dnstwist generates spelling variants of a domain using several techniques (omitted, repeated and transposed letters, keyboard-neighbour replacements, homoglyphs, hyphenation and so on) and checks which of them are registered. For the official gazprom.ru, for example, 2270 variants were generated and tested; 38 of them turned out to be registered.
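The step list above and the dnstwist permutations can be reproduced offline. The Python script below is an added example (not code from the article, and not dnstwist itself): it generates dnstwist-style permutations of a brand label (omission, repetition, transposition, keyboard-neighbour replacement, homoglyph, vowel swap, hyphenation, addition), intersects them with a list of recently registered domains, and runs the naive substring search from the step list alongside for comparison. RECENT_DOMAINS, the keyboard table and the homoglyph table are constructed stand-ins and deliberately small.

```python
"""Typosquat hunting over a registered-domain list.

Added example, not code from the article and not dnstwist itself. It mimics
dnstwist's fuzzing techniques on a brand label and intersects the result with
a domain list; RECENT_DOMAINS and the two lookup tables are constructed stand-ins.
"""

# Constructed stand-in for a "domains registered in the last three months" dump.
RECENT_DOMAINS = [
    "gazprom.ru", "gaazprom.ru", "gazprom-bonus.ru", "gazpr0m.ru", "gasprom.ru",
    "gazrpom.ru", "g-azprom.ru", "gazprom.su", "sberbank-cashback.ru",
    "cat-houses.ru", "openstockinvest.cyou",
]

# Letters-only QWERTY neighbours (a small subset; dnstwist's tables are larger).
KEYBOARD = {
    "a": "qwsz", "g": "rtfhvb", "m": "njk", "o": "ipkl", "p": "ol",
    "r": "edft", "s": "awedxz", "z": "asx",
}
# Visually confusable substitutions (assumed subset).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "a": ["4"], "e": ["3"],
    "s": ["5"], "g": ["q", "9"], "b": ["d"], "d": ["b"],
}
VOWELS = "aeiou"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def naive_search(keyword, domains):
    """The substring filter from the step list: finds gazprom-bonus, misses gaazprom."""
    return [d for d in domains if keyword in d]


def permutations(label):
    """dnstwist-style variants of one label, grouped by technique. The dict is
    ordered so the first technique that produces a variant is the one reported."""
    out = {t: set() for t in ("omission", "repetition", "transposition",
                              "replacement", "homoglyph", "vowel-swap",
                              "hyphenation", "addition")}
    n = len(label)
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:])
        out["repetition"].add(label[:i] + ch + label[i:])
        if i < n - 1:
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
            out["hyphenation"].add(label[:i + 1] + "-" + label[i + 1:])
        for c in KEYBOARD.get(ch, ""):
            out["replacement"].add(label[:i] + c + label[i + 1:])
        for c in HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(label[:i] + c + label[i + 1:])
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                out["vowel-swap"].add(label[:i] + v + label[i + 1:])
    for c in ALPHABET:
        out["addition"].add(label + c)
    for variants in out.values():
        variants.discard(label)  # never report the brand itself as a variant
    return out


def find_lookalikes(brand, domains):
    """Map registered domains that are permutations (or TLD swaps) of `brand`
    to the technique that produced them."""
    brand = brand.lower()
    brand_label = brand.split(".", 1)[0]
    technique_of = {}
    for technique, variants in permutations(brand_label).items():
        for v in variants:
            technique_of.setdefault(v, technique)
    hits = {}
    for d in domains:
        d = d.lower()
        if d == brand:
            continue
        label = d.split(".", 1)[0]
        if label == brand_label:
            hits[d] = "tld-swap"
        elif label in technique_of:
            hits[d] = technique_of[label]
    return hits


if __name__ == "__main__":
    print("substring 'gaz':", naive_search("gaz", RECENT_DOMAINS))
    for domain, technique in sorted(find_lookalikes("gazprom.ru", RECENT_DOMAINS).items()):
        print(f"{domain:22} {technique}")
```

Against the constructed list, the substring search returns gazprom-bonus.ru and gazprom.ru but not gaazprom.ru, gasprom.ru or g-azprom.ru, while the permutation match catches those and reports the technique; the two searches complement each other, since "brand plus a word" registrations like gazprom-bonus.ru are not single-edit permutations and only the substring filter sees them.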

1.png

Results of checking the gazprom.ru domain in the dnstwist.it service

Now let's check what is actually hosted on this gaazprom.ru.

2.png

An example of the content of a fraudulent site. 14 free seats, you must grab one!

SUBDOMAIN
Everything is simple here. If we scan the site openstockinvest.cyou, we will see nothing. But if we go to the subdomain hxxp://bussiness.openstockinvest.cyou, we suddenly find a fraudulent landing page.

3.png

Fraudulent site on subdomain

COMFORT ZONE
Often the search for fraudulent sites is limited to checking domains in the .ru zone. If you do that, you miss the sites registered in the other 1555 domain zones. dnstwist does not generate variants in every possible zone either, so part of the potential catch stays out of our field of view.

You need to get all the domains. At Domains-monitor.com, for example, you can download a list of 250 million registered domains; the service charges $7 for 24-hour access.

4.png

Service with a list of registered domains domains-monitor.com

PARASITES
By analogy with wildlife, a virtual parasite lives off someone else's resources so that it survives as long as possible and stays unnoticed. Most often a harmless site is hacked and the malicious one is uploaded into one of its subdirectories.

5.png

Hacked website of a commercial firm

NEIGHBORS
By this I mean placing fraudulent sites on "someone else's" resources. For example, hxxps://gatrade.turbo.site: in this case the web page was created in the site builder from Yandex.

6.png

An example of a site created in the Yandex site builder

Sites created on quiz platforms (online survey builders) fall into the same category. An example of a fraudulent survey that I found earlier no longer works; only traces of it remain on Google.

7.png

An example of a fraudulent survey on the quizgo.com platform

INSIDE
Another way to shield fraudulent sites from security scanners. If you follow the link hxxps://invest-it.live, you are redirected to Google, while the fraudulent page itself sits "inside" the site at hxxps://invest-it.live/russian-platform.

8.png

Example of a fraudulent resource in the site directory

CLOAKING
This term denotes substituting the site's content depending on technical characteristics of the visitor. For example, if you open hxxp://gazpromrekl.ru from a Ukrainian IP, you will see a fraudulent site.

9.png

Fraudulent site

And if you come from any other IP, you will be shown a store selling houses for cats.

10.png

An example of substitution of content depending on the visitor's IP

By the way, this very gazpromrekl.ru sometimes glitches: when you come from a Russian IP it shows the site of some web studio. It looks like the guys are additionally monetizing their skills. Cloaking is also used on social networks, including for bypassing moderation (and we wonder why moderators let obviously fraudulent content through; they were simply deceived by technical means).

11.png

Facebook ad scam example

When a moderator goes to 5000-privitum-podarok.ru from his European (or Indian) IP, he is shown one site, and if you go there from the IP of one of the CIS countries, the content is completely different.

12.png

Different content depending on the visitor's IP
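A practical way to catch the substitution described in this section is to fetch the same URL from several vantage points (a CIS residential IP, a European data-centre IP, a crawler User-Agent) and compare what comes back. The Python below is an added example, not code from the article: the hostname and the three HTML bodies in RESPONSES are constructed stand-ins for real fetches, and the fetching itself (proxy exits, a spoofed User-Agent) is left to the reader. It strips the HTML down to the title and visible words and flags any pair of vantage points whose word overlap is too low to be the same page.

```python
"""Cloaking detection: compare what one URL serves to different visitors.

Added example, not code from the article. RESPONSES stands in for the bodies
returned by real fetches of a hypothetical hxxp://gazprom-example.test from
three vantage points; the HTML is constructed for illustration.
"""
import re
from html.parser import HTMLParser

SCAM_PAGE = (
    "<html><head><title>Gazprom shares: 14 seats left</title></head><body>"
    "<h1>Invest in Gazprom and earn 250%</h1>"
    "<p>Leave your phone number, a manager will call you back today.</p>"
    "<form><input name=phone></form><script>track()</script></body></html>"
)
CLEAN_PAGE = (
    "<html><head><title>Cosy houses for cats</title></head><body>"
    "<h1>Handmade cat houses</h1>"
    "<p>Free delivery on orders over 3000 rubles. Call us today.</p></body></html>"
)

# Constructed: vantage point -> body returned for the same URL.
RESPONSES = {
    "cis-residential-ip": SCAM_PAGE,
    "eu-datacenter-ip": CLEAN_PAGE,
    "googlebot-user-agent": CLEAN_PAGE,
}


class _TextExtractor(HTMLParser):
    """Collect the <title> and the visible words, ignoring script/style bodies."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.words = []
        self._in_title = False
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip_depth:
            self.words.extend(re.findall(r"\w+", data.lower()))


def fingerprint(html):
    """Return (title, set of visible words) for one response body."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return p.title.strip(), set(p.words)


def jaccard(a, b):
    """Word-set overlap: 1.0 for identical pages, near 0 for unrelated ones."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def detect_cloaking(responses, threshold=0.5):
    """Pairwise-compare vantage points; report pairs whose visible text differs.

    A pair below `threshold` overlap is a cloaking candidate: a cat-house shop
    and an investment landing page share almost no words.
    """
    fps = {k: fingerprint(v) for k, v in responses.items()}
    names = list(fps)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sim = jaccard(fps[a][1], fps[b][1])
            if sim < threshold:
                findings.append({
                    "a": a, "b": b, "similarity": round(sim, 2),
                    "title_a": fps[a][0], "title_b": fps[b][0],
                })
    return findings


if __name__ == "__main__":
    for f in detect_cloaking(RESPONSES):
        print(f"{f['a']} vs {f['b']}: overlap {f['similarity']} "
              f"({f['title_a']!r} vs {f['title_b']!r})")
```

Before trusting a finding, fetch twice from the same vantage point: a site running an A/B test or rotating banners also differs between fetches, whereas cloaking is stable per IP range or User-Agent. It is also worth recording the redirect chain alongside the body, since a cloaked site often combines this trick with the "inside" placement above and sends the unwanted visitor to Google instead of serving a different page.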

CONCLUSIONS
The methods of placing fraudulent sites listed here do not exhaust the crooks' entire arsenal. There is a whole business selling ready-made landing pages and copies of the sites of well-known companies and banks, as well as affiliate programs built around organizing scams.

13.png

Different content depending on the visitor's IP

Therefore, the two most effective methods of combating fraud remain: technically blocking what you were able to find (if you are an information security or IT specialist), and teaching employees, relatives and friends the rules of information security. The latter switches on the user's "brain firewall", which works much better than all the technical tools combined.