I was recently introduced to an interesting feature of urlscan.io that allows you to search for phishing pages using image hashes. I quickly realized the potential power of this tool. A cryptographic hash is a fixed-size fingerprint computed from every byte of a file: the hashing algorithm (SHA-256 in this case) maps the file to a fixed-length bit string, and for a collision-resistant algorithm it is not feasible to produce two different files with the same value. A matching hash is therefore strong evidence that two files are byte-for-byte copies.
It was then shown to me that you could take the file hash of an image from a website and then use it to find every scanned site that served an image with the same hash. Most phishermen are lazy and will simply copy the contents of an entire website, clone it, and host it on their own server to begin harvesting credentials from unsuspecting victims.
I decided to test how useful this feature was from a site (gov.uk) that is often used to scam victims out of their payment details, personally identifiable information (PII), and other sensitive data.
I chose to use the logo from the site:
I saved the logo and uploaded it to VirusTotal to obtain its hash (running sha256sum on the downloaded file gives the same value):
SHA-256: bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b
With the hash I can search urlscan.io (the hash: search filter matches the SHA-256 of any resource a scanned page loaded) and perhaps we can find some phishing pages:
Oh look, lots and lots of phish 😮 It works!
This is evidence that phishermen routinely rip the code and assets of targeted sites and re-upload them unchanged, which makes the clones easy to find. Bear in mind that a hash match only finds byte-identical copies: a logo that has been resized, re-encoded or re-compressed produces a different hash, and legitimate hosts (the real site, mirrors and archived scans) will show up in the results too, so each hit still needs checking.
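To make the workflow repeatable, here is an added Python example (my own code, not part of the original post or of urlscan.io) that computes the SHA-256 of a downloaded logo locally, builds the urlscan.io search URL for the hash: filter, and filters the page domains out of a search response, keeping only hosts that are not the genuine site. The hash: filter, the search endpoint and the API-Key header are urlscan.io's documented search interface as I know it; the SAMPLE_RESPONSE is constructed in the shape of a real response using domains from this post, not actual API output. The legitimate-host check is anchored on the domain suffix deliberately, because a plain substring test would whitelist lookalikes such as www.gov.uk.tax.refund.online.ssl.2msuaritma.com.

```python
import hashlib
import json
import urllib.parse
import urllib.request

# urlscan.io search endpoint; the "hash:" filter matches the SHA-256 of any resource a scanned page loaded
URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of raw bytes (the same value VirusTotal reports for an uploaded file)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large images need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_search_url(sha256_hex: str, size: int = 100) -> str:
    """Build the urlscan.io search URL for pages that loaded a resource with this hash."""
    query = urllib.parse.urlencode({"q": f"hash:{sha256_hex}", "size": size})
    return f"{URLSCAN_SEARCH}?{query}"


def is_legitimate(domain: str, legit_suffixes) -> bool:
    """True only if domain is a legitimate host or a genuine subdomain of one.

    The suffix is anchored with a leading dot: a substring test ("gov.uk" in domain)
    would wrongly drop lookalikes such as www.gov.uk.tax.refund.online.ssl.example.com.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == s or domain.endswith("." + s) for s in legit_suffixes)


def extract_suspect_domains(search_response: dict, legit_suffixes=("gov.uk",)) -> list:
    """Distinct page domains from a urlscan.io search response, minus legitimate hosts."""
    suspects = set()
    for hit in search_response.get("results", []):
        domain = hit.get("page", {}).get("domain", "")
        if domain and not is_legitimate(domain, legit_suffixes):
            suspects.add(domain.lower())
    return sorted(suspects)


def search_urlscan(sha256_hex: str, api_key: str = None) -> dict:
    """Live lookup (needs network). Anonymous searches are rate limited; an API key raises the limit."""
    req = urllib.request.Request(build_search_url(sha256_hex))
    if api_key:
        req.add_header("API-Key", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the shape urlscan.io returns (results -> page -> domain),
# using domains from this post plus the genuine site. This is NOT real API output.
SAMPLE_RESPONSE = {
    "results": [
        {"page": {"domain": "www.gov.uk", "url": "https://www.gov.uk/"},
         "task": {"time": "2020-03-01T10:00:00.000Z"}},
        {"page": {"domain": "tax-office-return.com", "url": "http://tax-office-return.com/"},
         "task": {"time": "2020-03-02T11:00:00.000Z"}},
        {"page": {"domain": "www.gov.uk.tax.refund.online.ssl.2msuaritma.com",
                  "url": "http://www.gov.uk.tax.refund.online.ssl.2msuaritma.com/"},
         "task": {"time": "2020-03-03T12:00:00.000Z"}},
        {"page": {"domain": "tax-office-return.com", "url": "http://tax-office-return.com/login"},
         "task": {"time": "2020-03-04T13:00:00.000Z"}},
    ],
    "total": 4,
    "has_more": False,
}


if __name__ == "__main__":
    # Hash of the gov.uk logo as given in this post; replace with sha256_of_file("logo.png") for your own target
    logo_hash = "bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b"
    print("search URL:", build_search_url(logo_hash))
    # Offline demonstration on the constructed response; swap in search_urlscan(logo_hash) for a live run
    for suspect in extract_suspect_domains(SAMPLE_RESPONSE):
        print("suspect:", suspect)
```

The live search_urlscan() call is kept separate from the parsing so the filtering can be tested against saved responses, and duplicate scans of the same host collapse to one domain. Extend legit_suffixes with any CDN or mirror hosts the genuine site uses before treating the remaining domains as phishing.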
Hope you can try this method out and find some pages targeting your employees/customers.
Indicators of Compromise (IOCs):
tax-office-return.com
dvla.co.uk.pending-refund-mar27.info
tax-compensation.com
dvla.uk-gov-ref0ll6.com
www.gov.uk.tax.refund.online.ssl.2msuaritma.com
taxuk-return.com
refund-forms-gb.com
dvla.co.uk.form-refund-mar20.info
dvla.co.uk.pending-refund-mar23.info
vtax.refund-refi2p1.com
gov.hmrc-taxservices.com
hmrc-govrefund.com