惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
GbyAI
GbyAI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
Recent Announcements
Recent Announcements
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
P
Proofpoint News Feed
NISL@THU
NISL@THU
博客园 - Franky
C
Cybersecurity and Infrastructure Security Agency CISA
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
F
Full Disclosure
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
D
Docker
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
Help Net Security
Help Net Security
V
Visual Studio Blog
小众软件
小众软件
B
Blog
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Nixintel: SpiderFoot HX Case Study of Investigating A Phishing Domain
2019-12-03 · via Intel 471 Blog

This write-up was by Nixintel and originally appeared on his blog.

In my last Spiderfoot tutorial I wrote about how Spiderfoot HX could be used to gather information about a suspicious IP address and then analyse and visualise the data. In this guide I’m going to show how Spiderfoot HX can be used to investigate a domain linked to phishing.

Despite a lot of high-profile coverage of zero day exploits and advanced hacking techniques, phishing still remains the single most prevalent way for bad guys to carry out a cyber attack according to the National Cyber Security Centre. So it helps to be able to understand the infrastructure behind a phishing attack.

Target

The research target is a real phishing domain that was identified as being linked to malware distribution just a few days ago. Victims were targeted with a phishing e-mail that impersonated a real e-mail from FedEx:

Opening the attachment installed some credential-stealing malware on the recipient’s device. You can see more of the analysis of the malware itself here (HT @dave_daves) but for now we’re going to focus on the domain that the malware was reporting back to:

hikmahmuliautama[.]co[.]id

In the rest of this guide we’ll look at how to prepare Spiderfoot HX to gather information about the domain and then evaluate what it finds.

Setting Up The Scan

In my last article I explained how to configure Spiderfoot HX to use API keys. Once they’re set up, they’re stored permanently so there’s no need to re-add them every time. For the scan itself, there are a couple of approaches we can take. Spiderfoot HX allows scans to be conducted either passively or by targeting the domain directly.

A passive search collects data from third party sources but never touches the target directly. This can be useful if you don’t want the target to have any indication of your scan in their logs. A passive scan still brings back a lot of detailed information too.

Alternatively it’s possible to conduct a scan either with all modules enabled, or with some selected modules enabled. In this case we want to find out everything we can about the target domain, so I’m going to set up an active scan with some modules specifically chosen for the task.

If you’re concerned about your scanning activity being detected by your target, Spiderfoot HX makes it possible to route all the scans via TOR. The target will still see they are being scanned, but the source IPs will be that of TOR exit nodes. Scanning through SpiderFoot HX is anyhow anonymous, but this can be an additional measure in case you are extra paranoid. To enable TOR, simply go to Configure > General and change “Use of TOR for tunnelling HTTP/HTTPS requests” to True:

After saving changes, your next scan will be conducted via TOR. I’ve found when using this option that although it is slightly slower, there was no impact on the amount of data returned.

There’s no need to enable every single module to conduct a scan of our target domain. Some of them aren’t relevant to the task and there’s no point causing the scan to take longer than necessary or using those precious API credits unnecessarily.

Enable modules you want by selecting New Scan > Select Individual Modules. For this scan I’ve chosen a few modules that will scan the target quite aggressively – I want to know everything that I can. These two modules will conduct DNS brute force, for instance:

And given the nature of the phishing attack, I certainly want to check out results from Fraudguard too:

The Page Info module will also grab HTML data from the target directly to determine what kind of content is hosted so that I don’t have to visit it from my own machine:
Overall Spiderfoot has about 170 different modules that you can enable or disable as needed. When you’ve enabled the modules that you want, you can save the configuration as a Scan Profile to reuse for future scans.

Correlations

There’s one more thing to prepare before starting the scan. How do we make sense of the huge amounts of data that Spiderfoot HX is likely to return? Gathering information is one thing, but in real-life OSINT what matters is being able to analyse data and draw sound conclusions quickly. Later in this guide we’ll see how Spiderfoot HX’s visualisation tools help to do part of this, but setting up the Correlations tool at the start will also help pinpoint the key data we want when the scan is complete.

Correlations detect when scan results meet a certain set of rules, reported separately from the scan results so you can focus your attention there first. For example if Spiderfoot detects that a website features an unencrypted password page, this can be immediately brought to the user’s attention with a risk-rated correlation rule. You might want to enable this if you were conducting a penetration test, for example.

The level of risk assigned to each correlation rule is fully customisable according to your need. Spiderfoot HX will flag anything that meets the correlation rule conditions, so setting it up carefully at the outset will help to pinpoint the important details at the end. Changing correlation rules applies to all future scans, so you don’t need to configure them per-scan.

It’s safe to just leave all rules enabled, and as the volume should be low, it’sfairly simple to browse them when the scan is completed.

We’re ready to start the scan and let it run. Spiderfoot HX runs on its own cloud server so you can let the scan run by itself and receive an e-mail notification when it’s completed (unless you disable that option). Results are also returned in real time so you don’t need to wait for the scan to complete before reviewing the data.

Analysis

Visualisation of the entire scan results in Tree Graph mode

It’s immediately clear why the correlations feature is so important. Scanning the target domain has returned more than 5000 pieces of information, but the correlations feature will ensure that we can focus on the most important ones first.
The correlations are colour-coded according to risk level. You can click on each one to learn more about the results. These are the results that Spiderfoot HX has flagged as being of high concern:

Spiderfoot HX has identified three subdomains on the target host that prompt for passwords but are unencrypted – an immediate red flag from a security point of view. The scan has also indicated that the host IP address and and its wider subnet are considered malicious by multiple sources. We can use Spiderfoot HX’s visualisation features to get a better understanding of this:
To visualise this search result, click on the number in the Data Elements column, then select the visualisation technique of your choice from the drop down menu. The image above is the All Data Node Graph (Random) visualisation.

This is the same data visualised with the Connectivity Chord option:

In the same way we can also visualise the wider malicious subnet:
Ouch! There’s a VirusTotal report for 13 different IPs on this subnet. The fact that all the malicious IPs are in sequential order might also offer some clues as to how they became hosts for malicious activity in the first place. This pattern may indicate that a bot crawled a range of IPs systematically, and was able to exploit the same vulnerability over and over again. If this is the case, we might be looking at a compromised host rather than domain created specifically for a phishing campaign.

Following up the VirusTotal results also leads to some more useful information about the type of malware being distributed by the target domain. There’s no need for us to visit and sample it ourselves:

The Correlations feature in Spiderfoot HX really helps to focus on the important issues. Out of all the data returned, the areas of interest that we specified during the initial setup have been flagged up right away so we can make a quick assessment about the type of threat posed by this domain and its wider subnet.

Further Analysis
What about the rest of the scan results? There’s plenty of useful analysis to be done with these too. To see the rest of the results, go to Browse By > Data Type:

The amount of information retrieved by Spiderfoot HX is considerable and we can learn an awful lot about the target. One of the first results identifies a Facebook page associated to the domain:


There’s also an awful lot of open ports:

And use of vulnerable software with several well-known CVEs:

The RIR (Regional Internet Registry) results also contain a lot of useful data about the host, including Whois data, associated e-mail addresses, HTTP banners, and HTML content:

To view more detail about any of the nodes, just right-click and choose “Details” to see more information. Nodes of interest can be highlighted, and if you’re ever unsure how a particular node is connected to the original query, you can look at the Discovery Path to find out. Right click on a node > Details > Discovery Path.

Because we chose a targeted scan rather than just a passive scan, there’s a lot of information that comes directly from the target website itself. Spiderfoot HX discovered 229 different URLs that accept passwords, 236 different HTML pages, 249 headers, and details of 45 co-hosted domains which are themselves likely to have been compromised. That’s more than enough information to learn about the domain and how it’s used for phishing.

It’s possible to export any or all of these datasets into JSON, CSV or GEXF format for further analysis by clicking on the Export icon:

As you can see, Spiderfoot HX is highly customisable, very powerful, and it gathers a huge amount of data in a short amount of time so that users can spend more time analysing the data and actioning it rather than spending hours just gathering it.

So far in this series of Spiderfoot guides we’ve looked at malicious IP addresses and domains. In the next part I’ll explore how Spiderfoot HX can be used to research online profiles, phone numbers, and e-mail addresses – and how Spiderfoot HX’s monitoring feature can keep actively checking them as part of an OSINT investigation.