Pipeline Blog

Dissecting the Phish: Intro to Phishing Investigations

In this blog post, I will be introducing online resources that can be used to investigate Phishing sites.
In Collecting the Phishing Samples, I will cover how Phishing domain samples can be collected from online databases.
In Domain/IP/URL Analysis, Iwill be covering how the domains, IPs, and URLs can be analyzed using online services and WHOIS information.
In Sandbox Analysis, I will be covering how online sandboxes can be used to interact with and analyze Phishing pages.

Table of contents

  • Collecting the Phishing Samples
  • - PhishStats
  • - OpenPhish
  • - Phishing Database
  • - DNpedia
  • Domain/IP/URL Analysis
  • - VirusTotal
  • - urlscan.io
  • - WHOIS
  • Sandbox Analysis
  • - Browserling
  • - ANY.RUN
  • - Joe Sandbox
  • Conclusion

Collecting the Phishing Samples

There are various phishing databases available online, which include PhishStats, OpenPhish, Phishing Database. Phishing sites can also be found by checking for newly registered domains from places like DNpedia.


PhishStats’s public CSV is updated every 90 min and contains phishing URLs found in the past 30 days.
The phish_score.csv can be downloaded from the above and contains the Date discovered, score, URL, and IP address.


’s community database contains some phishing URLs found in the last 12 hours.

Phishing Database

contains the Phishing domains and URLs discovered in the present and the past (it includes the Total Phishing Domains and links captured). It also shows which domains and links are active.


can be used to check for Daily registered domains, Domains with certain keywords, and Possible Phishing domains.
Many suspicious domains are newly registered every moment, they can be checked in “
Brand impersonations and typo-squats can be checked in “
For example, I used the search query “amazo” to look for some sites that may be impersonating Amazon.
DNpedia can also look for possible phishing domains that were recently registered in “
”. You can select the impersonated brand under the “Keyword”. It shows the IPv4, AS Name as well.
For example, amazonoofers[.]com leads to a fake Amazon login page.

Domain/IP/URL Analysis

There are various services that can be used to analyze the URL, IP and domains. I will provide some examples of these useful online tools such as
, urlscan.io. I will also briefly cover WHOIS analysis.


VirusTotal shows the analysis results of multiple security vendors and other useful information.
Under the Relations tab, Passive DNS replication, Subdomains, Historial Whois Lookups, etc. can be seen.
The example used in this section can be found below,




shows many useful information such as Google safe browsing flag, current DNS A record, domain creation date, domain registrar, screenshot of the site, domain & IP information, etc. These can be found in the Summary section.
The HTTP request, status, response, and headers can be seen under HTTP transactions.
The redirect information, behaviour, and indicators can also be seen.
Similar domains can also be seen,
The example used in this section can be found below,

amazonoofers.com - urlscan.io

This website contacted 5 IPs in 3 countries across 5 domains to perform 12 HTTP transactions. The main IP is , located…



There are various sites and tools that can be used to lookup a WHOIS information. The WHOIS information includes the Creation date, Registrar information, ASN. This information can be used to analyze a domain.
Young domains and certain Registrars can raise a red flag (although this alone should not be used to judge whether a domain is malicious or not).
can be used to show the WHOIS information of a domain.
You can also lookup the WHOIS information on your terminal using the following command,
$ whois domain.com

Sandbox Analysis

There are multiple online sandboxes that can be used to analyze phishing sites, such as


Browserling is an Online cross-browser testing service, which can be used as an interactive sandbox. There are various operating systems available for testing, such as Windows 7, 8, XP, Android, etc. There are also various Browsers available for testing, such as Chrome, IE, Firefox, Opera, Safari.
You can open and view the contents of the phishing page and interact with the page.
You can also utilize the browser’s Developer tools. They can reveal a lot of information about the phishing page. The source code can be seen,
The Headers can be seen under “Network”,
Some phishing sites will only open if it matches a specific User-Agent. The User-Agent can be changed under “Network Conditions”.


is an online sandbox that can be used to test malware as well as suspicious links. It shows the screenshot of the phishing page, alongside other useful information.
The HTTP Requests, process information, DNS requests, threat information, and connection details can be seen,
A PCAP file can also be downloaded for further analysis.
There is a lot of other useful information on ANY.RUN. The full analysis result can be found below,

https://amazonoofers.com - Interactive analysis - ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no…


Joe Sandbox

Joe Sandbox
is an online sandbox that can be used to test malware and suspicious links. It shows the screenshot, malicious detection results, signatures, and much other useful information.
The behavior graph shows information like DNS/IP info, Process, Created File, etc.
The reputation of contacted domains and IPs can be seen,
Created/Dropped files can be seen,
The HTTP information can be seen,
The network information can be seen,
The packets can also be downloaded for further analysis,
There is a lot of other useful information on Joe Sandbox. The full analysis report can be found below,

Automated Malware Analysis Report for http://amazonoofers.com/ - Generated by Joe Sandbox

Automated Malware Analysis - Joe Sandbox Analysis Report

These were some of the methods that can be used to investigate phishing sites. Each service has its strengths and coverage area.
For example, Browserling lets you interact freely with phishing pages, but will not give you analysis details and other useful information like ANY.RUN and Joe Sandbox.
These services can be used together to conduct a deep dive investigation into phishing sites.
In my other blog posts, I used these techniques to analyze phishing pages.