What’s Phishing Like In 2023?

submited by
Style Pass
2023-11-20 17:00:04

I found a phishing filter (here) which can be used in content blockers (as well as adblockers) like uBlock Origin. I wanted to analyze the phishing links — and this is the analysis.

crazydomains.com (with their Sitebeat website builder), with 1,164 websites. Interestingly, the domains I tested seemed to redirect to global_errors.sitebeat.crazydomains.com with a “Coming Soon” page (which is also in the filter list)

workers.dev (Cloudflare Workers), with 759 entries Cloudflare Workers is a service which allows a user to run JavaScript on their edge nodes. I presume these could be proxies or returning hardcoded HTML. However, the code isn’t visible so that’s just speculation.

Google Docs, with 1,296 entries. This includes 74 forms, 10 documents, 6 drawings, and 1,206 presentations. Almost all presentations contain “/pub?” with some data as URL parameters. I’m not too sure what this does. In addition, Google Drive has 9 entries. Many of the URLs seem to be taken down, either by the owner or by Google.

There are 102 entries for “script.google.com” (Google Apps Script) which link to macros and running the script, sometimes with parameters to track the user that clicks.

Leave a Comment