A phishing panel, how does that work?

In the first half of 2022, the Dutch Fraud Helpdesk received as many as 18,738 reports of online fraud [1]. By then, the loss amount was over 21 million euros, which was already 2.5 million higher than the first half of 2021. Online fraud comes in many different forms: online store fraud, payment method fraud, identity fraud, unfair sales to individuals and so on. Many of these forms of fraud are facilitated by a phishing panel. In this article, we explain in more detail how a phishing panel works and what investigation opportunities are involved.

The operation of a website
To understand how a phishing panel works, it is important to first understand how a general website works. A website is a collection of files and folders placed on a computer. Through an IP address, a unique string such as 100.200.80.60, the computer as well as some of the folders and files on it can be reached via the internet. Making a website available on the internet is also known as 'hosting' on a 'web server'.

Since typing an IP address into the address bar is not a very user-friendly way to reach a website, a domain name is claimed. The claimed domain name (e.g. dataexpert.eu) refers to the computer on which the website resides.

A phishing panel
A phishing panel is nothing but a website, or a collection of folders and files on a computer. The image below shows the folders and files from a phishing panel. When the cybercriminal makes these folders available via a web server, the phishing websites are automatically published.

By going to the "admin" section behind the domain name with a browser, cybercriminals can gain access to an admin panel. From this admin panel, cybercriminals can choose a phishing attack such as €0.01 fraud or the PostNL fraud.

The chosen attack includes ready-made phishing websites that can be displayed to victims. These phishing websites have the exact appearance of well-known and trusted organisations, such as bank login pages.

When victims fall into the trap, the cybercriminals can view the entered data in real time in the admin panel. In addition, they can interact live with the victims to obtain the information they need.

Apart from the appearance of the websites resembling existing business pages, cybercriminals also claim domain names very similar to those we are used to from the well-known sites. With the advent of Top Level Domains (TLDs) other than .nl and .com, it has become easier for cybercriminals to lead a victim astray. Take Tikkie as an example. Is the correct domain name https://tikkie.nl, https://tikkie.com, https://tikkie.onine or https://tikkie.me? The site with the .me domain is the real “Tikkie” service.
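The domain check described above can be automated on the defender's side. The following is an added example, not part of the original article: it compares the host of a URL against an allowlist of official domains and labels everything else for review. The allowlist contents, the category names and the two hosts under reserved example domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hand-maintained allowlist, brand name -> official domains.
OFFICIAL = {"tikkie": {"tikkie.me"}}

def edit_distance(a, b):
    """Levenshtein distance, to catch near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Classify the host of a URL against the allowlist."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Simplification: the label before the TLD is treated as the registered
    # name; multi-part suffixes such as co.uk need a public-suffix list.
    name = labels[-2] if len(labels) >= 2 else ""
    for brand, domains in OFFICIAL.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official"
        if name == brand:
            return "same-name-other-tld"      # not on the allowlist: review
        if any(brand in label for label in labels):
            return "brand-in-hostname"        # brand used as subdomain or prefix
        if name and edit_distance(name, brand) <= 1:
            return "near-miss-spelling"
    return "unrelated"

# Constructed sample input: the four candidates from the text plus two
# made-up hosts under reserved example domains.
SAMPLES = ["https://tikkie.nl", "https://tikkie.com", "https://tikkie.onine",
           "https://tikkie.me", "https://tikkie.me.example.net/login",
           "https://tikkle.example/"]

def report(urls=SAMPLES):
    return {url: classify(url) for url in urls}

if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:22} {url}")
```

A verdict other than "official" only means the host is not on the allowlist; who registered such a domain still has to be established separately.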

The opportunities for law enforcement
It is relatively easy for a cybercriminal to remain anonymous online and use criminal services such as phishing panels. This is possible because they use techniques such as a VPN connection, a mobile connection or a public Wi-Fi network. Nevertheless, cybercriminals regularly make mistakes, and the chance of being caught by law enforcement is real. To make use of those mistakes, it is crucial that investigators know which steps cybercriminals go through, so that they also know which traces are left behind.

In the case of phishing, it is necessary to look at the bigger picture. For instance, it is not only the phishing website itself that is relevant for finding out the modus operandi of a cybercriminal, but also how they made contact and how the financial settlement was done. Below, we have listed step by step what information may be relevant to investigate in the case of phishing:

  1. Identify how the cybercriminal made contact:
     • Through an online advertisement.
     • Via an e-mail.
     • Via WhatsApp or SMS.
  2. Depending on the method of contact, different data sources can be requisitioned and investigated:
     • Online ad: requisition the IP address data of the visit.
     • E-mail: investigate the mail header.
     • WhatsApp or SMS: query the phone number and requisition the IP address from WhatsApp. In addition, investigate proprietary systems & OSINT.
  3. Find out valuable information about the phishing website itself, including:
     • Where is it hosted? Here, requisition name and address, payment and IP address details.
     • Where is the domain name registered? Here, requisition the name, payment and IP address details.
  4. Map out how the financial settlement was done:
     • Requisition name, address and other details of the counter account.
     • Requisition IP address details at login and transfer.
     • Requisition camera images if money was withdrawn.
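One way to carry out the "investigate the mail header" step from the list above, shown as an added example that is not from the original article. It reads the Received headers of a message and separates the IP address recorded by the recipient's own mail servers from addresses that only appear in headers written on the sender's side, which the sender can forge. The message, host names and the `trusted_suffix` parameter are constructed for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# RFC 1918 and loopback ranges. An explicit list is used because the sample
# uses documentation ranges, which ipaddress.is_global would also reject.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def is_internal(ip):
    try:
        return any(ip_address(ip) in net for net in INTERNAL)
    except ValueError:          # malformed address in a header: not usable
        return True

def analyse(raw, trusted_suffix):
    """Split client IPs into one verified by our servers and sender claims."""
    verified, claimed, in_trusted = None, [], True
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        by = BY_RE.search(flat)
        ips = [ip for ip in IP_RE.findall(flat.split(" by ", 1)[0])
               if not is_internal(ip)]
        # Headers are stored newest first. Trust ends at the first header
        # not written by our own servers; older ones may be forged.
        in_trusted = in_trusted and bool(by) and by.group(1).endswith(trusted_suffix)
        if in_trusted:
            verified = ips[-1] if ips else verified
        else:
            claimed.extend(ips)
    return {"verified_peer": verified, "claimed_by_sender": claimed}

# Constructed sample message (documentation IP ranges, reserved domains).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 4 Jul 2022 10:00:05 +0200
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 4 Jul 2022 10:00:03 +0200
Received: from [10.0.0.5] (unknown [203.0.113.45])
\tby relay.sender.example with ESMTPSA id C3; Mon, 4 Jul 2022 10:00:01 +0200
From: "Bank" <service@bank.example>
Subject: Constructed sample

body
"""

if __name__ == "__main__":
    print(analyse(SAMPLE, ".recipient.example"))
```

The verified address is the one worth requisitioning first; the claimed addresses are leads that need corroboration from the relaying provider.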

Follow our cybercrime training courses
Want to learn more about how cybercriminals work? Follow our cybercrime training courses. During these training courses, we map out (complex) cybercrime processes and teach you how to investigate cybercrime taking into account the possible risks of harm.

Source
[1] https://www.nu.nl/tech/6213738/dit-jaar-al-bijna-21-miljoen-euro-aan-schade-door-online-fraude-gemeld.html
