How to Investigate Phishing Websites with Redirection (3/5)
In this third installment of our five-part series on phishing website investigation, we dive deep into using Chrome DevTools to analyze and understand how redirection is controlled by JavaScript and other methods. This post is your step-by-step guide to uncovering the inner workings of redirection techniques on scam websites, with practical examples and clear tactics for both beginners and advanced users.
🧰 Introduction to Chrome DevTools
Chrome DevTools is an indispensable toolkit for developers and cybersecurity professionals. It allows you to inspect the underlying code and behavior of any website. With DevTools, you can view:
- JavaScript Code: See exactly which scripts are running, including those that trigger redirections.
- HTML Structure: Understand the page layout and embedded elements.
- Redirection Behavior: Identify statements such as assignments to `window.location` that change the browser's location.
- Network Requests: Examine the complete redirect chain to trace where each request leads.
- DOM Events: Monitor automatic events like page load or user interactions that can initiate redirections.
While phishing sites often redirect so fast that the original page logic is hidden from view, several techniques allow you to pause these actions and investigate the underlying code.
🌐 How to Pause and Analyze Fast Page Redirects
Because many phishing websites perform redirections in under 0.1 second, stopping the transition to inspect the initial code can be challenging. The following methods help you intercept these rapid redirects:
🧨 Method 1: Disabling JavaScript in DevTools
One effective way to “freeze” a fast redirect is by temporarily disabling JavaScript on the page. This stops any automatic redirection code from executing.
Step-by-Step Instructions:
- Open DevTools: Press F12 (or right-click on the webpage and select Inspect) to open Chrome DevTools.
- Access Settings: Click the gear icon (Settings ⚙️) or press F1.
- Disable JavaScript: Under Preferences, scroll to the Debugger section and check Disable JavaScript. (The Command Menu, Ctrl+Shift+P, also offers a "Disable JavaScript" command.)
What Happens:
With JavaScript disabled, the page loads its HTML without executing any scripts, so every script-driven redirect (timers, DOMContentLoaded handlers, click handlers, scripts loaded inside iframes) never fires. It does not stop server-side HTTP 3xx redirects or `<meta http-equiv="refresh">` tags; Method 2 covers the former, and the Elements panel shows the latter. You can now switch to the Sources or Elements panel to review the raw markup and the redirection logic.
Pro Tip:
Use Ctrl+F in the Sources panel (or Ctrl+Shift+F to search every loaded script) and look for `location`, `href`, `setTimeout`, `replace`, or `assign` to quickly pinpoint redirection code.
🛡 Method 2: Inspecting Network Requests
Not all redirection comes from JavaScript; some is performed by the server through HTTP 3xx responses (most commonly 302 Found) that carry a Location header. By monitoring the network traffic, you can capture the full redirect chain, and this works whether or not JavaScript is enabled.
Step-by-Step Instructions:
- Open the Network Panel: In DevTools, select the Network tab.
- Preserve the Log: Check the Preserve log option in the Network panel toolbar. This keeps every request visible across navigations, so the redirecting response is not cleared from the list when the next page loads.
- Disable Cache: Also check Disable cache in the same toolbar, so you see a fresh response rather than a cached redirect. Apply both settings before reloading.
- Refresh the Page: Press Ctrl+R. The first request to the suspected phishing domain now stays in the list; select it and expand the Headers section to find the HTTP status code (e.g., 302 Found, though 301, 303, 307 and 308 are also redirects) and the Location header pointing to the next URL. Repeat for each hop in the chain.
Advantages:
This method captures every redirection step, allowing you to reconstruct the entire redirect chain even if the redirection happens too quickly to visually inspect the page.
👾 Method 3: Simulating Different User Agents
Phishing websites often use device-based redirection tactics. Some pages might only redirect mobile users or specific browser types. Chrome DevTools lets you emulate different devices to see these variations.
Step-by-Step Instructions:
- Toggle Device Toolbar: Click the small mobile phone icon in the top-left corner of DevTools (or press Ctrl+Shift+M).
- Select a Device: Choose a device preset (e.g., iPhone, Android). Presets change both the viewport and the User-Agent string the browser sends; a custom resolution alone changes only the viewport. To send an arbitrary User-Agent, open More tools → Network conditions and set the User agent field there.
- Monitor Redirection: Reload and observe the page behavior in the Network panel, looking for differences in the redirect chain or additional headers that only appear for specific devices.
🧪 Bonus: Using cURL on Linux
For those who prefer a command-line approach, you can use curl on Linux to request the page without executing any JavaScript. Because curl only reports what the server returns (status line, headers and body), any redirect it shows must be server-side, which makes it a clean way to confirm that kind of redirection.
Example Command:
Expected Output:
A 3xx status with a Location header in curl's output confirms that the server itself issues the redirect, with no client-side JavaScript involved. If curl instead receives a 200 response with HTML while a browser is redirected, the redirect is client-side (JavaScript or a meta refresh). Since servers often vary their response by User-Agent, repeat the request with a browser User-Agent string before drawing a conclusion.
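The chain reconstruction described in Method 2 and confirmed with curl, as an added example that is not code from the original post: it takes raw response headers (the kind you copy from the Network panel's Headers tab or from curl's output, one block per URL) and follows Location headers until the chain ends, resolving relative targets and stopping on loops. The capture format, the helper names and every URL below are constructed for this example; the `.test` domains are placeholders, not real phishing hosts.

```javascript
// Added example (not from the original post): reconstruct a redirect chain from
// captured HTTP response headers, as copied from the DevTools Network panel
// (Preserve log on) or from curl output. The captures below are constructed
// for illustration; the .test domains are placeholders, not real phishing hosts.

// Parse one raw response (status line plus headers) into { status, headers }.
// Header names are lower-cased because HTTP/2 captures show them that way.
function parseResponse(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const m = lines[0].match(/^HTTP\/\d(?:\.\d)?\s+(\d{3})/);
  if (!m) throw new Error(`bad status line: ${lines[0]}`);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Follow Location headers from startUrl through `captured` (URL -> raw response).
// Stops at a non-3xx response, a 3xx without Location, an uncaptured URL, a loop,
// or maxHops. Relative Location values are resolved against the current URL.
function redirectChain(startUrl, captured, maxHops = 10) {
  const hops = [];
  const seen = new Set();
  let url = startUrl;
  while (hops.length < maxHops) {
    if (seen.has(url)) { hops.push({ url, note: 'loop detected' }); break; }
    seen.add(url);
    const raw = captured[url];
    if (raw === undefined) { hops.push({ url, note: 'not captured' }); break; }
    const { status, headers } = parseResponse(raw);
    const hop = { url, status };
    if (status >= 300 && status < 400 && headers.location) {
      hop.location = new URL(headers.location, url).href;
      hops.push(hop);
      url = hop.location;
    } else {
      hops.push(hop); // final destination, or a 3xx we cannot follow
      break;
    }
  }
  return hops;
}

// Render the chain the way you would write it up in a report.
function formatChain(hops) {
  return hops.map(h => h.status !== undefined
    ? `${h.status} ${h.url}${h.location ? ' -> ' + h.location : ''}`
    : `?   ${h.url} (${h.note})`).join('\n');
}

// Constructed capture: the lure host bounces HTTP -> HTTPS, then to a tracking
// path, then (via a lower-cased HTTP/2 header) to the credential-harvesting page.
const sampleCapture = {
  'http://example-lure.test/':
    'HTTP/1.1 302 Found\r\nServer: nginx\r\nLocation: https://example-lure.test/\r\n',
  'https://example-lure.test/':
    'HTTP/1.1 302 Found\r\nLocation: /step2?c=1\r\n',
  'https://example-lure.test/step2?c=1':
    'HTTP/2 302\r\nlocation: https://final-landing.test/login\r\n',
  'https://final-landing.test/login':
    'HTTP/2 200\r\ncontent-type: text/html\r\n',
};

console.log(formatChain(redirectChain('http://example-lure.test/', sampleCapture)));
```

The loop check matters in practice: misconfigured or deliberately evasive lure hosts sometimes bounce between two URLs, and a naive follower would never terminate. Keeping the hop limit separate from the loop check also catches long chains that never repeat a URL.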
🧭 Practical Steps to Uncover Redirect Behavior
The following is a consolidated workflow to uncover the redirection actions on a phishing website:
- Launch DevTools on the Target Page: Open the page (for example, a .top phishing URL) and press F12 to open DevTools.
- Inspect JavaScript Code: Navigate to the Sources panel and use Ctrl+Shift+F to search all loaded scripts for keywords like `window.location` or `location.href`. This will help you find the specific lines that trigger redirects.
- Set Breakpoints: Click on the line number next to any redirection code to set a breakpoint. Refresh the page and observe where execution halts. Check the Call Stack in the debugger sidebar to determine what triggered the redirect. If the redirect fires before you can locate the line, use Event Listener Breakpoints (Script → Script First Statement, or Load → DOMContentLoaded) to pause before the first script runs.
- Examine the Network Tab: Switch to the Network panel (with Preserve log enabled) and refresh the page. Identify the initial request made to the phishing site, then click through the chain to track the HTTP 3xx responses and read the next destination from each Location header.
- Analyze Remote Address Information: In the Network tab, check the Remote Address field for the IP address (e.g., 102.134.34.168:443). This is the server that answered the request. Use it with whois or online tools such as ipinfo.io, db-ip.com, or AbuseIPDB to determine the server's ownership, geographical location, and past abuse reports. Bear in mind that a CDN or reverse proxy in front of the site will show its own address rather than the origin server's.
🧪 Real-World JavaScript Redirection Examples
Phishing websites often deploy various JavaScript snippets to achieve redirects. Here are two common patterns:
Example 1:
Explanation:
This script delays the redirection by 100 milliseconds. The window is too short for a user to notice, but it can be long enough for some automated crawlers to capture the initial page, and a breakpoint on the `setTimeout` call or on the location assignment stops it entirely.
Example 2:
Explanation:
This script fires the redirection as soon as the DOM has been parsed, so the lure page is displayed for an instant at most. Without intervention (disabling JavaScript as in Method 1, or a breakpoint on the listener) there is no opportunity to inspect it.
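The two patterns described above (a `setTimeout` delay and a `DOMContentLoaded` handler), together with the keyword search from Method 1's Pro Tip, as an added example that is not code from the original post. The snippets are executed against a stub `window`/`document` so their effect can be observed under Node with no browser and no network access; the stub, the scanner's pattern list and the `.test` URLs are all constructed for this example.

```javascript
// Added example (not from the original post). Reproduces the two JavaScript
// redirect patterns described in the text against a stub browser environment,
// then scans their source for the redirect keywords an analyst searches for
// in the Sources panel. The stub, the snippets and the .test URLs are constructed.

// Minimal stand-ins for window/document: records timers instead of waiting,
// and lets us fire DOM events on demand.
function makeBrowserStub() {
  const listeners = {};
  const win = {
    pendingTimers: [],
    location: {
      href: 'https://example-lure.test/',
      replaced: false,
      // location.replace() also drops the lure page from history, so the Back
      // button cannot return to it; we record that it was used.
      replace(url) { this.href = url; this.replaced = true; },
    },
    setTimeout(fn, ms) { win.pendingTimers.push({ fn, ms }); },
    document: {
      addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
      fire(type) { (listeners[type] || []).forEach(fn => fn()); },
    },
  };
  return win;
}

// Pattern 1: redirect delayed by 100 ms through setTimeout.
const pattern1 = `setTimeout(function () {
  window.location.href = "https://final-landing.test/login";
}, 100);`;

// Pattern 2: redirect fired as soon as the DOM has been parsed.
const pattern2 = `document.addEventListener("DOMContentLoaded", function () {
  window.location.replace("https://final-landing.test/login");
});`;

// Execute a snippet with our stub bound to the global names it expects.
function runSnippet(src, win) {
  new Function('window', 'document', 'setTimeout', src)(win, win.document, win.setTimeout);
  return win;
}

// Keywords from the Pro Tip, as regexes, with the reason each one matters.
const REDIRECT_PATTERNS = [
  { name: 'location assignment', re: /\b(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=[^=]/ },
  { name: 'location.replace/assign', re: /\blocation\.(?:replace|assign)\s*\(/ },
  { name: 'delayed via setTimeout', re: /\bsetTimeout\s*\(/ },
  { name: 'waits for DOMContentLoaded', re: /DOMContentLoaded/ },
];

// Report matching lines (1-based) so a breakpoint can be set on each one.
function scanForRedirects(src) {
  const hits = [];
  src.split('\n').forEach((line, i) => {
    for (const { name, re } of REDIRECT_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, name, text: line.trim() });
    }
  });
  return hits;
}

// Run both patterns and report what each did to the (stub) browser.
function demonstrate() {
  const a = runSnippet(pattern1, makeBrowserStub());
  const beforeTimer = a.location.href;      // still on the lure page
  a.pendingTimers.forEach(t => t.fn());     // let the 100 ms elapse
  const b = runSnippet(pattern2, makeBrowserStub());
  const beforeEvent = b.location.href;
  b.document.fire('DOMContentLoaded');
  return {
    pattern1: { delayMs: a.pendingTimers[0].ms, beforeTimer, after: a.location.href,
                hits: scanForRedirects(pattern1) },
    pattern2: { beforeEvent, after: b.location.href, usedReplace: b.location.replaced,
                hits: scanForRedirects(pattern2) },
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Two details are worth noting when you meet these patterns live. First, both snippets leave `location.href` on the lure page until the timer fires or the event is dispatched, which is exactly the state a breakpoint or Disable JavaScript freezes. Second, `location.replace()` removes the lure page from the session history, so a victim who presses Back lands on whatever preceded the lure, not on the lure itself; when you see `replace` rather than an `href` assignment, the author is trying to cover that trail.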
💡 Bonus: Comparing HTTP 302 and JavaScript Redirects
Phishing sites choose redirection methods based on their goals:
| Redirection Method | Advantages | Drawbacks |
|---|---|---|
| HTTP 3xx redirect (e.g., 302) | Server-side control; the Location header states the destination explicitly | Visible to any crawler, scanner or curl request that follows redirects, so security systems detect it easily |
| JavaScript redirect | Can be mixed into other scripts and obfuscated; timing and conditions (such as device type) are adjustable | Requires a JavaScript-capable client, so it only works in a browser, and the logic is exposed in the page source once scripts are paused |
Cybercriminals frequently favor JavaScript redirects to evade automated blocking measures while still achieving fast redirection.
Conclusion
Mastering the use of Chrome DevTools to monitor and dissect web redirection tactics is a critical skill in the fight against phishing scams. By understanding how to disable JavaScript, inspect network requests, simulate various user agents, and analyze redirection-related code, you empower yourself to conduct thorough phishing website investigations.
Armed with these techniques, you can uncover redirection chains, trace scam website IPs, and ultimately contribute to preventing fraudulent activities. In our next post, we will explore additional tools and tactics to further enhance your investigative capabilities.