From Phishing Detection to Anti-Fraud Investigation
StalkPhish analyzes phishing sites and related data to reveal attacker infrastructure, victim information and criminal networks. Its techniques can reconstruct attack timelines, identify malicious behaviour patterns, and support anti-fraud investigations and security defence. 2025-7-6 21:16:33 Author: stalkphish.com

Our Expertise at the Heart of Cybersecurity

At StalkPhish, our core business includes, among other things, phishing detection. Every day we detect, enrich, and sort tens of thousands of phishing URLs. Beyond that, StalkPhish.io probes also retrieve relevant information directly embedded in phishing kits.

Among these are the phishing kits themselves: the source code of these pages reveals sensitive information about threat actors as well as about victims. This wealth of data naturally opens the door to anti-fraud investigations of remarkable precision.

“Transforming cybersecurity data into business intelligence”

Inside Phishing Kits

Phishing kit sources reveal a multitude of exploitable information:

Configuration Files: Where exfiltration vector configurations, email addresses, Telegram bots and channels, Discord webhooks, etc., are recorded. These elements allow mapping the attacker’s complete infrastructure.

Log Files: Indicating initial hits, often tested by the actors themselves and potentially revealing their public IP address, relevant information for legal proceedings. These traces often constitute the first lead toward cybercriminal identification.

Page Source Code: Often revealing information about these kits’ developers, API keys, authentication keys to PHaaS (Phishing-as-a-Service), etc. Forensic analysis of these elements can expose entire criminal networks.

Flat Files: Often text files where stolen data can be recorded… and which can be, within a regulatory framework, relevant for conducting targeted and documented anti-fraud investigations.
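The configuration-file triage described above, as an added example that is not StalkPhish's own code: it runs over a constructed kit config (not a real kit) and pulls out the exfiltration indicators an investigator would map, then redacts the bot secret before it goes into a report.

```python
import re
from typing import Dict, List

# Constructed sample of a phishing-kit configuration file (not a real kit).
# It mimics the exfiltration settings listed in the article: a recipient
# mailbox, a Telegram bot token and chat id, and a Discord webhook.
SAMPLE_CONFIG = """
$send_to = "results.collector@example.net";
$tg_token = "123456789:AAExampleBotTokenPlaceholder_xyz";
$tg_chat  = "-1001234567890";
$discord  = "https://discord.com/api/webhooks/1234567890/EXAMPLE_TOKEN";
$redirect = "https://www.example.com/login";
"""

# Indicator patterns. The Telegram token pattern follows the documented
# shape (numeric bot id, colon, secret); supergroup chat ids start with -100;
# the Discord pattern follows the documented webhook URL path.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "telegram_bot": re.compile(r"\b\d{8,12}:[A-Za-z0-9_-]{30,}\b"),
    "telegram_chat": re.compile(r"(?<![\d:])-100\d{10}\b"),
    "discord_webhook": re.compile(
        r"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"),
}


def extract_exfil_indicators(config_text: str) -> Dict[str, List[str]]:
    """Return the exfiltration indicators found in a kit config, keyed by type."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = sorted(set(pattern.findall(config_text)))
        if hits:
            found[kind] = hits
    return found


def redact_token(token: str) -> str:
    """Keep the bot id (useful for correlation) and drop the secret part."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:***"


if __name__ == "__main__":
    for kind, values in extract_exfil_indicators(SAMPLE_CONFIG).items():
        if kind == "telegram_bot":
            values = [redact_token(v) for v in values]
        print(f"{kind}: {', '.join(values)}")
```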

Types of Stolen Data and Their Implications

Phishing is practiced to fulfill different objectives, among which we can reference the main ones:

Malware Deployment: Designed to make the user execute a malicious payload to take control of the victim’s workstation (or information system) by impersonating a legitimate contact.

Banking Data Theft: The victim is led to declare payment method information (bank card, CVV, expiration date), or even the OTP number generated to validate transactions/modifications. This data constitutes the core of numerous financial frauds.

Personal or Administrative Data Theft: Names, surnames, addresses, phone numbers, or even scans of identity papers or other declarations can be gleaned through this means, directly feeding identity theft networks.

Cryptocurrency Wallet Access Theft: The victim is invited to declare access secrets to their wallet, opening the way to often irreversible fund diversions.

Access Theft: To an email address, infrastructure (VPN, AD, …), enabling lateral movements and large-scale enterprise compromises.

From Stolen Data to Anti-Fraud Investigation

Retrievable data is generally timestamped, showing the date and time of theft, whether in a text file or via an API used for exfiltration. This temporality becomes crucial for reconstructing attack chronologies.

From there, it can be trivial to follow access attempts to stolen accounts and determine the actor’s objectives. If they have access to webmail, what is their objective? Spam? Lateral movement? If it’s malware detonation, what actions have been performed since? Who else might have been caught by the same campaign?

The same applies to anti-fraud efforts, and it’s even more enriching when multiple accounts, identified as stolen during one or more phishing campaigns, become the subject of fraudulent activity:

Key Investigation Questions: Where does the actor connect from to access the hijacked accounts? Once connected, what are they trying to do? Can we identify a single malicious actor who has used multiple stolen accounts? These are questions that can greatly enrich a potential fraud investigation.

Predictive Modeling: From observed patterns, can we determine a detection model for other accesses and malversation attempts, thus improving this detection? This is the entire purpose of this type of investigation, transforming each incident into a learning opportunity.
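The chronology and correlation reasoning above, as an added example that is not StalkPhish's own code: theft timestamps (as a kit's flat file or exfiltration API would record them) are joined with a constructed webmail authentication log, keeping only access attempts after the theft, and source addresses seen across several stolen accounts are surfaced as a candidate single actor. Records, log lines and field names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed theft records: victim account and time of theft (UTC), as a
# kit's flat file or its exfiltration API would timestamp them.
THEFT_RECORDS: List[Tuple[str, str]] = [
    ("alice@example.org", "2025-07-01T09:12:00Z"),
    ("bob@example.org", "2025-07-01T09:40:00Z"),
    ("carol@example.org", "2025-07-02T14:05:00Z"),
]

# Constructed webmail authentication log (time, user, source IP, result).
# Failed attempts are kept on purpose: they are still access attempts.
AUTH_LOG = """\
2025-07-01T08:50:00Z user=alice@example.org ip=203.0.113.8 result=success
2025-07-01T10:03:00Z user=alice@example.org ip=198.51.100.77 result=success
2025-07-01T10:09:00Z user=bob@example.org ip=198.51.100.77 result=success
2025-07-02T14:30:00Z user=carol@example.org ip=198.51.100.77 result=failure
2025-07-02T15:00:00Z user=carol@example.org ip=192.0.2.40 result=success
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn 'ts key=value ...' lines into dicts with a 'ts' field."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = ts
        events.append(event)
    return events


def post_theft_logins(theft_records, log_text) -> List[Dict[str, str]]:
    """Access attempts on a stolen account at or after its recorded theft time."""
    stolen = {user: parse_ts(ts) for user, ts in theft_records}
    return [ev for ev in parse_auth_log(log_text)
            if ev["user"] in stolen and parse_ts(ev["ts"]) >= stolen[ev["user"]]]


def shared_sources(hits, min_accounts: int = 2) -> Dict[str, List[str]]:
    """Source IPs that touched at least min_accounts distinct stolen accounts."""
    by_ip = defaultdict(set)
    for ev in hits:
        by_ip[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}
```

A source address that touches several accounts stolen by the same campaign is the kind of observed pattern the detection model can then be built on.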

Toward a Holistic Cybersecurity Approach

Knowledge of stolen access can be of major utility in the context of investigations, including investigations in the fraud domain. This approach allows not only identifying ongoing or past frauds, but also improving the detection system and, from there, identifying the actors behind them: a fake company, a malicious account, etc.

StalkPhish’s evolution toward anti-fraud investigation perfectly illustrates how phishing detection expertise can serve as a foundation for a broader security strategy, transforming each detected threat into actionable intelligence to strengthen organizational defenses. ✨

How StalkPhish Can Help You

StalkPhish.io analyzes tens of thousands of phishing URLs daily, providing real-time intelligence for anti-fraud investigations. Our platform helps organizations:

🔎 Trace compromised data and identify potential fraud attempts
📊 Correlate phishing campaigns with your security incidents
Proactive fraud detection through continuous monitoring
🛡️ Expert investigation support for internal teams and legal proceedings

Been targeted by phishing or suspect fraud? Our forensic experts can help analyze the scope of compromise, trace post-intrusion activities, and strengthen your detection systems.

Transform your threats into security opportunities.




Source: https://stalkphish.com/2025/07/06/from-phishing-detection-to-anti-fraud-investigation/