Case 04 / Domain / CTI
Phishing domain chain
Read a phishing claim as a chain: short link, lookalike domain, passive DNS, certificate traces, and page similarity.
Real-case basis: Citizen Lab analysis of phishing and disinformation infrastructure.
Data package
A message that appears to be a security warning
A short URL, redirect chain, and visible login page
WHOIS/RDAP, passive DNS, IP, and certificate traces
Similar infrastructure from related campaigns
Task
Map the link and redirect chain without logging in or submitting data.
Compare the lookalike domain with the real service domain.
Assess whether IP, timing, and content patterns support campaign linkage.
Hint
Short links hide the destination. Expand them through safe or passive methods.
Lookalike domains may use a different TLD, punycode, or a single changed character.
A shared IP is not attribution by itself.
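The mapping, domain comparison and linkage steps in the Task section, together with the three hints above, can be worked through offline. The following Python script is an added example for this case, not code from the case material or from Citizen Lab. It assumes `example.com` as the real service domain, a constructed redirect chain of the kind a passive URL-expansion source would record (no request is ever sent), a small constructed homoglyph table, a one-label public-suffix simplification, and an exercise-specific rule that campaign linkage counts as supported only when at least two independent indicator types agree, so that a shared IP on its own is reported as weak.

```python
from urllib.parse import urlsplit

LEGITIMATE = "example.com"  # assumed real service domain for this exercise

# Constructed sample: a redirect chain as a passive expansion source would report
# it (requested URL, HTTP status, Location header). Nothing is fetched live here.
RECORDED_CHAIN = [
    ("https://short.example/abc123", 301, "https://click.tracker.example/r?id=42"),
    ("https://click.tracker.example/r?id=42", 302, "https://examp1e.com/login"),
    ("https://examp1e.com/login", 200, None),
]

# Constructed table of visual substitutions an analyst normalises away before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def hosts_in_chain(chain):
    """Return the ordered, de-duplicated hostnames a recorded redirect chain passes through."""
    hosts = []
    for url, _status, _location in chain:
        host = urlsplit(url).hostname
        if host and (not hosts or hosts[-1] != host.lower()):
            hosts.append(host.lower())
    return hosts


def registrable(host):
    """Split a hostname into (second-level label, TLD). Simplification: assumes a
    one-label public suffix, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def normalise(label):
    """Replace common look-alike glyph sequences with the letters they imitate."""
    out = label
    for glyph, letter in HOMOGLYPHS.items():
        out = out.replace(glyph, letter)
    return out


def edit_distance(a, b):
    """Levenshtein distance, used to catch a single changed, dropped or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare_domain(candidate, legitimate=LEGITIMATE):
    """Return the lookalike indicators found when comparing candidate to the real domain."""
    cand = candidate.lower().rstrip(".")
    c_sld, c_tld = registrable(cand)
    l_sld, l_tld = registrable(legitimate)
    findings = {
        # the real domain or one of its own subdomains
        "exact_match": cand == legitimate or cand.endswith("." + legitimate),
        # any IDN label: the rendered Unicode name may look identical to the real one
        "punycode": any(lbl.startswith("xn--") for lbl in cand.split(".")),
        "tld_differs": c_sld == l_sld and c_tld != l_tld,
        "single_char_change": c_tld == l_tld and edit_distance(c_sld, l_sld) == 1,
        "homoglyph": c_sld != l_sld and normalise(c_sld) == l_sld,
        # real domain used as a subdomain prefix of an unrelated registrable domain
        "legit_embedded": (legitimate + ".") in cand and (c_sld, c_tld) != (l_sld, l_tld),
    }
    findings["lookalike"] = not findings["exact_match"] and any(
        findings[k] for k in ("punycode", "tld_differs", "single_char_change",
                              "homoglyph", "legit_embedded"))
    return findings


def linkage_assessment(shared_ip, timing_overlap, content_similar):
    """Assumed rule for this exercise: a shared IP alone is weak; linkage is
    'supported' only when at least two independent indicator types agree."""
    signals = [name for name, present in (("shared_ip", shared_ip),
                                          ("timing", timing_overlap),
                                          ("content", content_similar)) if present]
    if len(signals) >= 2:
        return "supported", signals
    if signals:
        return "weak", signals
    return "none", signals


if __name__ == "__main__":
    hosts = hosts_in_chain(RECORDED_CHAIN)
    print("chain:", " -> ".join(hosts))
    print("final host:", compare_domain(hosts[-1]))
    print("linkage:", linkage_assessment(shared_ip=True, timing_overlap=False, content_similar=False))
```

The final hop in the constructed chain, `examp1e.com`, is flagged both as a single-character change and as a homoglyph of the real domain; a legitimate subdomain such as `login.example.com` is not flagged at all. The linkage rule deliberately reports a lone shared IP as weak, which is the point of the third hint.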
Answer key
The chain should be shown from message to short link to lookalike domain to infrastructure trace.
Citizen Lab connected domain, message, and infrastructure evidence to explain campaign context.
A good report focuses on risk and defensive handling, not live interaction.
Weak analysis example
The link looks like a security warning, so the user should open it and reset the password.
Careful report example
The link was not clicked live. Passive sources show a redirect to a domain that does not match the real service. Shared infrastructure and timing support phishing risk. The user should avoid the link and report it through the proper security channel.
