BIPI

Phishing Infrastructure That Survives 24 Hours: Domains, Redirectors, and Categorization


Most phishing infrastructure dies in the first six hours, killed by URL scanners and SafeBrowsing. This guide builds infrastructure that survives the engagement window, with aged domains, layered redirectors, proper categorization, and a kill switch that protects scope when something goes wrong.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 20, 2023 · 11 min read

#phishing #infrastructure #redirector #gophish #red-team

Why most phishing dies fast

Newly registered domains, brand lookalikes, and bare IP addresses get blocked by URL scanners within hours. Google Safe Browsing, Microsoft Defender SmartScreen, and the corporate proxy vendors all consume the same kinds of signals: registration age, crawler results, certificate issuance, and user reports, and a block in one feed propagates to the others quickly. Your infrastructure has to look boring to survive.

Domain selection

  • Buy aged domains from a reputable broker; prefer domains with at least six months of registration history and a clean prior use.
  • Avoid obvious brand lookalikes; prefer semantic variants that fit the pretext, such as vendor-portal-help.com.
  • Set WHOIS details that are consistent with the pretext rather than the operator, and keep them consistent with the landing page the domain serves.

Categorization

Submit the domains to the categorization services as business or technology, never anonymizer or uncategorized. Symantec/Bluecoat WebPulse and Cisco Talos both accept reclassification requests, and a clean category does more for survival than any payload trick. Put a plausible landing site on the front before you submit, because the reviewers look at what the domain actually serves.

Redirector chain

  1. Front: a low-cost VPS running nginx that serves a benign landing page to anything that is not a valid target.
  2. Middle: mod_rewrite or nginx rules that forward only valid, tokenised requests to the payload host and send everything else to the benign page.
  3. Back: the actual phishing server, reachable only from the redirectors and never exposed to crawlers or direct lookup.

User-agent and IP gating

  • Allow only browsers expected for the target geography and platform.
  • Block known scanner IP ranges, including Microsoft, Google, and Cloudflare egress.
  • Drop requests without an expected URL token to a benign 404.
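The redirector chain and the gating rules above amount to one decision per request: proxy to the payload host or serve the benign 404. The following is an added example, not BIPI's own code, of that decision written as a single function so it can be unit-tested before it goes into an nginx `auth_request` handler or a small WSGI app on the middle tier. The scanner ranges, user-agent patterns, and per-target tokens are constructed placeholders; the kill switch is the operator-side flag the introduction mentions, here modelled as a plain boolean.

```python
"""Redirector gating decision (added example, not from the original post).

Models the middle tier of the redirector chain: a request is proxied to the
payload host only if it carries a valid per-target token, comes from an
allowed browser and platform, and does not originate from a known scanner
range. Everything else, and everything while the kill switch is set, gets
the benign 404.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# In a live redirector these would be the published egress ranges of
# Microsoft, Google, Cloudflare and the other scanners you expect to see.
SCANNER_NETS = [ipaddress.ip_network(n) for n in
                ("203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32")]

# Browsers expected for this target population: Windows 10/11 desktop
# Chrome or Edge. Anything else is served the benign page.
ALLOWED_UA = re.compile(r"Windows NT 10\.0.*(Chrome|Edg)/\d+")
# Fetchers and headless browsers that commonly identify themselves. Checked
# before the allow list because "HeadlessChrome/119" contains "Chrome/119"
# and would otherwise pass it.
SCANNER_UA = re.compile(
    r"(curl|wget|python-requests|Go-http-client|HeadlessChrome|Googlebot|bingbot)", re.I)

# Per-target URL tokens minted at send time (constructed values), mapped to
# an internal target id so the back end knows who clicked.
VALID_TOKENS = {"k7Qm3xPz": "t001", "Vb92LrNq": "t002"}
TOKEN_PATH = re.compile(r"^/r/([A-Za-z0-9]{8})/?$")


@dataclass
class Request:
    ip: str
    user_agent: str
    path: str


@dataclass
class Decision:
    route: str                 # "payload" (proxy to back end) or "benign" (serve 404)
    reason: str
    target: Optional[str] = None


def classify(req: Request, kill_switch: bool = False) -> Decision:
    """Decide whether the front tier proxies this request to the payload host.

    Checks run cheapest and loudest first: a tripped kill switch or a scanner
    source address wins before any token or user-agent logic is consulted.
    """
    if kill_switch:
        return Decision("benign", "kill-switch")
    try:
        addr = ipaddress.ip_address(req.ip)
    except ValueError:
        return Decision("benign", "bad-ip")
    if any(addr in net for net in SCANNER_NETS):
        return Decision("benign", "scanner-net")
    m = TOKEN_PATH.match(req.path)
    if not m or m.group(1) not in VALID_TOKENS:
        return Decision("benign", "no-token")
    if SCANNER_UA.search(req.user_agent) or not ALLOWED_UA.search(req.user_agent):
        return Decision("benign", "user-agent")
    return Decision("payload", "ok", VALID_TOKENS[m.group(1)])


if __name__ == "__main__":
    ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
    for r in (Request("192.0.2.10", ua, "/r/k7Qm3xPz"),
              Request("203.0.113.5", ua, "/r/k7Qm3xPz"),
              Request("192.0.2.10", "curl/8.4.0", "/r/k7Qm3xPz"),
              Request("192.0.2.10", ua, "/")):
        print(r.ip, r.path, "->", classify(r))
```

The order of the checks matters operationally: a scanner hit on the token path should never reach the user-agent branch, and the kill switch must short-circuit everything so that flipping it is enough to take the whole campaign dark without touching nginx.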

TLS that does not scream phishing

Use Let's Encrypt with a clean subject alternative name (SAN) list that contains only the hostnames you actually serve. Avoid wildcard certs and certs that bundle unrelated brand names; every issued cert is published to Certificate Transparency logs, which brand monitors watch. Set HSTS only once the hostnames and paths are final: the browser caches the max-age, so a later fallback to plain HTTP on the same host will fail and brick your own retry.

Frameworks worth using

  • GoPhish for traditional credential harvest campaigns.
  • Evilginx2 or Evilginx3 for MFA-aware proxy phishing.
  • Modlishka as an alternative reverse proxy with native HTML rewriting.

Sender side

  • Warm the sending domain with weeks of low-volume, legitimate-looking traffic before the campaign.
  • Set SPF, DKIM, and DMARC correctly; mail from a domain with missing or misaligned records is quarantined or rejected by default at most large receivers.
  • Use a reputable transactional sender for the actual blast rather than your own MTA, so you inherit its IP reputation instead of building one under time pressure.
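Whether you are the sender warming a domain or the client checking your own, the records are worth auditing before the first message goes out. The following is an added example, not BIPI's code, that checks SPF and DMARC TXT records offline for the settings that get mail quarantined or make reporting useless. The records are constructed strings standing in for real TXT lookups; DKIM is left out because verifying it needs the selector and a live key, not just the DNS text.

```python
"""Offline SPF and DMARC record audit (added example, not from the original post).

Feed it the TXT record of the sending domain and of _dmarc.<domain>; it returns
the problems a receiver would act on. An empty list means the record is sane.
"""
import re
from typing import Dict, List, Optional

# SPF mechanisms (and the redirect modifier) that each cost a DNS lookup;
# RFC 7208 caps these at 10, after which receivers return permerror.
SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a(?::|/|$)|mx(?::|/|$)|ptr|exists:|redirect=)", re.I)
SPF_ALL = re.compile(r"^([+\-~?]?)all$", re.I)


def audit_spf(record: Optional[str]) -> List[str]:
    """Return the problems with an SPF TXT record."""
    if record is None:
        return ["spf: no record, so receivers cannot authorise your sending hosts"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: record does not begin with v=spf1"]
    problems: List[str] = []
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"spf: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    alls = [m for m in (SPF_ALL.match(t) for t in terms[1:]) if m]
    if not alls:
        problems.append("spf: no 'all' term, so unlisted hosts evaluate to neutral rather than fail")
    elif alls[-1].group(1) in ("", "+"):
        problems.append("spf: '+all' authorises every host on the internet to send as you")
    return problems


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: Optional[str]) -> List[str]:
    """Return the problems with a _dmarc TXT record."""
    if record is None:
        return ["dmarc: no record, so nothing is enforced and the owner receives no reports"]
    tags = parse_dmarc(record)
    problems: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        problems.append("dmarc: record does not begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("dmarc: p= tag missing or invalid")
    elif policy == "none":
        problems.append("dmarc: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("dmarc: no rua= address, so aggregate reports are never received")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        problems.append(f"dmarc: pct={pct} leaves {100 - int(pct)}% of failing mail unpoliced")
    return problems


def audit_domain(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    return audit_spf(spf) + audit_dmarc(dmarc)


# Constructed records standing in for TXT lookups; none belong to a real domain.
RECORDS = {
    "clean-sender.example": (
        "v=spf1 include:_spf.relay.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@clean-sender.example; pct=100",
    ),
    "wide-open.example": ("v=spf1 ip4:192.0.2.0/24 +all", None),
    "monitor-only.example": (
        "v=spf1 mx include:a.example include:b.example",
        "v=DMARC1; p=none",
    ),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in RECORDS.items():
        print(domain, audit_domain(spf, dmarc) or ["ok"])
```

The `+all` and `p=none` cases are the two that matter most on the sender side: the first gets the warming traffic flagged as unauthenticated by receivers that treat a pass-everything record as no record, and the second means the client never enforces anything, which is exactly what the detection section below needs them to have fixed.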

Detection your client should run

  1. DMARC reporting analysis for unusual sender patterns.
  2. Proxy logs correlated with newly registered domain feeds, and with domains the organisation has never contacted before, since the aged domains this post recommends will not appear in an NRD feed at all.
  3. Phish-report workflow with one-click submission for users.
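The proxy-log correlation in step 2 is simple enough to show end to end. The following is an added example, not BIPI's code, that parses constructed Squid-style access-log lines, reduces each hostname to its registrable domain, and flags domains that are either in a (constructed) NRD feed or absent from a (constructed) 90-day baseline of domains the organisation has contacted. The second signal is the one that still fires for an aged domain, which a pure NRD match would let through; the tiny suffix set stands in for the Public Suffix List.

```python
"""Proxy-log correlation with an NRD feed and a first-seen baseline
(added example, not from the original post).
"""
import re
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed Squid-style access.log lines: time, ms, client, result/status,
# bytes, method, URL, ident, hierarchy/peer, type. Not taken from a real proxy.
PROXY_LOG = """\
1700481600.123    212 10.20.1.15 TCP_TUNNEL/200 5120 CONNECT sso.corp-example.com:443 - HIER_DIRECT/198.51.100.7 -
1700481632.410    187 10.20.1.22 TCP_TUNNEL/200 9810 CONNECT vendor-portal-help.com:443 - HIER_DIRECT/203.0.113.44 -
1700481640.002     95 10.20.1.15 TCP_MISS/200 2210 GET http://cdn.example.net/app.js - HIER_DIRECT/198.51.100.9 application/javascript
1700481701.555    301 10.20.1.31 TCP_TUNNEL/200 7744 CONNECT corp-example-login.top:443 - HIER_DIRECT/203.0.113.61 -
1700481733.900    150 10.20.1.22 TCP_TUNNEL/200 1100 CONNECT sso.corp-example.com:443 - HIER_DIRECT/198.51.100.7 -
"""

# Constructed NRD feed (registrable domain -> registration date) and a
# constructed 90-day baseline of domains this organisation has contacted.
NRD_FEED: Dict[str, date] = {"corp-example-login.top": date(2023, 11, 18)}
BASELINE: Set[str] = {"corp-example.com", "example.net"}

# Tiny stand-in for the Public Suffix List; use the real PSL in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "top", "co.uk"}

LINE_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1) using PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, hostname) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target = m.groups()
    if method == "CONNECT":          # TLS tunnels log host:port, not a URL
        host = target.rsplit(":", 1)[0]
    else:
        host = urlparse(target).hostname or ""
    return client, host


def correlate(log_text: str, nrd: Dict[str, date], baseline: Set[str],
              now: date = date(2023, 11, 20), nrd_window_days: int = 30) -> Dict[str, List[str]]:
    """Map each suspicious registrable domain to the reasons it was flagged.

    Two independent signals: present in the NRD feed within the window, and
    never seen in this organisation's own traffic baseline. The second is what
    catches an aged domain that a pure NRD match would let through.
    """
    clients_by_domain: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            client, host = parsed
            clients_by_domain.setdefault(registrable_domain(host), set()).add(client)

    findings: Dict[str, List[str]] = {}
    for domain, clients in clients_by_domain.items():
        reasons = []
        registered = nrd.get(domain)
        if registered and (now - registered).days <= nrd_window_days:
            reasons.append(f"registered {registered.isoformat()}, {(now - registered).days}d ago")
        if domain not in baseline:
            reasons.append(f"never seen in baseline; {len(clients)} client(s)")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in correlate(PROXY_LOG, NRD_FEED, BASELINE).items():
        print(domain, "->", "; ".join(reasons))
```

In the constructed data, corp-example-login.top trips both signals, while vendor-portal-help.com, the kind of aged semantic variant the domain-selection section recommends, is caught only by the baseline check. That is the practical reason step 2 needs the first-seen comparison and not just the feed.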

Remediation

  • FIDO2 keys on high-risk accounts neutralise proxy phishing, because the credential is bound to the legitimate origin and will not sign a challenge presented from the proxy's domain.
  • Conditional access policies that block legacy authentication.
  • Active brand monitoring on newly registered domains.

  • 82%: new domains blocked within 6 hours
  • 68%: aged domains surviving 24 hours
  • 29%: MFA proxy bypass success

Boring infrastructure outlives clever infrastructure every time.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.