Site Tracing And Host Program follows and reports on the redirection chain for a phishing site.
To start a trace on a single URL:
stahp.console.exe -u|--url <url>
e.g.
stahp.console.exe --url example.com
STAHP can also be run in an interactive mode by not providing any command line arguments, allowing you to perform subsequent traces.
Today's phishing and other broadly-cast scam attacks often involve directing a user through multiple URLs before reaching the target site.
STAHP is a .NET 6 console application that follows and records the various redirect methods used between the initial hyperlink sent to a target and the eventual target site used for the phishing or other scam attack. Along the way, it pulls out relevant information for the cloud provider, or performs whois queries to find where a domain name is registered and where to report abuse to those companies.
You could of course do the same thing using browser dev tools to see each redirect and run the whois queries yourself, but STAHP does that legwork for you and saves you time.
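The Python example below is added here for illustration and is not STAHP's own code (STAHP is a .NET application). It records each hop of a redirect chain and the method used to leave it, assuming three redirect methods: an HTTP 3xx `Location` header, a meta refresh tag, and a `window.location` assignment. All URLs, responses and function names are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample responses keyed by URL: (status, headers, body). Not real sites.
SAMPLE = {
    "https://short.example/a1": (302, {"Location": "https://bucket.storage.example/index.html"}, ""),
    "https://bucket.storage.example/index.html": (200, {},
        '<meta http-equiv="refresh" content="0; url=/go.html">'),
    "https://bucket.storage.example/go.html": (200, {},
        '<script>window.location.href = "https://login.target.example/signin";</script>'),
    "https://login.target.example/signin": (200, {}, "<form>...</form>"),
}

META = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
                  r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def next_hop(url, status, headers, body):
    """Return (method, absolute_next_url), or None if the response does not redirect."""
    if 300 <= status < 400 and "Location" in headers:
        return f"http-{status}", urljoin(url, headers["Location"])
    for method, pattern in (("meta-refresh", META), ("window.location", JS)):
        match = pattern.search(body)
        if match:
            # Relative targets are resolved against the page that served them.
            return method, urljoin(url, match.group(1))
    return None

def trace(start, fetch, max_hops=10):
    """Follow the chain and record every hop; stops on a loop or after max_hops."""
    hops, seen, url = [], set(), start
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        step = next_hop(url, status, headers, body)
        hops.append({"url": url, "host": urlsplit(url).hostname,
                     "status": status, "via": step[0] if step else None})
        if step is None:
            break
        url = step[1]
    return hops

if __name__ == "__main__":
    # fetch is a dictionary lookup here so the example runs offline.
    for hop in trace("https://short.example/a1", SAMPLE.__getitem__):
        print(hop)
```

The distinct `host` values in the result are the names an analyst would then look up with whois to find where to report abuse.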
Scammers are thrifty and agile, and don't expect all their infrastructure to remain operational for long.
The free storage tiers offered by cloud providers can easily host static websites to redirect users through to the eventual target site, providing further obfuscation to casual observers. Further, these services can be updated very quickly and easily if a link in the chain breaks (or to purposefully break the chain to hide the target site).
The quicker the use of these services can be reported for malicious activity to any organizations involved, and taken down, the fewer victims there are that may fall prey to the attack.
nslookup with aliases to identify and report on web hosting providers
window.location)
Stahp.Core as a NuGet package to allow other projects to make use of it.