This blog post if part 2 for What’s behind that It’s a guide on how to find out who owns the domain behind the suspicious shortener link. Using an example from Phishingalert that has kindly shared with the community. Using this Tweet as the example. Spammers have the tendency to send links to cover/hide their malicious link from an Google/Microsoft e-mail protection engine. We’ll use couple things to uncover this without actually visiting the link while uncovering what’s behind it. Disclaimer: The link provided is a phishing link to steal your Suntrust credentials and it is recommended not entering your credentials. Let’s imagine we received an e-mail that looks strange because you were unaware that the person was going to send you what he did.  

Ghost, Sign in to your Suntrust account: Suntrust account Regards, Malicious Actor

If you hover over the Suntrust account, you can tell its actually a link to which the statistics page for djomen[.]pl domain. Let’s do a whois lookup on this domain.   Let’s first do a quick Google search on this domain: It doesn’t seem like anything interesting regarding this site has shown. It doesn’t even show up in the front page. Why? It is probably because this domain was created for this purpose specifically? Ehh, nothing too interesting. Let’s do a whois lookup web application. my prefer are domaintools and centralops but you can choose whatever you prefer. Using, we are going to search for registrar information about domain djomen[.]pl since its hosting phishing site. What can we gather from this: Details: IP ADDR: This ip address is located in Germany, Hessen, Sachsenhausen. Domain was registered back in September of 2015. Who register this and what are their address: Polish domain name with a German IP Address; Why is that?.. Let’s keep searching. Let’s search for the domain with quotes: This domain looks like its related to DJ Omen and probably got pwned which was used to add the phishing site. This posts was going to be on what to do when you get sent a phish link and you didn’t know if its suspicious or not. The link behind the link is no longer live and can’t actually get what’s behind it, so I will cover it in a different post when I get a live link.