Scam Types | March 3, 2026 | Leo

Phishing Website Anatomy: How Scammers Clone Real Sites

TLDR

Phishing websites are cheap to build, fast to deploy, and increasingly difficult to detect. ScamVerify™ tracks 69,088 malicious domains through URLhaus - and the infrastructure behind each one costs as little as $10 to set up. This article breaks down exactly how phishing sites are constructed, from domain registration to credential harvesting.

The Lifecycle of a Phishing Website

Phase 1: Domain Registration (5 minutes, $1-$12)

The attacker registers a domain designed to impersonate a legitimate brand:

| Strategy | Example | Cost |
|---|---|---|
| Typosquatting | arnazon.com | $10-12/year |
| Keyword domain | amazon-login-verify.com | $10-12/year |
| Cheap TLD | amazon-login.xyz | $1-2/year |
| Subdomain trick | amazon.com.verify-login.com | $10-12/year |

Our URLhaus data shows the TLD distribution of malicious domains:

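| TLD | Count | % | Avg Cost/Year |
|---|---|---|---|
| .com | 59,876 | 86.7% | $10-12 |
| .net | 4,000 | 5.8% | $10-12 |
| .org | 3,996 | 5.8% | $10-12 |
| .xyz | 715 | 1.0% | $1-2 |
| .online | 182 | 0.3% | $1-3 |
| .site | 181 | 0.3% | $1-3 |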

The overwhelming preference for .com (86.7%) reflects a simple calculation: .com domains cost a few dollars more but dramatically increase victim trust.
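
For defenders triaging reported links, the four registration strategies above can be recognised from the hostname alone. The following is an added example, not ScamVerify's code: the brand list, the look-alike character pairs, and the two-label registrable-domain shortcut are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumptions of this sketch (not from the article): one protected brand, a
# two-label registrable domain (real tooling should use the Public Suffix
# List), and a short list of look-alike character sequences.
BRANDS = {"amazon": "amazon.com"}
CHEAP_TLDS = {"xyz", "online", "site"}   # low-cost TLDs listed in the article
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def normalise(label):
    """Fold look-alike sequences so 'arnazon' compares equal to 'amazon'."""
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return the impersonation strategies a URL's hostname matches."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower().rstrip(".")
    reg = ".".join(host.split(".")[-2:])          # registrable domain (assumed 2 labels)
    sld, _, tld = reg.partition(".")
    sub = host[: len(host) - len(reg)]            # labels left of the registrable domain
    findings = []
    for brand, legit in BRANDS.items():
        if reg == legit:
            return ["legitimate"]
        if legit + "." in sub:
            findings.append("subdomain-trick")
        if brand in sld:
            findings.append("keyword-domain")
        elif normalise(sld) == brand or edit_distance(sld, brand) <= 1:
            findings.append("typosquat")
    if findings and tld in CHEAP_TLDS:
        findings.append("cheap-tld")
    return findings

# Constructed inputs: the four examples from the table plus the real site.
for u in ("https://arnazon.com/signin", "amazon-login-verify.com", "amazon-login.xyz",
          "amazon.com.verify-login.com", "https://www.amazon.com/"):
    print(f"{u:32} {classify(u)}")
```

The subdomain check matters most for mobile users, whose browsers often truncate the address bar so that only the leading `amazon.com.` portion is visible.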

Phase 2: SSL Certificate (1 minute, Free)

The attacker obtains a free SSL certificate from Let's Encrypt or another free CA. This gives the phishing site:

  • The padlock icon in the browser
  • An "https://" URL
  • Protection from browser warnings

This is why the padlock icon does not mean a site is safe. It means the connection is encrypted. It says nothing about who owns or operates the site.

Phase 3: Website Cloning (10-30 minutes)

The attacker copies the target website's appearance:

Method 1: HTML scraping. Using tools like wget or HTTrack, the attacker downloads the entire front-end of the legitimate website: HTML, CSS, JavaScript, images, and logos.

Method 2: Phishing kits. Pre-built phishing kits for major brands (banks, email providers, social media) are available on underground forums. These include ready-to-deploy clones of login pages for hundreds of brands.

Method 3: Screenshot + HTML recreation. For simpler phishing pages, the attacker screenshots the legitimate site and recreates just the login form.

Phase 4: Backend Setup (30 minutes)

The attacker adds credential harvesting code:

  1. Form action modified - the login form submits data to the attacker's server instead of the real site
  2. Data logging - every submission is saved to a database or sent via email/Telegram to the attacker
  3. Redirect - after submitting credentials, the victim is redirected to the real site's login page (making them think the first attempt "failed")
  4. Anti-detection - code to block security scanners, show different content to bots vs humans, and self-destruct after a set number of visits

Phase 5: Distribution (Hours)

The phishing URL is distributed through:

  • Phishing emails (most common)
  • Scam text messages (smishing)
  • Social media posts and ads
  • Search engine ads (SEO poisoning)
  • QR codes

Phase 6: Harvesting and Shutdown (24-72 hours)

Most phishing sites are active for only 24-72 hours. During this window:

  • Credentials are harvested in real time
  • Stolen data is used or sold within hours
  • The domain gets reported and blocked
  • The attacker moves to the next domain

This rapid lifecycle is why our URLhaus database tracks 69,088 domains, each representing a campaign that was live for a very short time.

Why Detection Is Getting Harder

AI-Generated Phishing Pages

AI tools can generate pixel-perfect website clones with proper responsive design, eliminating the quality gap that used to make phishing pages identifiable.

Content Delivery Networks

Phishing sites hosted behind CDNs like Cloudflare make it harder to identify the actual hosting server and take down the site.

Evasion Techniques

Modern phishing kits include:

  • Geofencing (only show phishing content to users in target countries)
  • Bot detection (show clean content to security scanners)
  • Time-limited access (auto-delete after 48 hours)
  • CAPTCHA gates (prevent automated scanning)

How to Protect Yourself

  1. Never click links in emails or texts - go to websites directly
  2. Check the URL character by character before entering credentials
  3. Use a password manager - it will not auto-fill on a domain that is not an exact match
  4. Enable two-factor authentication everywhere
  5. Check unfamiliar URLs on ScamVerify before interacting

FAQ

How long does it take to set up a phishing site?

An experienced attacker with pre-built kits can deploy a new phishing site in under an hour. From domain registration to a fully functional credential harvesting page, the entire process requires minimal technical skill and less than $15 in costs.

Can phishing sites install malware on my computer?

Most phishing sites only collect information you voluntarily enter. However, some include exploit kits that attempt to install malware by targeting browser vulnerabilities. Keep your browser and operating system fully updated to protect against drive-by downloads.

Why don't browsers block all phishing sites?

Browser safe browsing databases (Google Safe Browsing, Microsoft SmartScreen) are reactive - they block sites after they are reported and verified. New phishing sites exist in a detection gap of hours to days. During this window, the site appears unblocked. This is why manual verification and tools like ScamVerify are important supplements to browser-based protection.

Photo by Markus Spiske on Unsplash
