urlscan.io Blog



Rise of Oriental Gudgeon

Phishing kit targets over 40 Japanese financial services entities

– urlscan Threat Research Team

This is the first ever research-oriented post on the urlscan blog. Our goal with these posts is to cover malicious activity we have not seen covered by other researchers. We will also showcase how urlscan.io and urlscan Pro can be used to track the types of activities we cover in these posts.

Since October 2024, we have observed a phishing kit impersonating dozens of Japanese commercial entities, primarily companies in the financial services sector. The phishing kit will impersonate the website of these organizations and their brands with the goal of obtaining valid login credentials of legitimate users of these sites.

We are currently tracking this activity under the name Oriental Gudgeon due to its suspected Chinese origin. Oriental Gudgeon has recently expanded its targeting to include more than 40 Japanese companies.

In this blog post, we will highlight the timeline of Oriental Gudgeon’s activity, the organizations being targeted, its attack flow, and how urlscan.io can be used to discover and analyze its activity.

Targeting and Timeline

Weekly website scans observed on urlscan Pro

→ Read the rest of this post...


urlscan - Q1/2025 improvements

– Andreas Gilger

Over the course of Q1/2025 we have made the following improvements to the urlscan platform:

Improved data capture within iframes

Our threat research team will sometimes encounter legitimate hosting services which are used to stage links to malicious third-party websites. For some of these file-hosting services, any user-supplied content and outgoing links reside in iframes, often on different web origins. Our scanning engine now correctly captures the content, HTTP requests, and outgoing links of these iframes.

urlscan Pro: Custom Javascript injection for Live Scanning

For our Live Scanning tool within urlscan Pro we have added support for customer-supplied JavaScript code which is inserted and executed in our scanning engine before the requested page is scanned. The JavaScript code runs in the context of the website that is about to be scanned.

urlscan Pro: User seat tracking for customer accounts

Our commercial plans have always included a fixed number of so-called seats for urlscan Pro. These seats govern how many unique users within an account are able to access the urlscan Pro platform on any given day. The seats included with each subscription are always floating seats, meaning that they can be taken by any user on a customer account on a first-come-first-serve basis on any given day.

To this day the seat limits have not been enforced on a technical level and we have rarely issued warnings to customers that exceeded their assigned seat limits. Starting today we will track seats that have been used per customer account and will show that information back to our users. If a seat limit is exceeded we will now show a warning message within the urlscan Pro platform. This will give our customers the ability to inspect their current seat use and identify which of their users are using the urlscan Pro platform.

With a future update in Q3/2025 we will start to enforce these limits. For customers that have taken all of their assigned seats within a given day, we will prevent any additional users from that team from accessing the urlscan Pro platform.

Availability

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization, feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.


urlscan Observe General Availability

– Johannes Gilger

We are thrilled to announce significant updates to the Incidents feature as part of urlscan Observe, which is now generally available. Since the launch of the beta version of Incidents in mid-2023, we have received valuable feedback from our customers about how they use this functionality. Based on that input, we have implemented several new features and improvements designed to make monitoring observables more effective and tailored to your requirements.

Release Highlights

  • The introduction of so-called perpetual incidents which do not expire.
  • The ability to select one (or multiple) scanner countries and user-agents for scanning.
  • Custom stop-conditions which will automatically close an incident after a certain condition.
  • The ability to specify a custom website scan interval for the incident.
  • The ability to control the observed attributes.
  • Full API support and documentation.
  • A simplified way incidents are accounted for against the team quota.
  • Support for pre-defined Incident Profiles which can be applied to new incidents.
  • An improved Incidents UI and common quick actions.
  • Private Incidents which now include own private scan results as well.

We will cover some of the changes in more detail below.

→ Read the rest of this post...


Account Security Controls

– Johannes Gilger

We have just launched a suite of account security features and improvements to our core urlscan platform. Some of these features will benefit every user, while others are only available to commercial customers.

Active session control

You can now view and manage your active user sessions under the new Security tab in your user dashboard on urlscan.io. You will see your currently active sessions along with information about when and where these sessions logged in from. Furthermore, you have the ability to log out of (terminate) all other currently active sessions.

When you change your password, all other currently active sessions will automatically be terminated.

IP Whitelisting

You can limit access to your account to a fixed set of IP addresses and IP networks. This will apply both to interactive logins as well as API-initiated requests.

(This feature is only available as part of urlscan Enterprise and Ultimate)

Session lifetime settings

You are able to control the default idle session timeout as well as the maximum session age for your whole organization. You can also choose to use so-called session cookies which are automatically cleared once your browser is closed.

Lastly, you can also activate exclusive sessions which will prevent a user within your organization from logging in more than once at the same time.

(These features are only available as part of urlscan Enterprise and Ultimate)

Subscription notifications

For your team-account you can now add billing contacts as well as technical contacts. When these contacts are supplied we will be able to send you automated notifications when your current subscription is about to expire.

Additionally you will be able to observe a visual warning in your user dashboard when your subscription is nearing its renewal date.

Availability

These features are available today. If you want to make use of them please reach out to support@urlscan.io.


urlscan Pro — Live Browsing

– Johannes Gilger

Today we are launching major improvements to our scanning engine and new scanning capabilities for our customers.

Live Browsing — Interact with websites

Our scanner has always been using the Google Chrome web-browser as the basis for its website analysis. Using Chrome allows the scanner to open and view websites exactly like a human user would. However, there are scenarios where additional human input is needed to access a website, such as dialogues or captchas.

With our new Live Browsing capability, customers on the urlscan Pro platform will be able to scan a website while interacting with it through a VNC-like remote video and keyboard session. The primary use-case of Live Browsing is lightweight interaction, like dismissing alerts, confirming captchas or following a single level of redirection to get to the web-content of interest.

Live Browsing can also be used for other research-related tasks where the goal is not to create a scan result at the end. Some of these use-cases include:

  • Capturing evidence for take-down purposes.
  • Browsing through open directories.
  • Browsing through the Tor network via .onion addresses.
  • Quickly downloading files, DOM snapshots and screenshots from third-party websites.

Live Browsing is available today as a Beta feature for customers on the urlscan Pro platform.

Live Browsing in action

Real Device Scanning

Some of our customers have encountered malicious websites which evade detection even when faced with the anti-detection methods available in our regular scanner. In some cases the only way to analyze these sites is to use an actual mobile device like an Android phone.

As part of the Live Browsing capability, we have also modified our scanning engine to analyze websites using actual mobile devices, providing the same high-fidelity output as our standard website scans.

Real Device Scanning is available to select Enterprise and Ultimate customers in Germany and the Netherlands for now. Reach out to support@urlscan.io if you are interested in this new capability.

Scanning Engine Improvements

In addition to the new features we have made various small improvements to our scanning engine and our Live Scanning UI in urlscan Pro:

  • We have improved the device and user-agent selection in urlscan Pro.
  • We have simplified the settings UI for Live Scans.
  • We have improved the way language and locale settings are determined in the scanner.

Current state, availability

Live Browsing and Real Device Scanning are now available via the urlscan Pro platform. These features are currently in Beta, so there are no guarantees about their fitness for a particular purpose. Once these features are promoted to GA we will also implement certain rate limits according to applicable subscription plans.

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization, feel free to reach out to us! We offer free trial access without any strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.


urlscan Pro — Inline Matching, System-Labels, User-Tags

– Johannes Gilger

As we welcome the year 2024, we wanted to update you on what we have been working on in the second half of 2023 and announce the new features that are launching today. These changes will have a profound impact on our customers' workflows and our own detection and classification abilities.

Saved Searches — A success story

When we launched Saved Searches in 2022 for our scans and hostnames feeds, we did not envision how popular this feature would turn out to be. Initially, Saved Searches were meant as a convenient way to bookmark a search term within the urlscan Pro platform. The Subscriptions feature allowed customers to receive notifications for any new items that matched their Saved Searches.

Over the past year, the value of Saved Searches to customers has become abundantly clear. Right now we manage more than 3000 Saved Searches and almost 1000 Subscriptions that have been created by our customers. Our subscription notification system sends out over 5000 emails a day.

Saved Searches and Subscriptions became even more important when we launched our Newly Observed Domains & Hostnames Feed in late 2022 and urlscan Observe earlier this year. Since then, many of our customers have set up Saved Searches to look for domains impersonating their brand or targeting their workforce. Our feed captures 2.5 million new domains and hostnames every day, so having an expressive search ability to find and alert on interesting hits is crucial.

Today we are launching major improvements for Saved Searches, Subscriptions and collaboration within the urlscan Pro platform.

→ Read the rest of this post...


Announcing urlscan Observe

– Johannes Gilger

urlscan.io has always been a powerful tool for scanning and investigating suspicious websites. Our platform is used by hundreds of customers and tens of thousands of community users to scan suspicious URLs. Up until now, the majority of these scans were initiated by customers.

Today we are announcing the general availability of urlscan Observe, our new and integrated hands-off monitoring system on the urlscan Pro platform. urlscan Observe ties together our extensive data collection with our notification and scanning features to drive fast and automated monitoring of suspected malicious infrastructure.

→ Read the rest of this post...


2022 year in review and new products launching in 2023

– Johannes Gilger

If you’re not sick of hearing it yet: Here’s to a happy new year from all of us at urlscan.io!

We wanted to take the opportunity to revisit major changes that launched in 2022 and to give you a glimpse of our 2023 roadmap at the same time. Some of the things we have worked on in 2022 represent the foundation for new products due to launch over the next quarters.

→ Read the rest of this post...


urlscan Pro - Newly observed domains & hostnames

– Johannes Gilger

Today we are officially launching our real-time feed and search index of newly observed hostnames and domains on urlscan Pro. This is a huge step forward since it will allow customers to proactively look for new domains and hostnames that might be of interest to them, even if these hostnames were not previously scanned as a full-blown website through urlscan.io.

→ Read the rest of this post...

