Finding Fraudsters Who Hide Behind Cloudflare

Tutorial: How to Find Fraudulent Websites Hidden Behind Cloudflare

Step 1: Introduction to Cloudflare and the Challenge

• Cloudflare is a service used by fraudsters to hide the true origin of their websites.
• As an investigator, you may come across websites hidden behind Cloudflare, making it challenging to trace them back to their true IP addresses.

Step 2: Using Security Certificates to Find True IP Addresses

• Security certificates have unique fingerprints that can help identify websites hidden behind Cloudflare.
• Use services like crt.sh or Censys to search for historic security certificates associated with a domain.
• Look for unique fingerprints to determine the true origin of the website.

Step 3: Leveraging DNS Records for Investigation

• DNS records provide information about the IP addresses associated with a domain.
• Explore historic DNS records using tools like SecurityTrails to uncover past IP addresses and potential hosting providers.
• Identify any changes in hosting providers or IP addresses to reveal the true location of the website.

Step 4: Exploring Subdomains for Additional Clues

• Subdomains are extensions of the main domain that can reveal other services or components of a website.
• Use tools like DNSDumpster or command line tools like Sublister to discover subdomains associated with a domain.
• Investigate subdomains to find potential IP addresses that may not be hidden behind Cloudflare.

Step 5: Analyzing Security Headers for Insights

• Security headers provide instructions for browsers to enhance website security.
• Look for Content Security Policy headers to identify permitted content sources and potential origin servers.
• Search for specific security headers using services like SecurityHeaders.io to uncover hidden traces of websites.

Step 6: Utilizing Favicon Hashes to Track Websites

• Favicon hashes are unique identifiers associated with website icons.
• Use services like Favicon.com to calculate the hash for a website's favicon.
• Search for favicon hashes in platforms like Shodan to track down websites hidden behind Cloudflare based on their unique favicon identifiers.

By following these steps and utilizing various techniques such as analyzing security certificates, exploring DNS records, investigating subdomains, analyzing security headers, and tracking favicon hashes, you can enhance your ability to uncover fraudulent websites hidden behind Cloudflare.