
Pkit Finder - Hunt for Phishing Kits

Casim Khan
November 29, 2017


Phishing is one of the easiest and most successful attacks carried out by cyber criminals. I have presented some interesting stats and findings from phishing kits I have managed to pull from suspicious domains.


Transcript

  1. The information included in this presentation is from my own research and purely for educational purposes; it should not be attributed to my employers, past, present or future. Phishing kits collected during research were never used in any way other than finding indicators which help in threat hunting.
  2. 1. Finding phishing kits  2. Extracting indicators & metadata  3. Add unique kits in database

     Stage 1
     • Automated: fetch URLs from PhishTank & OpenPhish hourly (avg 40-50 new phish URLs in an hour)
     • Manual: tweets / threat intel / certstream
     • Crawl URLs (anonymously) and look for zip / rar / txt / php / png
  3. 1. Finding phishing kits  2. Extracting indicators & metadata  3. Add unique kits in database

     Stage 2
     • Pull out interesting indicators from phishing kits
     • Check status with VirusTotal
  5. 1. Finding phishing kits  2. Extracting indicators & metadata  3. Add unique kits in database

     Stage 3
     • Hash out kits and add unique ones to the database
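As an added example (not code from the deck or from the author's Pkit Finder tool), stages 2 and 3 above in Python: pull the drop-mailbox addresses out of a kit archive, key the database on the SHA-256 of the archive, and keep only unique kits while recording every domain a repeat was seen on. It assumes a kit arrives as a zip, uses an in-memory dict as the database, and feeds itself a constructed sample kit with example.net/example.org addresses in place of a real download.

```python
import hashlib
import io
import re
import zipfile
from collections import Counter

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_sample_kit() -> bytes:
    """Constructed sample kit (not a real one): a zip built in memory so this runs offline."""
    files = {
        "login.php": '<?php $to = "drop1@example.net"; mail($to, "result", $msg); ?>',
        "mailer.txt": "backup: drop1@example.net, drop2@example.org\n",
        "logo.png": b"\x89PNG\r\n\x1a\n",  # binary asset, skipped by extraction
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            # fixed timestamp keeps the archive bytes, and so its hash, stable
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 11, 29, 0, 0, 0)), data)
    return buf.getvalue()

def extract_emails(kit_bytes: bytes) -> Counter:
    """Stage 2: collect the drop-mailbox addresses hard-coded in text-like files."""
    found = Counter()
    with zipfile.ZipFile(io.BytesIO(kit_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".php", ".txt", ".html", ".js")):
                for match in EMAIL_RE.findall(zf.read(name)):
                    found[match.decode().lower()] += 1
    return found

def add_kit(db: dict, source_domain: str, kit_bytes: bytes) -> bool:
    """Stage 3: key the database on SHA-256 of the archive; True if the kit is new."""
    digest = hashlib.sha256(kit_bytes).hexdigest()
    if digest in db:
        db[digest]["sources"].add(source_domain)  # same kit seen on another domain
        return False
    db[digest] = {"sources": {source_domain}, "emails": extract_emails(kit_bytes)}
    return True

def provider_stats(db: dict) -> Counter:
    """Distinct drop addresses per mail provider, as in the deck's provider chart."""
    stats = Counter()
    for record in db.values():
        for email in record["emails"]:
            stats[email.split("@", 1)[1]] += 1
    return stats
```

Real kits also arrive as rar archives, which this zip-only reader would need a separate extractor for.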
  6. Emails extracted: 26267 (per-provider chart; recoverable labels: zfymail 386, fastmail 106, dsfdeemail 324; the values 6402, 9858 and 1129 have no legible label)
     Most common brands: Apple, Dropbox, Google Doc, PayPal, O365
     Timeline for unique kits, by kit modification year:
     2006: 3    2007: 5    2008: 1     2009: 4     2010: 3     2011: 6
     2012: 16   2013: 55   2014: 217   2015: 423   2016: 845   2017: 2247
  7. Kits observed: 13/06/2017, 10/07/2017, 18/07/2017, 28/07/2017. Total phishing URLs: 115
     Domain: Octobert.net | Kit modified: 07/07/2015 | Email: [email protected] | VT: no positives
     Domain: radiosainamaina.org | Kit modified: 08/08/2015 | Email: [email protected] | VT: positives
     Domain: supremeenterprises.org | Kit modified: 08/08/2015 | Email: [email protected] | VT: no positives
     Domain: aplcricket.co.nz | Kit modified: 08/08/2015 | Email: [email protected] | VT: no positives
     Email checks: HIBP: not pwned, reverse lookup: no domain; HIBP: pwned (Dailymotion, Myspace.com), reverse lookup: no domain; HIBP: not pwned, reverse lookup: no domain
  8. Kits observed: 02/10/2017, 23/05/2017, 15/06/2017, 25/09/2017. Total phishing URLs: 103
     Domain: rileysbrandhoney.com | Kit modified: 18/05/2016 | Email: [email protected] | VT: no positives
     Domain: despielhan.com | Kit modified: 15/06/2016 | Email: [email protected] | VT: no positives
     Domain: sotobetawisiti.co.id | Kit modified: 14/04/2017 | Email: [email protected] | VT: no positives
     Domain: waiterss.com | Kit modified: 25/05/2015 | Email: [email protected] | VT: no positives
     Email checks: HIBP: not pwned, reverse lookup: no domain; HIBP: not pwned, reverse lookup: no domain; HIBP: not pwned, reverse lookup: no domain
  9. Kits observed: 12/05/2017, 12/06/2017. Total phishing URLs: 51
     Domain: bowlcolumbus.com | Kit modified: 28/11/2016 | Email: [email protected] | VT: no positives
     Domain: naturaltaste.com.br | Kit modified: 28/11/2016 | Email: [email protected] | VT: no positives
     Email checks: HIBP: not pwned, reverse lookup: no domain; HIBP: not pwned, reverse lookup: no domain