a phishing website.
  ◦ In this talk, “phishing kit” means a compressed file including the scripts for a phishing website.
• By analyzing a phishing kit, you can take practical countermeasures.
  ◦ C2 takedown:
    ▪ 16shop (Apple): 16shop[.]club
    ▪ HijaIyh (Apple): hijaiyh[.]net
  ◦ Attribution and coordination with national CSIRTs and LEAs.
scan and analyse websites.
  ◦ The service provides feeds via its search feature.
    ▪ OpenPhish
      • https://urlscan.io/search/#OpenPhish
    ▪ PhishTank
      • https://urlscan.io/search/#PhishTank
    ▪ certstream-suspicious
      • https://urlscan.io/search/#CertStream-Suspicious
Specifically, Certificate Transparency has three main goals:
  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
(source: https://www.certificate-transparency.org/what-is-ct)
  ◦ The algorithm used to calculate “suspiciousness” is not public.
  ◦ It is probably similar to the algorithm in x0rz’s phishing_catcher.
    ▪ https://github.com/x0rz/phishing_catcher
nearly half of all phishing sites, 49 percent, were using SSL”
    ▪ https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https
• CT makes it possible to discover phishing sites before they go live.
  ◦ An Elixir app for CT monitoring.
  ◦ It polls the CT log servers every 15 seconds and broadcasts new entries via WebSocket.
  ◦ urlscan.io uses CertStream internally.
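As an added example tying the two points above together (the non-public “suspiciousness” score and the CertStream feed), here is a hypothetical scorer of the phishing_catcher kind applied to the names in a CertStream-style message. It is not code from the talk, urlscan.io, CertStream or phishing_catcher; the weights, keyword and TLD lists, and the message shape are all assumptions chosen for illustration.

```python
import re

# Hypothetical weights and word lists chosen for this example; the real
# urlscan.io scoring is not public and phishing_catcher uses its own.
KEYWORDS = {"login": 25, "signin": 25, "verify": 20, "account": 20,
            "secure": 15, "update": 15, "appleid": 30}
BRANDS = ("apple", "paypal", "microsoft", "amazon")
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}

def levenshtein(a, b):
    """Edit distance; a distance of 1 to a brand name flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons) for one name taken from a CT log entry."""
    d = domain.lower().lstrip("*.")          # wildcard cert -> base name
    labels = d.split(".")
    hits = [(w, f"keyword:{kw}") for kw, w in KEYWORDS.items() if kw in d]
    if any(lab.startswith("xn--") for lab in labels):
        hits.append((20, "punycode"))       # IDN homograph candidates
    # 3 points per hyphen and per subdomain level beyond the registered name
    hits.append((3 * d.count("-") + 3 * max(len(labels) - 2, 0), "structure"))
    if labels[-1] in FREE_TLDS:
        hits.append((20, f"tld:{labels[-1]}"))
    parts = [p for p in re.split(r"[.-]", d) if len(p) >= 4]
    for brand in BRANDS:
        if brand in d:
            hits.append((50, f"brand:{brand}"))
        elif any(levenshtein(p, brand) == 1 for p in parts):
            hits.append((70, f"typosquat:{brand}"))
    return sum(w for w, _ in hits), [why for w, why in hits if w]

def flag_suspicious(message, threshold=60):
    """Names in one CertStream-style message (shape assumed) at/above threshold."""
    names = message["data"]["leaf_cert"]["all_domains"]
    return sorted({n.lstrip("*.") for n in names if score_domain(n)[0] >= threshold})

# Constructed sample message in CertStream's JSON shape, not real CT data.
SAMPLE = {"message_type": "certificate_update", "data": {"leaf_cert": {
    "all_domains": ["appleid-login-verify.hosting-example.tk",
                    "*.appleid-login-verify.hosting-example.tk",
                    "paypa1.com", "www.example.com"]}}}
```

In a real pipeline the message would come from the CertStream WebSocket and flagged names would be handed to urlscan.io or miteru for a closer look; the threshold is a tuning knob, not a verdict.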
open directory.
• Certificate Transparency is a good resource for phishing hunting.
• miteru is an easy-to-use phishing kit detection tool.
  ◦ Similar tools / alternatives:
    ▪ StreamingPhish
      • https://github.com/wesleyraptor/streamingphish
    ▪ StalkPhish
      • https://github.com/t4d/StalkPhish
    ▪ Phish-collect
      • https://github.com/duo-labs/phish-collect
• Be responsible!
on the Internet Ecosystem
  ◦ https://arxiv.org/pdf/1809.08325.pdf
• Cats? In My Certificate Transparency Logs?
  ◦ https://static.sched.com/hosted_files/bsidessf2019/88/Catlog_BSidesSF_2019.pdf
• Using certificate transparency streams to hunt down phishing sites
  ◦ https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1551104568.pdf