
How to become a phisherman

ninoseki
April 25, 2019

My slides for Becks Japan #2
https://becks.doorkeeper.jp/events/89161


Transcript

  1. How to become a phisherman (Manabu Niseki)

  2. Who am I
    • A researcher who works at a CSIRT.
      ◦ Twitter: @ninoseki
      ◦ GitHub: @ninoseki
    • Thanks Beist-san & Tessy-san for inviting me to this great meetup!

  3. Topics Covered in This Talk
    • What is a “phishing kit”?
    • How can I get it?
    • How to use Certificate Transparency for phishing hunting

  4. Phishing Kit?
    • A “phishing kit” is a kit to deploy a phishing website.
      ◦ In this talk, “phishing kit” means a compressed file containing the scripts for a phishing website.
    • By analyzing a phishing kit, you can take practical countermeasures:
      ◦ C2 takedown:
        ▪ 16shop (Apple): 16shop[.]club
        ▪ HijaIyh (Apple): hijaiyh[.]net
      ◦ Attribution & coordination with national CSIRTs and LEAs.

  5. How Can I Get a Phishing Kit?
    • You can get a phishing kit via an open directory website!

  6. How Can I Get a Phishing Kit?
    • Example:
      ◦ myvoicemailringcentralportal.sanantonio-entertainment[.]com

  7. How Can I Get a Phishing Kit?
    • Example:
      ◦ myvoicemailringcentralportal.sanantonio-entertainment[.]com/officevoicemail

  8. How Can I Get a Phishing Kit?
    • The idea is simple:
      ◦ Get suspicious URLs
      ◦ Distinguish whether it is an open directory or not
      ◦ Grab the phishing kit

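The second and third steps of that three-step idea, as an added example in Python (this is not miteru's code, which is a separate project). It decides whether a fetched page is an auto-generated directory listing and, if so, lists the archive files linked from it. The "Index of" title heuristic, the archive-extension list and both sample pages are constructed assumptions; the `.invalid` hostnames are placeholders, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Archive extensions a phishing kit is typically shipped as (assumption for this example).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".tar.gz", ".tgz")


class _ListingParser(HTMLParser):
    """Collects the <title> text and every <a href> from a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_open_directory(html):
    """Heuristic: auto-generated listings (Apache, nginx, lighttpd) title the page
    "Index of /...". A lure page that merely contains links does not match."""
    parser = _ListingParser()
    parser.feed(html)
    return parser.title.strip().lower().startswith("index of")


def kit_candidates(base_url, html):
    """Absolute URLs of archive files linked from an open directory; empty if not an opendir."""
    if not is_open_directory(html):
        return []
    parser = _ListingParser()
    parser.feed(html)
    return [urljoin(base_url, h) for h in parser.hrefs if h.lower().endswith(ARCHIVE_EXTENSIONS)]


# Constructed sample pages (not real sites): an autoindex listing and a lure page that is not one.
LISTING_HTML = """<html><head><title>Index of /voicemail</title></head><body>
<h1>Index of /voicemail</h1><pre>
<a href="../">Parent Directory</a>
<a href="index.php">index.php</a>
<a href="next.php">next.php</a>
<a href="voicemail.zip">voicemail.zip</a>
</pre></body></html>"""

LURE_HTML = """<html><head><title>Sign in to your voicemail</title></head><body>
<form action="next.php" method="post"><input name="password"></form>
<a href="privacy.html">Privacy</a></body></html>"""

if __name__ == "__main__":
    for url, html in [("http://opendir.invalid/voicemail/", LISTING_HTML),
                      ("http://lure.invalid/voicemail/", LURE_HTML)]:
        verdict = "opendir" if is_open_directory(html) else "not an opendir"
        print(url, verdict, kit_candidates(url, html))
```

In a real hunt the `html` argument would be the body fetched from each suspicious URL; an archive listed next to the kit's own PHP files is the artefact worth pulling for analysis and takedown coordination.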
  9. None

  10. A Tool For Phishing Hunting
    • miteru (https://github.com/ninoseki/miteru)
      ◦ An experimental phishing kit detection tool.
      ◦ Installation:

  11. How It Works
    • Enumerating suspicious URLs from various feeds provided by urlscan.io.
    • Crawling suspicious URLs to hunt for a phishing kit.

  12. urlscan.io?
    • urlscan.io (https://urlscan.io/):
      ◦ urlscan.io is a service to scan and analyse websites.
      ◦ The service provides feeds via its search feature.
        ▪ OpenPhish
          • https://urlscan.io/search/#OpenPhish
        ▪ PhishTank
          • https://urlscan.io/search/#PhishTank
        ▪ certstream-suspicious
          • https://urlscan.io/search/#CertStream-Suspicious

  13. certstream-suspicious?
    • certstream-suspicious is a feed which is based on Certificate Transparency.

  14. Certificate Transparency?
    Certificate Transparency aims to remedy these certificate-based threats. Specifically, Certificate Transparency has three main goals:
    • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
    • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
    • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
    (source: https://www.certificate-transparency.org/what-is-ct)

  15. None

  16. Certificate Transparency?
    • TL;DR:
      ◦ You can get (possibly) new domains via CT log servers.

  17. certstream-suspicious?
    • certstream-suspicious provides “suspicious” domains based on CT logs.
      ◦ The algorithm for calculating “suspiciousness” is not public.
      ◦ It is probably similar to the algorithm of x0rz’s phishing_catcher.
        ▪ https://github.com/x0rz/phishing_catcher

  18. Why is CT important?
    • PhishLabs says:
      ◦ “In Q3 nearly half of all phishing sites, 49 percent, were using SSL”
        ▪ https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https
    • CT makes it possible to discover phishing sites before they run.

  19. Bonus: CT monitoring with ease
    • Facebook Certificate Transparency Monitoring
      ◦ https://developers.facebook.com/tools/ct/search/

  20. Bonus: CT monitoring with ease
    • CaliDog CertStream
      ◦ https://github.com/CaliDog/certstream-server
      ◦ An Elixir app for CT monitoring.
      ◦ It polls the CT log servers every 15 seconds and broadcasts new entries via WebSocket.
      ◦ urlscan.io uses CertStream internally.

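The CT side of the pipeline from slides 16, 17 and 20, as one added Python example (not code from miteru, phishing_catcher or CertStream). It takes messages in the JSON shape the CertStream server broadcasts (`message_type` of `certificate_update` with `data.leaf_cert.all_domains`), drops heartbeats, strips wildcard labels, and scores each domain with a heuristic in the spirit of phishing_catcher: suspicious TLD, Shannon entropy, keyword hits, punycode, hyphen count and subdomain depth. The keyword weights, TLD list, threshold and every sample domain are constructed assumptions, not the weights any real tool uses; the consumer that reads the WebSocket is left out so the block runs offline.

```python
import json
import math
from collections import Counter

# Constructed heuristics (assumptions for this example, not phishing_catcher's actual lists):
# brand/verb tokens with weights, and TLDs often seen in throwaway registrations.
KEYWORDS = {
    "login": 25, "signin": 25, "secure": 15, "account": 20, "verify": 25,
    "update": 15, "webmail": 25, "voicemail": 20,
    "apple": 50, "icloud": 50, "paypal": 50, "microsoft": 50, "office365": 50,
}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq", "xyz", "top", "club", "work", "icu"}


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalize(domain):
    """Lower-case and drop a leading wildcard label so '*.foo.xyz' is scored as 'foo.xyz'."""
    domain = domain.strip().lower()
    if domain.startswith("*."):
        domain = domain[2:]
    return domain


def score_domain(domain):
    """Suspiciousness score: TLD, entropy, keywords, punycode (possible homograph),
    hyphen count and subdomain depth all add points."""
    domain = normalize(domain)
    labels = domain.split(".")
    name = ".".join(labels[:-1])  # everything except the TLD
    score = 0
    if labels[-1] in SUSPICIOUS_TLDS:
        score += 20
    score += int(round(shannon_entropy(name) * 10))
    for keyword, weight in KEYWORDS.items():
        if keyword in name:
            score += weight
    if "xn--" in domain:
        score += 20
    score += name.count("-") * 3
    score += max(0, len(labels) - 2) * 3
    return score


def domains_from_message(raw):
    """All SAN entries from a CertStream 'certificate_update' message; heartbeats yield nothing."""
    msg = json.loads(raw)
    if msg.get("message_type") != "certificate_update":
        return []
    return list(msg["data"]["leaf_cert"].get("all_domains", []))


def suspicious_from_stream(raw_messages, threshold=65):
    """Return {domain: score} for every domain at or above the threshold."""
    hits = {}
    for raw in raw_messages:
        for domain in domains_from_message(raw):
            domain = normalize(domain)
            score = score_domain(domain)
            if score >= threshold:
                hits[domain] = max(score, hits.get(domain, 0))
    return hits


def _cert_update(domains):
    # Constructed message in the shape CertStream broadcasts (only the fields used here).
    return json.dumps({"message_type": "certificate_update",
                       "data": {"leaf_cert": {"subject": {"CN": domains[0]},
                                              "all_domains": domains}}})


# Constructed sample stream: a heartbeat, a lookalike certificate and an ordinary one.
SAMPLE_MESSAGES = [
    json.dumps({"message_type": "heartbeat", "data": {"timestamp": 1556150400}}),
    _cert_update(["secure-login-appleid.verify-account.xyz", "www.verify-account.xyz"]),
    _cert_update(["blog.ordinary-site.com", "*.ordinary-site.com"]),
]

if __name__ == "__main__":
    ranked = sorted(suspicious_from_stream(SAMPLE_MESSAGES).items(), key=lambda kv: -kv[1])
    for domain, score in ranked:
        print(f"{score:4d}  {domain}")
```

Domains that clear the threshold are the ones to queue for the URL checks on slide 8; because a CT entry appears at issuance time, this usually happens before the lure page is live, which is the point made on slide 18.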
  21. Demo

  22. Be Responsible! <REDACTED/>

  23. Conclusions
    • You can get a phishing kit via an open directory.
    • Certificate Transparency is a good resource for phishing hunting.
    • miteru is an easy-to-use phishing kit detection tool.
      ◦ Similar tools / alternatives:
        ▪ StreamingPhish
          • https://github.com/wesleyraptor/streamingphish
        ▪ StalkPhish
          • https://github.com/t4d/StalkPhish
        ▪ Phish-collect
          • https://github.com/duo-labs/phish-collect
    • Be responsible!

  24. Any questions?

  25. References
    • The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
      ◦ https://arxiv.org/pdf/1809.08325.pdf
    • Cats? In My Certificate Transparency Logs?
      ◦ https://static.sched.com/hosted_files/bsidessf2019/88/Catlog_BSidesSF_2019.pdf
    • Using certificate transparency streams to hunt down phishing sites
      ◦ https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1551104568.pdf