How to become a phisherman

Transcript

1. How to become a phisherman Manabu Niseki

2. Who am I • A researcher who works at a

   CSIRT. ◦ Twitter: @ninoseki ◦ GitHub: @ninoseki • Thanks Beist-san & Tessy-san for inviting me to this great meetup!

3. Topics Covered in This Talk • What is “phishing kit”?

   • How can I get it? • How to use Certificate Transparency for phishing hunting

4. Phishing Kit? • “Phishing kit” is a kit to deploy

   a phishing website. ◦ In this talk, “phishing kit” means a compressed file including scripts for a phishing website. • By analyzing “phishing kit”, you could take practical countermeasures. ◦ C2 takedown: ▪ 16shop(Apple): 16shop[.]club ▪ HijaIyh(Apple): hijaiyh[.]net ◦ Attribution & coordination with national CSIRTs and LEAs.

5. How Can I Get a Phishing Kit? • You can

   get a phishing kit via an open directory website!

6. How Can I Get a Phishing Kit? • Example: ◦

   myvoicemailringcentralportal.sanantonio-entertainment[.]com

7. How Can I Get a Phishing Kit? • Example: ◦

   myvoicemailringcentralportal.sanantonio-entertainment[.]com/officevo icemail

8. How Can I Get a Phishing Kit? • The idea

   is simple: ◦ Get suspicious URLs ◦ Distinguish opendir or not ◦ Grab a phishing kit
9. None

10. A Tool For Phishing Hunting • miteru (https://github.com/ninoseki/miteru) ◦ An

    experimental phishing kit detection tool. ◦ Installation:

11. How It Works • Enumerating suspicious URLs from various feeds

    provided by urlscan.io. • Crawling suspicious URLs to hunt a phishing kit.

12. urlscan.io? • urlscan.io (https://urlscan.io/): ◦ urlscan.io is a service to

    scan and analyse websites. ◦ The service provides feeds via its search feature. ▪ OpenPhish • https://urlscan.io/search/#OpenPhish ▪ PhishTank • https://urlscan.io/search/#PhishTank ▪ certstream-suspicious • https://urlscan.io/search/#CertStream-Suspicious

13. certstream-suspicious? • certstream-suspicious is a feed which is based on

    Certificate Transparency.

14. Certificate Transparency? Certificate Transparency aims to remedy these certificate-based threats.

    Specifically, Certificate Transparency has three main goals: • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain. • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued. • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. (source: https://www.certificate-transparency.org/what-is-ct)
15. None

16. Certificate Transparency? • TL; DR: ◦ You can get (possibly)

    new domains via CT log servers.

17. certstream-suspicious? • certstream-suspicious provides “suspicious” domains based on CT logs.

    ◦ The algorithm of calculation of “suspiciousness” is not public. ◦ Probably it would be similar to x0rz’s phishing_catcher’s algorithm. ▪ https://github.com/x0rz/phishing_catcher

18. Why CT is important? • PhishLab says: ◦ “In Q3

    nearly half of all phishing sites, 49 percent, were using SSL” ▪ https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https • CT makes it possible to discover phishing sites before they run.

19. Omake: CT monitoring with ease • Facebook Certificate Transparency Monitoring

    ◦ https://developers.facebook.com/tools/ct/search/

20. Omake: CT monitoring with ease • CaliDog CertStream ◦ https://github.com/CaliDog/certstream-server

    ◦ An Elixir app for CT monitoring. ◦ It monitors CT log servers every 15 seconds and broadcasts new data via WebSocket. ◦ urlscan.io uses CertStream internally.

21. Demo

22. Be Responsible! <REDACTED/>

23. Conclusions • You can get a phishing kit via an

    open directory. • Certificate Transparency is a good resource for phishing hunting. • miteru is an easy-to-use phishing kit detection tool. ◦ Similar tools / alternatives: ▪ StreamingPhish • https://github.com/wesleyraptor/streamingphish ▪ StalkPhish • https://github.com/t4d/StalkPhish ▪ Phish-collect • https://github.com/duo-labs/phish-collect • Be responsible!

24. Any questions?

25. References • The Rise of Certificate Transparency and Its Implications

    on the Internet Ecosystem ◦ https://arxiv.org/pdf/1809.08325.pdf • Cats? In My Certificate Transparency Logs? ◦ https://static.sched.com/hosted_files/bsidessf2019/88/Catlog_BSidesSF_2019.pdf • Using certificate transparency streams to hunt down phishing sites ◦ https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1551104568.pdf