Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to become a phisherman

6589e3179283043e0f5907144b9ad6eb?s=47 ninoseki
April 25, 2019
Technology
0
840

How to become a phisherman

My slides for Becks Japan #2
https://becks.doorkeeper.jp/events/89161

6589e3179283043e0f5907144b9ad6eb?s=128

ninoseki

April 25, 2019
Tweet

More Decks by ninoseki

See All by ninoseki
AVTokyo 2020 Phishing Kit Analysis Workshop
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
2
800
Botconf 2019 OSINT 101
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
2
590
DNS changerとハニーポット
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
2
1.1k
MISP & TheHive/Cortex in 20 minutes
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
0
430
HTTP(S)ハニポを作ってみた
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
4
1.5k
OWASP Juice Shop どうでしょう
6589e3179283043e0f5907144b9ad6eb?s=48 ninoseki
1
590

Other Decks in Technology

See All in Technology
History of the ML system in KARTE
290d6f09d5a1df2c2ecb6601011fe5c1?s=48 kargo113
0
610
アーキテクチャを明文化して開発に臨んだ話
903c7dbf16067d22e7b03ead7d8acdc5?s=48 akihiyo76
0
260
複数のスクラムチームをサポートするエンジニアリングマネジメントの話
4bddf664b03da8ad6b8d61660dcdc682?s=48 okeicalm
0
1.1k
Custom GitHub Actions by Java
E68f2e8b47dc1769380a1fa8181df3dd?s=48 kazamori
0
280
Istio入門
72c25016e1baff3eb99a80dfc1e95ca1?s=48 nutslove
15
4.9k
データ分析で切り拓け! エンジニアとしてのデータ分析職キャリア戦略
43ba5a2227c580ce2290544d81c6261c?s=48 ksnt
0
110
oakのミドルウェアを書くときの技のらしきもの
6ab47a68ee78e84c34731ce12333deff?s=48 toranoana
0
110
誰が正解を知っているのか / Who knows the right answer
95aaab3d693889550fd2e7ae02f2f789?s=48 takaking22
1
230
さいきんのRaspberry Pi。 / osc22do-rpi
74476e142a767a018d68c5e72e34ee2f?s=48 akkiesoft
5
5k
ソフトウェアテスト 2022 / Software Testing 2022
77fa3ebbf229a884c74c905034b1f4c2?s=48 ak1210
1
1.8k
JDK Flight Recorder入門
484571ccba0db66b69dc11761afdd0c4?s=48 chiroito
1
500
1人目QAエンジニアよもやま話 / QA Test Talk Vol.1
1b7098127bb4872f5fa10415d88479b7?s=48 nametake
4
220

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
269
11k
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
7.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
940
Code Review Best Practice
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
43
9.2k
Building Applications with DynamoDB
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
83
4.7k
The Pragmatic Product Professional
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
3k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.2k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
119
28k
GraphQLの誤解/rethinking-graphql
3cb4e761dbdb7aebd1ffd85f752e1e3e?s=48 sonatard
27
6.6k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
10
3.4k
The Straight Up "How To Draw Better" Workshop
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
225
120k

Transcript

  1. How to become a phisherman Manabu Niseki

  2. Who am I • A researcher who works at a

    CSIRT. ◦ Twitter: @ninoseki ◦ GitHub: @ninoseki • Thanks Beist-san & Tessy-san for inviting me to this great meetup!

  3. Topics Covered in This Talk • What is “phishing kit”?

    • How can I get it? • How to use Certificate Transparency for phishing hunting

  4. Phishing Kit? • “Phishing kit” is a kit to deploy

    a phishing website. ◦ In this talk, “phishing kit” means a compressed file including scripts for a phishing website. • By analyzing “phishing kit”, you could take practical countermeasures. ◦ C2 takedown: ▪ 16shop(Apple): 16shop[.]club ▪ HijaIyh(Apple): hijaiyh[.]net ◦ Attribution & coordination with national CSIRTs and LEAs.

  5. How Can I Get a Phishing Kit? • You can

    get a phishing kit via an open directory website!

  6. How Can I Get a Phishing Kit? • Example: ◦

    myvoicemailringcentralportal.sanantonio-entertainment[.]com

  7. How Can I Get a Phishing Kit? • Example: ◦

    myvoicemailringcentralportal.sanantonio-entertainment[.]com/officevo icemail

  8. How Can I Get a Phishing Kit? • The idea

    is simple: ◦ Get suspicious URLs ◦ Distinguish opendir or not ◦ Grab a phishing kit
  9. None

  10. A Tool For Phishing Hunting • miteru (https://github.com/ninoseki/miteru) ◦ An

    experimental phishing kit detection tool. ◦ Installation:

  11. How It Works • Enumerating suspicious URLs from various feeds

    provided by urlscan.io. • Crawling suspicious URLs to hunt a phishing kit.

  12. urlscan.io? • urlscan.io (https://urlscan.io/): ◦ urlscan.io is a service to

    scan and analyse websites. ◦ The service provides feeds via its search feature. ▪ OpenPhish • https://urlscan.io/search/#OpenPhish ▪ PhishTank • https://urlscan.io/search/#PhishTank ▪ certstream-suspicious • https://urlscan.io/search/#CertStream-Suspicious

  13. certstream-suspicious? • certstream-suspicious is a feed which is based on

    Certificate Transparency.

  14. Certificate Transparency? Certificate Transparency aims to remedy these certificate-based threats.

    Specifically, Certificate Transparency has three main goals: • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain. • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued. • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. (source: https://www.certificate-transparency.org/what-is-ct)
  15. None

  16. Certificate Transparency? • TL; DR: ◦ You can get (possibly)

    new domains via CT log servers.

  17. certstream-suspicious? • certstream-suspicious provides “suspicious” domains based on CT logs.

    ◦ The algorithm of calculation of “suspiciousness” is not public. ◦ Probably it would be similar to x0rz’s phishing_catcher’s algorithm. ▪ https://github.com/x0rz/phishing_catcher

  18. Why CT is important? • PhishLab says: ◦ “In Q3

    nearly half of all phishing sites, 49 percent, were using SSL” ▪ https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https • CT makes it possible to discover phishing sites before they run.

  19. Omake: CT monitoring with ease • Facebook Certificate Transparency Monitoring

    ◦ https://developers.facebook.com/tools/ct/search/

  20. Omake: CT monitoring with ease • CaliDog CertStream ◦ https://github.com/CaliDog/certstream-server

    ◦ An Elixir app for CT monitoring. ◦ It monitors CT log servers every 15 seconds and broadcasts new data via WebSocket. ◦ urlscan.io uses CertStream internally.

  21. Demo

  22. Be Responsible! <REDACTED/>

  23. Conclusions • You can get a phishing kit via an

    open directory. • Certificate Transparency is a good resource for phishing hunting. • miteru is an easy-to-use phishing kit detection tool. ◦ Similar tools / alternatives: ▪ StreamingPhish • https://github.com/wesleyraptor/streamingphish ▪ StalkPhish • https://github.com/t4d/StalkPhish ▪ Phish-collect • https://github.com/duo-labs/phish-collect • Be responsible!

  24. Any questions?

  25. References • The Rise of Certificate Transparency and Its Implications

    on the Internet Ecosystem ◦ https://arxiv.org/pdf/1809.08325.pdf • Cats? In My Certificate Transparency Logs? ◦ https://static.sched.com/hosted_files/bsidessf2019/88/Catlog_BSidesSF_2019.pdf • Using certificate transparency streams to hunt down phishing sites ◦ https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1551104568.pdf