

TOAMI~投網~: フィッシングハンター支援用ブラウザ拡張ツール / TOAMI ~Casting Net~: Browser Extension Tool for Supporting Phishing Hunters


NTT docomo Business

November 25, 2025


Transcript

  1. © NTT DOCOMO BUSINESS, Inc. All Rights Reserved.

    TOAMI -投網-: Browser extension tool to support phishing hunters
    NTT DOCOMO BUSINESS, Inc. Innovation Center / Proactive Response PJ, Yuichi Tsuboi
  2. About Me

    Name: Yuichi Tsuboi (Tsubock) / @ytsuboi0322
    Affiliation: NTT DOCOMO BUSINESS, Inc. Innovation Center
    Title:
    - Cyber Threat Intelligence Operations Architect
    - NTT Group Certified Security Principal
    - CISSP
    Work Focus: Exploring productization of defensive security technologies, uncovering and eradicating threat infrastructure, providing technical support to other organizations within the company, collaborating with external organizations, and phishing hunting.
  3. Agenda

    1. Introduction
    2. Introducing TOAMI, an extension tool for supporting phishing hunters
    3. Introducing the TOAMI architecture
    4. DEMO
    5. Planned Features
    6. Summary
  4. Current status of phishing attacks

    To begin, I'd like to briefly explain the current state of phishing damage in Japan. According to the 2025 Phishing Report compiled and published by the Council of Anti-Phishing Japan (antiphishing.jp), the number of phishing reports submitted to the council last year (2024) increased significantly compared to the year before, and the upward trend shows no sign of stopping.
    https://www.antiphishing.jp/report/phishing_report_2025.pdf
    Figure 1-1: Number of phishing reports in Japan (excerpt)
  5. Current status of phishing attacks

    The following factors are thought to be behind the increase in phishing attacks:
    • Shorter website lifespans and mass generation of sites
    • Increasing sophistication of detection evasion techniques
    • Automatic generation of convincing emails and websites using AI and other technologies
    • The rise of PhaaS (Phishing-as-a-Service)
    • Division of labor in the criminal ecosystem
  6. Phishing Hunter Activities

    Among the people active in countering phishing are the so-called phishing hunters. "Phishing hunter" refers to security researchers and individuals who discover, track, and analyze phishing sites and phishing emails in order to stop users from falling victim to phishing scams.
  7. Phishing Hunter Activities

    The main activity of phishing hunters is to find the traps set by cybercriminals and neutralize them, or warn users, before anyone is tricked.
    Main activities:
    • Detecting and monitoring phishing sites
    • Collecting and analyzing phishing emails
    • Disseminating information and getting phishing sites removed
  8. Introduction to activities and current issues hindering them

    The team I belong to (in a concurrent position) works under the keyword "Uncovering and Eliminating Threat Infrastructure." We also work to uncover and eradicate phishing scams by issuing warning information and by training the next generation of phishing hunters.
  9. Introduction to activities and current issues hindering them

    The following challenges stand in the way of continuous and effective phishing hunter operations:
    • Limited resources and constraints on response speed
    • Lack of specialized personnel and advanced skills
    • Difficulty in fundamentally addressing "human vulnerabilities"
    • Responding to emerging and diversifying attack channels
  10. TOAMI - Casting Net -: The reason for its development

    • Suspicious URLs collected from phishing emails are often visited manually to collect the site content and screenshots.
    • When reporting abuse for takedown purposes, screenshots are essential evidence of what the site served when it was visited.
    • When this is done by hand, however, a screenshot can be missed.
    • Depending on the phishing site's functionality, cloaking may be used: the site serves different content (or nothing at all) on repeated visits or to visitors that look like researchers, so a site that was missed the first time cannot simply be visited again.
  11. TOAMI - Casting Net -: The reason for its development (continued)

    Let's automatically take screenshots!
  12. TOAMI - Casting Net -: The reason for its development

    • Perhaps the lack of specialized personnel and advanced skills can be addressed through automated detection.
    • Since phishing kits have distinctive site structures, I thought they might be easier to identify with IoCs.
    • Phish Report's "Indicator of Kit (IOK)" is a common format for sharing the characteristics of phishing kits.
    • These two features, "automatic screenshot capture" and "detection of phishing sites (phishing kits) using IOKs," inspired me to develop this tool, hoping to make phishing hunters' work even a little easier.
  13. TOAMI - Casting Net -: The reason for its development (continued)

    If we could identify the characteristics of phishing sites, we could increase the number of phishing hunters, even without advanced skills.
  14. Aside: CyberTAMAGO (CODE BLUE 2024)

    In fact, before submitting to this year's Bluebox CFP, I first presented it in the "Imagination Man" category at last year's CODE BLUE workshop, "CyberTAMAGO."
  15. What is IOK (Indicator of Kit)?

    IOK is an open-source rule format published by Phish Report for describing the indicators of a phishing kit, the kit-level counterpart of an IoC (Indicator of Compromise). Phishing kits retain the habits and characteristics of their creators, for example:
    • Folder hierarchy characteristics
    • Specific JS/CSS patterns
    • Unique parameters
    • Code duplication structure
    By utilizing IOK:
    → Detection survives redeployment of the kit on new infrastructure
    → The same attacker and the same infrastructure can be identified easily
  16. Design concept

    1. Zero missed evidence
       • Prevent operational errors
       • Reduce the hassle of re-acquisition after a missed capture
       • Avoid lost takedown opportunities caused by failed captures
    2. Standardize investigation work and operation independent of phishing hunter skill
       • By utilizing IOK, even non-expert phishing hunters can detect similar phishing sites
       • Keep configuration as simple as possible
    3. Operates even in high-security device environments (local operation only)
       • Moving between applications other than the browser is difficult on such devices
       • Sites can be verified using the same UA/cookies as real users
       • DOM/HTTP/screenshots are easy to capture from inside the browser
       • No extra programs need to be installed
  17. TOAMI -投網-: List of Functions

    The current list of features of TOAMI - Casting Net - is as follows. It is equipped with features that make phishing hunters' daily hunting more efficient and reduce oversights.
    Key features:
    • Favicon hash matching
    • Keyword detection
    • IOK (Indicator of Kit) testing
    • Automatic screenshot capture
    • Redirect route visualization
    • Detailed hunting log output
  18. TOAMI -投網-: Functionality Overview

    Feature summary:
    • Favicon hash matching: Hashes the favicon of the visited site and compares it with the hashes of known legitimate brand favicons, to detect a legitimate favicon reused on a lookalike site.
    • Keyword detection: Checks whether any brand name defined in the tool is present in the site content. The result is used as the brand identification result.
    • IOK (Indicator of Kit) detection: Uses Phish Report's IOK rules to determine from its structure whether the visited site was built with a known phishing kit.
    • Redirect route visualization: Automatically records the redirect route even when the visited URL is only a redirector.
    • Automatic screenshot capture: Automatically captures screenshots of visited sites.
    • Detailed hunting log output: Automatically writes out TOAMI's detections.
  19. Data collected automatically

    TOAMI collects the following information and uses it for analysis:
    • URL / title / favicon
    • HTTP status / response headers
    • HTML source
    • JavaScript execution environment information
    • Screenshots
    • IOK / favicon hash / keyword detection results
  20. Demo: TOAMI -投網-

    We will now demonstrate how TOAMI -投網- operates.
    Demo scenario outline: access a suspected phishing site and determine whether there are any traces or indicators that confirm it as a phishing site.
    Verification steps:
    • Confirm that the browser extension (TOAMI -投網-) is activated.
    • Access the suspected phishing site.
    • TOAMI automatically checks the favicon hash of the accessed site.
    • Check whether a predefined brand name is present in the accessed content.
    • Check whether the site's structure matches any of the loaded IOK (Indicator of Kit) definitions.
    • If a redirection occurs, log the redirection route.
    • Automatically capture a screenshot of the accessed content.
  21. Demo: Environment overview

    The environment for this demo is as shown in the diagram. Components: a demo virtual machine running TOAMI -投網-, a simulated redirect server, a simulated cloaking processing server, and a simulated phishing kit. Flow: URL clicked in the mail text → redirect → redirect → phishing kit.
  22. Detailed Hunting Log

    The detailed hunting log is output in JSON format, one record per line. An example record (pretty-printed here for readability):

    {
      "datetime": "2025-10-29T04:12:33.456Z",
      "tabId": 45,
      "origin_url": "http://docorno.phish.test",
      "final_url": "http://phishkit.test",
      "redirect_route": [
        { "url": "http://docorno.phish.test", "timestamp": "2025-10-29T04:12:00.111Z", "status": 301,
          "headers": { "location": "http://redirect.phish.test", "server": "nginx" } },
        { "url": "http://redirect.phish.test", "timestamp": "2025-10-29T04:12:01.222Z", "status": 302,
          "headers": { "location": "http://phishkit.test", "server": "nginx" } },
        { "url": "http://phishkit.test", "timestamp": "2025-10-29T04:12:03.333Z", "status": 200,
          "headers": { "content-type": "text/html; charset=UTF-8", "server": "Apache" } }
      ],
      "http_status_code": 200,
      "response_headers": { "content-type": "text/html; charset=UTF-8", "server": "nginx" },
      "page_title": "dアカウント - ログイン",
      "favicon_url": "http://example.com/favicon.ico",
      "favicon_hash": "670441572",
      "favicon_md5": "09b4c05dc389993bcf81aa53ab69c49a",
      "screenshot": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...",
      "screenshot_path": "screenshots/2025-10-29T04-25-12_tab45.png",
      "html": "<!DOCTYPE html><html>...</html>",
      "requests": [ "http://example.com/script.js", "http://cdn.example.com/image.png" ],
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...",
      "detections": {
        "favicon_hash": [ "docomo" ],
        "brand_keyword": [ "docomo" ],
        "iok_match": [ "docomo_Phishing_Kit_demo-detect" ]
      }
    }
  23. Brand detection configuration file

    Filename: brands.json
  24. Reference: IOK file

    Filename: docomo_Phishing_kit_demo-detect.yml
  25. Operation flow

    The basic operation flow of TOAMI is as shown in the diagram on the left.
  26. TOAMI -投網- Architecture

    The TOAMI architecture consists of four main components and the communication paths that connect them.
    1. Service Worker: background.js
       This executes the core logic of the extension.
       Network monitoring (webRequest): One of the extension's most important features, automatic recording of redirect routes, is achieved by observing all network requests made by the browser through the webRequest permission in this service worker.
       Function control: In response to requests from the popup and content scripts, it saves data to storage, takes screenshots through the tabs API, and writes files through the downloads API.
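To make the redirect-route recording concrete, here is an added example of how a service worker can turn chrome.webRequest events into the redirect_route, origin_url and final_url fields of the hunting log. It is illustrative code written for this page, not TOAMI's background.js; the recorder is kept as a pure reducer so it can be exercised outside the browser, and the browser wiring at the bottom only runs when the chrome API is present. The three hop events fed in below are constructed to mirror the deck's demo (301 → 302 → 200).

```javascript
// Added example: recording a tab's redirect route from chrome.webRequest events in the
// extension service worker. Field names follow the redirect_route entries of the hunting log;
// the recorder logic itself is an assumption about how such a chain can be reconstructed.

const LOGGED_HEADERS = ['location', 'server', 'content-type'];

function isRedirect(status) {
  return status >= 300 && status < 400;
}

function createRedirectRecorder() {
  const routes = new Map(); // tabId -> hops of the navigation currently in progress

  return {
    // `details` is the object chrome.webRequest.onHeadersReceived passes to its listener
    // (url, tabId, type, statusCode, timeStamp in ms, responseHeaders as [{name, value}]).
    // Returns the recorded hop, or null if the event was ignored.
    onHeadersReceived(details) {
      if (details.type !== 'main_frame' || details.tabId < 0) return null;
      const headers = {};
      for (const h of details.responseHeaders || []) {
        const name = h.name.toLowerCase();
        if (LOGGED_HEADERS.includes(name)) headers[name] = h.value; // keep the evidential subset only
      }
      const hop = {
        url: details.url,
        timestamp: new Date(details.timeStamp).toISOString(),
        status: details.statusCode,
        headers,
      };
      let route = routes.get(details.tabId);
      // A hop that follows a non-3xx response is a fresh navigation (typed URL, clicked link,
      // or a JavaScript/meta-refresh redirector that fired), so a new route starts there.
      if (!route || !isRedirect(route[route.length - 1].status)) route = [];
      route.push(hop);
      routes.set(details.tabId, route);
      return hop;
    },

    // Builds the top-level navigation fields of a hunting-log record for the tab's current route.
    summary(tabId) {
      const route = routes.get(tabId);
      if (!route || route.length === 0) return null;
      const last = route[route.length - 1];
      return {
        tabId,
        origin_url: route[0].url,
        final_url: last.url,
        redirect_route: route.slice(),
        http_status_code: last.status,
        response_headers: last.headers,
        complete: !isRedirect(last.status), // false while the chain is still mid-redirect
      };
    },

    clear(tabId) {
      routes.delete(tabId);
    },
  };
}

const recorder = createRedirectRecorder();

// Browser-only wiring. Needs "webRequest"  in manifest permissions and host_permissions
// covering the hunted sites; "responseHeaders" in extraInfoSpec is required to see Location.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => { recorder.onHeadersReceived(details); },
    { urls: ['<all_urls>'], types: ['main_frame'] },
    ['responseHeaders'],
  );
  chrome.tabs.onRemoved.addListener((tabId) => recorder.clear(tabId));
}
```

Two limits worth knowing when reading the resulting log: only HTTP-level redirects (3xx + Location) are chained, so a JavaScript or meta-refresh redirector shows up as a 200 that ends one route and the landing page as the start of the next; linking those would require the webNavigation API's transition qualifiers. And because webRequest in a Manifest V3 service worker is observational, the extension can record the chain but cannot alter it, which is what you want for evidence.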
  27. TOAMI -投網- Architecture

    2. Popup (Action): popup.html
       This is the small UI that appears when the user clicks the extension's icon in the browser toolbar, and it serves as the extension's main interface. From here, users can toggle the various detection features on and off, check information about the current page, and manually trigger actions such as taking a screenshot.
  28. TOAMI -投網- Architecture

    3. Content Script: content_script.js
       This script is injected into each web page to analyze the page content of a suspected phishing site.
       In-page detection: It runs at document_idle, retrieves the page's HTML, text, metadata, etc. after the DOM has loaded, and performs keyword detection and IOK (Indicator of Kit) detection.
       Third-party library: js-yaml is loaded to read IOK rules. The content script parses the YAML configuration and rule files (rules/iok/*.yaml) within the page and uses them in the detection logic.
       Data collection: It collects information from the page and sends it as a message to the service worker (background.js).
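The following added example (not TOAMI's content script, and not a real IOK rule) shows the detection step that the IOK slide and the content-script slide describe: evaluating a Sigma-style rule, with selectors under detection and a condition string, against the data gathered from a page, and combining it with a brand keyword check to produce the brand_keyword and iok_match entries of the hunting log. The rule object is written as js-yaml's load() would return it; its selector names, patterns, the supported condition grammar (and/or/not/parentheses), the sample page and the brands dictionary are all assumptions constructed for this example, not the full IOK specification or the deck's actual files.

```javascript
// Added example: Sigma-style IOK rule evaluation against data a content script collects.
// Rule shape, selector names and the condition grammar are assumptions; in TOAMI the rule
// object would come from jsyaml.load() over rules/iok/*.yaml.

// Constructed sample of what the content script gathers from the page (shaped like the
// hunting-log fields): string fields are searched as text, array fields element by element.
const SAMPLE_PAGE = {
  hostname: 'phishkit.test',
  title: 'dアカウント - ログイン',
  html: '<html><head><title>dアカウント - ログイン</title></head><body>' +
        '<form action="./login_chk.php"><input name="network_pwd"></form>' +
        '<script src="/assets/js/dcm_login.js"></script></body></html>',
  requests: ['http://phishkit.test/assets/js/dcm_login.js', 'http://cdn.example.com/image.png'],
};

// Constructed demo rule. The title reuses the name from the deck's log; the body is invented.
const DEMO_RULE = {
  title: 'docomo_Phishing_Kit_demo-detect',
  description: 'Demo rule for a kit that posts a dアカウント login form to login_chk.php',
  detection: {
    html: ['name="network_pwd"', 'login_chk.php'],
    requests: ['/assets/js/dcm_login.js'],
    title: ['dアカウント'],
    condition: 'html and (requests or title)',
  },
};

// Constructed brands dictionary in the shape a brands.json might take: brand -> keywords.
const DEMO_BRANDS = { docomo: ['docomo', 'dアカウント'], amazon: ['amazon'] };

// A selector matches when any of its patterns is found in the corresponding collected field.
// Patterns are plain strings (substring match) or RegExp objects.
function selectorMatches(patterns, value) {
  const haystacks = Array.isArray(value) ? value : [value ?? ''];
  return patterns.some((p) =>
    haystacks.some((h) => (p instanceof RegExp ? p.test(h) : h.includes(p))));
}

// Minimal recursive-descent evaluator for the condition string.
// expr := term ('or' term)* ; term := factor ('and' factor)* ; factor := 'not' factor | '(' expr ')' | NAME
function evaluateCondition(condition, truth) {
  const tokens = condition.match(/\(|\)|[^\s()]+/g) || [];
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  function factor() {
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of condition');
    if (tok.toLowerCase() === 'not') return !factor();
    if (tok === '(') { const v = expr(); if (next() !== ')') throw new Error('missing )'); return v; }
    if (!Object.prototype.hasOwnProperty.call(truth, tok)) throw new Error(`unknown selector "${tok}"`);
    return truth[tok];
  }
  function term() {
    let v = factor();
    while (peek() && peek().toLowerCase() === 'and') { next(); v = factor() && v; }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() && peek().toLowerCase() === 'or') { next(); v = term() || v; }
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new Error(`trailing tokens in condition: ${tokens.slice(i).join(' ')}`);
  return result;
}

// Returns the rule title when the page matches the rule, otherwise null.
function evaluateRule(rule, page) {
  const { condition, ...selectors } = rule.detection;
  const truth = {};
  for (const [name, patterns] of Object.entries(selectors)) {
    truth[name] = selectorMatches(patterns, page[name]);
  }
  return evaluateCondition(condition, truth) ? rule.title : null;
}

// Runs every loaded rule plus the brand keyword dictionary and returns the
// brand_keyword / iok_match parts of the log's detections object.
function runDetections(page, rules, brands) {
  const text = `${page.title ?? ''}\n${page.html ?? ''}`.toLowerCase();
  const brand_keyword = Object.entries(brands)
    .filter(([, keywords]) => keywords.some((k) => text.includes(k.toLowerCase())))
    .map(([brand]) => brand);
  const iok_match = rules.map((r) => evaluateRule(r, page)).filter(Boolean);
  return { brand_keyword, iok_match };
}
```

Because the rule engine runs inside the page's own execution context (the content script), patterns that depend on the final, script-built DOM see what the victim sees; the trade-off is that a hostile page could in principle detect the injected script, which is a reason to keep the detection logic simple and the evidence capture in the service worker.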
  29. TOAMI -投網- Architecture

    4. Options Page (Options UI): options.html
       This is a tab-based interface for managing extension settings and rules. It provides a UI for customizing and updating the favicon hash list, the keyword dictionary, and the IOK rules (rules/iok/*.yaml). Settings are persisted via the storage permission.
  30. Planned Features

    Tools that utilize IOK (Indicator of Kit) are still not widespread globally, and IOKs targeting Japanese phishing sites in particular are extremely rare. Through TOAMI - Casting Net -, we aim to improve the detection of phishing sites both domestically and internationally and to promote the widespread use of IOKs, positioning it as a Japanese-developed detection support tool that leverages IOKs.
  31. Planned Features

    We plan to implement the following features in the future:
    • IoC linkage with YARA rules (e.g., yara-netloc / PhishingKit-Yara-Rule).
    • Countermeasures against cloaking via a function that switches between multiple proxies.
    • Improved automatic detection accuracy using machine learning.
    Furthermore, we will collaborate with phishing hunters in Japan and globally to evolve TOAMI into a more practical and effective tool.
  32. Summary

    • This tool was launched to streamline phishing hunting operations, which currently require specialized, highly skilled personnel.
    • We designed, implemented, and tested the tool based on the requirements presented at last year's CyberTAMAGO.
    • As a result, we achieved our initial goals of standardizing the detection logic and preventing forgotten screenshots.
    • As mentioned in our future implementation plans, we would like to extend the detection logic with machine learning and other IoCs such as YARA rules, so that a wide range of unknown phishing sites can be detected.
    Phishing damage is steadily increasing. In order to make hunting operations easier and reduce phishing damage in Japan, we will continue improving the tool by standardizing operations and detection logic.
  33. Someone from CyberTAMAGO will also be speaking

    In the CyberTAMAGO workshop within CODE BLUE, ideas for extension tools to the tool introduced here, "TOAMI -Casting Net-", will be presented in the "Idea Man" category.
    Presentation title:
    • "IKESU – Phish Tank – / CHOKA – Phish Results –"
    Presentation time:
    • 14:10
    If you have time, please come and listen!
  34. Thank you all for listening.

    Your comments and feedback are always welcome!
    Contact: [email protected] / @ytsuboi0322