Catching phishing before they catch you

Paypal phishing, paypal phishing everywhere

x0rz
Just another infosec blog type of thing
2 min read · Nov 7, 2017

Let’s catch some phishing domain names using CertStream!

What is Certificate Transparency?

Certificate authorities (CAs) get hacked (it has already happened), and sometimes they mistakenly issue rogue certificates… That is why Google’s Certificate Transparency project tries to fix several structural flaws in the SSL certificate system by providing an open framework for monitoring and auditing SSL certificates in nearly real time, as they are being issued!

Certificate Transparency framework

CertStream + phishing keywords = ❤️

CertStream is a free service for getting data from the Certificate Transparency Log (CTL). Using their Python library to receive the certificate log is quite easy:

Now all you have to do is monitor for suspicious keywords such as paypal, outlook, icloud, etc. to get early detection: detect phishing domains before they are even fully operational!

I made a quick proof of concept using the CertStream Python library, and it works like a charm! Here are a few samples identified in just a couple of hours:

Get results in seconds!

There are a few false positives but nothing too crippling. Feel free to edit the source code to suit your needs 👍
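As an added example (not the phishing_catcher source, which this page does not reproduce), here is the keyword-scoring idea above applied to a CertStream message, with a score threshold to keep false positives down and a seen-set so the same domain is not reported twice when a certificate is reissued. The keyword weights, the TLD list, the regex for brand names nested under another registrable domain and the threshold of 60 are assumed values; the message shape (message_type, data.leaf_cert.all_domains) is what the certstream library delivers to its callback.

```python
import re
from typing import List, Set, Tuple

# Assumed keyword weights and TLD list (illustrative, not the project's own).
SUSPICIOUS_KEYWORDS = {
    "paypal": 50, "appleid": 50, "icloud": 40, "outlook": 40, "yahoo": 30,
    "login": 25, "secure": 20, "account": 20, "verification": 20, "support": 15,
}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq"}  # free TLDs common in phishing samples

def score_domain(domain: str) -> int:
    """Heuristic phishing score for one hostname; higher is more suspicious."""
    d = domain.lower().lstrip("*.")  # wildcard certs list names as '*.example.com'
    score = sum(w for kw, w in SUSPICIOUS_KEYWORDS.items() if kw in d)
    if d.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        score += 20
    # Brand domain nested under someone else's registrable domain, e.g. paypal.com.evil.net
    if re.search(r"(paypal|apple|icloud)\.com\.", d):
        score += 40
    score += 5 * max(0, d.count("-") - 2)  # long hyphenated hostnames
    score += 5 * max(0, d.count(".") - 2)  # deep subdomain nesting
    return score

def defang(domain: str) -> str:
    """Render a hostname as non-clickable text (dots become [.])."""
    return domain.replace(".", "[.]")

def handle_message(message: dict, seen: Set[str], threshold: int = 60) -> List[Tuple[str, int]]:
    """Process one CertStream message (shape: message_type, data.leaf_cert.all_domains).
    Returns (defanged_domain, score) for each not-yet-seen domain at or above threshold."""
    if message.get("message_type") != "certificate_update":
        return []  # heartbeats and other message types carry no domains
    hits = []
    for domain in message["data"]["leaf_cert"]["all_domains"]:
        if domain in seen:
            continue  # same name issued again (renewal, SAN overlap): skip duplicates
        seen.add(domain)
        s = score_domain(domain)
        if s >= threshold:
            hits.append((defang(domain), s))
    return hits

if __name__ == "__main__":
    import certstream  # pip install certstream; needs network access
    seen_domains: Set[str] = set()
    def on_event(message, context):
        for domain, score in handle_message(message, seen_domains):
            print(f"{score:>4}  {domain}")
    certstream.listen_for_events(on_event, url="wss://certstream.calidog.io/")
```

Raising the threshold or removing generic words such as "login" and "account" from the weights is the quickest way to trade recall for fewer false positives.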

Feel free to buy me a coffee ☕ if you liked the article!

Responses (3)


This looks neat. I was trying to implement something similar. Had a few questions. There are duplicates in the results — is there a way to filter those out if we plan to store the data? Is there a way to limit how many certs the stream returns, since every time it runs it tries to grab everything?

--

I installed phishing_catcher on my Mac, works like a charm, but on a CentOS 7 in a VirtualBox, I get the following error:
[root@localhost phishing_catcher-master]# ./catch_phishing.py
certificate_update: 0cert [00:00, ?cert/s][ERROR:root] 2017-11-28…

--

CertStream comes from the certificate transparency logs maintained by Google. Yes, these phishing sites have SSL certificates. Now you can get certificates at zero cost using Let’s Encrypt. Most likely these phishing sites use certificates issued by Let’s Encrypt.

--