Catching phishing before they catch you

Paypal phishing, paypal phishing everywhere

x0rz
Just another infosec blog type of thing


Let’s catch some phishing domain names using CertStream!

What is Certificate Transparency?

Certificate authorities (CAs) get hacked (it has already happened), and sometimes they mistakenly issue rogue certificates… That is why Google’s Certificate Transparency project tries to fix several structural flaws in the SSL certificate system: it provides an open framework for monitoring and auditing SSL certificates in near real time, as they are being issued!

Certificate Transparency framework

CertStream + phishing keywords = ❤️

CertStream is a free service for getting data from the Certificate Transparency Log (CTL). Using their Python library to receive certificate log entries is quite easy:

Now all you have to do is monitor for suspicious keywords such as paypal, outlook, icloud, etc. to get early detection: you can spot phishing domains before they are even fully operational!

I made a quick proof of concept using the CertStream Python library, and it works like a charm! Here are a few samples identified in just a couple of hours:

Get results in seconds!

There are a few false positives but nothing too crippling. Feel free to edit the source code to suit your needs 👍
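As an added example (not the author's gist), here is a keyword-scoring filter in the spirit of that proof of concept, with a small allowlist to suppress the brand's own certificates and cut down false positives. The heuristics, allowlist and sample message are constructed; the `certstream.listen_for_events` call is assumed from the calidog/certstream-python README.

```python
"""Keyword triage of domains from a Certificate Transparency feed.
Added example, not x0rz's proof of concept: heuristics and allowlist are
constructed; the certstream call in main follows the calidog README (assumed API)."""
from typing import Dict, List

KEYWORDS = ["paypal", "apple", "appleid", "icloud", "outlook", "yahoo"]
LURE_WORDS = ["login", "secure", "account", "verif", "recover", "update", "support"]
CHEAP_TLDS = {"tk", "ml", "ga", "cf", "gq"}            # free TLDs common in phishing
ALLOWLIST = {"paypal.com", "apple.com", "icloud.com"}  # constructed, brand-owned

def score_domain(domain: str, keywords: List[str] = KEYWORDS) -> int:
    """Heuristic suspicion score; 0 means no watched keyword or allowlisted."""
    host = domain.lower().lstrip("*.")           # CT logs include wildcard certs
    labels = host.split(".")
    if ".".join(labels[-2:]) in ALLOWLIST:
        return 0                                 # the brand's own certs: no alert
    hits = [k for k in keywords if k in host]
    if not hits:
        return 0
    score = 10 * len(hits)
    # "brand.com." or "com-" placed before the real registrable domain is a classic trick
    if any(l == "com" or l.startswith("com-") for l in labels[:-1]):
        score += 20
    score += 5 * sum(1 for w in LURE_WORDS if w in host)
    score += 3 * host.count("-")                 # long hyphenated labels
    if labels[-1] in CHEAP_TLDS:
        score += 10
    return score

def defang(host: str) -> str:                    # make reported domains non-clickable
    return host.replace(".", "[.]")

def triage_message(message: Dict, threshold: int = 30) -> List[str]:
    """Return defanged suspicious domains from one CertStream message."""
    if message.get("message_type") != "certificate_update":
        return []                                # heartbeats carry no certificate
    domains = message["data"]["leaf_cert"]["all_domains"]
    return [defang(d) for d in domains if score_domain(d) >= threshold]

# Constructed sample shaped like a CertStream 'certificate_update' message.
SAMPLE = {"message_type": "certificate_update", "data": {"leaf_cert": {
    "all_domains": ["paypal-login.com.accounntreviews-highrisk.com",
                    "www.paypal.com", "blog.example.org"]}}}

if __name__ == "__main__":
    import certstream  # pip install certstream (assumed API, see docstring)
    def on_event(message, context):
        for hit in triage_message(message):
            print("[!] suspicious:", hit)
    certstream.listen_for_events(on_event, url="wss://certstream.calidog.io/")
```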

Feel free to buy me a coffee ☕ if you liked the article!
