Catch the Phishing Domains Before They Start Their Campaign

Hi guys, you read that right: you can catch phishing domains before they start their campaign against your organization.

Being a Security Analyst, I always look for different ways to make the organization secure from external threats and to detect anything that is malicious or phishy.

My Experience…

After running phishing tests on employees, I found out how people think about what they receive over email. No matter how much you train your employees, they will still make some mistakes. There is a certain level of employees who might never understand the basics of the technical details, like what to do or not to do when you receive an email from an external entity.

Bad intentions…

Bad guys are always on the lookout for people who are not much concerned about or aware of security, or who are simply not interested in it. Obviously, we can't blame people, as they don't all come from a technical background. Nowadays, attackers are really smart. They create portals and websites that look just like those of the organization they are targeting, and the phishing websites they build look legitimate. They also obtain SSL certificates for them, so less technical staff see HTTPS and believe the site is safe. But that is not enough: HTTPS is not a measure of safety, it only means the connection to the website is encrypted.

SSL Monitoring…

So what we need here is to monitor the SSL certificates of all domains created worldwide, in real time. Yes, it is possible. Whenever bad guys register a domain similar to your organization's and obtain an SSL certificate for it in order to target you, you can catch them at that very moment.

This facility is provided by CertStream. CertStream is a real-time feed of Certificate Transparency logs. We are going to create a script that uses CertStream to fetch the real-time logs and look for names resembling the organization you work for.

Python Script…

Here's my script to identify the phishy domains.

https://github.com/9thplayer/Catch-the-Phishing-Domain-before-they-start-Campaign

There are a few Python dependencies. Please read the README file first.

How it Works…

We are going to create another script to notify us about the domains we are interested in. Suppose you work at example.com. You would like to know about SSL certificates issued for names similar to example.com. An attacker may also create a copy of a web portal you use internally, such as an HR portal or any other portal. For example, I saw someone had registered Microsoft.com as micr0soft.com. You see, there is a little zero, which creates a completely new domain. I also saw Microsoft.com.payment_due.com, which again is not Microsoft. So for my organization, I took the domains of all our portals and websites, twisted them a lot in weird ways, and put them under monitoring.

Monitoring Script…

Here's the script for monitoring all the domain/portal keywords; if a match is found, it notifies you through a Microsoft Teams web-hook. I like Microsoft Teams and we are already using it, so that was the best option for me. You can also use the Slack bot APIs for notification. But for now, if you follow along, please install the pymsteams module as well to use the Teams web-hook.

Further, to create the incoming web-hook, follow the article below from Microsoft.

https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/connectors/connectors-using#setting-up-a-custom-incoming-webhook

#!/usr/bin/env python
import os
import re
import pymsteams

# Log written by the CertStream watcher (see the GitHub script above)
LOG_FILE = "/phishing_catcher/suspicious_domains.log"
# Your Teams incoming web-hook URL (placeholder)
WEBHOOK_URL = "https://outlook.office.com/webhook/xxxxx-exxx"
# Lookalike keywords to search for; add as many as you need
KEYWORDS = [r"micr0soft", r"micros0ft", r"micr0s0ft"]

matched = ""
with open(LOG_FILE, "r") as f:
    for line in f:
        # Collect every logged domain that contains one of the keywords
        if any(re.search(keyword, line) for keyword in KEYWORDS):
            matched += line

# Send a single Teams notification listing all matches found in this run
if matched:
    teams_message = pymsteams.connectorcard(WEBHOOK_URL)
    teams_message.text(matched)
    teams_message.send()

# The log grows very quickly, so delete it after each scan
os.remove(LOG_FILE)

Keywords to Use…

You see, the trick here is to find the similar domains. For Microsoft, I kept the search keywords micr0soft, micros0ft and micr0s0ft. This is just an example; you can search for any number of words, which only needs a small modification to the above script.
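The two ideas above, generating the "twisted" keyword spellings and recognising the genuine brand name used as a label of someone else's domain, as an added example that is not the author's script. It works on a single CertStream message in the shape the certstream library's callback receives (message_type, data.leaf_cert.all_domains); the sample message and the homoglyph table are constructed here.

```python
# Homoglyph swaps seen in the post's own lookalikes (micr0soft, micros0ft, micr0s0ft).
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5"}

def keyword_variants(brand):
    """Brand plus every combination of homoglyph swaps ('microsoft' -> 16 spellings)."""
    variants, frontier = {brand}, [brand]
    while frontier:
        word = frontier.pop()
        for i, ch in enumerate(word):
            if ch in HOMOGLYPHS:
                new = word[:i] + HOMOGLYPHS[ch] + word[i + 1:]
                if new not in variants:
                    variants.add(new)
                    frontier.append(new)
    return variants

def classify(domain, org_domain, variants):
    """Return why a certificate name looks like a lookalike of org_domain, else None."""
    d = domain.lower().lstrip("*.")          # strip the wildcard of "*.example.com"
    brand = org_domain.split(".")[0]
    if d == org_domain or d.endswith("." + org_domain):
        return None                          # the organisation's own certificate
    if brand in d.split("."):                # e.g. microsoft.com.payment_due.com
        return "brand name used as a label of another domain"
    for v in sorted(variants - {brand}):
        if v in d:
            return f"homoglyph lookalike '{v}'"
    return None

def check_cert_update(message, org_domain, variants):
    """Inspect one CertStream message; return the (domain, reason) pairs to alert on."""
    if message.get("message_type") != "certificate_update":
        return []                            # heartbeats and other message types
    domains = message["data"]["leaf_cert"]["all_domains"]
    hits = [(dom, classify(dom, org_domain, variants)) for dom in domains]
    return [(dom, why) for dom, why in hits if why]

# Constructed sample in the CertStream "certificate_update" shape.
SAMPLE_MESSAGE = {"message_type": "certificate_update", "data": {"leaf_cert": {
    "all_domains": ["*.microsoft.com", "micr0soft.com", "login.micros0ft-portal.net",
                    "microsoft.com.payment_due.com", "mail.example.org"]}}}

if __name__ == "__main__":
    for dom, why in check_cert_update(SAMPLE_MESSAGE, "microsoft.com",
                                      keyword_variants("microsoft")):
        print(f"ALERT {dom}: {why}")
```

In a live setup this function would be the callback handed to certstream.listen_for_events, with the hits written to the log that the Teams script above reads.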

As you already understood from the script, it deletes the log file after scanning, because the CertStream watcher adds a huge amount of data to it every second. The above script needs to be run every hour to check whether any suspicious domain was found; after sending the notification it deletes the file.

End Result…

As you can see below, I found a few phishing domains related to our organization and received the notification over Teams from the above script. As we caught them instantly, we blocked them as well before they started any malicious activity.

I hope this is informative and helps your organization discover threats before they hunt you and the people in your organization.

About me: https://cyberzombie.in/about
Twitter: https://twitter.com/9thplayer
FB: https://www.facebook.com/ShekharSKS
Insta: https://www.instagram.com/Shekhu_19
