Without going into too much detail, the past 6 months have seen me embark on a fairly significant project that is focused on finding security issues that concern New Zealand businesses and our address space. The project evolved from two smaller projects:

  • A Slack channel of Shodan enthusiasts.
  • My (retired) malware tracker.

Between my existing operation and the general goal of the Slack channel we found a common purpose of helping find issues in our country and initiate resolution of them through public and private sector contacts.

A large component of the data that we generate is phishing sites, so I thought I’d take the opportunity to share a small number of the insights that I’ve gathered from the first couple of months my platform has been live.


Infrastructure gets re-used (and shouldn’t)…

Taking down a phishing kit isn’t enough. Whether it be a VPS dedicated to hosting kits, an unpatched WordPress instance that has had a kit uploaded to it via a file-upload vulnerability, or a completely owned shared host – you’re almost guaranteed to see a host pop up on your radar again if all you do is remove the offending files from it. If it looks like an account is being used for the sole purpose of hosting kits: disable it, sinkhole the domain(s), block the payment method and assess whether you see the account IPs signing up again. If a site or host is owned: eliminate the root cause, address any fallout and monitor the effectiveness of your mitigations.

In light of this, as a hunter it is very beneficial to employ a concept of ‘monitored hosts’ in your intelligence gathering operation. Don’t wait for specific items to pop up in feeds: if you know a host is likely to be a problem, go out there and gather the data yourself. Regularly feed historical data back into your processing pipeline to determine whether new data concerning those hosts exists – VirusTotal is excellent for this.

Shared hosting providers just don’t seem to care…

There are a handful of hosting providers who form a high percentage of our findings. Takedown requests get ignored, repeat offenders do not appear to get their accounts disabled, vulnerable CMSes do not get patched and the root cause of host compromise never gets addressed. Further to these issues, we’re yet to come across a single hosting provider that is doing any sort of proactive assessment of what’s happening in their address space – even following supposed resolution of a compromise. Several NZ web hosts have remained on blacklists for as long as we’ve been monitoring them, which is potentially impacting hundreds of businesses hosted under these addresses.

I’m yet to decide whether this is the result of plain negligence or a general lack of understanding on how to deal with these problems, but it’s very clear that many hosting providers need to up their game. The squeal test was never intended to be used in the security space…

Phishing kits are not very covert…

All of our discovery is done through automation. The volume of data we are faced with is completely infeasible for manual assessment (though, this does occur on the resulting reports to tune out false-positives).

The base dataset is formed by pulling in feeds from the likes of PhishTank, OpenPhish and CleanMX, and this is appended to data discovered through Google, VirusTotal and links extracted from spam traps (among other sources). All of this is within reach of hosting providers. It is not difficult to answer “are public feeds telling me that there are problems occurring in my address space?”. Cymon, VirusTotal and Shodan do a lot of the hard work for you and all have easy-to-use and well documented APIs.

Identical and statistically similar items are then filtered out of the base dataset, and the resulting items sent to a queue where multiple workers are able to identify locations of phishing activity by: similarity scoring of domains to brands of interest, inclusion of brand strings in the URL, inclusion of brand strings or domains in the page source, and inclusion of the brand logo in the page (where the domain owner isn’t the brand owner). Every known phishing kit we’ve tested is positively identified using at least one of these checks.

To successfully dupe someone into interacting with a phishing kit, you need the brand to be included in either the URL, page source or page appearance. Check all of those and you’ll find kits with a high level of reliability.
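The first three checks from the worker stage above (domain similarity, brand in URL, brand or brand domain in page source), as an added example that is not code from the post or the author’s platform. The brand list and URLs are constructed; the logo check is left out because it needs image matching, and a brand’s own domain is excluded so the brand owner hosting its own brand never fires.

```python
import difflib
from urllib.parse import urlparse

# Constructed sample of brands of interest: brand string -> legitimate domain.
# Both values are made up for this example.
BRANDS = {
    "examplebank": "examplebank.co.nz",
    "kiwipay": "kiwipay.nz",
}


def is_legitimate(host, legit_domain):
    """True when the host is the brand's own domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


def domain_similarity(host, brand):
    """Best difflib ratio between any DNS label of the host and the brand."""
    labels = [label for label in host.lower().split(".") if label]
    if not labels:
        return 0.0
    return max(difflib.SequenceMatcher(None, label, brand).ratio()
               for label in labels)


def assess(url, html, brands=BRANDS, threshold=0.8):
    """Run the checks against one URL and its page body.

    Returns {brand: [names of checks that fired]} for brands whose owner
    does not control the host; an empty dict means nothing fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    rest = (parsed.path + "?" + parsed.query).lower()  # path + query only
    body = html.lower()
    hits = {}
    for brand, legit_domain in brands.items():
        if is_legitimate(host, legit_domain):
            continue  # brand owner hosting its own brand is not phishing
        triggered = []
        if domain_similarity(host, brand) >= threshold:
            triggered.append("domain_similarity")  # e.g. examp1ebank
        if brand in host or brand in rest:
            triggered.append("brand_in_url")
        if brand in body or legit_domain in body:
            triggered.append("brand_in_source")
        if triggered:
            hits[brand] = triggered
    return hits
```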

Sharing phishing data is essential…

Like it or not, so long as phishing nets results it’ll continue to be a method that criminals turn to. No gang is going to shun reliable income. Reporting phishing through the likes of PhishTank (verified entries are ingested by a handful of antivirus engines, who share with others) and Google SafeBrowsing is an effective method of having content blocked while waiting for hosting providers to eliminate a problem at its source (or not). There have been very few cases where hosting providers have acted before content has been blocked by the browser itself.

Multi-factor authentication is essential for online survival…

Few kits we’ve found exhibited the ability (or intention) to harvest MFA tokens. From my years of experience serving as both the red and blue team for MSPs, I can fairly confidently say it’s difficult to predict who will fall victim to phishing. I’ve seen a user with 40+ years of experience with computers lose their credentials to a page that was flagged by someone who is straight out of college. Similarly, that same person has also entered credentials into a page even after warnings from browser protections told them not to. The commonality between all incidents was that MFA prevented the stolen credentials from being abused (along with having a company funded password manager that discouraged password reuse, which I guess is also a valid point to make here).

If you want results you need to seek them…

Dumping a phishing URL in a tweet or a Slack channel is fine if you want to raise awareness of a threat, but you cannot rely on these modes of communication to prompt response to it. There will of course be exceptions, but if you want actual response to take place then you need to direct the data at the people who are able to execute that response. Most major organisations will have a contact to report phishing to, and they’ll in turn have contacts within hosting providers, browser and security vendors to quickly mitigate and resolve a matter. Where an organisation doesn’t have such a contact, the relevant CERT will have procedures in place and the authority to deal with a matter as their legislation permits – and this also isolates you from the backlash that some companies tend to throw at security researchers.
