Author: jpyorre

I’m currently building a process and interface to crawl known-bad phishing pages, where I take a screenshot and collect other data. That data is going to be used to find similar-looking screenshots and similar-behaving network traffic from streaming logs of visited URLs. This is initially for a talk I’m doing at DeepSec in Vienna this fall, but I hope there’s enough time to make a live website that people can try out instead of only uploading my code to GitHub.

So far, I’ve made a couple things:

1: A web interface where you can upload a list of URLs and get the approximate physical location of the hosting of those domains/subdomains. This is to support my need to figure out where to put web crawlers.

2: Web crawlers. I run 20 at a time in docker-compose. They accept URLs and domains and will try to get a screenshot and other data. More of them will be built in the locations where I see most phishing coming from.

3: An interface to group similar screenshots together in order to easily delete those that don’t contribute to a malicious dataset and to easily keep those that can be added to a malicious dataset.

And I’m working on:

  1. A sort of ‘analyst interface’ that shows information from the malicious dataset and then any hits for similar websites, all on a timeline. This is a lot of javascript and I do not like javascript…

I’ve been thinking about this for a while. I have a fantastic job working with Cisco Talos and hope to keep doing it for a while. My team is great and the work is fulfilling, challenging, fun, and satisfies my passions to help make cybersecurity better for a lot of people and organizations.

I also want to enable small businesses, non-profits, and even individuals to better secure themselves against malicious activity. Almost all my research is me trying to build tools that can be used by smaller organizations, but none of it is really a ‘product’ yet. I am working towards building various products and services that can be provided on a sliding scale price. Hopefully I can find customers for some of these, and then can use any money that’s made to fund scaling up the security of places that either can’t afford or don’t even think about security.

Large organizations have the resources to hire threat researchers, security engineers, build SOCs, and more, but the smaller ones are left to purchase (often) sub-par services that don’t deliver the same quality. We hear about breaches or ransomware or some other attack on large organizations where the initial attack vector was through a smaller contracted organization. So we have resource-heavy organizations who have the security defenses they need to protect themselves, but then we have small businesses with few or any resources handling some part of their business. It’s a major gap in security and needs to be dealt with.

I believe large security organizations should be providing the same amazing services they charge a lot for to these smaller organizations for sliding-scale fees, and in some cases, completely free of charge.

So my goal/dream is to build an organization where enterprise-level services are provided at enterprise prices to paying customers, but the money flows down to those that can’t afford it. Large organizations would benefit from a wider security net across industries and smaller organizations will be more secure.

I don’t yet know when it will happen, but I hope to eventually be able to turn Pyosec into a security company while funneling all low cost and free services through a non-profit. This would likely require me not having a regular day job, but for now I have a lot more work to do with my team and don’t intend to leave any time soon. In the meantime, I will continue thinking and strategizing how this will eventually come to fruition while doing what I can in my free time to continue research, giving presentations, and educating/working with non-profits and small businesses.

If you’ve found this site and are interested in having a chat about your organization or security posture, please reach out via the contact page. This isn’t me trying to sell something/build sales leads. I have skills and knowledge and want to help.

I had the wonderful opportunity to once again present my current work at Deepsec, in Vienna in November, 2023. I presented new work on URL Analysis at Scale.

The research resulted in building a web app and API that can use spelling, natural language processing, machine learning, and some other techniques to quickly analyze large lists of URLs or streaming URLs to find the ones that are likely malicious. It scales by using rabbitMQ and AWS Lambda’s to increase processing power as needed.

It took me about 3 months to create the project, and then I took a few months off after presenting. However, I’m back to working on it. My plan is to create a publicly accessible web app/API where others can use the detection I’ve built in.

The presentation slides can be found at https://pyosec.com/research/.

I presented on automating threat intelligence yesterday at QuBit in Sofia, Bulgaria.

This was my first time giving this presentation, and as usual (for me), I was coding up to the moment I walked on stage. I thought it went really well and learned a lot from the audience. What I learned will feed back into additional research on my attempt to automate myself out of a job!

If interested in my code and slides, they can be found in the Research and Presentations section.

Phishing is an efficient method for an attacker to deliver malware or harvest credentials from unsuspecting victims. By sending out a mass or targeted email designed to look like it came from a bank or other legitimate source, an attacker can acquire a fair number of user credentials or deliver malware. Credentials can be used for identity theft, additional compromise or to send more seemingly legitimate phishing emails and convincing a user to install malware can give attackers access to a system.


Phishing will typically use domains from one of three sources:

  • Free hosting providers, often the most basic of phishes,
  • Paid hosting, typically used for targeted attacks. In an attempt to appear more legitimate, an attacker may use a domain that is similar in name to the domain they’re impersonating,
  • Compromised hosts or registrars. In these cases, a website is compromised and phishing content is hosted deep within the site
  • or the registrar is compromised and subdomains are configured to point to phishing content on the same or different servers.

To get an idea of what kinds of domains phishing attacks are using at present, We’ve analyzed a portion of data from phishtank.com.

Phishtank is a website run by OpenDNS where members submit potential phishes for review by other members of the community. When enough votes confirm a phishing attack, it is labeled as a verified phish. Phishtank is a relatively small slice of phishing content on the internet. We are only looking at a data set of just over 3 million reported phishing attempts. However, looking at the verified phishing attacks for just this month, we are able to see some basic patterns.


To get this data, we downloaded a copy of the verified phishing attempts that were online as of this month from the statistics page at phishtank.com and performed analysis on the data using python. With the Uniform Resource Name (the part after domain.com/), we were left with domains and subdomains. We then analyzed those using the OpenDNS Investigate API to collect ASN organizational information for each unique domain. That provided a summary of organizations responsible for domains hosting phishing content.

As of this writing, 3,256,785 phishes have been submitted to phishtank and 1,837,862 of those have been verified as valid.

31,219 are currently listed as online. In our analysis, we used only the second-level domain names from all the currently online phishes and removed duplicates, leaving 9,902 unique domain names.

1,072 of these domains had no organizational attribution as they no longer resolved to an IP address, leaving us with 8,830 domains still attributed to an ASN.

The following is a graphical view of the top 10 organizations with the most phishing content:


Let’s take a look at the worst offender in this analysis, CyrusOne.

CyrusOne provides colocation services, so they may not be directly responsible for maintaining the compromised or purchased hosts that are used in phishing attacks. They may be the leader in phishes from this data set at the moment simply due to their size, with two dozen data centers across the United States, Europe, and Asia.

Looking at specific domains from this set, we can see how phishing attacks operate when targeted or when using compromised or free hosting.

Targeted Hosting

serviceyourpaypal[.]com

This domain appears to have been purchased specifically for use in targeted phishing attacks with the goal of acquiring PayPal credentials and stealing money from PayPal customers.

serviceyourpaypal[.]com was registered on September 14, 2014 at launchpad[.]com. It’s using domain privacy services provided by privacyprotect[.]org to hide administrative and technical details for the person or organization who bought the domain name.

It is hosted at Hostgator, a well known and inexpensive hosting provider and is using a shared host at the IP address of 192.185.4[.]25. This IP address is hosting a total of 369 domain names.


We can see that there is a consistent, but small amount of DNS requests for this domain when looking at its requests through OpenDNS infrastructure. The domain is not serving any useful content at present, as can be seen in the following image:


However, serviceyourpaypal[.]com could be re-activated at any time and used in future PayPal-themed phishing campaigns. Because of its name similarity to paypal[.]com along with using an ASN other than what legitimate PayPal domains use.

applesverifications[.]com

applesverifications[.]com was registered on September 2, 2015 at launchpad[.]com and does not hide it’s whois information behind a privacy service. That doesn’t necessarily mean it’s factual. In some cases, adding whois privacy costs extra when registering a domain. The domain is hosted with Hostgator and its IP address hosts a total of 907 domains. It had the following content when last analyzed:


The DNS traffic had a very suspicious spike in traffic on May 10, 2015 after small and consistent amounts of DNS traffic, potentially indicating other campaigns or testing prior to this specific phishing campaign.


Compromised Hosting

bankruptcylawyershawaii[.]net

bankruptcylawyershawaii[.]net appears to be a legitimate website, but was compromised at some point and used in an attempt to harvest credentials with the following phishing page:


Looking at the html source of this page, we can see that clicking the ‘Verify’ button will send credentials to the file: weba-akp.php, which is stored locally on the website. This is the standard behavior in most commodity phishing attacks in which the phish utilizes a compromised site. Often, credentials are sent to an email that’s configured statically in the php or other file with code designed to be run on the server.


The domain was registered on March 21, 2014 at godaddy[.]com. The whois data is not hidden as it was with the more targeted serviceyourpaypal[.]com.

The domain is using private nameservers provided by Hostgator. These name servers are used by customers of Hostgators reseller, dedicated and VPS hosting plans. The IP address this domain uses as its A record is hosting a total of 11 domains.

When viewing DNS requests, it’s impossible to miss the suspicious spike in traffic around April 18. That is most likely when this phishing campaign was active.


Free Hosting

upgrade2015a.wix[.]com

The next phish was located at the free hosting provider, wix[.]com. Anyone can use wix[.]com to host a free website. As of June 29, 2015, the following phishing page was online at upgrade2015a.wix[.]com:


Wix[.]com is hosted at GoDaddy and owned/administered by Incapsula. Incapsula only had 17 domains seen used in phishing from this data set and wasn’t actually part of the top 10 worst ASN’s, but it’s a good example of free hosting being used in phishing.

Looking at the DNS requests for this subdomain, there is an obvious change in the requests which suggests this campaign started on June 26, 2015. There may have been some testing on June 23, when we see only a few requests.


Conclusion

Using just a small sample of reported phishing content, we can capture a fairly good picture of which hosting providers may be more vulnerable to compromise or more forgiving of malicious behavior. This information can be useful when considering where to host your website or online service. Additionally, just a quick analysis of data from Phishtank can be used to build a training set of indicators to look for when working to protect users across a network.

An average of 1,200 phishing messages were verified each day on PhishTank during the month of January 2015. Most phishing attempts are delivered through email. However, some phishing attacks leverage social networking. This is an analysis of one phishing attack seen on Facebook.

A Facebook user reported seeing the following on their newsfeed:


Clicking on this image or the link in the text directs the victim to the domain, tgd37[.]tk, where they would have seen the following:


This image was actually hosted within a frame. The frame was grabbing content from nomiup[.]com/coasterpa, as shown in the following html code:


Visiting nomiup[.]com/coasterpa directly, we saw the image. Looking at the source code, there was an inline frame leading to where the image was hosted, at i[.]imgur[.]com/m8GyCcC.jpg and a link to a third URI: giftscrd-1[.]com/Loginp:


Clicking on the play button or anywhere on the image loaded the following page from giftscrd-1[.]com/Loginp:


Rather than coding the display, the attacker used a background image of the Facebook login screen, which was linked directly from i[.]imgur[.]com/g2fm2mB.png, instead of using the previous iframe redirection techniques. The two text fields meant for the victim’s username and password were haphazardly thrown on top of the image, which would most-likely have gone unnoticed to a victim who managed to get this far in the process.

Clicking the ‘Log In’ button would submit the entered text to giftscrd-1[.]com/get.php, as seen in this snippet of html code:


Once get.php processed the credential submission, the victim would finally be redirected to a YouTube video located at www[.]youtube[.]com/watch?v=C7_keOOwqZo. The video is a compilation of roller coaster accidents:


Investigating the domains

The first domain in the Facebook lure, tgd37[.]tk, had been hosted on the IP address 195.20.42[.]203 since January 22, 2015 and has not been seen on any other IP addresses as of this writing.


tgd37[.]tk had no traffic until January 23, 2015, when a relatively large spike of DNS requests was seen via the OpenDNS infrastructure.


On January 23, 2015, the number of requests went to 2 at 4:00 PM, 6 at 6:00 PM, 10 at 7:00 PM and 26 by 9:00 PM. There were no further requests after 11:00 PM.


Overall, there weren’t many requests in this phishing campaign, but we can probably assume that the first few requests might have been tests while the majority of them around 9:00 PM were potentially victims falling for the click-bait on their Facebook newsfeed.

At the time of this analysis, the IP address hosting tgd37[.]tk, 195.20.42.203 was hosting 113 domains and belonged to freenom[.]com, a free hosting provider based in Amsterdam. Historical DNS data shows that this IP address has been used to host a total of 434 domains over its history.

In the html source code of tgd37[.]tk was a google analytics account number, UA-23441223-3. Looking into this account, we were able to find other domains it was watching, but were unable to access any analytic information for this domain.

The second domain, called in the iframe at tgd37[.]tk was nomiup[.]com. DNS lookups of nomiup[.]com using the OpenDNS infrastructure looked a little more normal:


nomiup[.]com has been hosted at 108.175.158[.]12 since September 15, 2014.


As of this writing, there were 723 domains hosted on 108.175.158[.]12. Historical DNS data showed that this IP address had hosted a total of 1,235 domains for its entire history to this point and that it was owned by Arvixe, a hosting provider in Santa Rosa, CA

nomiup[.]com had only the following content at its root, which was a little odd considering the amount of DNS requests. It’s possible that nomiup[.]com had been used as a landing page for other campaigns, which may describe the traffic.


The iframe in the source code of nomiup[.]com/coasterpa contained an image link to the fake video image and, if clicked, led the victim to giftscrd-1[.]com/Loginp

The root of giftscrd-1[.]com didn’t have an index page, so the following directories and server software version were shown:


Each directory contained the same html which linked to the fake Facebook login page.

DNS requests for this domain from the end of December, 2014 to late January, 2015 spiked up fairly often, potentially showing the use of giftscrd-1[.]com in various phishing campaigns.


giftscrd-1[.]com was also hosted with Arvixe and historical DNS showed that it had been hosted at the IP address 23.91.126[.]104 since December 12, 2014.


23.91.126[.]104 was providing hosting for giftscrd-1[.]com and two other domains that might have been employing legitimate hosting services provided by Arvixe:


DNS requests to these other domains did look a little suspicious though:

ns2[.]giftscrd[.]arvixevps[.]com:


stats[.]giftscrd[.]arvixevps[.]com:


What was the attacker attempting to accomplish?

In an attempt to answer this question, I created a Facebook profile and entered the credentials into the form fields. Sometime within about 24 hours, I was alerted to a login from IP address 198.23.103[.]79


This IP address belonged to the VPN provider, Private Internet Access, which demonstrates that the attacker was protecting their actual location:


While my decoy Facebook profile was designed to be as realistic as possible, it’s unfortunate that he didn’t have any friend connections. The attacker may have logged in and quickly noticed that there would be no point in taking over the account or doing anything malicious.

Actions taken

Phishing is an effective way for attackers to exploit individuals in order to deliver malware or acquire user credentials. Finding the source of a phishing attempt, any contextual information and the goal of the attack increases the ability to mitigate it. In the case of this phishing attack, the three domains, tgd37[.]tk, nomiup[.]com and giftscrd-1[.]com would be blocked or watched to determine if anyone might have visited them. Additionally, domains associated with the Google Analytics account might be investigated further and blocked. If someone had visited any of these domains, it would be recommended that they change their Facebook password and update credentials for any accounts sharing the same password as their Facebook account.