
Phishing Kit Finder

BSides Wellington · 2017 · 25:23 · 73 views · Published 2018-02
About this talk
Qasim Khan presents research on automated discovery and analysis of phishing kits targeting financial institutions. Drawing on 20,000 phishing kits collected since March 2017, the talk demonstrates techniques for extracting indicators of compromise (email addresses, domains, hashes), tracking actor behavior, and correlating phishing infrastructure across New Zealand banks.
Original YouTube description
Phishing is the easiest and most successful attack vector to harvest credentials, deliver malicious files, etc., and it is being actively exploited by cyber criminals. This talk is based on my recent research in finding phishing kits, extracting IoCs, and accumulating results.
Transcript [en]

All right, so hopefully the sound is... yeah. My presentation is about how I found phishing kits. So when you find some phishing kits, the number is too big, so it's round about 20,000 phishing kits I found. The research was started from March this year and I just took a snapshot yesterday, so the total number I have is 20,000. My presentation would be divided in three phases. So the first phase is what the tool... how it works itself, what sort of indicators and interesting stats I'm pulling from those phishing kits. Plus the second phase, when it goes, it's more about detailed analysis of those phishing kits related to a few New Zealand banks, and the third would be the demo of my tool.

So before I start, that's the boring stuff we need to get sorted. So whatever I am presenting here, it's just my interest and my hobby sort of thing, nothing to attribute to my employer, and all those phishing kits obviously can be used for malicious purposes, so I promise that I haven't used them for malicious purposes. Yeah, so that's how I see the world, and most of the information security guys here agree with me. So I've been working in information security 10 years now, the last two years more specifically as a core member of the cyber security incident response team in one of New Zealand's largest banks. So obviously when you work in the CERT you deal with those phishing things. I mean, that's the biggest threat we have and everyone agrees on that, because it's targeting every other industry, and you will see how easy it is to set up and what sort of information you can just get from a user, like login, right. So first I would want to give a shout out to these guys, the people, the individuals or the group of people behind these names, because I've been utilizing these APIs to do some hunting. Yeah, let's get started.

So how it all started: when we work in a CERT, we see the phishing URLs going for our employees or our customers. What we do, we just capture those URLs and then put in the takedown request. That's it, I mean it's takedown and that's it. But this is going one step further, to build some sort of intelligence behind what those phishing kits are, being utilized more and more, or only particular phishing kits being active for a certain period, and what sort of actors are behind those phishing kits. So all this information I was really keen to find out. So after doing some research, obviously I went to the dark world as well, because I can't find this kind of information on the clearnet. So how it works: when you talk to some scammers, they said that there are two kinds of phishing kits, one is the duplicate and one is the developed one. So the duplicate one has really good chances to be picked up by all those AV or whatnot, but the developed one, because they developed it from scratch, you can't match the hash of the page, so obviously it's not really easy to detect. So there is some price difference as well, because the duplicate one you can just get for under ten dollars, and obviously for the developed one you need some guys to actually develop it, so it's around 50 US dollars or something.

So when you ask them that, okay, I want to get the phishing kit, what is the procedure? So they give you the zip file. In that zip file, they say to you, okay, what are you targeting? You are targeting some financial institute, or you are just targeting some Hotmail, Gmail or Dropbox or whatnot. So you tell them, okay, I'm targeting this, and then they say this is the PHP file, you just need to modify the "to" address to your email address, where you want all those credentials coming through. So once you get that zip file, you look after the compromised website, or you actually put the shell up and compromise the legit site, to put your phishing kit over there, and then unzip it so that you can send that complete URL to all those target audience. Now the third step would be the SMTP, where you're gonna find the SMTP. So you need to find the open relay SMTP server where you can just bulk send those emails, the phishing links. The target audience can really easily be found, because you just go to Google and do the scraping, and whatever your target audiences are you can find. So it would be really difficult to pull those phishing kits, because they are getting really smarter, so they put the geolocation filter in place in the phishing kits. So obviously if you are targeting a New Zealand bank, they expect you coming from New Zealand, so obviously if you're coming from Russia or Oman, yeah, it will just... it will not work.

So this is about the tool, how it's gonna work. So it's a continuous process running from March. So step one: it has automated and manual ways. How it works: automated is getting URLs from PhishTank and OpenPhish, and roughly I see 40 to 50 new URLs from both of those, PhishTank and OpenPhish. Manual is, within the banks, different banks, we have the platform where we can share the intel, intelligence, and obviously we can share that with CERT NZ as well. So once we find the phishing URL, I just dump that into that script. Now you need to make sure that this script runs anonymously, because the last thing you want is those bad guys seeing your IP addresses or your user agent and all that stuff. So for that, yeah, it's really hard, because if they block you, or they just want New Zealand specific, so if you are using VPN or Tor you will not be able to see those phishing sites. The second phase is, once you have a phishing kit downloaded, it will start pulling some indicators, the interesting indicators like email addresses, which the attacker modifies, the cyber criminals modify their email address to. This is the sample of how that PHP... the thing they modify. So the thing they modify is this "to" address, and that's it, and all that sort of information they are collecting from the customers they are targeting. The third and last step is just hash out those unique phishing kits and build the database of the unique ones, because most of the time what happens is that you see the phishing kit and it has been utilized... I've seen so many phishing kits being utilized again and again and again, so they never change it. So the only way, when they change the "to" address, the whole hash will be changed, so it is obvious they are not... they are the same person who are utilizing those phishing kits.

This is the latest screenshot, yesterday I took it. It says how many phishing kits I have, and as soon as you run this script it will give you all these latest numbers in the database. So the emails so far collected for those scammers are thirty thousand, and the domains I have seen, three thousand. So if you see that twenty thousand is the total phishing kits and the unique ones are four thousand, so that makes sense, I mean, because most of the kits are being utilized for different domains as well, so there are different domains in here. Now what is that VT match? So what I am doing, as soon as I download the phishing kit, I check with VirusTotal whether they are still able to detect it. So out of those phishing kits, unique ones, only this number VirusTotal can detect.

So what interesting things I have found so far utilizing this tool is that... so I have phishing kits available in my database of all these brands, because these are the brands which are prominent to me and I have searched for them, but obviously there are some other phishing kit brands as well. So because my background is from a financial institute, I am more focused on this side, so I wanted to know what sort of phishing kits are available for which banks. So some stats, as I've been showing you, the emails extracted: this is kind of old, from that snapshot, so still Hotmail is the first choice for the guys, cyber criminals loving the Hotmail. Most common brand in the database I have: Apple. Now this chart is interesting, it's when the kit got modified. So I still have downloaded three kits which were modified in 2006, and they have been continuously utilizing that kit even in 2017, so obviously nothing has changed since 2006 and they keep utilizing those kits.

Okay, now I will do some deeper sort of investigation for those financial institutes in New Zealand. So first up is Westpac. So in total I have 115 phishing URLs which my script crawled. So these are the dates when those kits have been downloaded, and these are the domains, right. So the kit has been modified, these are kind of recent ones, you can see this one is 2015 and this one 2015. The other threat intelligence piece I do here is I check the email address with Have I Been Pwned. So what I have seen, what happens, is that they want to fake their identity. So what they get is the email addresses from the data breaches, and they start taking over those email addresses and utilizing those email addresses for these malicious purposes. There were a few incidents when I managed to find out a whole lot of phishing sites by just doing the reverse lookup on the actor email address. So for example, this is the email address, a reverse lookup of how many domains this guy has. So yeah, that's why I'm doing reverse lookup as well. So as you can see, this email address has been pwned in Dailymotion and MySpace, so there are chances that someone who is seen behind this is not actually behind this.

So this is for ASB, the total number of phish I found, and these are the different phishing kits. So the same story goes, modified email addresses, yeah. So this guy, actually I have done some research, and this guy is actually targeting ASB for years and years, and his email address constantly... I keep looking at the new phishing kits and there's some email addresses there, and if you simply Google this email address you can find all of his bank details and everything. So yeah. So the last one is Kiwibank. Obviously I can't do the analysis for all of them because of the timing sort of thing, yep. So the interesting thing in that is that this guy has been known for all those New Zealand banks, the kits I have for ASB, BNZ and Westpac, this guy is pretty common in all those phishing kits, and yeah, if you search him he has a profile on Facebook and you can see, but I'm not saying that he's actually the guy behind it, right.

So what sort of logs are they collecting? So it's really interesting how people fall for those phishes. I mean, it's really... they are collecting everything. I mean, so if you can see that the user is actually giving ATM PIN, phone PIN, what is the secret name of your first pet, and I mean password is fine, I mean you can give passwords, they are collecting every, every detail. So when I was doing this analysis, because as I mentioned I am pulling down zip file, PHP file, PNG and then txt files, that's what I'm crawling, all of a sudden in a few months after July I have started seeing this "crime side dot txt" in most of those logs I have pulled down from those sites. So I mean, I was really confused, because lots of domains have this "crime side dot exe". Then I started having chats in my circle and asking different guys that hey, what's that "crime side dot txt"? So when you open those "crime side dot exe" you find all this information: the cPanel, I mean if it's a cPanel, this is the user of the attacker or the cyber criminal, these are the IP addresses he used, and these are the email addresses of the cyber criminal being utilized for sending those credentials. So I found that this is done by one of the white hat hackers who actually goes to those compromised websites, puts the shell up and then takes over the server, cleans all those phishing links and then just drops that "crime site dot txt". So there are some good guys actually doing work on behalf of the organizations as well. So as you see that "FBI head office at gmail.com", I was keen, I wanted to know, does my database have that sort of email address, and have I seen it before? So yes, when I searched with the email address, I found this email address associated with the AliExpress phishing kit. So yeah, I mean this has been utilized previously as well, right. So now it's time for the recorded demo.

Any other...

So no, and I checked with Have I Been Pwned, so this email address is not pwned.

So now it's... yes.

So this demo was recorded two months back, that's why you see the... So now the same thing: this is the hash of that phishing kit, this is the domain, and this is the modified date, that's the date when it was downloaded, that's the email address, and no positive value. So to search this email address, if there is another phishing kit associated with the similar...

So yeah, there's one, this October, and this is the domain. So this email, it has been used for different kits, different hashes.

Exactly the same thing: hash, then when it's downloaded, domain name, and it's from OpenPhish, you can see, that's the guy.

So now you can see that, so that is you bang bang bang, so there are three different, and you will see that this is being detected by VirusTotal as a positive and it's also associated with Westpac. So this email address is also...

...and it's not been pwned or nothing on this. So that's my talk. It's really interesting what information you can get from those phishing kits. Obviously I have to... I can't show you all that stuff, it's some credit card information and all that stuff also. So yeah, that's it, thank you. If anyone has any questions, yep.

So there are two methods I'm crawling on the basis of. So one is the open directory, so if you find... I found the "index of", so you just look for that, and the other is you just put the zip on the end of that URL name, so it's ASB.zip and Westpac, or the...

So that's... not being an employee of a financial institute, I can't directly contact them. So what we do, we just share the intel with CERT NZ, so it's CERT NZ's responsibility, they can contact. So anyone else? Cool, I think... thank you, thank you. [Applause]
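The extraction and correlation pipeline the talk describes (hash the downloaded kit, pull the modified "to" address out of the PHP mailer, keep one database row per unique hash with every URL it was seen at, and reverse-lookup other kits by actor email) as an added Python example. This is not the speaker's script; every kit, email address, domain and URL in it is a constructed placeholder, and the PhishTank/OpenPhish feed, the VirusTotal check and the Have I Been Pwned lookup are left out so it runs offline.

```python
"""Offline phishing-kit IoC extractor (added example, not the speaker's tool).
All kits, emails, domains and URLs below are constructed placeholders."""
import hashlib
import io
import re
import zipfile
from collections import defaultdict

# The lines a kit buyer edits before deploying: a recipient variable such as
# `$to = "..."` and direct mail("...") calls. Matched case-insensitively.
TO_ASSIGN_RE = re.compile(r'\$(?:to|send|recipient|email)\s*=\s*["\']([^"\']+)["\']', re.I)
MAIL_CALL_RE = re.compile(r'\bmail\s*\(\s*["\']([^"\']+)["\']', re.I)
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
DOMAIN_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)
TEXT_SUFFIXES = (".php", ".txt", ".html", ".htm", ".js")


def build_kit(files: dict) -> bytes:
    """Pack {path: content} into a zip with a fixed timestamp, so identical
    content always yields the identical archive bytes (and therefore hash)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 3, 1, 0, 0, 0)), content)
    return buf.getvalue()


def analyze_kit(kit_bytes: bytes, source_url: str) -> dict:
    """Pull the IoCs the talk tracks from one downloaded kit: its hash, the
    actor's drop email(s) and the domains referenced inside it."""
    record = {"sha256": hashlib.sha256(kit_bytes).hexdigest(), "source_url": source_url,
              "actor_emails": set(), "domains": set(), "files": []}
    with zipfile.ZipFile(io.BytesIO(kit_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            record["files"].append(info.filename)
            if not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue  # logos and other binaries carry no mailer config
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for rx in (TO_ASSIGN_RE, MAIL_CALL_RE):
                for match in rx.finditer(text):
                    record["actor_emails"].update(e.lower() for e in EMAIL_RE.findall(match.group(1)))
            record["domains"].update(d.lower() for d in DOMAIN_RE.findall(text))
    return record


class KitDatabase:
    """In-memory stand-in for the talk's database: one row per unique kit hash
    (with every URL it was seen at) plus a reverse index from actor email to hashes."""

    def __init__(self):
        self.kits = {}                    # sha256 -> stored record
        self.by_email = defaultdict(set)  # actor email -> {sha256, ...}
        self.crawled = 0                  # every URL fed in, duplicates included

    def add(self, record: dict) -> bool:
        """Store one analysed kit; return True only when its hash is new."""
        self.crawled += 1
        digest = record["sha256"]
        if digest in self.kits:
            # Same kit re-deployed on another compromised host: same hash, new URL.
            self.kits[digest]["source_urls"].add(record["source_url"])
            return False
        self.kits[digest] = {"source_urls": {record["source_url"]},
                             "actor_emails": set(record["actor_emails"]),
                             "domains": set(record["domains"]), "files": list(record["files"])}
        for email in record["actor_emails"]:
            self.by_email[email].add(digest)
        return True

    def reverse_lookup(self, email: str) -> list:
        """The pivot from the talk: every kit hash an actor email appears in."""
        return sorted(self.by_email.get(email.lower(), ()))

    def stats(self) -> dict:
        """The summary numbers the talk's status screen shows."""
        emails, domains = set(), set()
        for kit in self.kits.values():
            emails |= kit["actor_emails"]
            domains |= kit["domains"]
        return {"kits_crawled": self.crawled, "unique_kits": len(self.kits),
                "unique_emails": len(emails), "unique_domains": len(domains)}


# Constructed sample kits: only the mailer line a buyer edits, not working pages.
KIT_BRAND_A = {
    "brand-a/index.html": "<html><!-- constructed lookalike login form --></html>",
    "brand-a/login.php": '<?php\n$to = "actor-one@example.com";\nmail($to, "Result", $msg);\n'
                         'header("Location: https://brand-a.example.net/");\n',
    "brand-a/img/logo.png": b"\x89PNG constructed placeholder",
}
# The same kit with only the "to" address changed: a different hash, as the talk notes.
KIT_BRAND_A_RETARGETED = {
    path: content.replace("actor-one@example.com", "actor-two@example.org")
    if path.endswith(".php") else content
    for path, content in KIT_BRAND_A.items()
}
# A second brand's kit reusing actor-one's drop address.
KIT_BRAND_B = {
    "brand-b/post.php": '<?php\nmail("actor-one@example.com", "Result", $msg);\n'
                        'header("Location: https://brand-b.example.net/");\n',
}


def build_sample_database() -> KitDatabase:
    """Feed four constructed crawl results through the pipeline."""
    db = KitDatabase()
    crawl = [(KIT_BRAND_A, "http://compromised-1.example/brand-a.zip"),
             (KIT_BRAND_A, "http://compromised-2.example/brand-a.zip"),  # re-deployed copy
             (KIT_BRAND_A_RETARGETED, "http://compromised-3.example/brand-a.zip"),
             (KIT_BRAND_B, "http://compromised-4.example/brand-b.zip")]
    for files, url in crawl:
        db.add(analyze_kit(build_kit(files), url))
    return db


if __name__ == "__main__":
    db = build_sample_database()
    print(db.stats())
    for email in sorted(db.by_email):
        print(email, "->", db.reverse_lookup(email))
```

Run stand-alone it prints four crawled kits, three unique hashes, two actor emails and two brand domains, then the reverse index showing `actor-one@example.com` tied to both the brand-a and brand-b kits. In a real deployment the `sha256` would be what you submit to VirusTotal and the `actor_emails` what you check against Have I Been Pwned, exactly the two enrichments the talk layers on top of this database.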
