A client asked us how we managed phishing, and specifically phishing threat intelligence, as they had been struggling: their SOC was overloaded by the high daily volume of emails reporting benign and suspicious websites and URLs.
We asked them whether they were using a SOAR platform/service, and which APIs they were using with it. Surprisingly, they were running one of the industry's leading SOAR platforms, but were not making full use of third-party APIs for data enrichment. They were essentially using the SO in SOAR but not the AR. So we gave them some brief pointers for improving their SOAR capability.
SOAR = Security Orchestration Automation and Response.
Below, we take a brief look into how an effective threat intelligence program against phishing could be orchestrated.
We can use third-party APIs to provide further intelligence, data sources for monitoring, and enrichment. A small number of these services are listed below.
As a starting point, here are some open-source feeds useful for phishing threat intelligence:
- OpenPhish: AI-powered list of potential phishing sites.
- PhishTank: community-reported list of potential phishing sites.
- CertStream: real-time feed of certificates from the Certificate Transparency logs, useful for spotting suspicious domains as soon as they get a certificate.
- URLhaus: malware URL exchange run by abuse.ch.
- Twitter: URLs being tweeted/pasted by various Twitter users.
Machine Learning / Predictive Data Analytics
Here you may optionally use machine learning (ML), keyword matching or hashing to detect potential threats:
- Keyword matching
- Levenshtein distance calculation, to catch potential typosquatting domains
- Entropy/random-character checks, to catch generated throwaway domains
- Encoded keywords (e.g. base64-encoded keywords in the URL path or query)
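The four checks above combined into one triage score, as an added example (not code from the original post): the brand list, keyword list, thresholds and candidate URLs are all constructed for illustration. It also shows a caveat the bullets do not: raw Shannon entropy flags long legitimate labels such as `secure-examplebank-login` just as readily as random ones, so the random-label check here additionally requires a vowel ratio no real word has.

```python
import base64
import math
import re

# Constructed example data (not from the original post): the brands we protect,
# our own legitimate domains, and keywords that commonly appear in phishing URLs.
PROTECTED_BRANDS = ["examplebank", "examplepay"]
OWN_DOMAINS = {"examplebank.com", "examplepay.com"}
PHISH_KEYWORDS = ["login", "secure", "verify", "account", "update", "signin"]
ENTROPY_THRESHOLD = 3.5   # bits per character; generated labels sit above this
ALERT_THRESHOLD = 3       # score at or above this is queued for evidence collection


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))


def looks_random(label: str) -> tuple:
    """Entropy alone also flags long real names such as 'secure-examplebank-login',
    so additionally require a vowel ratio that no natural-language label has."""
    ent = shannon_entropy(label)
    vowel_ratio = sum(label.count(v) for v in "aeiou") / max(len(label), 1)
    return ent > ENTROPY_THRESHOLD and vowel_ratio < 0.25, ent


def base64_keyword_hits(s: str) -> list:
    """Brands/keywords hidden in base64 (standard or URL-safe, padding optional)
    path or query tokens, e.g. /ZXhhbXBsZWJhbms/ decodes to 'examplebank'."""
    hits = []
    for token in re.split(r"[/?&#:.=]", s):
        if not re.fullmatch(r"[A-Za-z0-9+_-]{8,}", token):
            continue
        std = token.replace("-", "+").replace("_", "/")
        try:
            text = base64.b64decode(std + "=" * (-len(std) % 4), validate=True).decode("ascii").lower()
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        hits += [w for w in PROTECTED_BRANDS + PHISH_KEYWORDS if w in text]
    return hits


def triage_url(url: str) -> dict:
    """Score one candidate URL (from CertStream, OpenPhish, a user report, ...) and say why."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    score, reasons = 0, []

    if host in OWN_DOMAINS or any(host.endswith("." + d) for d in OWN_DOMAINS):
        return {"url": url, "score": 0, "reasons": ["own domain"], "alert": False}

    # 1. Keyword matching over the whole URL (host, path and query)
    kw = [w for w in PHISH_KEYWORDS if w in url.lower()]
    if kw:
        score += 1
        reasons.append(f"keywords {kw}")

    # 2. Brand abuse: our brand inside a label we do not own, or a close typo of it
    for label in labels:
        for brand in PROTECTED_BRANDS:
            d = levenshtein(label, brand)
            if brand in label:
                score += 2
                reasons.append(f"brand '{brand}' in label '{label}'")
            elif d <= 2:
                score += 3
                reasons.append(f"'{label}' is {d} edit(s) from '{brand}'")

    # 3. Random-looking registrable label (throwaway or generated domain)
    random_label, ent = looks_random(registrable)
    if random_label:
        score += 1
        reasons.append(f"random-looking '{registrable}' ({ent:.2f} bits/char)")

    # 4. Keywords or brands hidden behind base64 (checked on the original-case URL)
    b64 = base64_keyword_hits(url)
    if b64:
        score += 2
        reasons.append(f"base64-encoded {b64}")

    return {"url": url, "score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for candidate in ["https://secure-examplebank-login.com/account/verify",
                      "http://exampiebank.com/",
                      "http://q8z3k7vx2mp9rt.net/ZXhhbXBsZWJhbms/index.html",
                      "https://www.examplebank.com/login"]:
        print(triage_url(candidate))
```

The weights are deliberately simple so that a single typosquat of a protected brand alerts on its own, while a generated domain name or a keyword hit needs a second signal; in a SOAR playbook the returned `reasons` list is what you attach to the ticket so an analyst can see why the URL was escalated.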
Data Validation and Evidence Collection
Here we want to record as much supporting data about these URLs as possible:
- Domain & DNS info
- Registrar/Whois info
- Screenshot of the website/URL
- Hashes of web-pages, media, and any potential malware downloads
- Source info (e.g. log the IP address and browser/User-Agent used to collect the evidence); in a specifically targeted attack, some bad actors only serve the malicious content to allowlisted IP addresses or browser types, so the page may look different depending on where you fetch it from.
Further Enrichment via APIs
Here are some paid API services that can enrich your collected data and help make determinations on the threat level of suspicious URLs/websites:
- VirusTotal: a malware scanning and threat intelligence service.
- DomainTools: a service that monitors and reports on domain registrations.
- Urlscan.io: a service that scans websites and enriches the data through a multitude of open-source and closed-source intelligence.
- Google Safe Browsing: a service that Google's security team built to identify unsafe websites across the web and notify users.
Any websites/URLs deemed malicious can then be sent to the Response playbook/routines.
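The enrichment-then-verdict step of such a playbook, as an added example that is not code from the original post or from any of the vendors named. It queries VirusTotal (v3 URL object) and Google Safe Browsing (v4 `threatMatches:find`) and combines the answers into a verdict; the thresholds, the `soar-example` client id, the key names and the canned responses in `FAKE_VT`/`fake_fetch` are assumptions so that it runs offline. With real API keys, drop the `fetch=` argument and the live `http_json` transport is used instead.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Optional

# Thresholds assumed for this example; tune them against your own false-positive rate.
VT_MALICIOUS_MIN = 3                                  # engines flagging it before we auto-escalate
GSB_THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING"]  # SOCIAL_ENGINEERING is Safe Browsing's phishing class


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL by the unpadded URL-safe base64 of the URL string."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def http_json(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Live transport: one JSON request/response over urllib. A 404 from VirusTotal
    simply means the URL has never been scanned, so that is returned as 'no data'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def enrich(url: str, vt_key: str, gsb_key: str, fetch=http_json) -> dict:
    """Query VirusTotal and Google Safe Browsing for one URL and combine the answers."""
    vt = fetch("GET", f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
               {"x-apikey": vt_key, "Accept": "application/json"}, None)
    stats = vt.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})

    gsb = fetch("POST", f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={gsb_key}",
                {"Content-Type": "application/json"},
                {"client": {"clientId": "soar-example", "clientVersion": "1.0"},
                 "threatInfo": {"threatTypes": GSB_THREAT_TYPES,
                                "platformTypes": ["ANY_PLATFORM"],
                                "threatEntryTypes": ["URL"],
                                "threatEntries": [{"url": url}]}})
    gsb_hits = sorted({m["threatType"] for m in gsb.get("matches", [])})

    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    if gsb_hits or malicious >= VT_MALICIOUS_MIN:
        verdict = "malicious"      # hand straight to the Response playbook
    elif malicious + suspicious > 0:
        verdict = "suspicious"     # needs an analyst or more evidence (screenshot, urlscan)
    else:
        verdict = "unknown"        # no vendor signal is not proof of safety
    return {"url": url, "vt_malicious": malicious, "vt_suspicious": suspicious,
            "gsb": gsb_hits, "verdict": verdict}


# Constructed responses standing in for the live APIs so the example runs offline;
# the shapes mirror the two services' JSON, the numbers and URLs are invented.
PHISH = "http://exampiebank.com/"
LOW_SIGNAL = "http://q8z3k7vx2mp9rt.net/"
FAKE_VT = {
    vt_url_id(PHISH): {"data": {"attributes": {"last_analysis_stats":
        {"malicious": 7, "suspicious": 1, "harmless": 60, "undetected": 20}}}},
    vt_url_id(LOW_SIGNAL): {"data": {"attributes": {"last_analysis_stats":
        {"malicious": 1, "suspicious": 0, "harmless": 70, "undetected": 17}}}},
}


def fake_fetch(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    if method == "POST":   # Safe Browsing: only the constructed phishing URL is listed
        target = body["threatInfo"]["threatEntries"][0]["url"]
        return {"matches": [{"threatType": "SOCIAL_ENGINEERING"}]} if target == PHISH else {}
    return FAKE_VT.get(url.rsplit("/", 1)[-1], {})   # VirusTotal: look up by URL id


if __name__ == "__main__":
    for u in (PHISH, LOW_SIGNAL, "https://news.example.org/"):
        print(enrich(u, "VT_KEY", "GSB_KEY", fetch=fake_fetch))
```

Two design points carry over to any SOAR platform: a Safe Browsing match or a clear engine consensus auto-escalates, a single engine hit only queues for an analyst, and an empty answer is recorded as `unknown` rather than `clean`, because a freshly registered phishing domain is exactly the case no vendor has scanned yet.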
Determining the registrar is one of the pieces of information needed to take down a fraudulent domain. A simple Whois request can take care of that: it identifies the registrar and usually displays contact information (email and phone) for reporting abuse. If the domain name was registered through a reseller, that is also identified in the Whois record, in which case contacting the reseller may also be a good idea. Note though that registrant contact information in Whois may be masked (via private domain registration/Whois masking) for privacy and security reasons, and replaced with the contact details of a forwarding (privacy/proxy) service. ICANN accordingly requires such services to publish terms of service and points of contact for cases of abuse or infringement.
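Pulling those takedown contacts out of a Whois record, as an added example that is not part of the original post: the record in `SAMPLE_WHOIS` is constructed for a hypothetical domain (the field names follow the key/value layout gTLD registrars return; every value is invented), and `PRIVACY_MARKERS` is an assumed list of words that betray a privacy/proxy registrant. `whois_query` is the live TCP/43 lookup for when you run this for real; everything else works offline on the sample.

```python
import re
import socket
from datetime import datetime, timezone
from typing import Optional

# Registrant fields containing any of these usually mean a privacy/proxy service is in front.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "withheld")

# Constructed WHOIS reply for a hypothetical domain (not a real record): the field
# names follow the key/value format gTLD registrars return, the values are invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPIEBANK.COM
Registrar WHOIS Server: whois.registrar.example
Creation Date: 2024-04-30T09:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Reseller: Cheap Domains Reseller Ltd
Registrant Organization: Domain Privacy Proxy Service
Registrant Email: contact@privacyproxy.example
Name Server: NS1.HOSTER.EXAMPLE
Name Server: NS2.HOSTER.EXAMPLE
"""


def whois_query(domain: str, server: str = "whois.verisign-grs.com") -> str:
    """Raw WHOIS over TCP/43 (RFC 3912). Live network call; the registry's thin answer
    names the 'Registrar WHOIS Server', which you then query for the full record."""
    with socket.create_connection((server, 43), timeout=15) as sock:
        sock.sendall(f"{domain}\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Flatten 'Key: value' lines into a dict of lists (keys repeat, e.g. Name Server)."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def takedown_contacts(record: dict, as_of_iso: Optional[str] = None) -> dict:
    """Who to notify for a takedown, plus the caveats the analyst needs alongside."""
    def first(key):
        return record.get(key, [None])[0]

    registrant = " ".join(record.get("registrant organization", []) +
                          record.get("registrant email", [])).lower()
    as_of = (datetime.fromisoformat(as_of_iso.replace("Z", "+00:00")) if as_of_iso
             else datetime.now(timezone.utc))
    created = first("creation date")
    age_days = (as_of - datetime.fromisoformat(created.replace("Z", "+00:00"))).days if created else None
    return {
        "registrar": first("registrar"),
        "abuse_email": first("registrar abuse contact email"),
        "abuse_phone": first("registrar abuse contact phone"),
        "reseller": first("reseller"),                 # report there in parallel when present
        "registrant_proxied": any(mk in registrant for mk in PRIVACY_MARKERS),  # also report to the proxy
        "name_servers": [ns.lower() for ns in record.get("name server", [])],  # points at the host
        "domain_age_days": age_days,                   # a days-old domain strengthens the report
    }


if __name__ == "__main__":
    contacts = takedown_contacts(parse_whois(SAMPLE_WHOIS), "2024-05-30T12:00:00Z")
    for k, v in contacts.items():
        print(f"{k}: {v}")
```

The name servers are included because they are usually the quickest route to the hosting provider, which, as the next section notes, tends to act faster than the registrar; the domain age goes into the report because a domain registered days ago with a privacy-proxied registrant is a much easier abuse case to argue than an old one.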
What does it take to request a fraudulent domain takedown? The process is actually straightforward:
Contacting the Abuse Team by email address
The first move should always be an email to the abuse team of the registrar concerned. The big registrars generally staff these desks 24/7; smaller ones are at least available during working hours. Some have an automated ticketing system that returns a reference for further contact, which makes the whole process a bit faster because you don't have to repeat the whole story every time you talk to someone.
Note that for phishing websites, or similar cases where the cybercriminals have actually built a website, contacting the hosting company and the registrar simultaneously is recommended. Odds are good that the hosting company reacts faster than the registrar and will already have removed the fraudulent content. Some hosting companies will reply that the content can only be modified by their customer, especially when a legitimate owner's website has been compromised; in that case, go to the website administrator and try to have the content taken down as soon as possible. Some registrars and hosting services also have an abuse portal/form, where the response can be faster than by email.
Contacting the Abuse Team by phone and collaborating with CSIRTs if needed
It is also a good move to call the abuse team after sending the email, especially for urgent matters. You may already have received a ticket number from an automated reply, and reaching them by phone can prompt more proactive action. Some teams work through incidents in ticket order, while others will take immediate action if the fraud is well explained. Where the website is compromised, try contacting its owner by phone, too. If the first two steps have not produced results, look for others who could help: ask your own contacts if needed. This is also the time to collaborate with a CSIRT or a related public or private organisation.
Explain your report in detail
Disclose your report with as much detail as possible.
- Are you an information security professional, or system administrator?
- Someone who has encountered cybercriminal activity within your company’s online infrastructure?
- Did you stumble upon malware hosted on your site?
- How does this report impact you or your organisation?
- How did you uncover the fraud and do you have the evidence of abuse to back it up?
- Does it need an urgent response and action?
When done in a timely manner, fraudulent domain monitoring, detection, and takedown help stop fraud in its tracks. It is often a collaboration between different teams, from compiling the necessary evidence to contacting and working with the appropriate people and disclosing your report.
They can also be a deterrent: once cybercriminals realise you are keeping up with their tricks, they will often call it quits and move on.
Apart from having a proactive and ideally, automated domain monitoring as part of the organisation’s information security and risk management strategies, having a web reputation security mechanism within the online infrastructure also helps. This adds an additional layer of security for keeping malicious or fraudulent domains and websites at bay.
Take Down Services
There are many third parties that provide various levels of service and feedback with regard to takedowns. Below is a free service that we know many of our clients use:
- Phish.report: a free service that walks the user through collecting evidence and building a takedown request.
When your takedown isn't working, it may be worth contacting a third party that specialises in takedowns, such as Netcraft, for a speedy resolution.