Hunting Phish Domains

Logstash Standard Output

Most organizations face a barrage of attacks every day from threat actors around the globe. Among the various vectors, attackers have found relatively high degree of success by (spear) phishing employees of the organization. This allows attackers to bypass perimeter defences and gain a foothold in the internal network.

SOC teams have multiple approaches to detect such phishing attempts. Most common ones are listed below:

  • An alert user notifies them of receiving suspicious email
  • Email gateway detects and notifies them of suspicious email
  • External threat intelligence feed providers
  • Brand/Domain monitoring services which notify if anyone is trying to create phishing pages or has bought a domain similar in name to the organization’s primary domain.
  • A threat detected internally – which when investigated might reveal a phishing email as the culprit

Most of these approaches are static in nature. For example, if a previous incident response had concluded that abcdbank.com was a malicious domain, the same is added in the blacklist for email and proxy filters. However, if the attacker simply changes the domain name to abcbdank.com, the filters will fail.

To improve efficiency in detecting such phishing domains being used to target your users, we explore the use of the ELK stack. Elasticsearch is a very powerful ‘search engine’ and ‘data-store’. It has gained popularity in the info-sec community due to it’s capabilities in extending data analytics and visualization via Kibana.

We will use three search options supported by Elasticsearch which will enable us to hunt for domains which are similar to the primary domain of the organization.

Assuming you receive your Proxy and DNS logs into ELK, we will demonstrate the efficiency of each search operation on Elasticsearch.

To generate a sample set of such phishing domains, which an attacker may use to trick employees, we will use the tool ‘URLCRAZY’ available in KALI Linux. As an example, we shall consider niiconsulting.com as the primary domain of the organization

Generating Typo Domains for niiconsulting.com
Generating Typo Domains for niiconsulting.com

DNSTwist and other online tools can also be used to generate such domains.

URLCrazy generates such domains using multiple ‘typo algorithms’

Typo Type Example
Character Omission niconsulting.com
Character Repeat niicconsulting.com
Character Swap nicionsulting.com
Character Replacement miiconsulting.com
Double Character Replacement nuuconsulting.com
Character Insertion niicoinsulting.com
Missing Dot wwwniiconsulting.com
Singular or Pluralize niiconsultings.com
Vowel Swap niiconsalting.com
Homophones nayeayeconsultayeng.com
Bit Flipping naiconsulting.com
Homoglyphs nilconsultlng.com
Wrong TLD niiconsulting.es

As can be seen above, the attacker has many avenues to trick a user who isn’t aware of the subtle changes in the domain names

From URLCrazy, we get a list of 184 such domains, which we ingest into Elasticsearch using Logstash.

Logstash Configuration
Logstash Configuration

A sample standard output is provided below:

Logstash Standard Output
Logstash Standard Output

We can view the ingested events in Kibana dashboard as well.

Using the ‘Dev Tools’ in Kibana 5.3 we can run different search queries against the data ingested in Elasticsearch.

Using the three search operators, we have different levels of success in finding the above ‘phish’ domains.

For regexp, we randomly select a substring of our primary domain and append regular expression syntax to the query. A sample search gives us a result of 103 such domain. However, it should be noted that in a large data-set, such a query will generate a lot of false-positive.

REGEXP Query
REGEXP Query
REGEXP Query Result
REGEXP Query Result

The above query could have returned a positive hit for domains like abcconsulting.com, associateconsult.com etc.

The second search operator is a simple wildcard search.

WILDCARD Query
WILDCARD Query
WILDCARD Query Result
WILDCARD Query Result

 

The above query returns the domain names with non-standard TLDs like .ch, .ca, .nl etc.

This is a useful query to identify any TLDs which users in your organization have visited which do not actually belong to the organization. There is a high probability of an attacker hosting phishing pages on such domains.

Lastly, we shall look at fuzzy search operator. This is a useful search capability of Elasticsearch which can help us hunt for domains created in the manner like URLCrazy mentioned above. Fuzzy search returns positive results for strings which are similar (not an exact match) to our original query.

So, while REGEXP and WILDCARD searches may not help us identify niiiconsulting.com, FUZZY search will be able to search for this domain and present us the result. From the primary domain, we generated 184 domains through URLCrazy, that we ingested in Elasticsearch. Using a fuzzy search query for the primary domain, we could successfully identify 163 domains.

FUZZY Query
FUZZY Query
FUZZY Query Result
FUZZY Query Result

 

 

 

 

The 21 domains that were missed consisted of 12 non-dot-com TLDs (which we can hunt using the wildcard search operator) and 9 domains which even fuzzy search was unable to find.

FUZZY Negation Query
FUZZY Negation Query
FUZZY Negation Query Result
FUZZY Negation Query Result

 

Wasim Halani

Currently heads the Innovation and Research (InR) team at Network Intelligence. He has almost 9 years of experience conducting penetration testing, vulnerability assessments and security audits. At NII, he also pioneered advance services like RedTeam Assessments, Spear Phishing and DDoS Simulations and Active Threat Hunting. He can be reached at Twitter and LinkedIn

Latest posts by Wasim Halani (see all)

Share This

Be the first to comment

Leave a Reply

Your email address will not be published.


*