Phishing is [still] the primary way attackers either commit a primary criminal act (i.e. phish a target to, say, install ransomware) or is the initial vehicle used to gain a foothold in an organization so they can perform other criminal operations to achieve some goal. As such, security teams, vendors and active members of the cybersecurity community work diligently to neutralize phishing campaigns as quickly as possible.<\/p>\n
One popular community tool\/resource in this pursuit is PhishTank<\/a> which is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.<\/em><\/p>\n While the PhishTank API is useful for real-time anti-phishing operations the data is also useful for security researchers as we work to understand the ebb, flow and evolution of these attacks. One avenue of research is to track the various features associated with phishing campaigns which include (amongst many other elements) network (internet) location of the phishing site, industry being targeted, domain names being used, what type of sites are being cloned\/copied and a feature we’ll be looking at in this post: what percentage of new phishing sites use SSL encryption and — of these — which type of SSL certificates are “en vogue”.<\/p>\n Phishing sites are increasingly using and relying on SSL certificates because we in the information security industry spent a decade instructing the general internet surfing population to trust sites with the green lock icon near the location bar. Initially, phishers worked to compromise existing, encryption-enabled web properties to install phishing sites\/pages since they could leech off of the “trusted” status of the associated SSL certificates. However, the advent of services like Let’s Encrypt<\/a> have made it possible for attacker to setup their own phishing domains that look legitimate to current-generation internet browsers and prey upon the decade’s old “trust the lock icon” mantra that most internet users still believe. We’ll table that path of discussion (since it’s fraught with peril if you don’t support the internet-do-gooder-consequences-be-darned cabal’s personal agendas) and just focus on how to work with PhishTank data in R and take a look at the most prevalent SSL certs used in the past week (you can extend the provided example to go back as far as you like provided the phishing sites are still online).<\/p>\n You can use the Let’s setup all the packages we’ll need and cache a current copy of the PhishTank data. The package forces you to utilize your own caching strategy since it doesn’t make sense for it to decide that for you. I’d suggest either using the time-stamped approach below or using some type of database system (or, say, Apache Drill) to actually manage the data.<\/p>\n Here are the packages we’ll need:<\/p>\n NOTE: The Let’s take a look:<\/p>\n The data is really straightforward. We have unique ids for each site\/campaign the URL of the site along with a URL to extra descriptive info PhishTank has on the site\/campaign. We also know when the site was submitted\/discovered and other details, such as the network\/internet space the site is in:<\/p>\n We’re going to focus on recent phishing sites (in this case, ones that are less than a week old) and those that use SSL certificates:<\/p>\n Let’s ee how many are using SSL:<\/p>\n This percentage is lower than a recent “50% of all phishing sites use encryption” statistic going around of late. There are many reasons for the difference:<\/p>\n Despite the 20% deviation, 30% is still a decent percentage, and a green, “everything’s ??” icon is a still a valued prize so we shall pursue our investigation.<\/p>\n Now we need to retrieve all those certs. This can be a slow operation that so we’ll grab them in parallel. It’s also quite possible the “online”status above data frame glimpse is inaccurate (sites can go offline quickly) so we’ll catch certificate request failures with Let see how many request failures we had:<\/p>\n As noted in the introduction to the blog, when attackers want to use SSL for the lock icon ruse they can either try to piggyback off of legitimate domains or rely on Let’s Encrypt to help them commit crimes. Let’s see what the top p”apex” domains](https:\/\/help.github.com\/articles\/about-supported-custom-domains\/#apex-domains) were in use in the past week:<\/p>\n We can see that a large hosting provider (Accessing PhishTank From R<\/h3>\n
aquarium<\/code> package [GL<\/a>|GH<\/a>] to gain access to the data provided by PhishTank’s API (you need to sign up for access and put you API key into the PHISHTANK_API_KEY<\/code> environment variable which is best done via your ~\/.Renviron<\/code> file).<\/p>\nlibrary(psl) # git[la|hu]b\/hrbrmstr\/psl\nlibrary(curlparse) # git[la|hu]b\/hrbrmstr\/curlparse\nlibrary(aquarium) # git[la|hu]b\/hrbrmstr\/aquarium\nlibrary(gt) # github\/rstudio\/gt\nlibrary(furrr)\nlibrary(stringi)\nlibrary(openssl)\nlibrary(tidyverse)\n<\/code><\/pre>\npsl<\/code> and curlparse<\/code> packages are optional. Windows users will find it difficult to get them working and it may be easier to review the functions provided by the urlparse<\/code> package and substitute equivalents for the domain()<\/code> and apex_domain()<\/code> functions used below. Now, we get a copy of the current PhishTank dataset & cache it:<\/p>\nif (!file.exists(\"~\/Data\/2018-12-23-fishtank.rds\")) {\n xdf <- pt_read_db()\n saveRDS(xdf, \"~\/Data\/2018-12-23-fishtank.rds\")\n} else {\n xdf <- readRDS(\"~\/Data\/2018-12-23-fishtank.rds\")\n}\n<\/code><\/pre>\nglimpse(xdf)\n## Observations: 16,446\n## Variables: 9\n## $ phish_id <chr> \"5884184\", \"5884138\", \"5884136\", \"5884135\", ...\n## $ url <chr> \"http:\/\/internetbanking-bancointer.com.br\/lo...\n## $ phish_detail_url <chr> \"http:\/\/www.phishtank.com\/phish_detail.php?p...\n## $ submission_time <dttm> 2018-12-22 20:45:09, 2018-12-22 18:40:24, 2...\n## $ verified <chr> \"yes\", \"yes\", \"yes\", \"yes\", \"yes\", \"yes\", \"y...\n## $ verification_time <dttm> 2018-12-22 20:45:52, 2018-12-22 21:26:49, 2...\n## $ online <chr> \"yes\", \"yes\", \"yes\", \"yes\", \"yes\", \"yes\", \"y...\n## $ details <list> [<209.132.252.7, 209.132.252.0\/24, 7296 468...\n## $ target <chr> \"Other\", \"Other\", \"Other\", \"PayPal\", \"Other\"...\n<\/code><\/pre>\nglimpse(xdf$details[1])\n## List of 1\n## $ :'data.frame': 1 obs. of 6 variables:\n## ..$ ip_address : chr \"209.132.252.7\"\n## ..$ cidr_block : chr \"209.132.252.0\/24\"\n## ..$ announcing_network: chr \"7296 468\"\n## ..$ rir : chr \"arin\"\n## ..$ country : chr \"US\"\n## ..$ detail_time : chr \"2018-12-23T01:46:16+00:00\"\n<\/code><\/pre>\nfilter(xdf, verified == \"yes\") %>%\n filter(online == \"yes\") %>%\n mutate(diff = as.numeric(difftime(Sys.Date(), verification_time), \"days\")) %>%\n filter(diff <= 7) %>%\n { all_ct <<- nrow(.) ; . } %>%\n filter(grepl(\"^https\", url)) %>%\n { ssl_ct <<- nrow(.) ; . } %>%\n mutate(\n domain = domain(url),\n apex = apex_domain(domain)\n ) -> recent\n<\/code><\/pre>\n(ssl_ct)\n## [1] 383\n\n(pct_ssl <- ssl_ct \/ all_ct)\n## [1] 0.2919207\n<\/code><\/pre>\n\n
safely()<\/code> and cache the results:<\/p>\ncert_dl <- purrr::safely(openssl::download_ssl_cert)\n\nplan(multiprocess)\n\nif (!file.exists(\"~\/Data\/recent.rds\")) {\n\n recent <- mutate(recent, cert = future_map(domain, cert_dl))\n saveRDS(recent, \"~\/Data\/recent.rds\")\n\n} else {\n recent <- readRDS(\"~\/Data\/recent.rds\")\n}\n<\/code><\/pre>\n(failed <- sum(map_lgl(recent$cert, ~is.null(.x$result))))\n## [1] 25\n\n(failed \/ nrow(recent))\n## [1] 0.06527415\n<\/code><\/pre>\ncount(recent, apex, sort = TRUE)\n## # A tibble: 255 x 2\n## apex n\n## <chr> <int>\n## 1 000webhostapp.com 42\n## 2 google.com 17\n## 3 umbler.net 8\n## 4 sharepoint.com 6\n## 5 com-fl.cz 5\n## 6 lbcpzonasegurabeta-viabcp.com 4\n## 7 windows.net 4\n## 8 ashaaudio.net 3\n## 9 brijprints.com 3\n## 10 portaleisp.com 3\n## # ... with 245 more rows\n<\/code><\/pre>\n000webhostapp.com<\/code>) bore a decent number of these sites, but Google Sites (which is what the full domain represented by the google.com<\/code> apex domain here is usually pointing to) Microsoft SharePoint (sharepoint.com<\/code>) and Microsoft forums (windows.net<\/code>) are in active use as well (which is smart give the pervasive trust associated with those properties). There are 241 distinct apex domains in this 1-week set so what is the SSL cert diversity across these pages\/campaigns?<\/p>\n