Catching phishing before they catch you

Paypal phishing, paypal phishing everywhere

Let’s catch some phishing domain names using CertStream!

What is Certificate Transparency?

Certificate authorities (CAs) get hacked (it has already happened), and sometimes they mistakenly issue rogue certificates… That is why Google’s Certificate Transparency project tries to fix several structural flaws in the SSL certificate system by providing an open framework for monitoring and auditing SSL certificates in near real time, as they are being issued!

Certificate Transparency framework

CertStream + phishing keywords = ❤️

CertStream is a free service for getting data from the Certificate Transparency Log (CTL). Using their Python library to receive the certificate log is quite easy:

Now all you have to do is monitor for suspicious keywords such as paypal, outlook, icloud, etc., and you get early detection: phishing domains are flagged before they are even fully operational!
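As an added example, not the author's proof of concept (whose source is not reproduced here), this is the triage I would run on each CertStream `certificate_update` event: plain keyword matching plus a few cheap signals (free TLD, a `com-` label faking a .com ending, long hyphenated or deeply nested names) and an allowlist for the brands' real domains to trim false positives. The keyword list, weights, threshold and the sample event are my own assumptions; the `certstream` import stays inside the `__main__` block so the scoring runs offline, and the server URL is the library's documented default (point it at your own CertStream instance if the public one is unavailable).

```python
"""Keyword triage for CertStream certificate_update events (added example)."""
import re

# Assumed starter lists; extend them to the brands and TLDs you care about.
KEYWORDS = ("paypal", "appleid", "icloud", "outlook", "yahoomail")
ALLOWLIST = ("paypal.com", "apple.com", "icloud.com", "outlook.com", "yahoo.com")
CHEAP_TLDS = (".tk", ".ml", ".ga", ".cf", ".gq")


def score_domain(domain):
    """Score one SAN entry; returns (score, reasons) so hits can be explained."""
    d = domain.lower().lstrip("*.")  # wildcard certs: '*.foo.com' -> 'foo.com'
    if ".".join(d.split(".")[-2:]) in ALLOWLIST:  # crude eTLD+1: brand's own domain
        return 0, ["allowlisted"]
    hits = [k for k in KEYWORDS if k in d]
    if not hits:
        return 0, []
    score, reasons = 2 * len(hits), ["keyword:" + ",".join(hits)]
    if d.endswith(CHEAP_TLDS):  # free TLDs favoured by throwaway phishing sites
        score, reasons = score + 2, reasons + ["cheap-tld"]
    if re.search(r"(^|[.-])com-", d):  # 'appleid.com-jp-...' fakes a .com ending
        score, reasons = score + 3, reasons + ["fake-com-label"]
    if d.count("-") >= 3:
        score, reasons = score + 1, reasons + ["many-hyphens"]
    if d.count(".") >= 3:
        score, reasons = score + 1, reasons + ["deep-subdomain"]
    return score, reasons


def triage(message, threshold=3):
    """Return defanged (domain, score, reasons) for suspicious SANs in one event."""
    if message.get("message_type") != "certificate_update":
        return []  # certstream also sends heartbeats; skip them
    flagged = []
    for dom in message["data"]["leaf_cert"]["all_domains"]:
        score, reasons = score_domain(dom)
        if score >= threshold:
            flagged.append((dom.replace(".", "[.]"), score, reasons))
    return flagged


# Constructed sample in the shape certstream delivers, not a real log entry.
SAMPLE_EVENT = {"message_type": "certificate_update", "data": {"leaf_cert": {
    "all_domains": ["appleid.com-jp-unlock-cloud.net", "www.paypal.com"]}}}

if __name__ == "__main__":
    import certstream  # pip install certstream; imported here so scoring runs offline

    def on_event(message, context):
        for dom, score, reasons in triage(message):
            print(f"{score:>2} {dom} {' '.join(reasons)}")
    certstream.listen_for_events(on_event, url="wss://certstream.calidog.io/")
```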

I made a quick proof of concept using the CertStream Python library, and it works like a charm! Here are a few samples identified in just a couple of hours:


Get results in seconds!

There are a few false positives, but nothing too crippling. Feel free to edit the source code to suit your needs 👍