In my previous post, Using Maltego to Hunt for Phishing Subdomains , I demonstrated how investigative link-analysis software like Maltego provides an in-depth view into domains, and how it can help to identify a domain serving such links by investigating the graph results for any related malicious activity connected to it.
In this blog post, we will employ a similar mindset. However, this time, we will be looking for domain typo-squatters and how to monitor for suspicious activity around a specific brand using several Maltego Transforms to uncover it.
Brand Spoofing and Phishing 🔗︎
Phishing , as defined in MITRE ATT&CK Technique T1566 , acts as one of the top concerns for cybersecurity, as it is easily abused and proliferated by low-level threat actors and seasoned nation state APT groups alike. It commonly serves as the initial attack vector for many threats—such as fraud, credential theft, ransomware, malware, and information theft to name a few. Its subset technique of brand impersonation, serves as a common social engineering tactic to facilitate and weaponize the various attacks conducted by cybercriminals.
Since most of our lives are now inseparably intertwined with the digital world and are tied to digital identities we register to various services online, such as payment services, messaging apps, social media, local government, etc. phishing has become a more prevalent method for many threat actor groups and cybercriminals.
According to Checkpoint’s Q3 report for 2020 , Microsoft and PayPal are some of the most impersonated and targeted brands in the world for phishing activity. With each of the services listed in the top 10 offering a large number of users and potential victims for exploitation by cybercriminals.
In this post, we will attempt to hunt for this attack technique of brand impersonation by looking for any domains spoofing these two brands: Microsoft and PayPal.
Setting Up Our Transforms 🔗︎
To begin our investigation, we first need to set up the Transforms we will need to gather our hunting data.
We will be using the following Hub items and data integrations offered by Maltego:
- Free community version of Social Links: Social Links CE
- Free version of VirusTotal: VirusTotal (Public API)
- RiskIQ PassiveTotal
- SSL Certificate Transparency Transforms
In case you haven’t done so already, you will need to register for free/community access API keys for VirusTotal , WhoisXML , and RiskIQ (PassiveTotal) to be able to use the Transforms once you have finished installing them via the Transform Hub.
Let the Hunt Begin: Investigating Typosquatting for Brand Protection in Maltego 🔗︎
For the purpose of this post, we will be using the PayPal and Microsoft brands as an example of hunting for typosquatting, brand monitoring, and impersonation. Hopefully, we will uncover all sorts of malicious activity performed by threat actors in the process of this investigation.
While I’ve mostly mentioned phishing, as it is a very common vector of attack using spoofed URLs, we may also uncover indicators related to other malicious activities—such as drive-by downloads, fraudulent websites, generic scams, malware campaigns, and more.
To begin our investigation, we will first paste the desired brand name (“PayPal” and “Microsoft”) to monitor as a Maltego Phrase Entity.
Now that we have the Phrase Entities into the graph, we will run the [WhoisXML] Brand Alert Transform which will begin the initial stage of gathering data. This Transform is a part of the Social Links CE bundle of Transforms, and the WhoIsXML API offering brand detection capabilities based on custom phrases.
This action has returned 51 domain results to our graph with “PayPal” as part of their domain name. Some of the results we receive may be legitimate PayPal Entities, however, our hunting hypothesis is that we should also find some malicious domains in their mix.
We immediately see that many of the domains in our Maltego graph stick out as being impersonations of the PayPal service by the suspicious naming scheme they’ve been registered with, trying to impersonate account login or support addresses supposedly belonging to PayPal.
For example, this phishing login page spoofing the German version of PayPal can be seen in the list of the URLs our query has caught:
Or this Spanish PayPal version one:
To recap, once we run the [WhoisXML] Brand Alert Transform, we will receive any and all domains containing our searched phrase in its name. Something to keep in mind is that this Transform utilizes various domain registration monitoring techniques like the certificate stream and will be time limited to freshly registered domains every time it is run. It is best to continuously repeat this process with whatever term or brand you are monitoring.
I repeated the process above for the Microsoft phrase and received the following results:
In the Microsoft graph, 31 domains have been returned, most of which seem to be parked domains, registered in the last 1 to 3 days, some with a very phishing-like premise. For example:
These would warrant further monitoring, reporting, and perhaps blocking.
In addition, as mentioned before we started this investigation, we may encounter all types of activity aside from phishing once you start hunting. Some of the other results in both graphs were fraudulent websites selling software bundles of the brands we’re monitoring, which, depending on the type of hunting you’re conducting for your organization, might interest you as well.
Taking This Information Further: Looking at Connected Infrastructure 🔗︎
As phishing campaigns have very quick turnaround times in terms of their longevity, some of our domain results may not yet be connected to a host and serve live phishing pages at the time we perform the above method, and we may be a little bit too early to catch their phishing kits. A second option would be that we could be late catching live domains, as the domain had already been reported or burned.
So once we have a list of domains we think are spoofing our brand’s name, and we consider them to be malicious because they host phishing or other malicious files, we can pivot these results in our graph to gain a deeper insight into their connected infrastructure.
Using the [PassiveTotal] Passive DNS Transform, I’ve picked a phishing domain which was hosting a live phishing kit just two hours before the writing of this post but is currently down as my target for deeper insight. This would give us the corresponding IP resolutions observed by PassiveTotal. We should also try this by selecting all the results we have initially received to get the most commonly shared infrastructure by all domains.
Once we have the server hosting our initially observed phishing domain, we can now run a second PassiveTotal Transform, this time the [PassiveTotal] Get Passive DNS with Time Transform. It returns similar results to the one we previously used, listing all the IP resolutions they have observed. However, by identifying them in time, we can look at the most recent activity.
Once we return the results to the graph, we need to delete any and all old activity resulting in a graph similar to the one above—displaying only the most recent resolutions. We can see that this server has been used to actively target PayPal for phishing activity in the past 3 days. It would be a safe assumption to make that this IP address will continue to be used for phishing activity at least in the near future. The same advice as before stands—monitor, report, and consider blocking this server.
A quick way to see where we should focus on additional steps to verify the contents of your graph results, would be by using the Annotate Domain [VirusTotal Public API] Transform available in the VirusTotal Public API Transforms.
This will display a graph with the domains which have already been marked as malicious or suspicious by VirusTotal’s engines.
Anything warranting your attention for a more manual approach can be taken into other means of investigation, like submission to sandboxes, manual browsing, or pivoting (as shown in the previous step).
To further pinpoint where our analysis efforts should focus, particularly if our graph has a large infrastructure to sift through, the Maltego SSL To Certificate Transform can pinpoint any certificates being shared, which may point to a specific campaign being launched by looking at many domains sharing certificate results in the graph.
As we can see in our graph, a particular certificate is being used by many different domains and IPs if we look closely at its details. However, this may change and vary depending on the different stages of the campaign in which the piece of infrastructure we are currently examining is. So, constant re-evaluation is warranted.
In this case, these domains are sharing certificates of their hosting provider which is currently parking their domain. We can now look further into this provider and its IP range to uncover more potential malicious activity.
Brand Monitoring with SSL Certificates 🔗︎
Taking this approach further, we can also use the To Certificates [Cert Spotter] Transform to monitor for any SSL certificates being issued to a domain your brand or company owns. Most phishing attacks will use domain validated certificates offered by free SSL certificate providers such as “Let’s Encrypt.” The Anti-Phishing Working Group (APWG), says in its Q3 2020 report for phishing trends that 80% of phishing sites have SSL encryption with a majority of them being such certificates, which are considered to be weaker and more vulnerable for impersonating brands.
Monitoring for any sort of certificate being issued to one of your domains could alert you to any possible hostile take-over of your asset, and potential malicious activity being attached to it.
Running this Transform on our chosen brands of PayPal or Microsoft will result in a very large graph with legitimate certificates, since it’s unlikely that a domain using Extended Validation certificates would be hit like that.
However, a potential loop in security, like forgetting to renew a certificate, an unkept and forgotten server, or any kind of domain take-over may remain undetected until you check for yourself. This may be even more relevant to a smaller organization using weaker types of certificates, which are more easily impersonated.
Remember, even if you’re positive that you’re looking at a known list of certificates - you should still check for additionally associated domains, or unknown subdomains connected to those certificates by running the To Domains Transform, to possibly discover if any are present or unknown to you.
This graph contains the domain links associated with each individual certificate connected to our brand, in this case—PayPal, sorted by ball size of shared certificates.
A less complicated example , which you can practice on your own with a smaller sample size would be the Maltego.com domain. Here you can see how external infrastructure being used for cloud documentation, and customer service links between Maltego and other companies using these services by connecting their SSL certificates to Maltego’s domain.
If your company domain has similar third-party integrations, periodically checking how, where, and to whom your infrastructure is connected via your SaaS or other cloud solutions would be a healthy practice to identify potential security holes. Either for expired certificates, which can be used for attack vectors like data exfiltration, business disruptions, domain take over, or for unknown indicators warranting further investigation.
The threat of phishing is dynamic, evolving, and will likely continue to grow as time goes on. Tools like Maltego where you can utilize different data providers and hunting techniques like brand monitoring and link analysis to uncover such threats can be an asset to accompany the more traditional on-premise solutions an organization will have to protect itself from these threats.
About the Author 🔗︎
This guest post was written by Andrei Kornev, a Security Researcher from www.deependresearch.org , a non-profit team which conducts threat research and intelligence analysis with emphasis on malware, botnet tracking, underground economy and cybercrime.