Looking at Phish Report from a business perspective, I am thinking clients may want a ‘total’ package if you will. Now, as the title suggests, ‘if’ there was a magic wand…
Finding Malicious Brand Domains.
- the ability to integrate the certstream watch and other NRD lists that are very recent, using a user-defined set of query keywords/wildcards.
- the ability to have those unrefined lists downloaded in the program.
- the lists would be run through httpstatus.io or similar to check which sites are active, then;
- the ability to sort the operating sites into another group: 'to take down' group, 'not yet operational' group, 'watch/keep an eye on' group.
- ability to add XYZ Brand into XYZ groups (recheck non-200 sites until they become operational/200, then auto-add them to the operational group).
- ability to see if a site uses the same certificate as other registered sites (crt.sh) and also add the additional sites (usually same brand).
- some way to automate the email reporting/submissions (somewhat time consuming).
- Twitter integration that will allow domain details from a report to be picked up by the Twitter bots for blocklists/analysis/additional reporting. Would also tweet the brand handle that is being impersonated so the brand can take action too.
Presently, I am manually scouring NRDs, which is fine, as I have found that only using generic keywords, let's say Pepsi, won't return PapsiColaa or PopsiDrink. Scammers are increasingly moving away from the brand keywords as they have been made aware that the brand names are just getting caught too easily.
When I find a trove of suspicious domains, then it's all into Notepad in sections of brands, then I manually run each section through httpstatus to see if 200, manually cut/paste the 200 domains to see if brand or parked. More moving around of domains and sections in Notepad. Then, I manually check each 200 brand domain with urlscan, crt.sh to see if other domains are using the same certificate, etc. Only then will I use Phish Report to report and finally tweet out the malicious domain with screenshot, urlscan URL, hashtags for the bots, etc.
Pretty time consuming. But, Phish Report shaves off a great deal of time presently.
Am unsure if any of the above is feasible, but those features sure would make a one-stop shop if you will. No real need to go outside the program as everything you need would be right there.
Presently, I have looked and I cannot find anything remotely close to the above magic wand features in any program, but they would be appealing to a company that just wants one product instead of many.
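As an added example (not Phish Report's code and not part of the original post), here is an offline sketch of two of the steps the workflow above describes: fuzzy brand matching, so that a keyword such as "pepsi" also flags look-alike labels like "papsicolaa" or "popsidrink", and bucketing the hits by HTTP status into the 'operational', 'not yet operational' and 'watch' groups. The brand list, the NRD batch and the HTTP status results are all constructed inline; the status dict stands in for an httpstatus.io-style check, and the `normalize_label`/`best_brand_match`/`triage` names are this example's own.

```python
"""Offline triage of newly registered domains (NRDs) against a brand list.

Added example, not Phish Report code. Fuzzy brand matching plus bucketing
by HTTP status; every input below is constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict

# Assumption: brands the analyst watches; lowercase, no TLD.
BRANDS = ["pepsi", "paypal"]

# Constructed sample batch, standing in for a certstream/NRD feed.
SAMPLE_NRDS = [
    "pepsi-rewards-login.com",
    "papsicolaa.net",
    "popsidrink.shop",
    "paypa1-secure.com",
    "weather-today.org",
    "pepperoni-pizza.com",
]

# Constructed HTTP results (None = no response / does not resolve yet),
# standing in for an httpstatus.io-style check.
SAMPLE_STATUS = {
    "pepsi-rewards-login.com": 200,
    "papsicolaa.net": 200,
    "popsidrink.shop": 503,
    "paypa1-secure.com": None,
    "weather-today.org": 200,
    "pepperoni-pizza.com": 404,
}

# Digit-for-letter swaps commonly seen in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_label(domain: str) -> str:
    """Lowercase, drop the last label (TLD) and undo digit homoglyphs.
    Assumption: no public-suffix handling, so 'x.co.uk' keeps '.co'."""
    label = domain.strip().lower().rsplit(".", 1)[0]
    return label.translate(_HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_brand_match(label: str, brands=BRANDS, max_dist: int = 1):
    """Return (brand, distance) for the closest brand, or None.
    An exact substring wins (distance 0); otherwise slide a window the
    length of the brand over the label and keep the smallest distance
    within max_dist. A small max_dist keeps unrelated words such as
    'pepperoni' from being flagged for 'pepsi'."""
    best = None
    for brand in brands:
        if brand in label:
            return (brand, 0)
        n = len(brand)
        for i in range(max(1, len(label) - n + 1)):
            d = edit_distance(label[i:i + n], brand)
            if d <= max_dist and (best is None or d < best[1]):
                best = (brand, d)
    return best


def bucket_for(status) -> str:
    """Map an HTTP status (or None) to one of the post's groups."""
    if status == 200:
        return "operational (verify brand vs parked)"
    if status is None:
        return "not yet operational (recheck)"
    return "watch (non-200 response)"


def triage(nrds, status_map, brands=BRANDS) -> dict:
    """Group NRDs by status bucket; entries are (domain, brand, distance)."""
    groups = defaultdict(list)
    for domain in nrds:
        match = best_brand_match(normalize_label(domain), brands)
        if match is None:
            groups["no brand match"].append((domain, None, None))
            continue
        brand, dist = match
        groups[bucket_for(status_map.get(domain))].append((domain, brand, dist))
    return dict(groups)


if __name__ == "__main__":
    for group, hits in triage(SAMPLE_NRDS, SAMPLE_STATUS).items():
        print(group)
        for domain, brand, dist in hits:
            print(f"  {domain:28} brand={brand} distance={dist}")
```

The windowed edit distance is what catches "papsicolaa" and "popsidrink" for "pepsi" while a plain substring search would miss them; the digit-homoglyph map turns "paypa1" back into "paypal" before matching. The threshold is deliberately tight (one edit), because loosening it quickly starts flagging ordinary words; in practice you would tune it per brand length and still hand-check the 200 group for parked pages, as the post describes.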