Thanks for adding me, Bradley.
Here in Oz, we have a very bad smishing problem. Very bad. People are losing their life savings every other day in the news. The gov/companies are not doing anything about it because we are finding so many scam phishing sites it’s unbelievable.
Anyway, I’m curious about finding NRDs. I have tried many different lists, but most cost money. One free resource that seems to be the best with the newest domains is [dnpedia](https://dnpedia.com/tlds/search.php). It is updated daily with the freshest results of all the NRD lists I’ve tried. I just use the contains filter and search for ‘gov’ (mygov aussie, as scammers are using abbreviations), auspost (or just post), road, toll, portal, login, aus, -au, au- and I find hundreds of phishing sites targeting the Aussie public. I have to do this all manually: search, cut, paste, add domain etc. The API costs money and scraping will result in obfuscated results. Is there a free NRD list somewhere that is as good as dnpedia and can make threat hunting easier? Or at least make it less time consuming? Cheers.
I’ve used Newly Registered Domains - Free Download Daily Domains List in the past (no API but the download URL just contains the date so it’s easy to automate the download each day). Looks like they might be capping the number of results now though…
Are you able to run something like GitHub - x0rz/phishing_catcher: Phishing catcher using Certstream? As long as the phishing sites have an HTTPS certificate, Certificate Transparency logs are probably the best way to find their new domains. Rather than the 24hr delay you’d get with a newly registered domains list, you’ll get the domain through within minutes of it being created.
Thinking about it, this is a pretty good opportunity for Phish Report… The main work is getting these feeds set up in the first place; once they’re running, the number of rules/patterns being checked can be very high.
@CyberSecApe, what’s your workflow look like for scanning through these lists for keywords? I assume it’s pretty noisy with false positives?
Bradley, the point you just brought up never even crossed my mind before.
Integration of Phish Report with the ability to actually find these NRDs and query them.
I have been primarily only using https://dnpedia.com/tlds/search.php and doing it all manually. Around 4pm here in Oz the new NRDs are listed. I will query ‘gov’, as for every ‘mygov’ (Australian Government Services Portal) there are 7 other ‘mygov’ phish sites without using that term. Sometimes I will find New Zealand gov sites, which seems to be a growing trend of targeting NZ in all arenas. Then I move on to ‘post’, then ‘bank’, ‘bnk’, ‘login’, ‘toll’ (road toll, Linkt etc.), then after all that fun I end with ‘-au’, ‘au-’ and ‘aus’. When I have a list of 100 or so, I will run it through https://httpstatus.io/, the invaluable bulk checker, set the UA to Android Mobile (many sites redirect on PC) and then start manually checking just what the 200 sites are displaying. Then it’s on to URLSCAN, check the sites’ certs to see if other sites are in there also, then when I find a known brand, I screenshot, report, include the screenshot in the email etc. Then I tweet the site so others and bots are aware also. On a good day, this can take anywhere from an hour to several if there are a lot of them. Also, apart from the known phish kit templates, I have been seeing more and more ‘generic’ aus-sales type sites which are just fake products at ‘bargain’ prices. Sorry for the wall of text, mate.
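The keyword pass described above, written as a small triage script (an added example, not code from the thread or from Phish Report). It takes a day's NRD list, keeps only the registrant-chosen label, scores it against the thread's keywords so that brand terms like ‘mygov’ and ‘auspost’ outrank generic ones like ‘post’ or ‘portal’, and returns a ranked shortlist ready for the bulk HTTP checker. The domains, weights and the short public-suffix set are constructed assumptions for illustration.

```python
"""Keyword triage for a newly-registered-domains (NRD) list."""

# Keywords from the thread with a rough weight (assumed values): brand terms
# are strong signals, generic words are weak ones and need company.
KEYWORDS = {
    "mygov": 3, "auspost": 3, "linkt": 3,
    "gov": 2, "bank": 2, "bnk": 2, "toll": 2,
    "post": 1, "login": 1, "portal": 1, "road": 1,
    "aus": 1, "-au": 1, "au-": 1,
}
# A brand hit already explains these substrings; don't double count them.
SUBSUMED = {"mygov": {"gov"}, "auspost": {"post", "aus"}}
# Two-label public suffixes seen in the sample (assumption: use a full
# public-suffix list in production).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.nz", "co.uk"}

# Constructed sample of one day's NRD entries (not real domains).
SAMPLE_NRDS = [
    "mygov-refund-au.com", "auspost-redelivery.net", "linkt-toll-notice.com",
    "example-bakery.com.au", "postcards-shop.com", "secure-login-bnk.co.nz",
    "myportal.com.au",
]

def registrable_label(domain: str) -> str:
    """Label the registrant chose: 'example-bakery' for example-bakery.com.au."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (score, sorted keyword hits) for one domain."""
    label = registrable_label(domain)
    hits = {kw for kw in KEYWORDS if kw in label}
    for brand, covered in SUBSUMED.items():
        if brand in hits:
            hits -= covered
    return sum(KEYWORDS[k] for k in hits), sorted(hits)

def triage(domains, min_score: int = 2) -> list[tuple[int, str, list[str]]]:
    """Rank domains by score, dropping weak single-keyword noise."""
    ranked = [(s, d, h) for d in domains for s, h in [score_domain(d)] if s >= min_score]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))

if __name__ == "__main__":
    for score, domain, hits in triage(SAMPLE_NRDS):
        print(f"{score:2d}  {domain:28s} {', '.join(hits)}")
```

The ranked domains can be pasted straight into the bulk status checker; ‘postcards-shop.com’ and ‘myportal.com.au’ fall below the threshold because a lone generic word is the main source of false positives.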
Really appreciate the detail!
This lines up really nicely with some phishing site detection features I have planned for Phish Report, so I’ll let you know when they’re ready to try out.