BlockPhish: Phishing Website Detection Tool
We’re releasing an open-source project today that we’re really excited about. It helps teams identify phishing websites targeting their organization during the early phases of a phishing campaign, ideally before the attack has been launched.
Phishing attacks are currently one of the most common attack styles affecting people in the cryptocurrency space. With a low-barrier to entry and limited punitive options, phishing attacks are widespread and relentless. While traditional banks use sophisticated fraud engines and in-house resources to protect their users against this type of threat, in the decentralized world of cryptocurrencies, end users aren’t afforded these same protections.
To exacerbate the issue, typical communication channels used by organizations in this space, such as Telegram and Slack, do little to protect users against these attacks. Email providers who have had the misfortune of being targeted by phishing for decades, have developed sophisticated fraud detection engines to combat spam.
In order to address this problem, a multi-tiered approach is necessary. In the field of information assurance, this is what’s known as “defense in depth”. A detailed description of this can be found in an upcoming blog post The Phishing Killchain.
BlockPhish helps to identify attacks during the weaponization phase. Detecting attacks at an early phase lowers the chances of users being exposed to the attack and gives defenders more time to respond. Due to takedowns taking up to several days to perform, it’s critical to find these websites as early in the lifecycle as possible.
Phishing attacks commonly involve either a homograph or typosquatting element. Homograph attacks use characters that appear similar to deceive victims. A basic example of this would be using pavpal.com in place of paypal.com. This can be extended to abusing unicode characters, for example, an attacker could change an ‘a’ character in paypal.com to a Cyrillic lowercase ‘a’ with diaeresis, which would result in pӓypal.com. Typosquatting attacks are a similar technique, which rely on common misspellings or variations, for example paypall.com or paypals.com.
Attackers will often register SSL certificates for their phishing website to appear more legitimate. BlockPhish uses natural language processing (NLP) on a stream of newly registered SSL certificates to identify homograph and typosquatting attacks on a target website. For example, if you are monitoring myetherwallet.com, BlockPhish will help detect when an attacker registers an SSL certificate with a certificate authority for myëthërwallet.com.
We’ve integrated Google sheets into BlockPhish to act as a makeshift security operations center (SOC). If you follow our guidelines on the github page, you’ll receive notification emails from Google when new links are added above a threshold set by you.
Once you’ve received the notification, you have a number of options. A detailed guide will be outlined in an upcoming blog post How to React to Phishing Attacks. However, your main goal during this time is to limit the effect the campaign has on your users. Possible options include getting the site blacklisted by Safe Browsing, convincing the hosting provider to take the site down, or notifying your users of an ongoing attack.
This approach to detecting phishing websites has a number of inherent limitations.
It won’t find websites that were set up before you began monitoring.
It won’t help find clones that aren’t using SSL.
It won’t identify phishing websites that clone the content, but use a very different name to the ones that you’re monitoring.
NLP is hard to get right, so it probably won’t be 100% accurate, it’ll have false positives and false negatives.
We hope that you or your team find this project useful. We’d love to hear from you if you do use it, and contributions to the code base are welcome!
iosiro offers a comprehensive suite of anti-phishing services including monitoring Slack channels, performing website takedowns, and running BlockPhish as a managed service.