I've spoken a couple of time recently about CT and it really is an awesome thing to have. We can now add one more wicked feature to our arsenal thanks to CT and Facebook, and that's the ability to easily detect phishing sites.
I've got a great introduction post on CT so you can read that for more details but the TLDR is that CT requires all certificates issued by a CA be logged into public logs that we can search and monitor. This means no more secret certificates but it also means we can see all certificates being issued. Facebook have a great CT log monitoring tool to let you do this and you can get notifications via email or in the app every time a certificate is issued for your site, how cool is that!
You can head over to the Facebook CT Tool and sign up for notifications for your domains easily and it's completely free. Of course you can also sign up to monitor other domains too and I monitor quite a few out of interest, but we're never really going to see too much interesting info there other than their renewal schedule. What else can we look for though?
The web is going HTTPS and it's not just good sites it's bad sites too. Lots and lots of phishing sites are now using HTTPS because it's become easy and free to deploy. There has been a lot of discussion and resistance against CAs like Let's Encrypt issuing certs to these sites but I've spoken about that before, Let's Encrypt are enabling the bad guys, and why they should. Whether or not you agree with this happening, it is happening right now so how can we turn this to our advantage. Well, when a phishing site gets a certificate, we can see it in CT so we can know about the site probably before they've even brought it online! All we need to do is look for domains that are similar to popular sites or contian their domain as a substring. What if we kept an eye on the CT logs for certificates issued to
secure-paypal.com? That would probably be a pretty good idea and it could certainly turn up some interesting information. I have some good news for you too, you can do this right now, for free!
This is such an awesome feature and we're starting to see some of the power that CT gives us. You can now detect phishing domains that are homoglyphs of your site using CT! https://t.co/PDVdyYiWgY— Scott Helme (@Scott_Helme) May 4, 2018
Facebook have added this capability to their CT log monitoring service and they will try to find all possible phishing variants of your domain and notify you when they get certificates!
Not only can you do this for your site, you can also do it for other sites and just to see what was happening in the Big Bad Web(TM), I enabled it for
apple.com to see. It didn't take long before I got a hit.
Got my first hit! secure1.appleid[.]apple[.]com.eror404-log-please-isi-ya[.]ga pic.twitter.com/6Zv4ihck0D— Scott Helme (@Scott_Helme) May 16, 2018
In fact, it wasn't long before I was getting lots of hits. Soooooo many hits and when they're all sent to my phone as push notifications it quickly became apparent just how many phishing certs are issued to big domains like this.
Monitoring for paypal[.]com and apple[.]com might have been a mistake... They get a lot of phishing certs!! pic.twitter.com/sCLzaB3EZt— Scott Helme (@Scott_Helme) May 16, 2018
Still though, this is the system working, this is what CT enables us to do. You may have noticed just above that the phishing domain I got a notification for was already in SafeBrowsing by the time I looked at it. Now, there was a delay from the cert having been logged and me getting the notification, it seems Facebook went back a small period of time and sent me recent certs too, which is great. But think of what this means. When a phishing site gets a cert we can be notified about it and then go take a look to see if the site is a risk. If it is it can be reported to SafeBrowsing right away and we have the site taken down before they get chance to be fully online.