DOCSLIB.ORG

The Extension and Customisation of the Maltego Data-Mining Environment Into an Anti-Phishing System

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Extension and Customisation of the Maltego Data-Mining Environment Into an Anti-Phishing System The Extension and Customisation of the Maltego Data-Mining Environment into an Anti-Phishing System Submitted in partial fulfilment of the requirements of the degree of Bachelor of Science (Honours) of Rhodes University Matthew Marx Grahamstown, South Africa November 2, 2014 Contents 1 Introduction 1 1.1 Problem Statement and Research Goals . 1 1.2 Scope . 2 1.3 Document Structure . 3 2 Background 4 2.1 History and background . 4 2.1.1 Phishing and Pharming . 5 2.1.2 The Anatomy of a phishing attack . 5 2.2 The cost of a phishing attack . 7 2.2.1 Phishing and Data Breaches . 8 2.3 Online Identity . 9 2.3.1 ICANN . 9 2.3.2 WHOIS . 10 2.3.3 Certificate Authorities . 12 2.3.3.1 The role of Certificate Authorities in Phishing and Anti- Phishing . 12 2.3.4 PhishTank . 14 1 CONTENTS 2 2.4 Types of phishing attacks . 14 2.4.1 Clone Phishing . 14 2.4.2 Tabnabbing . 16 2.4.3 Spear Phishing . 16 2.5 Anti-Phishing methodologies . 17 2.5.1 Anti-Phishing Collectives . 18 2.5.1.1 Anti-Phishing Work Group . 18 2.5.1.2 US-CERT . 18 2.5.1.3 PhishTank . 19 2.5.2 Website take down . 19 2.5.3 Browser Anti-Phishing mechanisms . 19 2.5.3.1 Anti-Phishing Heuristics . 20 2.5.3.2 Phishing Blacklists . 20 2.5.4 Email Filtering and Content Filtering . 20 2.6 Abuse Reporting Mechanisms . 21 2.6.1 Blacklisting services . 21 2.6.2 Placing an abuse report with domain registrar . 21 2.7 Summary . 22 3 Design 23 3.1 System Goals . 23 3.2 Underlying Architecture . 24 3.2.1 Maltego . 24 CONTENTS 3 3.2.2 Maltego Machines . 29 3.2.3 Programming Languages . 30 3.2.4 Transforms . 31 3.3 Entities . 32 3.3.1 Domain . 34 3.3.2 Email Address: . 34 3.3.3 IPv4 . 34 3.3.4 Email Source . 34 3.3.5 Abuse Report Email . 35 3.3.6 EmailSourceDirectory . 35 3.3.7 Potential Phishing URL . 35 3.3.8 Suspicious Email Address . 35 3.3.9 Phishing Target . 36 3.3.10 Confirmed Phishing URL . 36 3.3.11 Phishing Kit . 36 3.4 Transforms . 36 3.4.1 Verify Phishing Link . 37 3.4.2 Generating Abuse Report Emails . 38 3.4.3 Directory Monitoring . 39 3.4.4 Link Extraction and analysis . 39 3.4.5 WHOIS . 40 3.5 Automating the process . 41 CONTENTS 4 4 Case Studies 43 4.1 An attack launched from a compromised server . 43 4.1.1 Background . 43 4.1.2 Exploration and Fingerprinting . 44 4.1.3 Analysis . 46 4.2 Correlating relationships between larger data-sets . 48 4.2.1 Background . 49 4.3 Automated monitoring . 52 5 Conclusion 55 5.1 Analysis of Goals . 55 5.2 Future Work . 56 5.2.1 Introducing additional online services . 56 5.2.2 Extension into analysis of attachments . 57 5.2.3 Reporting Mechanism . 57 5.2.4 Tool Integration . 57 References 59 A Appendix 62 List of Figures 2.1 The mechanics of a Phishing attack . 6 2.2 A Typical Phishing URL . 7 2.3 An example of a certificate verifying the identify of an online service . 13 2.4 A typical phishing email . 15 2.5 Tabnabbing . 16 2.6 Mechanics of a spear-phishing attack . 17 3.1 Creating a new graph . 26 3.2 Running a transform . 26 3.3 The transform produces a new IPv4 entity . 27 3.4 A more complex set of entities and relationships . 28 3.5 Block Layout . 29 3.7 Circular Layout . 29 3.6 Hierarchical Layout . 30 3.8 Regular expression used to extract links and URLs . 40 3.9 Regular expression used to email addresses . 40 4.1 Creating an email source entity . 45 5 LIST OF FIGURES 6 4.2 Analysis of the emailSource entity . 46 4.3 Exploring the domain involved in the attack . 46 4.4 http://www.venisetours.com . 47 4.5 The redirected page . 47 4.6 The redirected page . 48 4.7 Multiple emails represented in Phishtego . 49 4.8 Closed Systems . 50 4.9 Related Attacks . 50 4.10 Related Attacks with Malicious Links reported . 51 4.11 Closed Systems . 53 4.12 Closed Systems . 54 4.13 Automated email retrieval and transforms . 54 List of Tables 3.1 Maltego : Minimum Hardware Requirements . 25 3.2 A Summary of Phishtego Entities . 33 3.3 Verify Phishing URL . 37 3.4 Generating abuse report emails . 38 3.5 Monitoring a local directory for emails . 39 3.6 Link extraction and analysis . 39 3.7 WHOIS . 40 7 Abstract Phishing attacks prove to remain one of the most serious threats to data assets. In particular, the ease and lack of cost associated with setting up and running a successful attack mean that there is no substantial barrier to entry into the phishing world. One of the most important means of understanding and combating a phishing attack is to fingerprint the attack by extrapolating information contained in a phishing email. This includes a substantial amount of information that is contained in the emails headers that is often ignored in the viewing of an email. This project looks to provide an extension to the Maltego framework to provide exploration and reaction to a phishing campaign. In doing so it provides abuse reporting mechanisms and integration with both Google's SafeBrowsing and the Phishtank API. ACM Computing Classification System Classification Thesis classification under the ACM Computing Classification (2012 version, valid through 2014) I.4.3.2 [Security and privacy]: Phishing M.2.6.1 [Social and professional topics]: Computer Crime General terms: Phishing, Abuse Reporting, Attack Fingerprinting Acknowledgements This work was undertaken in the Distributed Multimedia CoE at Rhodes University, with financial support from Telkom SA, Tellabs, Genband, Easttel, Bright Ideas 39, THRIP and NRF SA (TP13070820716). The authors acknowledge that opinions, findings and conclusions or recommendations expressed here are those of the author(s) and that none of the above mentioned sponsors accept liability whatsoever in this regard. I would like to thank everyone that has supported me.
Load more

Recommended publications
  • CHAPTER 2: Getting to Know Your Targets LEARN MORE BUY
    Sample Chapter CHAPTER 2: Getting to Know Your Targets LEARN MORE BUY NOW ©2019 McGraw-Hill All-In-One_PE / CompTIA PenTest+® Certification Practice Exams / Jonathan Ammerman / 090-7 / Chapter 2 CHAPTER Getting to Know 2 Your Targets This chapter includes questions on the following topics: • Information gathering in a given scenario using appropriate techniques • A comparison of various tools and their use cases Following the pre-engagement meetings, the definition of the scope and rules of engagement, and the signing of contracts, a penetration tester is free to begin the next phase of an assessment: information gathering. It is generally accepted that there are two types of information gather- ing: passive and active. Passive information gathering consists of any collection of intelligence by means that are effectively invisible to the target in question; active information gathering will be discussed in Chapters 3 and 4. By its most basic definition, passive information gathering is the collection of information from publicly available sources; this could mean queries in any given search engine, harvesting information from public DNS servers, or searching for the target organization’s networks with tools such as Shodan or theharvester. To define it more precisely, passive information gathering is any collection of intelligence that may be useful in a penetration test without directly connecting or identifying oneself to the target of the penetration test. Although it is not terribly common to find a quick path to an exploitable process or service via passive information gathering, the data collected is still of importance to the overall penetration test; organizations often are unaware of just how wide their digital footprint is and will be amazed at the information you can find without them being aware.
    [Show full text]
  • NCDAA Seminar: Digital Forensics AM Session
    NCDAA Seminar: Digital Forensics AM Session: Understanding the Data Context & Correlation Professor Matthew Miller, PhD University of Nebraska Kearney PM Session: Context & Correlation Shawn Kasal, Digital Forensic Expert 12 Points Technologies LLC Wednesday, October 9, 2019 Embassy Suites Hotel – La Vista Conference Center This page intentionally left blank. Text ~Learning ~ Outcomes INTRODUCTION • DOD • NC4 Cybercop • In-Q-Tel at University of Nebraska Kearney and Omaha • Expert Witness • GM, Ford Motor Company and Daimler Benz What does it take to construct, design and build a work product? A mix of ability, talent and skill is needed to construct and de- construct systems A system is larger and more complex than a computer network GeoPolitics is a system Our diversity, talent & backgrounds Our Team allow us to accomplish what others can not do. Arab Spring Election Reality Winner JP 3-13 • Computer Network Operations (CNO) consist of: • Computer Network Attack (CNA) • Computer Network Defense (CND) • Computer Network Exploitation (CNE) Computer Network Operations (CNO) • Broad term • Military and civilian application • Information is power • More critical decision-based information is digitized and conveyed over an ever- expanding network of computers and other electronic devices • Deliberate actions taken to leverage and optimize these networks to improve human endeavor and enterprise or, in warfare, to gain information superiority and deny the enemy this enabling capability CNO ≈ CNA ≈ CND ≈ CNE • What’s the difference? • Computer
    [Show full text]
  • OSINT Handbook September 2020
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 Aleksandra Bielska Noa Rebecca Kurz, Yves Baumgartner, Vytenis Benetis 2 Foreword I am delighted to share with you the 2020 edition of the OSINT Tools and Resources Handbook. Once again, the Handbook has been revised and updated to reflect the evolution of this discipline, and the many strategic, operational and technical challenges OSINT practitioners have to grapple with. Given the speed of change on the web, some might question the wisdom of pulling together such a resource. What’s wrong with the Top 10 tools, or the Top 100? There are only so many resources one can bookmark after all. Such arguments are not without merit. My fear, however, is that they are also shortsighted. I offer four reasons why. To begin, a shortlist betrays the widening spectrum of OSINT practice. Whereas OSINT was once the preserve of analysts working in national security, it now embraces a growing class of professionals in fields as diverse as journalism, cybersecurity, investment research, crisis management and human rights. A limited toolkit can never satisfy all of these constituencies. Second, a good OSINT practitioner is someone who is comfortable working with different tools, sources and collection strategies. The temptation toward narrow specialisation in OSINT is one that has to be resisted. Why? Because no research task is ever as tidy as the customer’s requirements are likely to suggest. Third, is the inevitable realisation that good tool awareness is equivalent to good source awareness. Indeed, the right tool can determine whether you harvest the right information.
    [Show full text]
  • Maltego Transforms for Threatqtm
    MALTEGO TRANSFORMS FOR THREATQ MALTEGO TRANSFORMS FOR THREATQTM Maltego Transforms for ThreatQTM enables users of Maltego to query ThreatQ for information on elements that could be part of an investigation. These transforms extend the visibility of Maltego to include threat intelligence stored within ThreatQ, including commercial, industry, private, OSINT (open source intelligence) and internal sources, so you can visualize and discover additional data relationships. Since ThreatQ is commonly deployed in private networks that are not directly accessible over the Internet, Maltego Transforms for ThreatQ are delivered WHAT IS MALTEGO? as ‘local transforms’ that can be installed locally on systems running the Maltego (by Paterva) is an Maltego client software. This ensures that connectivity between the client and interactive data mining tool the ThreatQ instance is direct and does not risk sending data to public that renders directed graphs for transform servers. link analysis. The tool is used in online investigations for finding INTEGRATION BENEFITS: relationships between pieces of information from various • Query information from all Threat Library sources quickly to find additional sources located on the Internet. context to support an investigation • Correlate internal and external threat data to accelerate online WHAT IS THREATQ? investigations ThreatQ is a threat intelligence platform (TIP) that enables users • Find relationships between threats, adversaries, indicators and incidents to build a custom Threat Library™ • Easily perform
    [Show full text]
  • 3.3 Maltego Transforms for Danish OSINT-Sources
    Enhancing identification and reporting of potentially harmful public data on Danish organizations by Rasmus Lau Petersen Supervisor: Christian Damsgaard Jensen M.Sc.Eng.IT master thesis DTU Compute Technical University of Denmark Kongens Lyngby, August 1st, 2017 Summary (English) This master thesis aims to aid and enhance the current processes used to identify and report in Open Source Intelligence (OSINT) on Danish organizations. This is data generated by the daily work of the organization and its employees when they act and communicate. The data is collected by public registries or commercial 3rd parties, which can provide a valuable source of information for an attacker intending to target organizations. Security professionals are aware that such data exist and report on it as part of their services, but collecting it effectively is difficult. Relating it to the domain of the organizations acting under the different Danish legislation and standards can be difficult. The organizations themselves may have a good overview of the latter, but lack overview and awareness of OSINT and the attack scenarios this enables. We attempt to enhance the process of identification and reporting in two ways: By developing plug-ins (“transforms”) for the widely used OSINT-gathering program Maltego by Paterva and by developing a framework for inputting findings from Maltego to generate a report categorizing findings and relating them to common OSINT-enabled attack scenarios and applicable legislation, standards and guidelines. We examine current methodologies for conducting vulnerability- and penetration test assessments, standards, guidelines and Danish legislation pertaining to OSINT-data and identify and analyze a dozen common OSINT-enabled attack scenarios.
    [Show full text]
  • An Introduction to Open Source Intelligence
    An introduction to Open Source Intelligence www.8arc.com Introduction www.8arc.com Open Source Intel: what is it? where to find it? and why do we need it? www.8arc.com Data Information Intelligence www.8arc.com Closed vs Open Source Closed Open • Internal Corporate Information • Accounts • Intelligence Database • Whois • Risk Management Documents • Google (search engines) • Partner (Agency) Data • Public facing documents • Profiles: current + previous • Website Analytics (Internal) • News Channels • BI Data • Peer to Peer Forum • Financial Data • Website Analytics (External) • Intellectual Property • Social Media • CRMs • Company Information • HR records • Personnel details www.8arc.com “When I took office, only high energy physicists had ever heard of what is called the World Wide Web, now even my cat has it’s own page.” Bill Clinton, ex American President www.8arc.com We’re always looking for entities and links! The more we have the clearer the picture www.8arc.com Investigation Environment www.8arc.com Things to consider? • Stand alone network/machine • Dedicated broadband – dynamic IP address (mobile broadband) • Back up broadband & network/machine • Standard software – anti virus, firewall, IDS / IPS/ Operating System, browser etc. • Specialist software – OSINT / intelligence / evidential software & capture tools • Online legends • Visualisation Tools • Build a jumpkit www.8arc.com Also consider… • Define a set file structure • Set a file naming convention • Keep an investigation log / workbook • Investigation Plan • Risk assessment
    [Show full text]
  • Open Source Intelligence Tools and Resources Handbook
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 0 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2018 Aleksandra Bielska Natalie Anderson, Vytenis Benetis, Cristina Viehman 1 Foreword I am delighted to share the latest version of our OSINT Tools and Resources Handbook. This version is almost three times the size of the last public release in 2016. It reflects the changing intelligence needs of our clients in both the public and private sector, as well as the many areas we have been active in over the past two years. No list of OSINT tools is perfect, nor is it likely to be complete. Indeed, such is the pace of change that by the time you read this document some of our suggestions may have been surpassed or have ceased to exist. Regrettably, today's tool might also be tomorrow's vulnerability. To counter the first problem, we have included a list of toolkits provided by other OSINT practitioners working to improve the state-of-the-art. To manage the second, we recommend that all tools be tested in a secure computing environment whenever possible. Work on the next iteration of the Handbook has already begun. For now, I hope this version contributes to improving your efficiency and effectiveness as a researcher, analyst, investigator or general OSINT practitioner. Please feel free to share it with your colleagues. To encourage its broadest possible dissemination, we are publishing the Handbook under a Creative Commons CC BY License. I would like to end by thanking my colleagues at i-intelligence for their efforts in compiling the Handbook.
    [Show full text]