The Extension and Customisation of the Maltego Data-Mining Environment Into an Anti-Phishing System

The Extension and Customisation of the Maltego Data-Mining Environment Into an Anti-Phishing System

The Extension and Customisation of the Maltego Data-Mining Environment into an Anti-Phishing System Submitted in partial fulfilment of the requirements of the degree of Bachelor of Science (Honours) of Rhodes University Matthew Marx Grahamstown, South Africa November 2, 2014 Contents 1 Introduction 1 1.1 Problem Statement and Research Goals . 1 1.2 Scope . 2 1.3 Document Structure . 3 2 Background 4 2.1 History and background . 4 2.1.1 Phishing and Pharming . 5 2.1.2 The Anatomy of a phishing attack . 5 2.2 The cost of a phishing attack . 7 2.2.1 Phishing and Data Breaches . 8 2.3 Online Identity . 9 2.3.1 ICANN . 9 2.3.2 WHOIS . 10 2.3.3 Certificate Authorities . 12 2.3.3.1 The role of Certificate Authorities in Phishing and Anti- Phishing . 12 2.3.4 PhishTank . 14 1 CONTENTS 2 2.4 Types of phishing attacks . 14 2.4.1 Clone Phishing . 14 2.4.2 Tabnabbing . 16 2.4.3 Spear Phishing . 16 2.5 Anti-Phishing methodologies . 17 2.5.1 Anti-Phishing Collectives . 18 2.5.1.1 Anti-Phishing Work Group . 18 2.5.1.2 US-CERT . 18 2.5.1.3 PhishTank . 19 2.5.2 Website take down . 19 2.5.3 Browser Anti-Phishing mechanisms . 19 2.5.3.1 Anti-Phishing Heuristics . 20 2.5.3.2 Phishing Blacklists . 20 2.5.4 Email Filtering and Content Filtering . 20 2.6 Abuse Reporting Mechanisms . 21 2.6.1 Blacklisting services . 21 2.6.2 Placing an abuse report with domain registrar . 21 2.7 Summary . 22 3 Design 23 3.1 System Goals . 23 3.2 Underlying Architecture . 24 3.2.1 Maltego . 24 CONTENTS 3 3.2.2 Maltego Machines . 29 3.2.3 Programming Languages . 30 3.2.4 Transforms . 31 3.3 Entities . 32 3.3.1 Domain . 34 3.3.2 Email Address: . 34 3.3.3 IPv4 . 34 3.3.4 Email Source . 34 3.3.5 Abuse Report Email . 35 3.3.6 EmailSourceDirectory . 35 3.3.7 Potential Phishing URL . 35 3.3.8 Suspicious Email Address . 35 3.3.9 Phishing Target . 36 3.3.10 Confirmed Phishing URL . 36 3.3.11 Phishing Kit . 36 3.4 Transforms . 36 3.4.1 Verify Phishing Link . 37 3.4.2 Generating Abuse Report Emails . 38 3.4.3 Directory Monitoring . 39 3.4.4 Link Extraction and analysis . 39 3.4.5 WHOIS . 40 3.5 Automating the process . 41 CONTENTS 4 4 Case Studies 43 4.1 An attack launched from a compromised server . 43 4.1.1 Background . 43 4.1.2 Exploration and Fingerprinting . 44 4.1.3 Analysis . 46 4.2 Correlating relationships between larger data-sets . 48 4.2.1 Background . 49 4.3 Automated monitoring . 52 5 Conclusion 55 5.1 Analysis of Goals . 55 5.2 Future Work . 56 5.2.1 Introducing additional online services . 56 5.2.2 Extension into analysis of attachments . 57 5.2.3 Reporting Mechanism . 57 5.2.4 Tool Integration . 57 References 59 A Appendix 62 List of Figures 2.1 The mechanics of a Phishing attack . 6 2.2 A Typical Phishing URL . 7 2.3 An example of a certificate verifying the identify of an online service . 13 2.4 A typical phishing email . 15 2.5 Tabnabbing . 16 2.6 Mechanics of a spear-phishing attack . 17 3.1 Creating a new graph . 26 3.2 Running a transform . 26 3.3 The transform produces a new IPv4 entity . 27 3.4 A more complex set of entities and relationships . 28 3.5 Block Layout . 29 3.7 Circular Layout . 29 3.6 Hierarchical Layout . 30 3.8 Regular expression used to extract links and URLs . 40 3.9 Regular expression used to email addresses . 40 4.1 Creating an email source entity . 45 5 LIST OF FIGURES 6 4.2 Analysis of the emailSource entity . 46 4.3 Exploring the domain involved in the attack . 46 4.4 http://www.venisetours.com . 47 4.5 The redirected page . 47 4.6 The redirected page . 48 4.7 Multiple emails represented in Phishtego . 49 4.8 Closed Systems . 50 4.9 Related Attacks . 50 4.10 Related Attacks with Malicious Links reported . 51 4.11 Closed Systems . 53 4.12 Closed Systems . 54 4.13 Automated email retrieval and transforms . 54 List of Tables 3.1 Maltego : Minimum Hardware Requirements . 25 3.2 A Summary of Phishtego Entities . 33 3.3 Verify Phishing URL . 37 3.4 Generating abuse report emails . 38 3.5 Monitoring a local directory for emails . 39 3.6 Link extraction and analysis . 39 3.7 WHOIS . 40 7 Abstract Phishing attacks prove to remain one of the most serious threats to data assets. In particular, the ease and lack of cost associated with setting up and running a successful attack mean that there is no substantial barrier to entry into the phishing world. One of the most important means of understanding and combating a phishing attack is to fingerprint the attack by extrapolating information contained in a phishing email. This includes a substantial amount of information that is contained in the emails headers that is often ignored in the viewing of an email. This project looks to provide an extension to the Maltego framework to provide exploration and reaction to a phishing campaign. In doing so it provides abuse reporting mechanisms and integration with both Google's SafeBrowsing and the Phishtank API. ACM Computing Classification System Classification Thesis classification under the ACM Computing Classification (2012 version, valid through 2014) I.4.3.2 [Security and privacy]: Phishing M.2.6.1 [Social and professional topics]: Computer Crime General terms: Phishing, Abuse Reporting, Attack Fingerprinting Acknowledgements This work was undertaken in the Distributed Multimedia CoE at Rhodes University, with financial support from Telkom SA, Tellabs, Genband, Easttel, Bright Ideas 39, THRIP and NRF SA (TP13070820716). The authors acknowledge that opinions, findings and conclusions or recommendations expressed here are those of the author(s) and that none of the above mentioned sponsors accept liability whatsoever in this regard. I would like to thank everyone that has supported me.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    75 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us