Detecting phishing domains using Certificate Transparency
By David Huang, Bartosz Niemczura and Amy Xu
We are extending the capabilities of our Certificate Transparency Monitoring tool so that developers can quickly learn about newly certified domains that impersonate theirs for phishing. The tool alerts website owners to these look-alike domains so that they can take action to protect their domain and the people who use their websites.

PHISHING ATTACKS

Attackers are constantly developing new ways to deceive people, and so we must come up with new ways to help protect people from these threats. Phishing websites try to trick people into revealing their passwords, credit card numbers, or other sensitive information. One of the techniques we are seeing involves registering a domain that looks very similar to the legitimate website that the attacker wants to impersonate. The phishing website can look identical to the real website in an attempt to fool people into giving up their personal information.
Phishing domains can be difficult to recognize and enumerate because of various techniques that make a phishing URL look more legitimate. Some of the attacks that we have observed include:
  • Using different characters to construct a malicious domain that looks similar to a legitimate domain (aka homograph attacks):
    • faceb00k[.]com: the letter “o”s in “facebook” are replaced by the number “zero”
    • facebook[.]com: the letter “о” is the Cyrillic small letter o (U+043E), which renders identically to the Latin “o” (U+006F) in most fonts
  • Combining recognizable brand names with other keywords to create fake domains (aka combo squatting):
    • helpdesk-facebook[.]com
    • facebook[.]com-legit.com
  • Taking advantage of small screens on mobile devices which cannot display the full domain:
    • facebook[.]com.long.subdomain.that.will.not.be.fully.shown.on.mobile.devices.com
  • Common misspellings or typos (aka typo-squatting):
    • faecbook[.]com
    • faceboook[.]com
To make their malicious domains look more credible, attackers nowadays routinely obtain valid TLS certificates for them. Because the certificate is valid, browsers may display a “secure” indicator — a green padlock and/or the word "secure" — for the phishing website. That indicator is not wrong: the connection really is encrypted and the certificate really was issued for that domain. But a domain-validated certificate only proves that the requester controlled the domain at issuance time; it says nothing about who they are or what the site does, so it does not stop the phishing website from tricking people into sharing their information.

DETECTING PHISHING DOMAINS

Certificate Transparency Logs are designed to keep a public, append-only record of the certificates issued by publicly-trusted Certificate Authorities, and major browsers now require publicly-trusted certificates to be logged. A certificate for a look-alike domain therefore appears in the logs shortly after it is issued, usually before the phishing site goes live. We have been using these logs to monitor certificates issued for domains owned by Facebook and have created tools to help developers take advantage of the same approach. Using these tools, developers can learn about certificates that are mis-issued for the domains they control.
We are extending the capabilities of our Certificate Transparency Monitoring Tool to send alerts when certificates are issued for potential phishing domains. Every time a new certificate appears in any public Certificate Transparency Log, our tool analyzes the domains specified by the certificate for phishing attempts by taking into consideration the most common spoofing techniques — such as those described above. If it suspects that the domain is likely associated with phishing, it can notify subscribers of the tool for the legitimate domain by sending email, push, or on-site notifications, depending on their preference.
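To make the techniques above concrete, here is a small heuristic checker of the kind a monitor runs over the subject alternative names of each newly logged certificate. It is an added example written for this article, not the code of Facebook's monitoring tool: it decodes punycode (xn--) labels, maps look-alike characters onto an ASCII skeleton, and then tests each label for the homograph, combo-squatting, brand-as-subdomain and typo-squatting patterns described above. The brand list, the confusables table and the sample SAN list are constructed for illustration; the names in the sample are the examples from this post plus two benign ones.

```python
"""Heuristic phishing-domain checks over names from CT-logged certificates.
Added example, not Facebook's monitoring tool. The protected-brand list, the
confusables table and the sample SAN list are constructed for illustration."""
import unicodedata

# Brands (second-level labels) a subscriber wants watched; assumed for the example.
BRANDS = ("facebook", "whatsapp", "instagram")

# Hand-built look-alike -> ASCII table. A real tool would use the full Unicode
# TR39 confusables data; this subset covers the spoofs discussed in the post.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",       # digits standing in for letters
    "\u043e": "o", "\u0435": "e", "\u0430": "a",  # Cyrillic o, ie, a
    "\u0441": "c", "\u0440": "p",                 # Cyrillic es, er
    "\u0251": "a", "\u026f": "w",                 # IPA alpha, turned m
}

def to_unicode(domain: str) -> str:
    """Lower-case a SAN dNSName and decode any xn-- (A-label) labels.
    Certificates and CT logs carry the ASCII form, so this must run first."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep as-is, it will not match a brand
        labels.append(label)
    return ".".join(labels)

def skeleton(label: str) -> str:
    """Replace confusable characters so look-alike labels collapse onto one string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so the swapped
    letters in 'faecbook' count as a single edit rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(domain: str) -> list:
    """Return the spoofing patterns a name shows against the protected brands
    (empty list = nothing suspicious). Findings read 'brand: technique (label)'."""
    labels = to_unicode(domain).split(".")
    # Simplification: treat the last two labels as the registrable domain.
    # A real monitor would consult the Public Suffix List (co.uk, com.br, ...).
    registrable = ".".join(labels[-2:])
    findings = []
    for brand in BRANDS:
        if registrable == f"{brand}.com":
            continue  # the brand's own domain or one of its subdomains
        for label in labels[:-1]:  # never score the TLD itself
            sk = skeleton(label)
            if label == brand:  # facebook.com-legit.com, facebook.com.long...devices.com
                findings.append(f"{brand}: brand used as subdomain of {registrable}")
            elif sk == brand:  # faceb00k, Cyrillic or IPA letters for Latin ones
                findings.append(f"{brand}: homograph ({label})")
            elif brand in sk:  # helpdesk-facebook
                findings.append(f"{brand}: combo-squat ({label})")
            elif len(sk) >= 6 and edit_distance(sk, brand) == 1:  # faecbook, faceboook
                findings.append(f"{brand}: typo-squat ({label})")
    return findings

def scan_certificate(san_names) -> dict:
    """What a monitor does per CT entry: classify every SAN name and keep the hits."""
    return {name: hits for name in san_names if (hits := classify(name))}

# Constructed stand-in for the dNSName SANs of one certificate taken from a CT
# log: the examples from this post plus two benign names.
SAMPLE_SANS = [
    "www.facebook.com",
    "example.org",
    "faceb00k.com",
    "xn--facbook-9gg.ml",
    "helpdesk-facebook.com",
    "facebook.com-legit.com",
    "facebook.com.long.subdomain.that.will.not.be.fully.shown.on.mobile.devices.com",
    "faecbook.com",
    "faceboook.com",
    "xn--whtspp-cxcc.com",
    "xn--hatsapp-fid.com",
    "instagram.com-verify.me",
]

if __name__ == "__main__":
    for name, hits in scan_certificate(SAMPLE_SANS).items():
        print(name, "->", "; ".join(hits))
```

The order of the checks matters: an exact brand label is tested before the skeleton comparison so that a genuine brand name used as a subdomain of someone else's registrable domain is reported as such rather than as a homograph, and the substring test runs before the edit-distance test so that combo-squats are not misreported as typos. Real monitors also apply allow-lists for the subscriber's own domains and those of known partners, since the same patterns legitimately appear in, for example, support portals that a brand operates on a separate domain.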
To enable free phishing domain monitoring service and manage your subscriptions, please visit: developers.facebook.com/tools/ct/subscriptions
We are also extending our Webhook API to help developers easily integrate this new phishing detection feature into their external systems. In order to receive a webhook request every time Facebook detects a phishing attempt on your domain, please follow the steps described in the Certificate Transparency Webhook documentation.

EARLY RESULTS

Using this tool, we have caught a number of phishing sites that tried to impersonate our services and have banned those domains, for example:
  • Facebook: facеbook[.]ml (punycode: xn--facbook-9gg[.]ml), facebook.com-help.10014005192[.]com
  • WhatsApp: whɑtsɑpp[.]com (punycode: xn--whtspp-cxcc[.]com), ɯhatsapp[.]com (punycode: xn--hatsapp-fid[.]com)
  • Instagram: instagram.com-verify[.]me, instagram.com-acc[.]gq

RESPONDING TO A PHISHING ATTEMPT

If you receive a notification about a phishing attempt and confirm that it is trying to impersonate your site, consider taking actions to protect your website and the domains you own. You can:
  • Reach out to the domain registrar to suspend the bad domain, for example on the grounds of trademark infringement,
  • Reach out to browser vendors to blocklist the bad domain so that browsers display a deceptive-site warning to visitors,
  • Reach out to the issuing Certificate Authority to revoke the certificate for the phishing domain where its policies allow it,
  • Educate people who use your service in case of an attack to increase their vigilance.
By taking action to shut down bad domains that are created solely to trick people, legitimate website owners can protect their sites and help prevent others from falling for harmful scams.
David Huang is a security engineer on the Product Security team. Bartosz Niemczura is a software engineer on the Product Security team. Amy Xu is a software engineer on the Product Security team.