Detecting Malicious URLs with Certificate Transparency Logs and Facebook
Brian Krebs published a new blog today that highlights how half of all Phishing Sites are now HTTPS. End User Awareness to look for websites that aren’t encrypted as a telltale sign that the website might not be legitimate might be a thing in the past. This just simply means the data being transmitted is not secured.
So how do we look at protecting users from clicking on websites that are now using HTTPS? How do we improve our detection capabilities when users click on a phishing URL using HTTPS?
Recently, I started looking at a Certificate Transparency Monitoring Tool from Facebook…..Surprisingly, yes Facebook.
How does this tool work? When a certificate is registered with a Certificate Authority, this transaction is stored in a Certificate Transparency Log. The Certificate Transparency Logs from the different Certificate Authorities are consumed and allow Facebook users/developers to search for new certificates for domains they subscribe too. Facebook will search for any certificate where the domain name is present or part of a subject alternative name. Facebook will alert if the domain appears to be potentially phishing or not.
You can receive these alerts through either a Facebook push notification, e-mail or through a Webhook using their API.
Setting up alerts for e-mail notifications for your domain or another domain is easy to do with their Certificate Transparency Monitoring Tool.
Receiving these notifications through their API and a Webhook does require a little bit of development effort to setup a Webhook endpoint, but this can be achieved and the data can be used to correlate against URL logs in a SIEM or added to a dynamic block list for domains marked as potentially phishing.
Since bad actors are starting to adopt HTTPS to evade detection, registering these certificates also allow us as network defenders to detect possible phishing domains based on their registered certificate name.