How to Generate Millions of Phishing Domains
A convincing domain name is critical to the success of any phishing attack. With a single Python script, it’s possible to find several available phishing domains and even identify phishing websites deployed by other hackers for purposes such as stealing user credentials.
Dnstwist, created by @elceef, is a domain name permutation search tool which detects phishing domains, bitsquatting (otherwise called typo squatting), and fraudulent websites which share similar-looking domain names. Dnstwist takes the given target domain name and generates a list of potential phishing domains. The generated domain names are then queried. If a discovered domain directs to a web server, Dnstwist will record the domain’s IP address.
Letters are appended to the end of the given domain name. Below is an example of Bank of America, one of the largest banks in the United States. Unlike some of the other options below, a simple addition is easy enough to spot by an end user if he or she just glances at the URL.
Letters in the given domain name are simply modified or changed. Below is an example for Wikipedia, the largest and most popular general reference website on the internet. This is a little trickier on the eyes than the “additions” above since a lot of people read words based on the first and last letter and don’t look at every letter individually.
Phishing campaigns using homoglyphs are referred to as homograph attacks, even though the alternative characters are referred to as homoglyphs and not homographs. These types of attacks still affect Firefox and most Android devices, and were recently made famous by Xudong Zheng, who created the first homoglyph phishing address for apple.com. Using Facebook as an example, I found there were many homoglyph phishing domains still available for as little as $11.
Letters are simply removed from the domain name. To my surprise, all of the Instagram domain names were listed as available. While someone will probably notice if the first or last letter in the domain name is missing, they might not notice one in the middle gone.
A period is inserted at varying positions in the given domain name. Using Gizmodo as an example, we can see the domains “odo.com” and “zmodo.com” are available. It’s just a matter of creating convincing subdomains to make an effective phishing domain. Like “additions,” this might be more obvious than the other tricks here.
Vowels found in the given domain are swapped for different vowels. At a glance, many of these domains will likely fool most victims into clicking on fraudulent links. Again, this works since most people scan words using the first and last letter, not necessarily every letter in the middle. If a replaced vowel is the first or last letter, it probably won’t work as well.
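For defenders, the same categories can be turned around to label names that already appear in proxy or DNS logs. The following is an added example, not Dnstwist's code and not from the original article; the category names, the `classify` and `flag_lookalikes` helpers, and the sample log entries are assumptions made for illustration.

```python
import unicodedata

VOWELS = set("aeiou")

def ascii_skeleton(label):
    """Drop combining marks so accented Latin letters compare as base letters."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(observed, protected):
    """Name the look-alike category relating observed to protected, else None."""
    obs, prot = observed.lower().rstrip("."), protected.lower().rstrip(".")
    p_label, _, p_suffix = prot.partition(".")
    if obs == prot or not obs.endswith("." + p_suffix):
        return None
    left = obs[: -(len(p_suffix) + 1)]  # everything before the shared suffix
    if not left.isascii() or any(l.startswith("xn--") for l in left.split(".")):
        # Internationalized name: an exact match after stripping accents is a
        # homoglyph; other scripts need a human look at the decoded label.
        return "homoglyph" if ascii_skeleton(left) == p_label else "idn-review"
    if "." in left:  # a dot inserted inside the name; real subdomains fall out
        return "subdomain" if left.replace(".", "") == p_label else None
    if left.startswith(p_label):
        return "addition"
    if len(left) == len(p_label) - 1:
        drops = {p_label[:i] + p_label[i + 1:] for i in range(len(p_label))}
        return "omission" if left in drops else None
    if len(left) == len(p_label):
        diff = [(a, b) for a, b in zip(left, p_label) if a != b]
        if len(diff) == 1:
            a, b = diff[0]
            return "vowel-swap" if a in VOWELS and b in VOWELS else "replacement"
    return None

# Constructed sample of names seen in proxy or DNS logs (not real indicators).
# "gizmod\u00f3.com" ends in an accented o.
OBSERVED = ["www.gizmodo.com", "giz.modo.com", "gizmoda.com", "gizmdo.com",
            "gizmodoo.com", "gizmqdo.com", "gizmod\u00f3.com", "example.org"]

def flag_lookalikes(observed, protected):
    """Return {domain: category} for each observed name resembling protected."""
    hits = {d: classify(d, protected) for d in observed}
    return {d: c for d, c in hits.items() if c}

if __name__ == "__main__":
    for domain, category in flag_lookalikes(OBSERVED, "gizmodo.com").items():
        print(f"{category:12} {domain}")
```

Ordinary subdomains such as www.gizmodo.com are not flagged, and names in other scripts are returned as "idn-review" rather than guessed at.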
Now that you know all of the tricks Dnstwist can use to find used and available phishing domains, let’s see how to actually use the tool.
Step 1: Set Up Dnstwist
Dnstwist relies on several Python dependencies which can be installed in Kali Linux by typing the below command into a terminal.
apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi
Next, clone the Dnstwist GitHub repository.
Finally, use the cd command to change into the newly created “dnstwist” directory and use the command underneath it to view the available options.
cd dnstwist/
./dnstwist.py --help
Step 2: Generate Phishing Domains with Dnstwist
To start generating phishing domains with Dnstwist, use the below command. There are several arguments being utilized in my example command, so jump down under the screenshot to see a quick breakdown.
./dnstwist.py --ssdeep --json --threads 40 website.com > website.com.json
The --ssdeep argument instructs Dnstwist to analyze the HTML found on each domain and compare it to the HTML of the given (real) website. The level of similarity will be expressed as a percentage. However, each website should be inspected manually regardless of the percentage level issued by Dnstwist. These percentages are merely there to aid security professionals in identifying which domains are most likely to be phishing domains.
Dnstwist supports two output formats which can be used with other applications. The --json output format was used in my above example but there’s also support for CSV outputs which can be enabled using the --csv argument instead of the JSON format. To save either format to a file, the > filename redirect can be used to write the data to a given filename.
By default, Dnstwist will make only 10 requests at a time when enumerating available phishing domains. This number can be increased or decreased using the --threads argument and specifying a value.
A progress bar will print at the bottom of the Dnstwist terminal. Depending on network speed and number of threads, this can take several minutes to complete.
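Once the JSON file is written, a defender can turn it into a review queue of look-alike domains that already resolve. This is an added example, not part of Dnstwist or the original article; the key names ("domain-name", "dns-a", "ssdeep-score", "fuzzer") are assumptions that differ between Dnstwist releases, and the report below is constructed.

```python
import json

# Constructed sample shaped like a dnstwist --json report. Key names are
# assumptions; check them against your own output file before relying on this.
SAMPLE_REPORT = """[
 {"fuzzer": "original*", "domain-name": "website.com", "dns-a": ["192.0.2.10"]},
 {"fuzzer": "addition", "domain-name": "websitea.com",
  "dns-a": ["198.51.100.7"], "ssdeep-score": 83},
 {"fuzzer": "omission", "domain-name": "websit.com"},
 {"fuzzer": "vowel-swap", "domain-name": "wobsite.com",
  "dns-a": ["203.0.113.5"], "ssdeep-score": 0},
 {"fuzzer": "homoglyph", "domain-name": "xn--placeholder.com",
  "dns-a": ["203.0.113.9"]}
]"""

def review_queue(report_text, protected):
    """List registered look-alikes, most similar page content first."""
    queue = []
    for entry in json.loads(report_text):
        name = entry.get("domain-name", "")
        addresses = entry.get("dns-a") or []
        if name == protected or not addresses:
            continue  # skip the real site and permutations that do not resolve
        queue.append({
            "domain": name,
            "technique": entry.get("fuzzer"),
            "addresses": addresses,
            "similarity": entry.get("ssdeep-score"),  # None when not scored
        })
    # The score only orders the queue. Low and unscored entries stay in it,
    # because every resolving domain still needs a manual look.
    queue.sort(key=lambda r: (r["similarity"] is None,
                              -(r["similarity"] or 0), r["domain"]))
    return queue

if __name__ == "__main__":
    for row in review_queue(SAMPLE_REPORT, "website.com"):
        score = "n/a" if row["similarity"] is None else f'{row["similarity"]}%'
        print(f'{row["domain"]:22} {row["technique"]:11} {score:>5}  '
              f'{", ".join(row["addresses"])}')
```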
Always Pay Close Attention to the Domain Names
As an attacker preparing to perform a phishing campaign during a red team engagement or a sysadmin preparing to defend against such attacks, Dnstwist is a fantastic tool which can be used to enumerate viable domains likely to be used for nefarious purposes. Dnstwist offers several key advantages over similar tools such as the ability to analyze and compare HTML of potential phishing domains, support for different output formats, and a wide variety of generated phishing domains.
If you’re just a regular end user visiting a website, pay extra close attention to the URL when you get there. While homoglyphs might be impossible to spot, the rest of these can be easily noticed if you spend more than a glance looking at them.
Hope you enjoyed this article on generating and detecting phishing domains with Dnstwist. Leave questions and comments below or message me on Twitter @tokyoneon_ if you need further explanation on any of this.