If you work in the Info Sec world you know that phishing is a pain in the neck, especially when you’ve been targeted by a large phishing campaign. I’ve been through these massive phishing attacks, and it is not fun!
One such attack, about a year ago, was especially difficult because the attackers used unusual tactics and spoofed a lot of internal e-mail communications.
Our procedure was to go and find the company that was hosting these phishing URLs and e-mail them to tell them to shut the site down immediately. Hosting companies like weebly.com, jimdo.com, webs.com, etc. were pretty good at shutting these sites down as soon as they were put online, but this process would take about 5 to 10 minutes and sucked!
Since this last attack, I decided to automate this process. This new script/tool is a PowerShell Module called PhishReporter.
The PowerShell module can be downloaded on GitHub: https://github.com/MSAdministrator/PhishReporter
This PowerShell Module is designed to send notifications to hosting companies that host phishing URLs by utilizing the major WHOIS/RDAP Abuse Point of Contact (POC) information.
- The main function takes in a .msg file and extracts the links (the phishing URLs) from it.
- The phishing URL's host name is then resolved to its IP address.
- Once the IP address of the hosting site is identified, we determine which WHOIS/RDAP registry to query.
- Each major WHOIS/RDAP registry is covered: ARIN, APNIC, AFRINIC, LACNIC, & RIPE.
- We call that WHOIS/RDAP registry's API to determine the abuse POC.
- Once we have the POC, we send them an e-mail telling them to shut the website down. This e-mail contains the original message as an attachment, the original phishing link, and an e-mail body telling them to remove the website.
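The resolve-and-look-up steps in the middle of that list, as an added example that is not PhishReporter's own code: a recursive walk over the RDAP entity tree to find the abuse contact's e-mail, plus a live lookup that resolves the URL's host and queries RDAP. The function names, the constructed sample response and the choice of ARIN's RDAP endpoint (which redirects to the RIR that actually holds the block) are assumptions of this example.

```powershell
# Added example, not PhishReporter's own code; the function names here are hypothetical.

function Get-RdapAbuseEmail {
    # Walks an RDAP object's entities recursively (ARIN nests the abuse POC under the
    # org entity) and returns every e-mail on an entity whose roles include "abuse".
    param([Parameter(Mandatory)] $RdapObject)
    $found = @()
    foreach ($entity in @($RdapObject.entities)) {
        if ($entity.roles -contains 'abuse' -and $entity.vcardArray) {
            # vcardArray is jCard: ["vcard", [[name, params, type, value], ...]]
            foreach ($prop in $entity.vcardArray[1]) {
                if ($prop[0] -eq 'email') { $found += $prop[3] }
            }
        }
        if ($entity.entities) { $found += Get-RdapAbuseEmail -RdapObject $entity }
    }
    $found | Where-Object { $_ } | Select-Object -Unique
}

function Get-PhishAbuseContact {
    # Live lookup: host -> first IPv4 address -> RDAP. ARIN's RDAP service redirects
    # queries for space held by APNIC, AFRINIC, LACNIC or RIPE to that RIR, and
    # Invoke-RestMethod follows the redirect, so one entry point covers all five.
    param([Parameter(Mandatory)][string] $Url)
    $hostName = ([System.Uri]$Url).Host
    $ip = ([System.Net.Dns]::GetHostAddresses($hostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1).ToString()
    $rdap = Invoke-RestMethod -Uri "https://rdap.arin.net/registry/ip/$ip" `
        -Headers @{ Accept = 'application/rdap+json' }
    [pscustomobject]@{ Host = $hostName; IPAddress = $ip; AbuseEmail = @(Get-RdapAbuseEmail -RdapObject $rdap) }
}

# Constructed RDAP response in the registry's shape (not real data) so the parser can
# be exercised offline; the abuse POC is deliberately nested under the org entity.
$sampleJson = @'
{ "handle": "NET-203-0-113-0", "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
  "entities": [ { "handle": "EXAMPLE-ORG", "roles": ["registrant"],
    "entities": [ { "handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["email", {}, "text", "abuse@hosting.example"]]] } ] } ] }
'@
Get-RdapAbuseEmail -RdapObject ($sampleJson | ConvertFrom-Json)

# Live use against a URL extracted from the .msg (needs network access):
# (Get-PhishAbuseContact -Url 'http://phish.example/login').AbuseEmail
```

Running the offline part prints the nested abuse address, which is the value the notification e-mail step would be sent to.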
This module came out of necessity. I was sick of trying to contact these individual sites, so I have begun automating our response to these events.
The next steps for this project are to fully integrate it into Outlook and automate it even further, triggered by a simple text search or by a selected 'folder' event. Please share with the security community and contribute/improve as you see fit. I only ask that you share your edits back with this project.