PhishReporter: PowerShell Module

If you work in the Info Sec world you know that phishing is a pain in the neck, especially when you’ve been targeted by a large phishing campaign.  I’ve been through these massive phishing attacks, and it is not fun!

One such attack, about a year ago, was especially difficult because the attackers were using very unique tactics and spoofing lots of internal e-mail communications.

Our procedure was to go and find the company that was hosting these phishing URLs and e-mail them to tell them to shut the site down immediately.  Hosting companies like weebly.com, jimdo.com, webs.com, etc. were pretty good at shutting these sites down as soon as they were put online, but this process would take about 5 to 10 minutes and sucked!

Since this last attack, I decided to automate this process.  This new script/tool is a PowerShell Module called PhishReporter.

The PowerShell module can be downloaded on GitHub: https://github.com/MSAdministrator/PhishReporter

This PowerShell Module is designed to send notifications to hosting companies that host phishing URLs by utilizing the major WHOIS/RDAP Abuse Point of Contact (POC) information.

  1. This function takes in a .msg file and strips links from a phishing URL.
  2. After getting the phishig email, it is then converted to it’s IP Address.
  3. Once the IP Address of the hosting website is identified, then we check which WHOIS/RDAP to search.
  4. Each major WHOIS/RDAP is represented: ARIN, APNIC, AFRNIC, LACNIC, & RIPE.
  5. We call the specific WHOIS/RDAP’s API to determine the Abuse POC.
  6. Once we have the POC, we send them an email telling them to shut the website down. This email contains the original email as an attachment, the original phishing link, and e-mail body telling them to remove the website.

This Module came out of necessity. I was sick of trying to contact these individual sites, so I have began automating our response time to these events.

The next steps for this project are to fully integrate into Outlook and automate this even further by enabling a simple text search or based on a selected ‘folder’ event. Please share with the Security community and contribute/improve as you deem fit. I only ask that you share your edits back with this project.

Advertisements

One thought on “PhishReporter: PowerShell Module

  1. Hey Josh, love the idea of a Phishing Reporting add in. I was thinking of trying to develop one myself when I ran across your post. I am having trouble complying it and was hoping you had a few tips for me. I get these errors when I try to build PhishReporter. Any ideas? I directly downloaded your code from Github (Sorry I but I couldn’t find your email…)

    >C:\Program Files (x86)\MSBuild\14.0\bin\Microsoft.Common.CurrentVersion.targets(2884,5): warning MSB3327: Unable to find code signing certificate in the current user’s Windows certificate store. To correct this, either disable signing of the ClickOnce manifest or install the certificate into the certificate store.
    1>C:\Program Files (x86)\MSBuild\14.0\bin\Microsoft.Common.CurrentVersion.targets(2884,5): error MSB3326: Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.
    1>C:\Program Files (x86)\MSBuild\14.0\bin\Microsoft.Common.CurrentVersion.targets(2884,5): error MSB3321: Importing key file “PhishReporter_TemporaryKey.pfx” was canceled.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s