
Phishing Templates

Open · rxerium opened this issue 2 years ago · 1 comment

Hi team,

I've introduced a new category of templates called phishing to identify hosts operating as phishing websites, aiming to deceive users into divulging sensitive information or downloading harmful software. This pull request incorporates over 100 templates covering various aspects, including:

  • Password Managers
  • Finance / banking websites
  • Popular websites such as Google, Facebook, Amazon etc.
  • Shopping sites
  • Gaming platform websites
  • Antivirus sites
  • And more!

Do let me know if anything needs to be changed in terms of formatting / tags / template names etc.

Many thanks

Rishi

rxerium · Feb 18 '24 08:02

Thanks so much for these templates @rxerium - a very interesting idea indeed. We're talking about these internally as we think this is a very cool idea.

olearycrew · Feb 19 '24 14:02

Hi all, very happy for this PR to be merged if all good on your end 😊

I'll create new PRs if I come up with any new ideas of phishing templates.

rxerium · Feb 28 '24 12:02

@rxerium Sorry for the delay. I am still working on this, making sure we don't get any false positive results.

princechaddha · Feb 28 '24 12:02

@rxerium, thank you so much for sharing these templates with the community and contributing to this project 🍻

I have moved the templates to the OSINT directory as they will come in handy for OSINT guys hunting for phishing websites. Thanks for expanding the templates by adding a new category. Also, do you have any source or reference for the templates? If yes, we can add it to the reference field; otherwise, we are good to merge it.

princechaddha · Feb 28 '24 18:02

Thanks for this @princechaddha. I don't, but I think it might be useful to have some sort of guide which informs users how they can manually detect phishing websites, maybe one of the below?

  • https://www.metacompliance.com/blog/phishing-and-ransomware/5-ways-to-identify-a-phishing-website
  • https://www.egress.com/blog/phishing/how-to-identify-a-phishing-website
  • https://cwatch.comodo.com/how-to/identify-phishing-website.php

rxerium · Feb 28 '24 18:02

Here are a few false positives I have found:

[amazon-phish] [http] [info] https://brandregistry.amazon.co.uk/ap/signin?openid.return_to=https%3A%2F%2Fbrandregistry.amazon.co.uk%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_brand_desktop_uk&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&mons_redirect=sign_in
[iCloud-phish] [http] [info] https://publish.iwork.apple.com
[amazon-phish] [http] [info] https://vendorcentral.amazon.co.uk/ap/signin?openid.pape.preferred_auth_policies=SinglefactorWithPossessionChallenge&openid.return_to=https%3A%2F%2Fvendorcentral.amazon.co.uk%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_vc_uk_v2&openid.mode=checkid_setup&intercept=false&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&pageId=amzn_vc_uk_auth&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&mons_redirect=sign_in
[amazon-phish] [http] [info] https://marketplacedeveloper.amazon.co.uk/ap/signin?openid.return_to=https%3A%2F%2Fmarketplacedeveloper.amazon.co.uk%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=mde_eu_amazon&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&mons_redirect=sign_in
[amazon-phish] [http] [info] https://brandregistry.amazon.co.uk/ap/signin?openid.return_to=https%3A%2F%2Fbrandregistry.amazon.co.uk%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_brand_desktop_uk&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&mons_redirect=sign_in

princechaddha · Feb 29 '24 03:02

Hey team, is this PR ready to be merged? Very happy to provide further input if necessary 😊

rxerium · Mar 06 '24 06:03

I feel like this is not a good idea, but maybe I just don't understand the concept right.

  1. What is the real-life use case for this? I feel like people who use Nuclei are already knowledgeable enough to recognize a fake website of their bank.
  2. Why are templates like "adobe.com" included? It's a legit website from the Adobe company. The templates are missing references (links) and descriptions of why this specific website is marked as phishing.

Michal-Mikolas · Mar 06 '24 07:03

@rxerium @Michal-Mikolas, I believe this could be a good addition for OSINT enthusiasts hunting for phishing websites across the internet. However, it may not be useful for all users here and could produce false positive results if run internally by the companies of those particular websites, because the host matcher might not match, and the word match would. We can add these templates and configure them not to run on a default scan, but only during an OSINT profile scan. What do you guys think?

princechaddha · Mar 06 '24 07:03

Hey @Michal-Mikolas, thanks for your message. Those are two valid points and I'm very happy to answer them.

  1. Agreed. The primary use case for this would be to enable automation by running scans on a large number of assets at scale. Active monitoring of assets (you own / have permission to scan) was one of the driving forces behind this idea, as the detection of phishing websites can be an indicator of domain takeover.
  2. When creating the templates I aimed to include common websites which include login forms, download links and data-gathering forms, and Adobe fits these criteria.

rxerium · Mar 06 '24 07:03

> We can add these templates and configure them not to run on a default scan, but only during an OSINT profile scan. What do you guys think?

@princechaddha I think that's a good idea :)

rxerium · Mar 06 '24 07:03

Oh, wait... Sorry, my bad, I should just learn the proper template syntax first :-D

This means a website with the "Adobe: Creative, marketing and document management solutions" text but not in the "adobe.com" domain, right?

    matchers:
      - type: word
        words:
          - 'Adobe: Creative, marketing and document management solutions'

      - type: dsl
        dsl:
          - '!contains(host,"adobe.com")'

Now it makes perfect sense to me. Once again, sorry :-)

Michal-Mikolas · Mar 06 '24 08:03

> Where in the adobe.com website is this "fraudulent solicitation"?

There isn't; adobe.com is a legitimate website, hence why I have added the following to the template:

      - type: dsl
        dsl:
          - '!contains(host,"adobe.com")'

I am very happy to run down the template with you if it helps :)

> Again, in the template file, there should be reference and description why the website is marked as phishing.

I have opted not to implement this due to the dynamic nature of phishing websites, which can closely mimic legitimate ones, i.e., we cannot confirm that certain elements are present on a phishing website as they vary. One thing which we can do is reliably match the title and/or description of the phishing website.

rxerium · Mar 06 '24 08:03
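The word + dsl matcher pair quoted above, modelled in Python so the exclusion rule can be checked against sample hosts offline. This is an added example for this thread, not nuclei's own code and not a template from the repository. It assumes the two matchers are combined with `matchers-condition: and` (the quoted excerpt omits the key; the discussion implies AND), that the DSL `host` variable holds the bare hostname of the target, and it uses constructed hostnames (`adobe.co.uk`, `adobe-login.example`, `adobe.com.example`, `news.example`) rather than real scan results. It shows the false-positive class reported earlier in the thread: a substring exclusion such as `!contains(host,"adobe.com")` still fires on a legitimate host under a different registrable domain (the `amazon.co.uk` results above are exactly that shape), and the remedy is an allow-list of registrable domains compared as domains, not substrings.

```python
"""
Model of a nuclei `type: word` + `type: dsl` matcher pair from the phishing
templates discussed in this thread. Added illustration, not nuclei's code.
Assumptions: `host` is the bare target hostname; the matchers are joined with
`matchers-condition: and`; every hostname below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    host: str  # hostname the request went to (assumed to be what DSL `host` holds)
    body: str  # HTTP response body


# Matcher values exactly as quoted for the Adobe template in the thread.
ADOBE_WORDS = ["Adobe: Creative, marketing and document management solutions"]
ADOBE_EXCLUDE = "adobe.com"

# Allow-list for the stricter variant: registrable domains the brand owns.
# "adobe.co.uk" is a constructed entry standing in for regional hosts, the
# same shape as the amazon.co.uk hosts that produced the reported false positives.
ADOBE_ALLOWED = ("adobe.com", "adobe.co.uk")


def word_matcher(body: str, words: list[str]) -> bool:
    """`type: word`: true when any listed string occurs in the body (case-sensitive)."""
    return any(w in body for w in words)


def dsl_not_contains_host(host: str, needle: str) -> bool:
    """`!contains(host, needle)`: a plain substring test, which is what DSL `contains` does."""
    return needle not in host


def template_matches(resp: Response, condition: str = "and") -> bool:
    """Combine the two matchers the way `matchers-condition` does.

    `and` is the intended reading: "carries the Adobe title AND is not adobe.com".
    With `or` (nuclei's default when the key is omitted) any host that is not
    adobe.com would match regardless of its content, so the key matters.
    """
    results = [
        word_matcher(resp.body, ADOBE_WORDS),
        dsl_not_contains_host(resp.host, ADOBE_EXCLUDE),
    ]
    return all(results) if condition == "and" else any(results)


def is_under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or a dotted subdomain: 'www.adobe.com' yes, 'adobe.com.example' no."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def template_matches_strict(resp: Response) -> bool:
    """Same word check, but the exclusion compares registrable domains, not substrings."""
    if not word_matcher(resp.body, ADOBE_WORDS):
        return False
    return not any(is_under_domain(resp.host, d) for d in ADOBE_ALLOWED)


ADOBE_TITLE = "<title>Adobe: Creative, marketing and document management solutions</title>"

# Constructed sample responses (not real scan output).
SAMPLES = {
    "official": Response("www.adobe.com", ADOBE_TITLE),          # legitimate, excluded by both
    "unrelated": Response("news.example", "<title>Daily news</title>"),
    "lookalike": Response("adobe-login.example", ADOBE_TITLE),   # what the template is for
    "regional": Response("helpx.adobe.co.uk", ADOBE_TITLE),      # legitimate, substring test misses it
    "dotted-suffix": Response("adobe.com.example", ADOBE_TITLE), # substring test wrongly excludes it
}


def evaluate(samples: dict[str, Response] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Return {name: (substring-exclusion verdict, strict-exclusion verdict)} per sample."""
    return {name: (template_matches(r), template_matches_strict(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:14} substring={str(loose):5} strict={strict}")
```

Run stand-alone it prints one row per sample. The "regional" row is the reported false-positive class: the title matches and `adobe.co.uk` does not contain the string `adobe.com`, so the template fires on a host the brand owns; only adding that domain to the allow-list fixes it. The strict variant also stops suppressing a host that merely embeds `adobe.com` as a label, which the substring test silently lets through. Note that nuclei's `contains`, word matching and the `or` default are standard behaviour, but the Python here is a model of that behaviour, not the engine itself.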

> This means website with "Adobe: Creative, marketing and document management solutions" text but not in the "adobe.com" domain, right?

Yep, that is correct, and no worries! 😊

rxerium · Mar 06 '24 08:03

Now, after understanding the idea, I think it's a great feature 😇

Michal-Mikolas · Mar 06 '24 08:03