phishing_catcher
use frequency of significant parts of domain for scoring
While playing around with the script and the stream I often saw something like this:
[!] Likely : catfinder-beta.corp.amazon.com (score=84)
[!] Likely : catfinder-test.corp.amazon.com (score=84)
[!] Likely : catfinder.corp.amazon.com (score=83)
[!] Likely : cctracker.corp.amazon.com (score=81)
[!] Likely : cefeedback.corp.amazon.com (score=83)
[!] Likely : cepromotions.corp.amazon.com (score=82)
[!] Likely : contractcentral-gamma.corp.amazon.com (score=82)
[!] Likely : contractcentral.amazon.com (score=80)
[!] Likely : cornerstone.amazon.com (score=81)
[!] Likely : cosmos-dashboard.corp.amazon.com (score=82)
[!] Likely : cube-dub.corp.amazon.com (score=83)
[!] Likely : cube-metrics.corp.amazon.com (score=84)
[!] Likely : cube-pdx.corp.amazon.com (score=84)
[!] Likely : cube-preview.corp.amazon.com (score=84)
[!] Likely : cube-showcase.corp.amazon.com (score=84)
[!] Likely : cube.amazon.com (score=80)
[!] Likely : daenerys-beta.corp.amazon.com (score=84)
[!] Likely : dvatools.corp.amazon.com (score=82)
[!] Likely : dxa-dashboard.corp.amazon.com (score=83)
[!] Likely : fleet-widget.corp.amazon.com (score=85)
[!] Likely : fm-console.corp.amazon.com (score=83)
[!] Likely : fua.corp.amazon.com (score=81)
[!] Likely : gcxgiftfindertools-eu.corp.amazon.com (score=86)
[!] Likely : gcxgiftfindertools-fe.corp.amazon.com (score=86)
Therefore I thought that one could find the last part acting like the TLD (.com or .co.uk, compare #38) and ignore that. The rightmost part after that (in this example corp.amazon) is then checked for how often it appeared in the stream in the last, say, hour (or day, ...) and based on that its score is computed: the higher this number, the higher the score...
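One way to implement the idea described in this issue, as an added example that is not code from the phishing_catcher project: it assumes a small hard-coded suffix set in place of a real public-suffix list, treats the rightmost two labels left after stripping the suffix as the "significant part", keeps a sliding-window count of those parts, and follows the rule stated above (higher window count, higher score); the weight and cap are assumed tuning values.

```python
import time
from collections import Counter, deque

# Constructed stand-in for a public-suffix lookup (assumption for this example;
# a full public-suffix list would replace it in practice).
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def significant_part(domain):
    """Strip the public suffix and return the rightmost two remaining labels.

    'catfinder-beta.corp.amazon.com' -> 'corp.amazon'
    'amazon.com'                     -> 'amazon'
    """
    labels = domain.lower().strip(".").split(".")
    rest = labels[:-1]            # fallback for an unknown suffix: drop one label
    for n in (2, 1):              # try the longer suffix first (co.uk before uk)
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            rest = labels[:-n]
            break
    return ".".join(rest[-2:])


class SuffixFrequency:
    """Sliding-window counter of how often each significant part was seen."""

    def __init__(self, window_seconds=3600):
        self.window = window_seconds
        self.events = deque()     # (timestamp, key) in arrival order
        self.counts = Counter()

    def _evict(self, now):
        # Drop observations that fell out of the window, keeping counts in sync.
        while self.events and now - self.events[0][0] > self.window:
            _, old_key = self.events.popleft()
            self.counts[old_key] -= 1
            if self.counts[old_key] <= 0:
                del self.counts[old_key]

    def observe(self, domain, now=None):
        """Record a domain from the stream and return how often its significant
        part has been seen inside the window, this observation included."""
        now = time.time() if now is None else now
        self._evict(now)
        key = significant_part(domain)
        self.events.append((now, key))
        self.counts[key] += 1
        return self.counts[key]


def frequency_score(base_score, seen_in_window, weight=2, cap=20):
    """Raise the base score with the window count, as the issue proposes.
    weight and cap are assumed tuning values, not phishing_catcher's."""
    return base_score + min(cap, weight * (seen_in_window - 1))
```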