Facebook CT tool

Facebook has updated a phishing detection toolkit it developed two years ago. The update now allows webmasters who sign up for the tool to detect homograph (Unicode-based lookalike) domains created for their websites.

The tool in question is named Certificate Transparency Monitoring, a Facebook-hosted application. Any website owner can sign up for this free service using their Facebook account.

Webmasters can add their domains to a dashboard, and Facebook's tool will scan public Certificate Transparency (CT) logs.

CT logs hold information about domains that recently obtained an SSL certificate, and browsers are about to make CT logging mandatory.

Facebook's tool will warn website owners about new sites found in these CT logs that use a similar name to theirs.

Facebook launched this tool in 2016 on the premise that if someone gets an SSL certificate for a site with a domain very similar to another, they are most likely to carry out a phishing attack to collect user credentials or financial information.

Support for homograph attacks

Today, Facebook updated the Certificate Transparency Monitoring tool with a new feature to detect a new type of phishing attack that has become very popular in the past year.

The new attack is called an "IDN homograph attack" and consists of registering domains that use internationalized Unicode characters in their names.

For example, an attacker can register coịnbạse.com, which is a totally distinct domain in the eyes of a computer. (Take a closer look at the domain to notice the small dots under the "i" and "a" characters.)

Such attacks have become quite prevalent, with several incidents reported in the past year alone [1, 2, 3].

Support for homograph attacks complements the tool's existing ability to detect other types of mangled domains, such as those that combine different words (helpdesk-facebook[.]com), common misspellings (faecbook[.]com), or those that nest multiple subdomains to push the real domain offscreen (facebook[.]com.long.subdomain.that.will.not.be.fully.shown.on.mobile.devices.com).
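An added example, not Facebook's code, of how a CT-log monitor could sort a newly logged domain into the four lookalike classes described above (homograph, nested subdomain, word combination, misspelling). The `skeleton` and `classify` functions, the tiny confusables subset and the one-label public-suffix assumption are mine; CT logs carry the punycode (`xn--`) form, which the code decodes before comparing.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Optional

# Constructed, deliberately tiny subset of Unicode TR39 confusables (Cyrillic -> Latin);
# a real monitor would load the full confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def skeleton(label: str) -> str:
    """Reduce one DNS label to the ASCII string a human would read it as:
    NFKD-decompose, drop combining marks (the dots under i and a), map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch)).lower()


def classify(candidate: str, brand: str) -> Optional[str]:
    """Classify a domain seen in a CT log against a protected brand domain such as
    'facebook.com'. Returns a lookalike class, or None for the brand's own domain
    (and its subdomains) or for names that are not similar at all."""
    brand_label, brand_suffix = brand.lower().split(".", 1)
    candidate = candidate.rstrip(".").lower()
    if candidate.isascii():                 # CT logs store the punycode (xn--) form
        try:
            candidate = candidate.encode("ascii").decode("idna")
        except UnicodeError:
            return None                     # malformed IDN label, not a lookalike
    labels = candidate.split(".")
    if len(labels) < 2:
        return None
    registrable, suffix = labels[-2], labels[-1]   # assumes a one-label public suffix
    if registrable == brand_label and suffix == brand_suffix:
        return None                         # the brand itself or one of its subdomains
    if any(skeleton(lab) == brand_label for lab in labels[:-2]):
        return "nested-subdomain"           # facebook.com.long....devices.com
    sk = skeleton(registrable)
    if sk == brand_label:                   # reads as the brand but is a different name
        return "homograph" if registrable != brand_label else "suffix-swap"
    if brand_label in sk:
        return "word-combination"           # helpdesk-facebook.com
    if SequenceMatcher(None, sk, brand_label).ratio() >= 0.8:
        return "misspelling"                # faecbook.com
    return None


if __name__ == "__main__":
    for name, brand in [("coịnbạse.com", "coinbase.com"), ("faecbook.com", "facebook.com"),
                        ("helpdesk-facebook.com", "facebook.com")]:
        print(name, "->", classify(name, brand))
```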

Tool also gets email alerts

Facebook has also added the ability to alert domain owners via email when a new suspected phishing domain pops up in CT logs.

Past reports and surveys have shown that phishing attacks are usually most effective in the first few hours after a campaign starts, so getting alerts and acting as quickly as possible may avert a serious cyber-security incident for your users or employees.

Once domain owners are aware of such a domain, they can contact the certificate authority that issued its certificate to have it revoked, ask browser vendors to blacklist the domain, ask the domain registrar to suspend it, and alert staff or users about an incoming attack.

For webmasters who don't have a Facebook account, there are self-hosted alternatives to this tool, such as Certstreamcatcher. Another tool that monitors CT logs, but doesn't alert you about phishing domains, is Cert Spotter.

Facebook's devs have a small obsession with detecting phishing attempts, and for a good reason, as they have to guard over 2.2 billion users. In the past, they have added anti-phishing features to Facebook accounts, but have also awarded prizes for novel anti-phishing techniques.
