Bavaria relies on BigPhish in the fight against fraudulent domains

Bavaria uses the "BigPhish" software to combat cybercrime. It is to detect phishing domains shortly after they are registered and report them to investigators.

[Image: a fishing rod in the water with a note on the hook asking for login details]

Bavaria's law enforcement agencies want to use BigPhish to identify, monitor and secure suspicious domains.

(Image: Philip Steury Photography/Shutterstock.com)

By Imke Stock
This article was originally published in German and has been automatically translated.

Phishing is one of the most common crimes on the Internet and fraudulent domains associated with it sometimes disappear faster than investigators can see. The Bavarian justice system now wants to use the "BigPhish" tool to identify and monitor phishing domains more quickly. The aim is not only to protect victims more effectively, but also to secure evidence for investigations in good time and recognize connections between cases.

On 19 June, Bavaria's Minister of Justice Georg Eisenreich signed a cooperation agreement with the Dutch research company TNO (Netherlands Organization for Applied Scientific Research), which developed BigPhish together with Dutch investigative authorities. The Bavarian Cybercrime Center (ZCB) is the first office to test the open source tool in Germany.

Phishing campaigns often target a large group of recipients; just this week there was a wave of fraud involving fake text messages and emails to bank customers. In most cases, the fraudulent phishing websites are online for less than a day and have already disappeared by the time the report reaches the investigators' desk. Securing such short-lived crime scenes in time is the problem BigPhish aims to solve, by acting as soon as the domain appears.

In order to use a fraudulent website to steal victims' login details, the perpetrator has to do some preliminary work. Thanks to cybercrime-as-a-service, they do not need their own IT expertise, but can use tools and services provided by other more technically skilled criminals. For a campaign, the perpetrator obtains a phishing kit, a web space to host the website and a domain. To make the website appear more trustworthy, they also obtain a TLS certificate for the domain. When the website is ready to be used, the perpetrator begins to lure the victim to the fraudulent website via email, text message or chat.

BigPhish continuously monitors the Certificate Transparency (CT) logs to filter potential phishing domains out of the stream of newly issued certificates. Suspicious domains are visited by the BigPhish crawler, and the pages are examined for traces of phishing kits. Various phishing kits are analyzed in advance and their "fingerprints" (based on file paths in the source code) are identified. In addition, further suspicious indicators for phishing websites can be stored in BigPhish. Once a domain has been identified as a phishing domain, it is monitored further. The data collected on the phishing domains is stored in a database for the investigators. In addition to the domain, the information also includes the IP address and the provider of the server on which the phishing website is hosted.
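The two-stage pipeline described above (CT log filtering, then crawling and matching kit fingerprints) can be sketched in a few dozen lines. The following is an added illustration, not BigPhish code and not TNO's implementation: the watched brands, the "legitimate" domains, the kit names, the fingerprint paths and the CT entries and pages are all constructed for the demo, and the `fetch` callable stands in for the crawler so the script runs offline.

```python
import re
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Constructed for the demo: brands to watch for and their genuine registrable domains.
WATCHED_BRANDS = ("examplebank", "examplepay")
LEGIT_DOMAINS = {"examplebank.example", "examplepay.example"}

# Constructed for the demo: file paths that two hypothetical phishing kits embed in the
# pages they generate. Real fingerprints would come from analysing kit source code in advance.
KIT_FINGERPRINTS = {
    "kit-alpha": ("/assets/js/grab.js", "/includes/anti_bot.php"),
    "kit-beta": ("/login/verify.php", "/css/bank-clone.css"),
}

# Attributes in which a page references other files (scripts, stylesheets, form targets).
_REF_ATTR = re.compile(r"""(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def brand_in_domain(domain: str, brands=WATCHED_BRANDS) -> Optional[str]:
    """Return the watched brand a certificate name imitates, or None.
    Wildcard prefixes are stripped and the brand's own registrable domain is never flagged."""
    labels = domain.lower().removeprefix("*.").split(".")
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return None
    for label in labels:
        squashed = label.replace("-", "")  # "example-bank" -> "examplebank"
        for brand in brands:
            if brand in squashed:
                return brand
    return None


def candidate_domains(ct_entries: Iterable[dict]) -> dict:
    """Stage 1: reduce a stream of CT log entries ({'names': [...]}) to suspicious name -> brand."""
    found = {}
    for entry in ct_entries:
        for name in entry.get("names", []):
            brand = brand_in_domain(name)
            if brand:
                found[name.removeprefix("*.")] = brand
    return found


def referenced_paths(html: str) -> set:
    """Collect the URL paths a page references in src/href/action attributes."""
    paths = set()
    for ref in _REF_ATTR.findall(html):
        path = urlparse(ref).path
        if path:
            paths.add(path if path.startswith("/") else "/" + path)
    return paths


def match_kit(html: str) -> tuple:
    """Stage 2: (kit_name, matched_paths) for the kit with the most fingerprint hits, or (None, ())."""
    paths = referenced_paths(html)
    best_kit, best_hits = None, ()
    for kit, fingerprints in KIT_FINGERPRINTS.items():
        hits = tuple(p for p in fingerprints if p in paths)
        if len(hits) > len(best_hits):
            best_kit, best_hits = kit, hits
    return best_kit, best_hits


def triage(ct_entries, fetch: Callable[[str], str]) -> dict:
    """Run both stages; `fetch` stands in for the crawler (domain -> HTML, '' if unreachable).
    Candidates without a kit match are still reported so an analyst can review them."""
    report = {}
    for domain, brand in candidate_domains(ct_entries).items():
        kit, hits = match_kit(fetch(domain))
        report[domain] = {"brand": brand, "kit": kit, "matched_paths": list(hits)}
    return report


# Constructed sample data: a handful of CT entries and the pages the crawler would see.
SAMPLE_CT_ENTRIES = [
    {"names": ["examplebank.example", "www.examplebank.example"]},  # genuine, must not be flagged
    {"names": ["secure-examplebank-login.example"]},
    {"names": ["*.examplepay-verify.example"]},
    {"names": ["news.example"]},
    {"names": ["example-bank-update.example"]},
]
SAMPLE_PAGES = {
    "secure-examplebank-login.example":
        '<form action="/includes/anti_bot.php"><script src="/assets/js/grab.js"></script>',
    "examplepay-verify.example":
        '<link href="https://cdn.example/x.css"><form action="/login/verify.php">',
    "example-bank-update.example": "<html><body>Coming soon</body></html>",
}


def sample_fetch(domain: str) -> str:
    return SAMPLE_PAGES.get(domain, "")


if __name__ == "__main__":
    for domain, finding in triage(SAMPLE_CT_ENTRIES, sample_fetch).items():
        print(domain, finding)
```

Matching on the paths a page actually references, rather than on raw substrings of the HTML, keeps a fingerprint such as `/login/verify.php` from firing on unrelated text, and the brand check works on hyphen-squashed labels so that `example-bank-update` is caught as well as `examplebank`. A real deployment would replace `sample_fetch` with an isolated crawler and record the resolved IP address and hosting provider alongside each finding, as the article says BigPhish does.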

According to Eisenreich, the new tool should not only inform investigators quickly about new phishing websites, but also "enable automated warnings for potential victims to be issued more quickly the first time the website is accessed". The tool also stores information on older phishing websites in its database. With the help of the data, new investigative approaches to sites that have already been shut down and connections between different cases can be found.

The problem of discovering connections between cases in good time is not limited to phishing. Cooperation between law enforcement authorities is also to be improved in the area of cybertrading fraud; this was decided by the justice ministers at their last spring conference in June on the initiative of Bavaria. To this end, a central nationwide cybertrading information platform is to be introduced at the BKA.

Bavaria's investigators have been working together with researchers internationally for several years to advance online investigations with the help of software. For example, a Dark Web Monitor from TNO has been used since 2020 to shed light on the dark web. With the Complexity Science Hub Vienna (CSH), the blockchain analysis technology "GraphSense" was introduced at the ZCB in 2022 for the real-time analysis of virtual currency transactions. An AI "fake store detector" from the AIT Austrian Institute of Technology in Vienna has been in use in Bavaria since August 2023. This detector uses artificial intelligence to check unknown online stores for more than 21,000 features in real time. If a store is suspicious, the detector warns the investigators, who can then take action at an earlier stage. Just this week, the consumer advice center issued a warning about fake stores selling European Football Championship fan merchandise.

(nie)