
Finding Phishing Sites with CT

November 1, 2018 | Featured Blogger: Scott Helme

I've spoken a couple of times recently about CT and it really is an awesome thing to have. We can now add one more wicked feature to our arsenal thanks to CT and Facebook, and that's the ability to easily detect phishing sites.

Certificate Transparency

I've got a great introduction post on CT, so you can read that for more details, but the TL;DR is that CT requires all certificates issued by a CA to be logged into public logs that we can search and monitor. This means no more secret certificates, but it also means we can see all certificates being issued. Facebook have a great CT log monitoring tool to let you do this, and you can get notifications via email or in the app every time a certificate is issued for your site. How cool is that!


You can head over to the Facebook CT Tool and sign up for notifications for your domains easily and it's completely free. Of course you can also sign up to monitor other domains too and I monitor quite a few out of interest, but we're never really going to see too much interesting info there other than their renewal schedule. What else can we look for though?


Phishing Sites

The web is going HTTPS, and it's not just good sites, it's bad sites too. Lots and lots of phishing sites are now using HTTPS because it's become easy and free to deploy. There has been a lot of discussion and resistance against CAs like Let's Encrypt issuing certs to these sites, but I've spoken about that before: Let's Encrypt are enabling the bad guys, and why they should. Whether or not you agree with this happening, it is happening right now, so how can we turn this to our advantage? Well, when a phishing site gets a certificate, we can see it in CT, so we can know about the site probably before they've even brought it online! All we need to do is look for domains that are similar to popular sites or contain their domain as a substring. What if we kept an eye on the CT logs for certificates issued to or That would probably be a pretty good idea and it could certainly turn up some interesting information. I have some good news for you too: you can do this right now, for free!


Facebook have added this capability to their CT log monitoring service and they will try to find all possible phishing variants of your domain and notify you when they get certificates!
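The matching idea described above (names that contain the watched domain as a substring, or that sit one edit away from it) can be sketched as follows. This is an added example, not code from the original post and not Facebook's matching logic; the brand `examplebank`, the reserved `.example` and `.test` names, and all function names are assumptions made for illustration.

```python
import re

# Assumed for illustration: the brand label to watch and its legitimate domain.
BRAND = "examplebank"
LEGIT_DOMAINS = ("examplebank.example",)
# Digit-for-letter swaps often seen in lookalike names.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(dns_name):
    """Return 'legit', 'substring', 'lookalike' or None for one SAN dNSName."""
    name = dns_name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard certificate entry
        name = name[2:]
    # Require a label boundary: "notexamplebank.example" must not pass as legit.
    if any(name == d or name.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    folded = name.translate(SWAPS)
    if BRAND in folded.replace("-", ""):
        return "substring"
    for label in re.split(r"[.-]", folded):
        if edit_distance(label, BRAND) == 1:
            return "lookalike"
    return None

def scan(dns_names):
    """Map each suspicious name to the reason it was flagged."""
    verdicts = {n: classify(n) for n in dns_names}
    return {n: v for n, v in verdicts.items() if v not in (None, "legit")}

# Constructed sample of names as they might appear in newly logged certificates.
SAMPLE = [
    "www.examplebank.example", "*.examplebank.example",
    "examplebank.example.secure-login.test", "examp1ebank-verify.test",
    "notexamplebank.example", "exmplebank.test",
    "weather.test",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A flagged name is only a candidate for review; the certificate's other names, issuer and the live site still need a look before reporting it.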


Not only can you do this for your site, you can also do it for other sites and just to see what was happening in the Big Bad Web(TM), I enabled it for and to see. It didn't take long before I got a hit.


In fact, it wasn't long before I was getting lots of hits. Soooooo many hits and when they're all sent to my phone as push notifications it quickly became apparent just how many phishing certs are issued to big domains like this.


Still though, this is the system working, this is what CT enables us to do. You may have noticed just above that the phishing domain I got a notification for was already in SafeBrowsing by the time I looked at it. Now, there was a delay between the cert having been logged and me getting the notification; it seems Facebook went back a small period of time and sent me recent certs too, which is great. But think of what this means. When a phishing site gets a cert, we can be notified about it and then go take a look to see if the site is a risk. If it is, it can be reported to SafeBrowsing right away and we have the site taken down before they get a chance to be fully online.

This post originally appeared on

About the author

Featured Blogger: Scott Helme

Scott Helme is an international speaker, security researcher and blogger that specializes in online security. He also founded and, free online tools to deploy better security. 
