phishing search with Maltego

The REG.RU security team in their work often encounters scammers, spammers, phishing domains, account hacking, attempts to hijack domains, etc. Using the example of searching for the creator of phishing sites, I will tell you how we detect such violators using Maltego.

I will note in advance that:

  • only law enforcement agencies can determine the fact of fraud and impose punishment. But we also conduct our own investigations based on the data that we have in order to independently take legal action in case of an obvious offense;

  • the article is not advertising, all examples, cases, names (both proper and domain names) are fictitious, any matches are random.

A little about Maltego

Maltego is a program for collecting information from various sources and then presenting it in a convenient form. It is actively used in investigations and intelligence based on open and closed sources.

Information in the program is visualized in the form of a graph:

The graph consists of objects (Entities) and connections between them (Links). Any unit of information can act as an object: domain name, IP address, organization, client data (full name and phone number), etc.

You can add objects and connections manually or automatically using transformations (Transforms) – scripts that find data about existing objects in different sources and add this data to the graph already in the form of new objects. There is a set of ready-made transformations for different tasks. For example, if you need information about an IP address, then using the built-in transformations, you can find out data from Whois, location, address reputation (Fraud-check) and check it against Tor’a nodes.

You can expand the set of transformations in the Transforms Hub, a built-in marketplace.

For some transformations, you may need the API key of the service from which you want to get data.

To work with data from internal sources, you can create your own transformations.

Maltego is distributed in two versions – free and paid. Free versions are CaseFile and Community Edition. The commercial variant is called Maltego One and has three plans: Pro, Enterprise and Enterprise On-premise. Current editions and their features are available on the official site.

Case with phishing sites

And now consider a fictional, but quite typical investigation.

A task: find the creator of phishing sites, as well as all his domains and accounts. Before you ban a scammer’s accounts and start a procedure for identifying administrator data on his domains, you need to make sure that the domains are phishing.

What we have: to register a new account on REG.RU, you need to specify your email and phone number. And to register a domain, also a full name with passport data (depending on the domain zone). In the logs, you can find IP addresses, cookies, User-Agent and other parameters of the attacker’s system. From all this data, a digital fingerprint of the alleged intruder can be compiled. The more input data, the greater the chance of finding relationships.

Handling and collating large amounts of data from different sources manually is time consuming and boring. Therefore, I will use Maltego. With its help, having written your own scripts, you can read logs and databases, and then display the result in the form of a graph with objects and relationships between them.

First you need to create a new graph and place the MOB-VTB24.RU domain on it. The toolbar (Entity Palette) has objects of different types that can be moved to the workspace. I’ll drag the “Domain” object from the panel to the graph and specify the desired domain name.

More objects can be added from the clipboard with automatic type recognition. If it is recognized incorrectly, you can correct it manually from the “Change Type” menu.

Adding new object types

Now you can get information about the owner of the domain specified during registration:

We need to create a new type of object – “User”, and write transformations to search for a domain in our database (in the article, all queries to the database are simplified).

In the “Entities” tab, I create a “User” object and set the main property for it – “user_id”.

The object has been created. It’s time to write a transformation that will display domain and account data on a graph in the form of objects and links.

Creating transformations

To write transformations, I used the library maltego_trx for Python 3.6 and above. Command to install it:

pip install maltego-trx

Command to create a new project:

maltego-trx start new_project

Transform files will be stored in new_project/transforms/.

Now let’s create a new class and inherit it from “DiscoverableTransform”. I override the “create_entities” method, inside which there will be all the logic of finding data and adding objects to the graph. The “response.addEntity” method is responsible for placing objects on the graph.

from maltego_trx.transform import DiscoverableTransform
import MySQLdb

# Наследуем наш класс от DiscoverableTransform
class SearchDomain(DiscoverableTransform):

   Выполняет поиск домена.
   # Переопределяем метод create_entities
   def create_entities(cls, request, response):
       # Получаем входящее значение
       email = request.Value
       # Инициализируем подключение к базе
       db = MySQLdb.connect(host="",
       cursor = db.cursor(MySQLdb.cursors.DictCursor)
       # Выполняем поиск по таблице domains
       cursor.execute("""select user_id, name, phone, email
                           from domain
                           where domain = %s
           """, [domain])
      rows = cursor.fetchall()
       # В зависимости от поля добавляем на граф
       # объекты соответствующих типов
       for row in rows:
           response.addEntity('yourorganization.User', row['user_id'])
           response.addEntity('maltego.Person', row['name'])
           response.addEntity('maltego.PhoneNumber', row['phone'])
           response.addEntity('maltego.EmailAddress', row['email'])

When adding an object, you must use the “Unique Type Name” that was specified when creating the “User” object. In my case it is “yourorganization.User”. Classes for built-in objects can be imported from the library.

from maltego_trx.entities import Person
response.addEntity(Person, row['name'])

If there are many objects, you can map fields and objects.

field_map = {
   'user_id': 'yourorganization.User',
   'name': 'maltego.Person',
   'phone': 'maltego.PhoneNumber',
   'email': 'maltego.EmailAddress'
for row in rows:
   for field in row:
       if field_map.get(field):
           response.addEntity(field_map[field], row[field])

Adding transformations

The finished transformation must be added to Maltego. To do this, in the “Transforms” tab, select “New Local Transform” and fill in the fields. In the “Input Entity Type” field, I select the type of object with which the transformation works:

I specify the path to the Python3 interpreter:


  • — main script;

  • local- says that the transformation works locally;

  • searchdomain is the transformation name corresponding to the class name.

To check if the class was created correctly, you can list all transformations of the project with the command python3 list.

Launching transformations

Now we can start the transformation:

As a result of work on the graph, objects appeared:

Logs of transformation work are written in Output. You can also display debugging information there to search for errors in the script. To do this, in the transformation settings you need to activate “Show debug info”.

Through the interface or code, you can mark objects on the graph and add comments to them:

from maltego_trx.maltego import BOOKMARK_CLRS
           me = response.addEntity(
               'yourorganization.User', user_id
           me.setBookmark(BOOKMARK_CLRS["red"]) #добавить заметку

           me.setNote("Регистрирует фишинговые домены") #добавить флажок

In the meantime, the suspect has already been found. On the graph there is his full name, mail and phone. Based on this data, you can do a reverse search.

Reverse lookup

Reverse search requires new transformations. I add them by analogy with “SearchDomain” and start the search. The result is new domains and an account.

The found domain names look suspicious, as they are associated with banks and BlaBlaCar and Drom services.

After searching again only I get 88 more domains by number:

I upload information on new accounts and get new mailboxes and phones. To find the IP addresses from which the accounts were logged in, I use authorization logs in the search.

Repeated searches using new objects resulted in the following network:

To get a complete list of domains, I will simplify a large and incomprehensible graph by sorting data by type. The resulting list can already be exported in the desired format.

It remains to remove unnecessary objects from the graph and upload the final list of domains and accounts. Using it, you can already work on blocking accounts and domains.

This is one of the possible options for working with Maltego when investigating and analyzing a large amount of information. In the future, more sources can be added and scripts improved to protect potential victims from fraud.


Maltego simplifies investigations through search automation and clear data visualization. The tool is suitable for both internal investigations and for searching for information in open sources (OSINT – Open source intelligence). Obviously, in the article I did not cover all of its capabilities: there are convenient functions for analyzing information on a graph, there are data export options, and the search can be upgraded by combining scripts into “machines”. Let me know if you’re interested in learning more about something.

I also recommend a series of articles about Maltego from @Wolchara000.

Cycle articles

Similar Posts

Leave a Reply