Phishing, Spiking, and Bad Hosting

At OpenDNS Labs we have developed a number of predictive models to hunt down evil on the Internet. We have discussed in previous blogs and conferences our algorithms NLPRank [1][2][3], Spike detector [4][5][6], and malicious IP space/rogue host detectors [7][8]. In this blog we will discuss how we integrate all of these detection models to improve detection coverage of current threats and walk through a few interesting examples.

Phishing and Spikes
One of the recent samples we have found was a Facebook phishing campaign that was surfaced by our real-time alert system. Our model NLPRank detected the campaign of Facebook phishing sites spoofing Facebook under the second-level domain (2LD) 2nso3s[.]com. For this particular domain, when visiting the 2LD 2nso3s[.]com from your browser, you would be directed to a URL that looks like: http://facebook[.]com...%2F%2Fwww.facebook... As we can see in the path of the URL, the next page routes you directly to the legitimate facebook[.]com after they have stolen the entered credentials. We also cross-referenced this domain with our crowd-sourced system PhishTank, and found someone from the community had submitted one of these hostnames. Something to take note of here is that upon each subsequent request to the same FQDN, the third-level domain (3LD) appears to be rotating integers (indicative of a fluxing domain name). Rotating subdomains is a technique similar to what the Careto malware, also known as The Mask, uses. Here are some samples from Careto: paypal... This domain hyd[.]me exhibits steady high-volume traffic. In fact, it is a domain sinkholed by Kleissner & Associates, which has been acquired by LookingGlass. Going back to our initial 2LD 2nso3s[.]com serving the Facebook phishing URLs, what is also interesting is the massive traffic spike, which is typically uncharacteristic of phishing domains. Here is the traffic pattern for 2nso3s[.]com:

Figure 1: traffic pattern for 2nso3s[.]com.

Visiting the domain in the browser shows that it is spoofing the Facebook login page:

Figures 3a, 3b, 3c: screenshots of the spoofed Facebook login page.

One can see from the above screenshots that the 3LD in the FQDN is rotating; this happens over tens of thousands of queries. Figure 4 shows another interesting catch exhibiting similar characteristics detected by the Spike and NLPRank models, ebayonline[.]cc:

Figure 4: ebayonline[.]cc.

This sample is also rotating through subdomains: seo...
Here is another sample of a spoofed brand domain that exhibits features detected by the two models, analytics-google[.]com:

Figure 5: analytics-google[.]com.

There are a lot of variations spoofing google-analytics; however, they have a much smaller request rate. For example, Figure 6 displays traffic from google–analytics[.]com:

Figure 6: traffic from google–analytics[.]com.

As we can see, this spoofing domain has much lower traffic counts, which is more typical of phishing domains. Here is an example of a PayPal phish, mpaypaal[.]com, also exhibiting a low query count. When viewing the page we see the attacker copying the login of the original PayPal site and phishing for credentials.

Investigate and Visualization

Going back to 2nso3s[.]com, Investigate can provide some further interesting insights into this domain. First of all, we can use our “Life of a Domain” visualization in order to get a better representation of the domain lifetime and all its key events. Let’s have a look. We can see a couple of things.
The two blue dots represent the domain registration, and we can see here that our domain was registered pretty recently (mid-August 2...). On this specific visualization, we typically see a couple of red circles showing when the domain was tagged/flagged by our analysts, which wasn’t the case here (of course, now it’s all blocked).

We can also see that our domain was registered with an address in Mexico. Interestingly, the client traffic comes mainly from the US, Russia, France, and the UK. We have the phone number and an email address, which allows us to dig deeper in our investigation. Starting from the email address “mireyadreedjs@yahoo...” in the Investigate data, we can search our WHOIS database to discover which other domains were registered by the same account: 2nso3s[.]com, ... From these domains, we can keep mining and discover subdomains, attached URLs, IP addresses, and even hashes of the malware hosted on these servers.
We can then use all this correlating data and build a map of the full infrastructure of the phishing campaign. All of this is operated very simply using our homemade data miner script (more about that in a later blog), and we can visualize the result in 3D with OpenGraphiti. Once we’ve extracted and visualized all of these new candidates, we can use another interesting visualization called “Parallel Coordinates.” The idea is to represent the features of our candidates stacked all together in a graph representation. The horizontal axis represents the set of features of our vector (pictured here we have Investigate + VirusTotal features), and the vertical one represents the values of those features taken by our vectors. See below. This simple diagram is displaying 1... We can see that these domains have a low popularity, which means they have seen a small amount of traffic.
They have only been created about 1... They have only one IP, one prefix, one ASN, and a single country. They have a constant TTL set to a very high interval, about 9... (the TTL standard deviation is zero). The geographical distance between their IPs is small, which is expected since they have only one. The entropy of the domains is pretty high due to the DGA part of the name. The status is -1 for all of these, meaning that OpenDNS is actively blocking all of them at the moment. And finally, they have 1... URLs that have been flagged on VirusTotal.

Dissecting hosting IP space

We can use our malicious IP space/rogue host monitoring models to investigate the hosting IP infrastructure of the 1... 2LDs registered by mireyadreedjs@yahoo... These 2LDs are all hosted on IPs that are part of AS2... (AS-CHOOPA – Choopa, LLC), 8... Vultr, which is a child company of Choopa, LLC. Vultr is more or less a DigitalOcean clone trying to compete with it in the affordable VPS market. Vultr’s IP space spans more than 6... IPs located in North America, Europe, and Asia/Pacific. Its cost-effectiveness, however, has made it an attractive platform for criminals to host exploit kit domains, phishing, and other gray content. In the table below, for reference, we show all the phishing 2LDs with their corresponding IPs, prefixes, ASNs, and specific hoster, as well as the total number of phishing hostnames we recorded in relation to the IPs and a link to all hostnames on the IPs.
[Table: 2LD, IP, prefix, ASN, hoster (Vultr for every row), # of hostnames on IP, list of domains]

Vultr has been under our radar for quite some time, as we’ve been monitoring its IP space in the past few months and flagged it as hosting, among other things, exploit kit domains and exploit kit nameservers, particularly Nuclear EK. In the table below, we share a sample of IPs on Vultr that we flagged in the past six months as hosting Nuclear EK landing domains.
[Table: IP, prefix, ASN, hoster (Vultr for every row)]
Takeaways

In conclusion, first, it is apparent from these findings that the integration of multiple models enhances our coverage and increases our detection rate. Combining NLPRank, Spike Detection, and the IP monitoring models provides a method to surface large-scale phishing campaigns and automatically block them in real time. Second, bulletproof or abused hosting providers persistently cater to a diversity of “badness”, whether it is phishing, exploit kits, malware, or gray content in general. Our global visibility into the attack surface comes in handy to consistently monitor and rapidly catch these threats from different angles. If you’d like to learn more about our research related to these topics, we will be presenting in October at BruCon and Hack.lu: “Unified DNS View to Track Threats”, Dhia Mahjoub and Thomas Mathew, at BruCon; “A Collective View of Current Trends in Criminal Hosting Infrastructures”, Dhia Mahjoub, at Hack.lu.
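As an added illustration (not OpenDNS code, and not the models described above), the following Python computes over constructed passive-DNS records the kind of per-2LD features this post relies on: a simple query-spike ratio, the rotating-integer 3LDs seen in Figures 3a–3c and 4, and the distinct-IP, TTL-standard-deviation and label-entropy features from the Parallel Coordinates view. The hostnames, IPs and TTLs are made up, and the 2LD split is a simplification that does not consult the Public Suffix List.

```python
import math
from collections import Counter, defaultdict
from statistics import median, pstdev

# Constructed passive-DNS style records (hour bucket, FQDN, resolved IP, TTL); all values are made up.
RECORDS = [
    (0, "1.x7k2qv9p.test", "203.0.113.10", 86400),
    (1, "2.x7k2qv9p.test", "203.0.113.10", 86400),
    (1, "3.x7k2qv9p.test", "203.0.113.10", 86400),
    (2, "4.x7k2qv9p.test", "203.0.113.10", 86400),
    (2, "5.x7k2qv9p.test", "203.0.113.10", 86400),
    (2, "6.x7k2qv9p.test", "203.0.113.10", 86400),
    (0, "www.bankportal.test", "198.51.100.5", 300),
    (1, "www.bankportal.test", "198.51.100.5", 300),
    (2, "mail.bankportal.test", "198.51.100.6", 3600),
]

def split_fqdn(fqdn):
    # Simplified: the last two labels form the 2LD (real code would use the Public Suffix List).
    labels = fqdn.lower().rstrip(".").split(".")
    two_ld = ".".join(labels[-2:])
    three_ld = labels[-3] if len(labels) >= 3 else None
    return two_ld, three_ld

def label_entropy(label):
    # Shannon entropy in bits per character; DGA-like labels score high.
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def domain_features(records):
    # One feature vector per 2LD, in the spirit of the post's Parallel Coordinates view.
    by_2ld = defaultdict(list)
    for hour, fqdn, ip, ttl in records:
        two_ld, three_ld = split_fqdn(fqdn)
        by_2ld[two_ld].append((hour, three_ld, ip, ttl))
    features = {}
    for two_ld, rows in by_2ld.items():
        hourly = list(Counter(h for h, _, _, _ in rows).values())
        three_lds = {t for _, t, _, _ in rows if t is not None}
        numeric = [t for t in three_lds if t.isdigit()]
        features[two_ld] = {
            "queries": len(rows),
            "spike_ratio": max(hourly) / median(hourly),  # busiest hour vs. median hour
            "rotating_int_3lds": len(numeric) >= 3 and len(numeric) == len(three_lds),
            "distinct_3lds": len(three_lds),
            "distinct_ips": len({ip for _, _, ip, _ in rows}),
            "ttl_stddev": pstdev([ttl for _, _, _, ttl in rows]),
            "entropy": round(label_entropy(two_ld.split(".")[0]), 3),
        }
    return features
```

On the constructed records the DGA-like 2LD shows a spike ratio of 1.5, six rotating integer 3LDs, a single IP and zero TTL deviation, while the benign-looking 2LD shows none of these.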