Firewall News
Tracking Down a Big Phish

By admin
29/08/2019

FortiGuard SE Threat Research Blog


As a threat researcher, I have learned that continually monitoring malicious activities often provides unique insights into criminal behavior. This is due to three things.

First, threat actors tend to be more like sheep than mavericks because they work in clusters. I don’t mean they work together, but when a particular attack strategy yields some success, you will soon see a lot of criminals targeting the same opportunity. Solving that problem means that you can shut down a lot of criminal activity in one fell swoop.

Second, cybercriminals tend to do the same things over and over again. Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same web-based infrastructure, and leverage those resources at the exact same step in their attack cycle. Learn those patterns and you can begin to see, and even anticipate, an attack before it is launched.

And finally, they sometimes just make mistakes that uncover a process that might never be seen otherwise.

Leveraging Simple Mistakes to Catch Phishers

For example, this past June and July, the Fortinet Web Filtering team observed a large influx of Phishing domains being registered in batches by a Phishing threat actor or group. We immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to this campaign. Because of some careless behaviors that, had they been avoided, would have masked their activity, we were able to learn the following:

  • The Phisher(s) abused a specific OVH (online virtual hosting) registrar in order to bulk register domains.
  • They managed to register over 200 domains every day for over a week.
  • Phishing domains were delivered to victims through phishing emails sent to more than 100 countries.
  • Many of the registrant emails used the following pattern: <random_string>@e.o-w-o[.]info
  • To support the backend, the Phisher(s) had registered and consistently used the same group of dedicated name servers.

Investigation Method:

We started with known Phishing domains and identified their registrants and name servers. We then iteratively expanded our search to bring in more related IOCs. After expanding from a set of malicious seeds, we were able to blacklist about 3000 Phishing IOCs.

Below is a sample of Registrant Activity for an email using the identified pattern shown above – [email protected][.]info:

Top Targeted Countries

Based on our telemetry data, this phishing campaign targeted over 100 countries. Only the top twenty are listed here:

Phishing Campaign Graph

FortiGuard Labs uses a proprietary IOC tracking system that allows us to visualize how attacks spread and the relationship between data points. The image below is an interesting attack cluster. The blue dots are dedicated name servers. The green dots are unknown domains. And the red dots are known phishing domains. The large orange node at the center is a malicious registrant.

Using This Pattern to Catch Other Phishers

Because many Phishers are similarly careless, we can re-use this monitoring technique to find more phishers. For example, we were able to use this same strategy to catch the Microsoft Fake AntiVirus Group. This group has the following characteristics:

  • They register their attacks using free domains, such as .tk, .ml, and .ga. We have observed them registering over 100 new domains daily.
  • They always use name servers hosted by Freenom (ns02[.]freenom[.]com).
  • Host domains always use the same set of dedicated IP addresses.

We have been able to catch this group by monitoring their dedicated IP addresses.
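The seed-and-pivot expansion described under "Investigation Method", and the dedicated-infrastructure monitoring used against the Fake AntiVirus group, can be expressed as one small graph walk. The code below is an added example written for this page, not Fortinet's IOC tracking system; the records are constructed, the registrant regex is one reading of the `<random_string>@e.o-w-o[.]info` pattern, and the `MAX_FANOUT` threshold (which keeps the walk from following shared name servers or shared hosting, the concealment methods listed later in the post) is an assumed value. It generalizes the post's two pivots (registrant, name server) by also pivoting on hosting IP, and labels the result the way the campaign graph legend does: known phishing domains, unknown domains pulled in through infrastructure, registrants, name servers, and IPs.

```python
"""Seed-and-pivot IOC expansion over WHOIS/DNS-style records (added example)."""
import re
from collections import defaultdict, deque

# Registrant pattern quoted in the post: <random_string>@e.o-w-o[.]info.
# The character class is an assumption about what "random string" looks like.
REGISTRANT_PATTERN = re.compile(r"^[a-z0-9]+@e\.o-w-o\.info$", re.IGNORECASE)

# A pivot value shared by more domains than this is treated as shared
# infrastructure (public free name servers, shared hosting) and not followed.
# Assumed threshold; tune it against your own data.
MAX_FANOUT = 50


def build_records():
    """Constructed sample records; none of this is real telemetry."""
    records = [
        {"domain": "secure-login-update.com", "registrant": "kq7x1@e.o-w-o.info",
         "ns": ["ns1.badns.example", "ns2.badns.example"], "ip": "203.0.113.10"},
        {"domain": "account-verify-now.net", "registrant": "p0zm@e.o-w-o.info",
         "ns": ["ns1.badns.example"], "ip": "203.0.113.10"},
        {"domain": "invoice-portal.org", "registrant": "ab12cd@e.o-w-o.info",
         "ns": ["ns2.badns.example"], "ip": "203.0.113.11"},
        # Same registrant as the seed, otherwise unrelated infrastructure.
        {"domain": "staff-bonus-claim.net", "registrant": "kq7x1@e.o-w-o.info",
         "ns": ["ns9.other.example"], "ip": "203.0.113.12"},
        # Campaign domain parked on a shared name server but on a dedicated IP.
        {"domain": "payroll-confirm.info", "registrant": "zz99@e.o-w-o.info",
         "ns": ["ns.shared-host.example"], "ip": "203.0.113.10"},
        # Benign-looking domain that happens to use a campaign name server.
        {"domain": "totally-unrelated.example", "registrant": "owner@legit.example",
         "ns": ["ns2.badns.example"], "ip": "198.51.100.5"},
    ]
    # Sixty tenants of one shared name server: these must not be pulled in.
    for i in range(60):
        records.append({"domain": f"tenant{i}.example",
                        "registrant": f"owner{i}@tenant{i}.example",
                        "ns": ["ns.shared-host.example"], "ip": f"192.0.2.{i + 1}"})
    return records


def index_records(records):
    """Build value -> set(domain) maps for each pivot attribute."""
    idx = {"registrant": defaultdict(set), "ns": defaultdict(set), "ip": defaultdict(set)}
    by_domain = {}
    for rec in records:
        by_domain[rec["domain"]] = rec
        idx["registrant"][rec["registrant"]].add(rec["domain"])
        for ns in rec["ns"]:
            idx["ns"][ns].add(rec["domain"])
        idx["ip"][rec["ip"]].add(rec["domain"])
    return by_domain, idx


def pivot_values(rec):
    """Yield (attribute, value) pairs a domain can be pivoted on."""
    yield "registrant", rec["registrant"]
    for ns in rec["ns"]:
        yield "ns", ns
    yield "ip", rec["ip"]


def expand(seeds, records, max_fanout=MAX_FANOUT):
    """Breadth-first walk from seed domains across dedicated infrastructure."""
    by_domain, idx = index_records(records)
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        rec = by_domain.get(queue.popleft())
        if rec is None:
            continue  # seed we have no record for
        for key, value in pivot_values(rec):
            neighbours = idx[key][value]
            if len(neighbours) > max_fanout:
                continue  # shared infrastructure: too noisy to pivot on
            for other in neighbours - seen:
                seen.add(other)
                queue.append(other)

    def dedicated(key, value):
        return len(idx[key][value]) <= max_fanout

    # Known phishing: the seeds plus anything whose registrant fits the pattern.
    phishing = set(seeds) | {d for d in seen if d in by_domain
                             and REGISTRANT_PATTERN.match(by_domain[d]["registrant"])}
    unknown = seen - phishing  # reached via infrastructure; needs analyst review
    known = [by_domain[d] for d in phishing if d in by_domain]
    return {
        "phishing": phishing,
        "unknown": unknown,
        "registrants": {r["registrant"] for r in known
                        if REGISTRANT_PATTERN.match(r["registrant"])},
        "name_servers": {ns for r in known for ns in r["ns"] if dedicated("ns", ns)},
        "ips": {r["ip"] for r in known if dedicated("ip", r["ip"])},
    }


if __name__ == "__main__":
    result = expand(["secure-login-update.com"], build_records())
    for label, values in result.items():
        print(f"{label}: {sorted(values)}")
```

Running it from the single seed pulls in the four other campaign domains through three different pivots (shared registrant, shared name server, shared IP), flags `totally-unrelated.example` as an unknown node for review rather than an IOC, and leaves the sixty tenants of the shared name server untouched because that pivot exceeds the fan-out threshold. In practice the `unknown` bucket is where analyst time goes, and the fan-out guard is what stops the walk from blacklisting half of a hosting provider.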

Not All Phishers are This Careless

Phishing sites are usually hosted on compromised websites. As a result, the threat actor’s behavior is easily concealed. Other methods for obscuring Phishing activities often include:

  • Using compromised websites to host phishing sites
  • Using free hosting websites
  • Abusing free Microsoft web services
  • Using shared web hosting services and shared name server services

Conclusion

The first campaign analyzed in this report stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, we were able to monitor their campaign closely. We can similarly monitor other phishing threat actors as long as they consistently use a dedicated infrastructure (IP address, Name Server, or WHOIS registrants), or use some unique URL patterns in their Phishing sites.

Of course, only a small percentage of Phishers use these detectable strategies. The best approach to countering Phishing attacks, therefore, is to regularly train all personnel to be wary of unknown senders and to not click on links/attachments of suspicious emails.

Solution

All detected websites and domains associated with this attack – more than 3,000 Phishing IOCs to date – have been blacklisted by the Fortinet web filtering solution, which is used by FortiMail, FortiGate, and FortiClient to prevent phishing and other web-based attacks. We will continue to add domains and websites associated with this phishing attack as they are uncovered.

By Raymond Chan