Tracking Down a Big Phish
FortiGuard SE Threat Research Blog
As a threat researcher, I have learned that continually monitoring malicious activities often provides unique insights into criminal behavior. This is due to three things.
First, threat actors tend to be more like sheep than mavericks because they work in clusters. I don’t mean they work together; but when a particular attack strategy yields some success, you will soon see a lot of criminals targeting the same opportunity. Solving that problem means that you can shut down a lot of criminal activity in one fell swoop.
Second, cybercriminals tend to do the same things over and over again. Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same web-based infrastructure, and leverage those resources at the exact same step on their attack cycle. Learn those patterns and you can begin to see and even anticipate an attack before it is even launched.
And finally, they sometimes just make mistakes that uncover a process that might never be seen otherwise.
Leveraging Simple Mistakes to Catch Phishers
For example, this last June and July, the Fortinet Web Filtering team observed a large influx of Phishing domains being registered in batches by a Phishing threat actor or group. We immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to this campaign. Because of some careless behaviors that if avoided could have masked their behavior, we were able to learn the following:
- The Phisher(s) abused a specific OVH (online virtual hosting) registrar in order to bulk register domain.
- They managed to register over 200 domains every day for over a week.
- Phishing domains were delivered to victims through phishing emails sent to more than 100 countries.
- Many of the registrant emails used the following pattern: <random_string>@e.o-w-o[.]info
- To support the backend, the Phisher(s) had registered and consistently used the same group of dedicated name servers.
We started with known Phishing domains, find registrants and name servers. We then iteratively expand our search to bring in more related IOCs. After the expansion of some malicious seeds, we were then able to blacklist about 3000 Phishing IOCs.
Below is a sample of Registrant Activity for an email using the identified pattern shown above – [email protected][.]info:
Top Targeted Countries
Based on our telemetry data, this phishing campaign targeted over 100 countries. Only the top twenty are listed here:
Phishing Campaign Graph
FortiGuard Labs uses a proprietary IOC tracking system that allows us to visualize how attacks spread and the relationship between data points. The image below is an interesting attack cluster. The blue dots are dedicated name servers. The green dots are unknown domains. And the red dots are known phishing domains. The large orange node at the center is a malicious registrant.
Using This Pattern to Catch Other Phishers
Because many Phishers are similarly careless, we can re-use this monitoring technique to find more phishers. For example, we were able to use this same strategy to catch the Microsoft Fake AntiVirus Group. This group has the following characteristics:
- They register their attacks using free domains, such as .tk, .ml, and .ga, etc. We have observed them registering over 100 new domains daily.
- They always use name servers hosted by Freenom (ns02[.]freenom[.]com)
- Host domains always use the same set of dedicated IP addresses.
We have been able to catch this group by monitoring their dedicated IP addresses.
Not All Phishers are This Careless
Phishing sites are usually hosted on compromised websites. As a result, the threat actor’s behavior is easily concealed. Other methods for obscuring Phishing activities often include
- Using compromised websites to host phishing sites
- Using free hosting websites
- Abusing free Microsoft web services
- Using shared web hosting services, and shared name server services
The first campaign analyzed in this report stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, we were able to monitor their campaign closely. We can similarly monitor other phishing threat actors as long as they consistently use a dedicated infrastructure (IP address, Name Server, or WHOIS registrants), or use some unique URL patterns in their Phishing sites.
Of course, only a small percentage of Phishers use these detectable strategies. The best approach to countering Phishing attacks, therefore, is to regularly train all personnel to be wary of unknown senders and to not click on links/attachments of suspicious emails.
All detected websites and domains associated with this attack – more than 3,000 Phishing IOCs to date – have been blacklisted by the Fortinet web filtering solution, which is used by FortiMail, FortiGate, and FortiClient to prevent phishing and other web-based attacks. We will continue to add domains and websites associated with this phishing attack as they are uncovered.
By Raymond Chan