EDITOR’S QUESTION
WHAT CAN ORGANISATIONS DO TO PREVENT THE RISE IN PHISHING ATTACKS?
Fortinet researchers studying phishing domains have found that South Africa was among the top 20 countries targeted in a large influx of recent phishing attacks. FortiGuard Labs observed large batches of phishing domains being registered by a single phishing threat actor or group and immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to the campaign. The actor’s careless operational habits, which would have masked their activity had they been avoided, allowed the researchers to learn the following:
• The phisher(s) abused a specific registrar, OVH, to bulk-register domains
• They managed to register over 200 domains every day for over a week
• The phishing domains were delivered to victims through phishing emails sent to more than 100 countries
• Many of the registrant email addresses followed the same pattern: @e.o-w-o[.]info
• To support the backend, the phisher(s) registered and consistently used the same group of dedicated name servers
The researchers started with known phishing domains, extracted their registrants and name servers, and then iteratively expanded the search to bring in more related IOCs. After expanding from a handful of malicious seeds in this way, they were able to blacklist about 3,000 phishing IOCs. Fortinet’s telemetry data revealed that the campaign targeted over 100 countries, with the highest number of visits – 2,111 – to the US. Also in the top five were China, Mexico, Vietnam and Kazakhstan. South Africa – with 167 visits – was number 17 in the top 20 countries targeted, followed by Thailand, Singapore and Italy.
This campaign stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, Fortinet was able to monitor the campaign closely, and it can monitor other phishing threat actors in the same way as long as they consistently use dedicated infrastructure (IP addresses, name servers or WHOIS registrants) or unique URL patterns in their phishing sites.
Because many phishers are similarly careless,
this monitoring technique can be re-used to
find more phishers. For example, Fortinet was
able to use this same strategy to catch the
Microsoft Fake AntiVirus Group.
This group has the following characteristics:
• They register their attack domains under free top-level domains such as .tk, .ml and .ga; Fortinet has observed them registering over 100 new domains daily
• They always use name servers hosted by Freenom (ns02[.]freenom[.]com)
• The hosting domains always use the same set of dedicated IP addresses
Because Freenom’s name servers are shared by every other customer of that registrar, they are not useful on their own for isolating this group. Fortinet has instead been able to catch the group by monitoring its dedicated IP addresses.
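The iterative expansion from known phishing domains to registrants, name servers and IP addresses described above, and the reason the Freenom group has to be tracked by its dedicated IPs rather than its shared name servers, can both be shown in one small pivoting routine. The following is an added example and is not Fortinet’s tooling or code; the domains, email addresses, name server hosts and IP addresses in the sample corpus are constructed for illustration (documentation address ranges and .test names), and only the registrant mail domain e.o-w-o.info is the pattern quoted in the article.

```python
"""Infrastructure pivoting from seed phishing domains.

Added example, not Fortinet's tooling: it models the expansion step the
article describes. Start from known phishing domains, read each one's WHOIS
registrant, name servers and hosting IP, pull in every other domain that
shares one of those attributes, and repeat until no new domain appears.
Values that belong to shared infrastructure (Freenom's public name servers,
a free-mail provider used by thousands of unrelated registrants) are never
used as pivots, because expanding through them would sweep in innocent
customers. That is why a group sitting on shared name servers has to be
tracked by its dedicated IP addresses instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant: str       # WHOIS registrant e-mail address
    name_servers: tuple   # authoritative name servers (NS records)
    ip: str               # address the domain resolves to (A record)


# Constructed sample corpus. Every domain, e-mail local part, name server host
# and IP below is invented (documentation address ranges, .test names); only
# the registrant mail domain e.o-w-o.info is the pattern quoted in the article.
RECORDS = [
    # Group A: bulk-registered, one registrant mail domain, own name servers.
    DomainRecord("verify-account-01.test", "x1@e.o-w-o.info",
                 ("ns1.ph-dns.test", "ns2.ph-dns.test"), "203.0.113.10"),
    DomainRecord("verify-account-02.test", "x2@e.o-w-o.info",
                 ("ns1.ph-dns.test", "ns2.ph-dns.test"), "203.0.113.11"),
    DomainRecord("update-billing.test", "x9@e.o-w-o.info",
                 ("ns1.ph-dns.test", "ns2.ph-dns.test"), "203.0.113.12"),
    # Different registrant, but parked on the same dedicated name servers.
    DomainRecord("secure-login-now.test", "other@mail.test",
                 ("ns1.ph-dns.test", "ns2.ph-dns.test"), "203.0.113.10"),
    # Group B: free TLDs on Freenom's shared name servers, dedicated IPs.
    DomainRecord("ms-antivirus-alert.tk", "free1@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "198.51.100.7"),
    DomainRecord("windows-warning.ml", "free2@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "198.51.100.7"),
    DomainRecord("ms-support-alert.ga", "free2@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "198.51.100.8"),
    DomainRecord("pc-infected.ga", "free3@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "198.51.100.8"),
    # Unrelated customers of the same free registrar: must not be pulled in.
    DomainRecord("my-hobby-blog.tk", "hobby@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "192.0.2.50"),
    DomainRecord("chess-club.ga", "club@mail.test",
                 ("ns01.freenom.com", "ns02.freenom.com"), "192.0.2.51"),
    DomainRecord("corp-site.test", "it@corp.test",
                 ("ns1.bigdns.test",), "192.0.2.60"),
]

# Constructed list of attribute values that are shared infrastructure and so
# useless as pivots. In practice this is a maintained list of large hosters,
# registrar default name servers and free-mail domains, or anything whose
# fan-out in the corpus exceeds a threshold.
SHARED_INFRASTRUCTURE = {"ns01.freenom.com", "ns02.freenom.com", "mail.test"}


def attributes(record):
    """Yield the (kind, value) pairs a record can be pivoted on."""
    yield ("registrant", record.registrant.lower())
    yield ("registrant_domain", record.registrant.lower().split("@", 1)[1])
    for ns in record.name_servers:
        yield ("ns", ns.lower())
    yield ("ip", record.ip)


def expand(seeds, records=RECORDS, shared=SHARED_INFRASTRUCTURE, max_rounds=20):
    """Iteratively expand seed domains into related infrastructure.

    Returns (domains found, pivots that linked two or more domains, rounds run).
    """
    by_domain = {r.domain: r for r in records}
    index = defaultdict(set)            # attribute -> domains carrying it
    for r in records:
        for attr in attributes(r):
            index[attr].add(r.domain)

    found = set(seeds)
    frontier = set(seeds)               # domains not yet pivoted from
    pivots_used = set()
    rounds = 0
    while frontier and rounds < max_rounds:
        rounds += 1
        reached = set()
        for domain in frontier:
            record = by_domain.get(domain)
            if record is None:          # seed we hold no WHOIS/DNS data for
                continue
            for attr in attributes(record):
                if attr[1] in shared:   # never pivot through shared infrastructure
                    continue
                if len(index[attr]) > 1:
                    pivots_used.add(attr)
                reached |= index[attr]
        frontier = reached - found      # only genuinely new domains feed the next round
        found |= frontier
    return found, pivots_used, rounds


if __name__ == "__main__":
    for seed in ("verify-account-01.test", "ms-antivirus-alert.tk"):
        found, pivots, rounds = expand([seed])
        print(f"seed {seed}: {len(found)} related domains after {rounds} rounds")
        print("  domains:", ", ".join(sorted(found)))
        print("  pivots :", ", ".join(f"{k}={v}" for k, v in sorted(pivots)))
```

Seeding with one of the bulk-registered domains reaches the whole of group A in two rounds through the registrant mail domain and the dedicated name servers, and the fourth domain with a different registrant is pulled in purely because it sits on the same name servers. Seeding with one Freenom-hosted domain reaches the rest of group B only through its IP addresses and a repeated registrant, taking several hops, while the hobby sites on the same Freenom name servers stay out because those name servers are excluded as pivots.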
Doros Hadjizenonos, Regional Sales Director
at Fortinet, said: “Cybercriminals tend to do
the same things over and over again.
“Our Fortinet Threat Landscape Report
for Q1 of 2019 showed that a surprising
number of attackers use the exact same
web-based infrastructure and leverage
those resources at the exact same step on
their attack cycle.
“Learn those patterns and you can begin to
see and even anticipate an attack before it is
even launched.”
However, not every cybercriminal is careless. Fortinet says phishing sites are usually hosted on compromised websites, so the threat actor owns none of the infrastructure that investigators can see and their behaviour is easily concealed. Other methods for obscuring phishing activities often include:
• Using compromised websites to host
phishing sites
• Using free hosting websites
• Abusing free Microsoft web services
• Using shared web hosting services and
shared name server services
“The best approach to countering phishing
attacks is to regularly train all personnel to
be wary of unknown senders and to not click
on links or attachments of suspicious emails,”
said Hadjizenonos.
www.intelligentcio.com