A FortiGuard SE Threat Research Blog
As a threat researcher, I have learned that continually monitoring malicious activities often provides unique insights into criminal behavior. This is due to three things.
First, threat actors tend to be more like sheep than mavericks because they work in clusters. I don’t mean they work together; but when a particular attack strategy yields some success, you will soon see a lot of criminals targeting the same opportunity. Solving that problem means that you can shut down a lot of criminal activity in one fell swoop.
Second, cybercriminals tend to do the same things over and over again. Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same web-based infrastructure, and leverage those resources at the exact same step on their attack cycle. Learn those patterns and you can begin to see and even anticipate an attack before it is even launched.
And finally, they sometimes just make mistakes that uncover a process that might never be seen otherwise.
For example, this last June and July, the Fortinet Web Filtering team observed a large influx of Phishing domains being registered in batches by a Phishing threat actor or group. We immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to this campaign. Because of some careless behaviors that if avoided could have masked their behavior, we were able to learn the following:
We started with known Phishing domains, find registrants and name servers. We then iteratively expand our search to bring in more related IOCs. After the expansion of some malicious seeds, we were then able to blacklist about 3000 Phishing IOCs.
Below is a sample of Registrant Activity for an email using the identified pattern shown above – firstname.lastname@example.org[.]info:
Based on our telemetry data, this phishing campaign targeted over 100 countries. Only the top twenty are listed here:
FortiGuard Labs uses a proprietary IOC tracking system that allows us to visualize how attacks spread and the relationship between data points. The image below is an interesting attack cluster. The blue dots are dedicated name servers. The green dots are unknown domains. And the red dots are known phishing domains. The large orange node at the center is a malicious registrant.
Because many Phishers are similarly careless, we can re-use this monitoring technique to find more phishers. For example, we were able to use this same strategy to catch the Microsoft Fake AntiVirus Group. This group has the following characteristics:
We have been able to catch this group by monitoring their dedicated IP addresses.
Phishing sites are usually hosted on compromised websites. As a result, the threat actor’s behavior is easily concealed. Other methods for obscuring Phishing activities often include
The first campaign analyzed in this report stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, we were able to monitor their campaign closely. We can similarly monitor other phishing threat actors as long as they consistently use a dedicated infrastructure (IP address, Name Server, or WHOIS registrants), or use some unique URL patterns in their Phishing sites.
Of course, only a small percentage of Phishers use these detectable strategies. The best approach to countering Phishing attacks, therefore, is to regularly train all personnel to be wary of unknown senders and to not click on links/attachments of suspicious emails.
All detected websites and domains associated with this attack – more than 3,000 Phishing IOCs to date – have been blacklisted by the Fortinet web filtering solution, which is used by FortiMail, FortiGate, and FortiClient to prevent phishing and other web-based attacks. We will continue to add domains and websites associated with this phishing attack as they are uncovered.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.