At OpenDNS Labs we have developed a number of predictive models to hunt down evil on the Internet. We have discussed in previous blogs and conferences our algorithms NLPRank [1][2][3], Spike detector [4][5][6], and malicious IP space/rogue host detectors [7][8](section 14)[9][10][11][12][13][14][15].

In this blog we will discuss how we integrate all of these detection models to improve detection coverage of current threats and walk through a few interesting examples.

Phishing and Spikes

One of the recent samples we found was a Facebook phishing campaign surfaced by our real-time alert system. Our NLPRank model detected a campaign of phishing sites spoofing Facebook under the second-level domain (2LD) 2nso3s[.]com.

For this particular domain, visiting the 2LD 2nso3s[.]com from your browser redirects you to a URL that looks like:

http://facebook[.]com.accounts[.]login[.]userid[.]280964[.]2nso3s[.]com/wec/fbn/?next=http%3A%2F%2Fwww.facebook.com%2videos%2F%3A%4A%4ID%1A

As we can see from the next parameter in the URL, the next page routes you directly to the legitimate facebook[.]com once the entered credentials have been stolen. We also cross-referenced this domain with our crowd-sourced system PhishTank and found that someone from the community had submitted one of these hostnames.

Something to take note of here is that upon each subsequent request to the same site, the third-level domain (3LD) rotates through integers (indicative of a fluxing domain name). Rotating subdomains is a technique similar to the one used by the Careto malware, also known as The Mask. Here are some samples from Careto:

  • paypal.com[.]0[.]security-confirmation[.]9f15ebd9884fb6a44f873d4bdf41aebc.hvh7[.]hyd[.]me
  • www[.]paypal.com[.]0[.]login-confirmation.account-security[.]979e0a277a1848104c3ee6b4bc928152.231[.]hyd[.]me
  • www[.]paypal[.]com[.]confirmation[.]account-security[.]dbf2b36a883bddda923a341409e6b8abdbf2b36a883bddda923a341409e6b[.]wsedw[.]hyd[.]me
  • paypal[.]com[.]0[.]security-confirmation[.]fc1618c9ae39989770371191790a772b[.]er44.hyd[.]me

This domain hyd[.]me exhibits steady, high-volume traffic. In fact, it is a domain sinkholed by Kleissner & Associates, which has since been acquired by LookingGlass.

[Screenshot: traffic for hyd[.]me]

Going back to our initial 2LD 2nso3s[.]com serving the Facebook phishing URLs, what is also interesting is the massive traffic spike, which is atypical for phishing domains. Here is the traffic pattern for 2nso3s[.]com:

[Figure 1: traffic pattern for 2nso3s[.]com]

Visiting the domain in the browser shows that it is spoofing the Facebook login page:

[Figures 3a, 3b and 3c: screenshots of the spoofed Facebook login page, each showing a different 3LD in the FQDN]

One can see from the above screenshots that the 3LD in the FQDN is rotating; this happens over tens of thousands of queries. Figure 4 shows another interesting catch with similar characteristics, detected by both the Spike and NLPRank models: ebayonline[.]cc.

[Figure 4: traffic pattern for ebayonline[.]cc]

This sample is also rotating through subdomains:

  • seo28.ebayonline[.]cc
  • seo115.ebayonline[.]cc
  • seo159.ebayonline[.]cc
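As an added example (not code from the OpenDNS post or its models), the two signals described above, a brand name appearing in a label of a non-brand 2LD and a 3LD that rotates through integers, can be checked over DNS query logs; the hostnames, brand list and threshold below are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed hostnames as they might appear in DNS query logs (sample data,
# not real traffic), modelled on the patterns described in this post.
SAMPLE_LOG = """\
facebook.com.accounts.login.userid.280964.2nso3s.com
facebook.com.accounts.login.userid.280965.2nso3s.com
facebook.com.accounts.login.userid.280966.2nso3s.com
seo28.ebayonline.cc
seo115.ebayonline.cc
seo159.ebayonline.cc
www.facebook.com
"""
# Brand keywords and the registered domains that may legitimately carry them.
BRANDS = {"facebook": {"facebook.com"}, "ebay": {"ebay.com"},
          "paypal": {"paypal.com"}, "google": {"google.com", "google-analytics.com"}}

def split_host(fqdn):
    """Return (2LD, 3LD label, all labels). Assumes a one-label public suffix;
    a production system would consult the Public Suffix List instead."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), (labels[-3] if len(labels) >= 3 else ""), labels

def brand_spoof(fqdn):
    """NLPRank-style check: a brand keyword sits in a label of a hostname whose
    2LD is not one of that brand's own domains. Returns the brand or None."""
    two_ld, _, labels = split_host(fqdn)
    for brand, legit in BRANDS.items():
        if two_ld not in legit and any(brand in lbl for lbl in labels[:-1]):
            return brand
    return None

def rotating_3ld(log_text, min_distinct=3):
    """2LDs whose 3LD keeps changing with a numeric part, as 2nso3s[.]com and
    ebayonline[.]cc did; returns {2LD: number of distinct numeric 3LDs}."""
    seen = defaultdict(set)
    for fqdn in (line.split()[0] for line in log_text.splitlines() if line.strip()):
        two_ld, three_ld, _ = split_host(fqdn)
        if re.search(r"\d", three_ld):
            seen[two_ld].add(three_ld)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_distinct}

def review(log_text):
    """Combine both signals: 2LDs that spoof a brand and rotate their 3LD."""
    rotating, hits = rotating_3ld(log_text), {}
    for fqdn in (line.split()[0] for line in log_text.splitlines() if line.strip()):
        two_ld, brand = split_host(fqdn)[0], brand_spoof(fqdn)
        if brand and two_ld in rotating:
            hits[two_ld] = brand
    return hits
```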

Here is another sample of a spoofed-brand domain exhibiting features detected by both models, analytics-google[.]com:

[Figure 5: traffic pattern for analytics-google[.]com]

There are many variations spoofing google-analytics; however, they have a much smaller request rate. For example, Figure 6 displays traffic from google–analytics[.]com:

[Figure 6: traffic from google–analytics[.]com]

As we can see, this spoofing domain has much lower traffic counts, which is more typical of phishing domains. Here is an example of a PayPal phish, mpaypaal[.]com, also exhibiting a low query count:

[Screenshot: query count for mpaypaal[.]com]

When viewing the page, we see the attacker copying the login page of the original PayPal site and phishing for credentials:

[Screenshot: the mpaypaal[.]com phishing page]

Investigate and Visualization

Going back to 2nso3s[.]com, data visualization and Investigate can provide further interesting insights into this domain.

First of all, we can use our “Life of a Domain” visualization to get a better representation of the domain’s lifetime and all its key events. Let’s have a look:

[Screenshot: “Life of a Domain” visualization for 2nso3s[.]com]

We can see a couple of things. The two blue dots represent the domain registration: our domain was registered fairly recently (mid-August 2015) and is scheduled to expire the following year. On this visualization we typically also see a couple of red circles showing when the domain was tagged/flagged by our analysts, which wasn’t the case here. (Of course, now it’s all blocked.)

We can also see that the domain was registered with an address in Mexico. Interestingly, the client traffic comes mainly from the US, Russia, France, and the UK. We also have the phone number and an email address, which allow us to dig deeper into our investigation.

From the email address “mireyadreedjs@yahoo.com” and using the Investigate data, we can search our WHOIS database to discover which other domains were registered by the same account:

2nso3s[.]com
2nsoe93[.]com
32nos35[.]com
34scw3[.]com
34swe2[.]com
3sn39s[.]com
3snose4[.]com
an340sm[.]com
dv324do[.]com
23oens9[.]com
23ud82[.]com
349sln2[.]com
3skd93[.]com

From these domains we can keep mining and discover subdomains, attached URLs, IP addresses, and even hashes of the malware hosted on these servers. We can then use all this correlated data to build a map of the full infrastructure of the phishing campaign. All of this is done very simply using our homemade data-miner script (more about that in a later blog), and we can visualize the result in 3D with OpenGraphiti.

[OpenGraphiti 3D visualization of the campaign infrastructure]

Once we’ve extracted and visualized all of these new candidates, we can use another interesting visualization called “Parallel Coordinates.” The idea is to represent the features of our candidates stacked together in a single graph. The horizontal axis represents the set of features in our vector (pictured here we have Investigate + VirusTotal features), and the vertical axis represents the values those features take for each vector. See below:

[Screenshot: Parallel Coordinates visualization of the candidate domains]

Considering that this simple diagram displays 100 domains at the same time, we can see at first sight that they have a lot in common, given the small distance between all the curves. These domains have a low popularity, which means they have seen a small amount of traffic. They were created only about 10 days ago (the age axis is on a log scale) and map to only one IP, one prefix, one ASN, and only one country. They have a constant TTL set to a very high interval, about 90,000 seconds (the TTL standard deviation is zero). The geographical distance between their IPs is small, which is expected since they have only one. The entropy of the domain names is pretty high due to the DGA part of the name. The status is -1 for all of them, meaning that OpenDNS is actively blocking all of them at the moment. And finally, they have 10 or more URLs that have been flagged on VirusTotal.
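As an added illustration (not Investigate or OpenGraphiti code), here is how the feature axes on the Parallel Coordinates plot can be computed and the “small distance between the curves” measured numerically; the domain records, dates and counts are constructed, and the min-max scaling and distance threshold are assumptions of this example.

```python
import math
from collections import Counter
from datetime import date
OBSERVED = date(2015, 9, 2)  # observation date assumed for this example
# Constructed per-domain records (illustrative values, not Investigate or
# VirusTotal output): creation date, a query count standing in for popularity,
# observed TTLs and (ip, prefix, asn, country) tuples from resolution.
RECORDS = {
    "2nso3s.com": dict(created=date(2015, 8, 20), queries=120, ttls=[90000, 90000, 90000],
                       ips=[("104.238.179.129", "104.238.178.0/23", 20473, "US")]),
    "34swe2.com": dict(created=date(2015, 8, 21), queries=80, ttls=[90000, 90000],
                       ips=[("104.238.179.129", "104.238.178.0/23", 20473, "US")]),
    "example-news.com": dict(created=date(2009, 3, 2), queries=500000, ttls=[300, 600, 300],
                             ips=[("198.51.100.7", "198.51.100.0/24", 64500, "US"),
                                  ("203.0.113.9", "203.0.113.0/24", 64501, "DE")]),
}

def shannon_entropy(label):
    """Bits per character of the registered label (DGA-like names score high)."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def features(name, rec):
    """One value per axis of the Parallel Coordinates plot."""
    ttls, ips = rec["ttls"], rec["ips"]
    mean_ttl = sum(ttls) / len(ttls)
    columns = dict(zip(("n_ips", "n_prefixes", "n_asns", "n_countries"), zip(*ips)))
    return {
        "log_age": math.log10(max((OBSERVED - rec["created"]).days, 1)),
        "log_popularity": math.log10(rec["queries"]),
        **{k: len(set(col)) for k, col in columns.items()},  # distinct IPs, prefixes, ...
        "mean_ttl": mean_ttl,
        "ttl_sd": math.sqrt(sum((t - mean_ttl) ** 2 for t in ttls) / len(ttls)),
        "entropy": shannon_entropy(name.split(".")[0]),
    }

def distances(records=RECORDS):
    """Pairwise Euclidean distance after min-max scaling every axis to [0, 1]."""
    vecs = {n: features(n, r) for n, r in records.items()}
    keys = list(next(iter(vecs.values())))
    lo = {k: min(v[k] for v in vecs.values()) for k in keys}
    hi = {k: max(v[k] for v in vecs.values()) for k in keys}
    scale = lambda v: [(v[k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0 for k in keys]
    return {(a, b): math.dist(scale(vecs[a]), scale(vecs[b]))
            for a in vecs for b in vecs if a < b}

def siblings(seed, threshold=1.0, records=RECORDS):
    """Domains whose scaled feature vector lies within threshold of the seed."""
    d = distances(records)
    return sorted(n for n in records if n != seed and d[tuple(sorted((seed, n)))] <= threshold)
```

A small distance means two curves that almost overlap on the plot, which is what the campaign domains show and an unrelated, long-lived domain does not.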

Dissecting hosting IP space

We can use our malicious IP space/rogue host monitoring models to investigate the hosting IP infrastructure of the 13 2LDs registered by mireyadreedjs@yahoo.com. These 2LDs are all hosted on IPs that are part of AS20473 (AS-CHOOPA – Choopa, LLC), but more specifically they all fall under the hoster Vultr, a subsidiary of Choopa, LLC.

Vultr is more or less a DigitalOcean clone competing with it in the affordable VPS market. Vultr’s IP space spans more than 65,000 IPs located in North America, Europe, and Asia/Pacific. Its cost-effectiveness, however, has also made it an attractive platform for criminals to host exploit kit domains, phishing sites, and other gray content.

[Map: Vultr locations]

In the table below, for reference, we show all the phishing 2LDs with their corresponding IPs, prefixes, ASNs, and specific hoster, as well as the total number of phishing hostnames we recorded on those IPs and a link to all hostnames on each IP.

2LD                      IP               prefix            ASN    hoster  # of hostnames on IP  hostnames
3sn39s.com               104.156.254.188  104.156.254.0/23  20473  Vultr   3                     list of domains
32nos35.com              104.156.255.253  104.156.254.0/23  20473  Vultr   452                   list of domains
dv324do.com              104.156.255.91   104.156.254.0/23  20473  Vultr   197                   list of domains
349sln2.com              104.207.156.185  104.207.156.0/22  20473  Vultr   101                   list of domains
2nso3s.com, 34swe2.com   104.238.179.129  104.238.178.0/23  20473  Vultr   2896                  list of domains
2nsoe93.com, 34scw3.com  108.61.215.91    108.61.215.0/24   20473  Vultr   91                    list of domains
23oens9.com, 23ud82.com  45.63.59.217     45.63.48.0/20     20473  Vultr   168                   list of domains

Vultr has been on our radar for quite some time: we have been monitoring its IP space over the past few months and flagged it as hosting, among other things, exploit kit domains and exploit kit nameservers, particularly for Nuclear EK.

In the table below, we share a sample of IPs on Vultr that we flagged in the past six months as hosting Nuclear EK landing domains.


Takeaways

In conclusion, first, it is apparent from these findings that integrating multiple models enhances our coverage and increases our detection rate. Combining NLPRank, Spike Detection, and the IP monitoring models provides a way to surface large-scale phishing campaigns and automatically block them in real time. Second, bulletproof or abused hosting providers persistently cater to a diversity of “badness,” whether phishing, exploit kits, malware, or gray content in general. Our global visibility into the attack surface comes in handy for consistently monitoring and rapidly catching these threats from different angles.

If you’d like to learn more about our research related to these topics, we will be presenting in October at BruCon and Hack.lu.

“Unified DNS View to Track Threats”, Dhia Mahjoub and Thomas Mathew, at BruCon

“A Collective View of Current Trends in Criminal Hosting Infrastructures”, Dhia Mahjoub, at Hack.lu
