Security

PhishFinder: Hook, Line and Sinker

By Austin McBride
Posted on November 11, 2016
Updated on July 24, 2020


Harvesting phishing sites for filtering has always been an uphill battle. Many phishing sites are designed to look as close as possible to the legitimate pages they imitate. The more genuine a page looks, the greater the chance that someone willingly hands over sensitive personal information, and the harder it is to determine whether the site is legitimate or a phish. Phishing pages also have a high turnover rate: more often than not, a site is live for only a day or two, sometimes just hours, before it is discovered and taken down, or moved to a different URL. Reasons like these have made tackling phishing sites a tedious chase.

New Recommender System on Phishtank To Automate Submission Verification

After searching for a solution to this obstacle, OpenDNS Labs came up with the idea of using its phishing detection model, NLPRank, as a recommender system on our community-based phishing verification system, PhishTank, to improve phishing verification time.

This new, automated approach to the verification process is outlined as follows:

  1. The algorithm takes a submission (domain or URL) from the submitter/community as input and checks it against existing OpenDNS allow lists and ASN filters. This initial step filters out false positives and the spammy submissions that are often sent to PhishTank.
  2. If the URL makes it past these first checkpoints, the system fetches the source code/content from the submission URL for review.
  3. That source code is then analyzed by our machine learning system, which, in a nutshell, compares the submission content to a curated corpus of content from commonly spoofed brands and returns a similarity score. If the similarity score is above the predetermined threshold, the URL is labeled as a phish and sent to our proxy for auto-blocking.
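The three steps above as a runnable Python sketch. This is an added example, not the PhishFinder or NLPRank code: the allow list, the ASN lookup table, the brand snippets, the fetched page content and the 0.5 threshold are all constructed for the example, and a plain bag-of-words cosine similarity stands in for the real model's similarity score. The fetch step is injected as a function so the whole thing runs offline.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-ins for the OpenDNS allow list and ASN filter (assumptions for this example).
ALLOW_LIST = {"apple.com", "google.com", "paypal.com", "opendns.com"}
ASN_FILTER = {"AS64500"}                       # hypothetical ASN whose submissions are dropped as spam
DOMAIN_ASN = {                                 # hypothetical domain -> origin ASN lookup
    "appleid-apple-icloud-safe-link.com": "AS64496",
    "cdn-example.net": "AS64500",
}

# Constructed snippets standing in for the curated corpus of commonly spoofed brand content.
BRAND_CORPUS = {
    "apple": "Sign in to iCloud Apple ID password Verify your Apple ID account locked",
    "google": "Sign in Gmail Google Account one account all of Google enter your password",
    "paypal": "Log in to your PayPal account email address password stay logged in",
}
THRESHOLD = 0.5                                # assumed; the real threshold is tuned on labelled data


def registered_domain(url):
    """Reduce a URL or bare hostname to its last two labels (naive, but enough for this example)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def prefilter(url):
    """Step 1: reject allow-listed domains and submissions from filtered ASNs."""
    dom = registered_domain(url)
    if dom in ALLOW_LIST:
        return False, "allow-listed"
    if DOMAIN_ASN.get(dom) in ASN_FILTER:
        return False, "asn-filtered"
    return True, "ok"


def tokens(text):
    """Bag of words: strip HTML tags, lower-case, keep alphanumeric words of 3+ characters."""
    text = re.sub(r"<[^>]+>", " ", text)
    return Counter(re.findall(r"[a-z][a-z0-9]{2,}", text.lower()))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def brand_similarity(html):
    """Step 3: score the page against each brand snippet and return (best score, brand)."""
    page = tokens(html)
    return max((cosine(page, tokens(text)), brand) for brand, text in BRAND_CORPUS.items())


def classify_submission(url, fetch):
    """Run the full pipeline. `fetch` is injected so the example can run offline."""
    passed, reason = prefilter(url)
    if not passed:
        return {"url": url, "verdict": "rejected", "reason": reason}
    html = fetch(url)                          # Step 2: fetch the submitted page's content
    score, brand = brand_similarity(html)
    verdict = "phish" if score >= THRESHOLD else "unverified"
    return {"url": url, "verdict": verdict, "brand": brand, "score": round(score, 3)}


# Constructed page content standing in for a live fetch of the submitted URL.
FAKE_PAGES = {
    "http://appleid-apple-icloud-safe-link.com/login":
        "<html><title>Apple ID</title><body>Sign in to iCloud. Enter your Apple ID and password. "
        "Your Apple ID account has been locked. Verify your account.</body></html>",
}


def offline_fetch(url):
    return FAKE_PAGES.get(url, "<html><body>nothing here</body></html>")


if __name__ == "__main__":
    for u in ("http://apple.com/", "http://cdn-example.net/x",
              "http://appleid-apple-icloud-safe-link.com/login", "http://unrelated-blog.com/"):
        print(classify_submission(u, offline_fetch))
```

The order of the checks matters operationally: the cheap allow-list and ASN filters run before anything is fetched, so a submitter cannot use PhishTank to make the verifier hammer legitimate sites, and only what survives those filters costs a fetch and a model evaluation.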

Figure 1 shows a diagram of how the system works:


Figure 1

The eventual plan is to integrate the results of our recommender system back into PhishTank and share them with the community. PhishTank's current approach of "submit a domain and wait for the community to verify" has served well so far, and it remains best in class as one of the largest sources of human-curated data on phishing sites. The drawback is that this approach ages as time marches on: as the Time to Verify grows, the efficacy of the feed suffers. The new recommender system increases the effectiveness of PhishTank and improves the overall experience for the thousands of users that consume PhishTank's verified-phish feed.

Rogue Infrastructure Detection

While this method is outstanding for real-time blocking of active phishes, it is reactive, and at OpenDNS Labs we are all about pushing the limits to develop predictive models. So how do we evolve this system to be truly predictive and block phishing sites and their hosting infrastructure before they are even created? Consider the notion that phishes can be a bit like cockroaches: if you see one marching around your house, chances are there are many more close by, out of sight. By taking the verified results of the NLPRank process and pivoting through their server IPs using Investigate, we are able to uncover handfuls of other registered phishing domains serving the very campaign that was initially discovered. When we dig deeper into the adversaries' WHOIS records, specifically the registrant email, we uncover even more of the same. By adding these IPs and registrants to our block list, we stay ahead of the curve and greatly increase the chance that our users are protected from widespread phishing campaigns. Figure 2 shows a diagram of the Rogue Infrastructure Classification system.

  1. First we take dedicated phishing domains that we have caught with the recommender system.
  2. We then query OpenDNS Investigate for domains associated with the hosting IP and with the registrant email address from their WHOIS records.
  3. We then build a classifier on features of the domains living on these infrastructures to detect rogue registrants and IP addresses, and in turn push them to our block list.

In this sense we can predict the infrastructure phishers will use as it is being set up, and we are now blocking phishing sites even before they go live with spoofed content.
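The pivot-and-classify procedure above as an added Python example, not OpenDNS's code. The Investigate queries are replaced by an in-memory table of constructed records: the seed is the dedicated phishing domain the post names further down, but the other domains, the registrant emails and the IPs (taken from the RFC 5737 documentation ranges) are invented. The per-domain features, the weights and the 0.4 cut-off are assumptions; the post does not disclose the real feature set or classifier.

```python
import re
from collections import defaultdict

# Constructed stand-in for OpenDNS Investigate lookups: domain -> (hosting IP, WHOIS registrant email,
# already confirmed as a phish by the recommender system). IPs are from the RFC 5737 documentation
# ranges; the emails and every domain except the seed are invented for this example.
RECORDS = {
    "appleid-apple-icloud-safe-link.com": ("192.0.2.10",   "reg1@example.net",  True),
    "icloud-verify-account-support.com":  ("192.0.2.10",   "reg1@example.net",  False),
    "appleid-secure-login-check.net":     ("192.0.2.10",   "reg2@example.net",  False),
    "apple-id-unlock-service.com":        ("198.51.100.7", "reg1@example.net",  False),
    "hometown-bakery-recipes.com":        ("203.0.113.5",  "baker@example.org", False),
    "local-cycling-club.org":             ("203.0.113.5",  "club@example.org",  False),
}

BRAND_TERMS = {"apple", "appleid", "icloud", "google", "gmail", "paypal",
               "account", "login", "secure", "verify"}
ROGUE_THRESHOLD = 0.4                        # assumed cut-off for flagging an IP or registrant

_BY_IP = defaultdict(list)
_BY_REGISTRANT = defaultdict(list)
for _d, (_ip, _email, _) in RECORDS.items():
    _BY_IP[_ip].append(_d)
    _BY_REGISTRANT[_email].append(_d)


def domains_on_ip(ip):
    return sorted(_BY_IP.get(ip, []))


def domains_for_registrant(email):
    return sorted(_BY_REGISTRANT.get(email, []))


def pivot(seed):
    """Steps 1-2: from a confirmed phish, collect every other domain sharing its IP or registrant."""
    ip, email, _ = RECORDS[seed]
    related = set(domains_on_ip(ip)) | set(domains_for_registrant(email))
    related.discard(seed)
    return ip, email, sorted(related)


def domain_features(domain):
    """Per-domain lexical features (assumed; the post does not list the real feature set)."""
    label = domain.rsplit(".", 1)[0]                       # drop the TLD
    words = [w for w in re.split(r"[-.]", label) if w]
    return {
        "hyphens": label.count("-"),
        "brand_hits": sum(1 for w in words if w in BRAND_TERMS),
    }


def infra_score(domains):
    """Step 3: aggregate features over the domains sharing one IP or registrant.

    Weighted mix of: share already confirmed as phish, share whose name carries two or more
    brand/credential terms, and share with two or more hyphens. Weights are assumptions.
    """
    if not domains:
        return 0.0
    n = len(domains)
    confirmed = sum(1 for d in domains if RECORDS[d][2])
    brandy = sum(1 for d in domains if domain_features(d)["brand_hits"] >= 2)
    hyphenated = sum(1 for d in domains if domain_features(d)["hyphens"] >= 2)
    return round(0.5 * confirmed / n + 0.3 * brandy / n + 0.2 * hyphenated / n, 3)


def classify_infrastructure(seed):
    """Score the seed's hosting IP and registrant; return the scores and the block list entries."""
    ip, email, _ = pivot(seed)
    ip_score = infra_score(domains_on_ip(ip))
    reg_score = infra_score(domains_for_registrant(email))
    blocklist = set()
    if ip_score >= ROGUE_THRESHOLD:
        blocklist.add(("ip", ip))
    if reg_score >= ROGUE_THRESHOLD:
        blocklist.add(("registrant", email))
    return {"ip": ip, "ip_score": ip_score, "registrant": email, "registrant_score": reg_score}, blocklist


def predictive_block(new_ip, new_registrant, blocklist):
    """A freshly registered domain landing on blocked infrastructure is blocked before it serves content."""
    return ("ip", new_ip) in blocklist or ("registrant", new_registrant) in blocklist


if __name__ == "__main__":
    seed = "appleid-apple-icloud-safe-link.com"
    print("pivot:", pivot(seed))
    scores, blocklist = classify_infrastructure(seed)
    print("scores:", scores)
    print("blocklist:", sorted(blocklist))
    # A hypothetical new domain appearing on the flagged IP is blocked with no content check.
    print("new domain on 192.0.2.10 blocked:", predictive_block("192.0.2.10", "new@example.net", blocklist))
    print("benign infrastructure score:", infra_score(domains_on_ip("203.0.113.5")))
```

Two points the example is built to show. First, the classifier runs on the infrastructure, not on any single domain: the benign IP above hosts two hyphenated domains and still scores below the cut-off because nothing on it is confirmed or brand-themed. Second, once an IP or registrant is on the block list, a new domain registered on it is blocked from its first DNS lookup, which is the "before they go live" property the post describes; a shared hosting or CDN address would need to be excluded from that rule before it is used in production, because the same pivot would otherwise block every tenant.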


Figure 2

Our phishing recommender system is still in its very early stages of production; however, the results and accuracy of its output thus far have been exceptional. As we push forward and continue to mature the recommender system with PhishTank and OpenDNS data, we only stand to increase the level of security delivered to the thousands of OpenDNS users worldwide.

Here is an example of a dedicated phishing site we found, appleid-apple-icloud-safe-link[.]com, where we pivoted on the email address and also the server IP address, and were able to uncover this rogue hosting infrastructure.

Figure 3 displays some domains, IPs, and email registrants associated with a recent Apple phishing campaign that we have been tracking for a while now and that we visualized with OpenGraphiti. We were able to discover and block these actors with the new rogue hosting infrastructure detection system we have created.

Figures 4, 5, and 6 (below) show a specific example of the type of infrastructure we are catching and predictively blocking with these new techniques. We have had the hosting IP address for httpsaccounts-gooogle[.]cf on our block list since July, but we are still seeing new phishing pages come alive on this IP, and we block them before they are even up and running. This demonstrates the power of our new rogue hosting classification system.


Figure 4

Figure 5 below shows the landing page serving the phishing content spoofing Gmail.


Figure 5

Figure 6 below shows the IP 45.63.0.49 polluted with phishing content:


Figure 6

As the results above show, we are uncovering new rogue hosting providers daily that are leveraged for phishing campaigns and other toxic content. The system is still evolving, but our findings are very promising and we look forward to sharing more of them with the community in the future.
