At OpenDNS Labs we have developed a number of predictive models to hunt down evil on the Internet. We have discussed in previous blogs and conferences our algorithms NLPRank [1][2], Spike detector [3][4][5], and malicious IP space/rogue host detectors [6](section 14)[7][8][9][11].
In this blog we will discuss how we integrate all of these detection models to improve detection coverage of current threats and walk through a few interesting examples.
Phishing and Spikes
One of the recent samples we have found was a Facebook phishing campaign that was surfaced by our real-time alert system. Our model NLPRank detected the campaign of Facebook phishing sites spoofing Facebook under the second-level domain (2LD) 2nso3s[.]com.
For this particular domain, when visiting the 2LD, 2nso3s[.]com from your browser, you would be directed to a URL that looks like:
http://facebook[.]com.accounts[.]login[.]userid[.]280964[.]2nso3s[.]com/wec/fbn/?next=http%3A%2F%2Fwww.facebook.com%2videos%2F%3A%4A%4ID%1A
As we can see from the next= parameter in the URL path, the victim is redirected to the legitimate facebook[.]com once the entered credentials have been stolen. We also cross-referenced this domain with our crowd-sourced system PhishTank and found that someone from the community had submitted one of these hostnames.
Something to take note of here is that upon each subsequent request to the same FQDN, the third-level domain (3LD) appears to rotate through integers (indicative of domain-name fluxing). Rotating subdomains is a technique similar to the one used by the Careto malware, also known as The Mask. Here are some samples from Careto:
- paypal.com[.]0[.]security-confirmation[.]9f15ebd9884fb6a44f873d4bdf41aebc.hvh7[.]hyd[.]me
- www[.]paypal.com[.]0[.]login-confirmation.account-security[.]979e0a277a1848104c3ee6b4bc928152.231[.]hyd[.]me
- www[.]paypal[.]com[.]confirmation[.]account-security[.]dbf2b36a883bddda923a341409e6b8abdbf2b36a883bddda923a341409e6b[.]wsedw[.]hyd[.]me
- paypal[.]com[.]0[.]security-confirmation[.]fc1618c9ae39989770371191790a772b[.]er44.hyd[.]me
This domain hyd[.]me exhibits steady high volume traffic. In fact, it is a sinkholed domain by Kleissner & Associates, which has been acquired by LookingGlass.
Going back to our initial 2LD 2nso3s[.]com serving the Facebook phishing URLs, what is also interesting is the massive traffic spike, which is typically uncharacteristic of phishing domains. Here is the traffic pattern for 2nso3s[.]com:
Figure 1
Visiting the domain in the browser shows that it is spoofing the Facebook login page:
Figure 3a:
Figure 3b:
Figure 3c:
One can see from the above screenshots that the 3LD in the FQDN is rotating; this happens over tens of thousands of queries. Figure 4 shows another interesting catch exhibiting similar characteristics detected by the Spike and NLPRank models, ebayonline[.]cc:
Figure 4
This sample is also rotating through subdomains:
seo28.ebayonline[.]cc
seo115.ebayonline[.]cc
seo159.ebayonline[.]cc
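As an added example (not code from the OpenDNS post), the following Python sketch reproduces the two cues the text combines for 2nso3s[.]com and ebayonline[.]cc: a brand token in a hostname whose registered domain is not the brand's own, and a 3LD that rotates by its digits under one 2LD, scored together with query volume. The brand list, allowlist, query counts and the "last two labels" 2LD split are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed brand list and allowlist of the brands' own registered domains.
BRANDS = ("facebook", "paypal", "ebay", "google")
LEGIT = {"facebook.com", "paypal.com", "ebay.com", "google.com"}
# Constructed query log as (fqdn, query_count); names are undefanged copies of the
# post's samples plus benign filler, counts are made up.
SAMPLE_LOG = [
    ("facebook.com.accounts.login.userid.280964.2nso3s.com", 1200),
    ("facebook.com.accounts.login.userid.280965.2nso3s.com", 1150),
    ("facebook.com.accounts.login.userid.280966.2nso3s.com", 1300),
    ("seo28.ebayonline.cc", 900),
    ("seo115.ebayonline.cc", 870),
    ("www.facebook.com", 5000),
    ("mail.example.org", 60),
]

def split_fqdn(fqdn):
    """Return (all labels, 2LD). Simplification: the 2LD is the last two labels;
    a production pipeline would consult the public suffix list (co.uk etc.)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels, ".".join(labels[-2:])

def spoofed_brands(labels, two_ld):
    """Brand tokens (TLD label excluded) in a name whose registered domain is
    not the brand's own: the NLPRank-style spoofing cue."""
    if two_ld in LEGIT:
        return []
    return sorted({b for lbl in labels[:-1] for b in BRANDS if b in lbl})

def profile(log):
    """Per 2LD: query volume, spoofed brands, distinct 3LDs, and whether those
    3LDs differ only in their digits (the rotating-integer pattern)."""
    per_2ld = defaultdict(lambda: {"queries": 0, "brands": set(), "thirds": set()})
    for fqdn, count in log:
        labels, two_ld = split_fqdn(fqdn)
        entry = per_2ld[two_ld]
        entry["queries"] += count
        entry["brands"].update(spoofed_brands(labels, two_ld))
        if len(labels) >= 3:
            entry["thirds"].add(labels[-3])  # label immediately left of the 2LD
    for entry in per_2ld.values():
        templates = {re.sub(r"\d+", "#", t) for t in entry["thirds"]}
        entry["rotating"] = len(entry["thirds"]) > 1 and len(templates) == 1
    return dict(per_2ld)

def flag_campaigns(log, min_queries=1000):
    """2LDs combining a spoofed brand, rotating 3LDs and a traffic spike."""
    return sorted(d for d, e in profile(log).items()
                  if e["brands"] and e["rotating"] and e["queries"] >= min_queries)
```

The legitimate www.facebook.com entry carries the highest volume of all but is never flagged, which is why volume alone is not the signal.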
Here is another sample of a spoofed brand domain that exhibits features detected by the two models, analytics-google[.]com:
Figure 5
There are a lot of variations spoofing google-analytics; however, they have a much smaller request rate. For example, Figure 6 displays traffic from google–analytics[.]com:
Figure 6
As we can see, this spoofing domain has much lower traffic counts, which is more typical of phishing domains. Here is an example of a PayPal phish, mpaypaal[.]com, also exhibiting a low query count:
When viewing the page we see the attacker copying the login page of the original PayPal site and phishing for credentials:
Investigate and Visualization
Going back to 2nso3s[.]com, data visualization and Investigate can provide some further interesting insights into this domain.
First of all, we can use our “Life of a Domain” visualization in order to get a better representation of the domain lifetime and all its key events. Let’s have a look:
We can see a couple of things. The two blue dots represent the domain registration: our domain was registered quite recently (mid-August 2015) and is scheduled to expire the following year. On this specific visualization, we typically see a couple of red circles showing when the domain was tagged/flagged by our analysts, which wasn’t the case here. (Of course, now it’s all blocked.)
We can also see that our domain was registered with an address in Mexico. Interestingly, the client traffic comes mainly from the US, Russia, France, and the UK. We have the phone number and an email address, which allows us to dig deeper in our investigation.
From the email address “mireyadreedjs@yahoo.com” and using the Investigate data, we can search our WHOIS database to discover which other domains were registered by the same account:
2nso3s[.]com
2nsoe93[.]com
32nos35[.]com
34scw3[.]com
34swe2[.]com
3sn39s[.]com
3snose4[.]com
an340sm[.]com
dv324do[.]com
23oens9[.]com
23ud82[.]com
349sln2[.]com
3skd93[.]com
From these domains, we can keep mining and discover subdomains, attached URLs, IP addresses, and even hashes of the malware hosted on these servers. We can then use all this correlating data and build a map of the full infrastructure of the phishing campaign. All of this operated very simply using our homemade data miner script (more about that in a later blog), and we can visualize the result in 3D with OpenGraphiti.
Once we’ve extracted and visualized all of these new candidates, we can use another interesting visualization called “Parallel Coordinates.” The idea is to represent the features of our candidates stacked all together in a graph representation. The horizontal axis represents the set of features of our vector (pictured here we have Investigate + VirusTotal features); the vertical one represents the values of those features taken by our vectors. See below:
Considering that this simple diagram is displaying 100 domains at the same time, we can instantly see at first sight that they have a lot in common, given the small distance between all the curves. We can see that these domains have a low popularity, which means those domains have seen a small amount of traffic. They were created only about 10 days ago (the age axis is on a log scale), mapping to only one IP, one prefix, one ASN, and only one country. They have a constant TTL set to a very high interval, about 90,000 seconds (TTL standard deviation is zero). The geographical distance between their IPs is small, which is expected since they have only one. The entropy of the domains is pretty high due to the DGA part of the name. The status is -1 for all of these, meaning that OpenDNS is actively blocking all of them at the moment. And finally, they have 10 or more URLs that have been flagged on VirusTotal.
Dissecting hosting IP space

We can use our malicious IP space/rogue host monitoring models to investigate the hosting IP infrastructure of the 13 2LDs registered by mireyadreedjs@yahoo.com. These 2LDs are all hosted on IPs that are part of AS20473, AS-CHOOPA – Choopa, LLC 86400, but more specifically they are all under the hoster Vultr, which is a child company of Choopa, LLC.
Vultr is more or less a DigitalOcean clone trying to compete with it in the affordable VPS market. Vultr’s IP space spans more than 65,000 IPs located in North America, Europe, and Asia/Pacific. Its cost-effectiveness, however, made it an attractive platform for criminals to host exploit kit domains, phishing, and other gray content.
In the table below, for reference, we show all the phishing 2LDs with their corresponding IPs, prefixes, ASNs, and specific hoster, as well as the total number of phishing hostnames we recorded in relation to the IPs and a link to all hostnames on the IPs.
2LD | IP | prefix | ASN | hoster | # of hostnames on IP | hostnames
---|---|---|---|---|---|---
3sn39s.com | 104.156.254.188 | 104.156.254.0/23 | 20473 | Vultr | 3 |
32nos35.com | 104.156.255.253 | 104.156.254.0/23 | 20473 | Vultr | 452 |
dv324do.com | 104.156.255.91 | 104.156.254.0/23 | 20473 | Vultr | 197 |
349sln2.com | 104.207.156.185 | 104.207.156.0/22 | 20473 | Vultr | 101 |
2nso3s.com | 104.238.179.129 | 104.238.178.0/23 | 20473 | Vultr | 2896 |
2nsoe93.com | 108.61.215.91 | 108.61.215.0/24 | 20473 | Vultr | 91 |
23oens9.com | 45.63.59.217 | 45.63.48.0/20 | 20473 | Vultr | 168 |
Vultr has been under our radar for quite some time as we’ve been monitoring its IP space in the past few months and flagged it as hosting, among other things, exploit kit domains and exploit kit nameservers, particularly Nuclear EK.
In the table below, we share a sample of IPs on Vultr that we flagged in the past six months as hosting Nuclear EK landing domains.
Takeaways
In conclusion, first, it is apparent from these findings that integrating multiple models enhances our coverage and increases our detection rate. Combining NLPRank, Spike Detection, and the IP monitoring models provides a method to surface large-scale phishing campaigns and automatically block them in real time. Second, bulletproof or abused hosting providers persistently cater to a diversity of “badness,” whether it is phishing, exploit kits, malware, or gray content in general. Our global visibility into the attack surface comes in handy to consistently monitor and rapidly catch these threats from different angles.
If you’d like to learn more about our research related to these topics, we will be presenting in October at BruCon and Hack.lu.
“Unified DNS View to Track Threats”, Dhia Mahjoub and Thomas Mathew, at BruCon
“A Collective View of Current Trends in Criminal Hosting Infrastructures”, Dhia Mahjoub, at Hack.lu