Security researchers working at OpenDNS’ Security Labs have developed NLPRank, a new system that helps detect – quickly and relatively accurately – phishing and malware-download sites set up by APT threat actors.
They noticed that the phishing emails sent to employees of the various targeted organizations included links to malicious domains whose names were constructed by using names of tech companies and popular software (Microsoft, Adobe, Firefox, Facebook, Java, GMail etc.) and certain words like “login,” “update,” “security center,” “register,” “billing,” and so on. These cleverly crafted domain names certainly added an aura of legitimacy to the malicious domains.
OpenDNS, whose Global Network processes an estimated 60 billion DNS queries daily, has created a “corpus of domains that elicit a common pattern where adversaries merge together certain dictionary words and tech company strings,” and fed them to NLPRank.
But the tool bases its decisions to block certain domains on more than just their names. It uses certain WHOIS data patterns (for example, if the domain was registered just days or hours before), analyzes the sites’ HTML tags and ASN data.
“For example, you would expect an Adobe domain advertising an update to be associated with an ASN associated with Adobe (ex. 14365, 44786, etc.), or a Java update to be associated with an Oracle ASN (ex. 41900, 1215, etc.),” explained Jeremiah O’Connor. “Both of the Carbanak domains mentioned above using those company names as substrings came from: ASN 44050, PIN-AS Petersberg Internet Network LLC in Russia.”
The tool successfully identifies domain spoofing/targeted phishing attacks mounted by APT groups, and should help detect malicious domains that are specially set up for such campaigns: often put up just minutes before the phishing emails are sent, so that web reputation services can’t manage to block them before the targeted individuals manage to visit them.