OpenDNS Security Labs has developed a replacement threat model for characteristic domain spoofing and targeted phishing attacks. known as NLPrank, the model uses tongue process to create a malicious language that’s capable of detection threatening domains in period of time.
In a web log post on weekday, OpenDNS Labs aforementioned that the model, developed by OpenDNS security investigator Jeremiah O’Connor, may be a “robust methodology for defensive against APT attacks like Anunak/Carbanak.”
Earlier on, a report by FireEye showed that corporations in geographic area, significantly in growing sectors like finance, ar in danger from APT teams United Nations agency ar wanting to steal belongings.
The Carbanak cluster launched a series of cyberespionage attacks that targeted banks and money establishments over 2 years. Anunak, a banking Trojan, might are a precursor to those attacks. within the attacks, the cluster gained entry to Associate in Nursing employee’s pc through spear phishing techniques to put in a backdoor.
“OpenDNS Security Labs builds prognosticative models to trace these forms of adversarial [APT] teams and block domains associated with their activities, so as to stay our customers safe,” O’Connor aforementioned during a web log post. “To produce these models, we have a tendency to mine our massive DNS knowledge infrastructure for knowledge concerning attacks then uncover the patterns inside. gazing the info associated with these attacks, we have a tendency to found that the domains during this specific Carbanak knowledge set exhibited similar patterns to domains related to DarkHotel and alternative APT knowledge sets.”
OpenDNS compared domains, and detected that they were made during a “similar lexical fashion.”
“A common spoofing schoolnique is that the impersonation of a legitimate package or tech company in Associate in Nursing email claiming a needed package update,” O’Connor aforementioned.
One of the common patterns was domains that merge bound wordbook words and school company strings. as an example, security-paypal-center.com, facebooklogin-facebook.com, and billingupdate-paypal.com. NLPrank was recently accustomed establish a cluster of advanced PayPal phishing attacks, and plenty of similar forms of phishing attacks spoofing corporations like Facebook, Dropbox and Gmail.
Another way NLPRank detects dishonest domain behavior is perceptive domains hosted on ASNs that ar unassociated with the corporate they’re spoofing.
OpenDNS aforementioned that it’s continued to check NLPRank to forestall false positives.
OpenDNS Develops New Threat Model to Detect Domains Used by APT Groups
Geen opmerkingen:
Een reactie posten