Fortinet researchers studying phishing domains have found that South Africa was among the top 20 countries targeted in a large influx of recent phishing attacks.
In June and July, FortiGuard Labs observed a large influx of phishing domains being registered in batches by a phishing threat actor or group.
They immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to this campaign. Because of some careless behaviours that – if avoided – could have masked their behaviour, they were able to learn the following:
∙ The phisher(s) abused a specific OVH (online virtual hosting) registrar in order to bulk register domain.
∙ They managed to register over 200 domains every day for over a week.
∙ Phishing domains were delivered to victims through phishing emails sent to more than 100 countries.
∙ Many of the registrant emails used the following pattern: <random_string>@e.o-w-o[.]info
∙ To support the backend, the phisher(s) had registered and consistently used the same group of dedicated name servers.
The researchers started with known phishing domains, finding registrants and name servers, and then iteratively expanded the search to bring in more related IOCs. After the expansion of some malicious seeds, they were then able to blacklist about 3 000 phishing IOCs.
Fortinet’s telemetry data revealed that the campaign targeted over 100 countries, with the highest number of visits – 2 111 – to the US. Also in the top 5 were China, Mexico, Vietnam and Kazakhstan. South Africa – with 167 visits – was number 17 in the top 20 countries targeted, followed by Thailand, Singapore and Italy.
This campaign stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, Fortinet was able to monitor their campaign closely and can similarly monitor other phishing threat actors as long as they consistently used a dedicated infrastructure (IP address, Name Server, or WHOIS registrants), or used some unique URL patterns in their phishing sites.
Because many phishers are similarly careless, this monitoring technique can be re-used to find more phishers. For example, Fortinet was able to use this same strategy to catch the Microsoft Fake AntiVirus Group. This group has the following characteristics:
∙ They register their attacks using free domains, such as .tk, .ml, and .ga, etc. Fortinet has observed them registering over 100 new domains daily.
∙ They always use name servers hosted by Freenom (ns02[.]freenom[.]com)
∙ Host domains always use the same set of dedicated IP addresses.
Fortinet has been able to catch this group by monitoring their dedicated IP addresses.
Says Doros Hadjizenonos, regional sales director at Fortinet: “Cybercriminals tend to do the same things over and over again. Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same Web-based infrastructure, and leverage those resources at the exact same step on their attack cycle. Learn those patterns and you can begin to see and even anticipate an attack before it is even launched.”
However, not every cybercriminal is careless. Fortinet says phishing sites are usually hosted on compromised websites. As a result, the threat actor’s behaviour is easily concealed. Other methods for obscuring phishing activities often include
∙ Using compromised websites to host phishing sites
∙ Using free hosting websites
∙ Abusing free Microsoft Web services
∙ Using shared Web hosting services, and shared name server services
“The best approach to countering phishing attacks is to regularly train all personnel to be wary of unknown senders and to not click on links/attachments of suspicious emails,” says Hadjizenonos.