Dynamics of Online Scam Hosting Infrastructure - PowerPoint PPT Presentation



SLIDE 1

Dynamics of Online Scam Hosting Infrastructure

Maria Konte, Nick Feamster (Georgia Tech)
Jaeyeon Jung (Intel Research)

SLIDE 2

Online Scams

  • Often advertised in spam messages
  • URLs point to various point-of-sale sites
  • These scams continue to be a menace
    – As of August 2007, one in every 87 emails constituted a phishing attack
  • Scams often hosted on bullet-proof domains
  • Problem: Study the dynamics of online scams, as seen at a large spam sinkhole

SLIDE 3

Online Scam Hosting is Dynamic

  • A URL received in an email message may point to different sites over time
  • This maintains agility as sites are shut down, blacklisted, etc.
  • One mechanism for hosting sites: fast flux

SLIDE 4

Overview of Dynamics

[Figure: fast-flux overview. Source: HoneyNet Project]

SLIDE 5

Why Study Dynamics?

  • Understanding
    – What are the possible invariants?
    – How many different scam hosting sites are there?
  • Detection
    – Today: Blacklisting based on URLs
    – Instead: Identify the network-level behavior of a scam-hosting site

SLIDE 6

Summary of Findings

  • What are the rates and extents of change?
    – Different from legitimate load balance
    – Different across different scam campaigns
  • How are dynamics implemented?
    – Many scam campaigns change DNS mappings at all three locations in the DNS hierarchy
      • A record, NS record, IP address of the NS record
  • Conclusion: Might be able to detect based on monitoring the dynamic behavior of URLs

SLIDE 7

Data Collection

  • One month of email spamtrap data
    – 115,000 emails
    – 384 unique domains
    – 24 unique spam campaigns

SLIDE 8

Top 3 Spam Campaigns

  • Some campaigns hosted by thousands of IPs
  • Most scam domains exhibit some type of flux
  • Sharing of IP addresses across different roles (authoritative NS and scam hosting)

SLIDE 9

Time Between Changes

  • How quickly do DNS-record mappings change?
  • Scam domains change on shorter intervals than their TTL values
  • Domains within the same campaign exhibit similar rates of change

SLIDE 10

Rates of Change

  • Domains that exhibit fast flux change more rapidly than legitimate domains
  • Rates of change are inconsistent with actual TTL values
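The indicators on slides 6, 9 and 10 (changes arriving faster than the advertised TTL, change at all three DNS locations, accumulation of fresh addresses rather than rotation within a fixed pool) can be computed from a timeline of periodic lookups. The following is an added example and is not the authors' measurement code; the observation timelines, TTLs and addresses are constructed here, and the split into the three levels "A", "NS" and "NS_A" (the address of the authoritative NS) is this example's own naming.

```python
"""Fast-flux indicators over a constructed DNS observation timeline.

Added example, not code from the talk. Assumed input: periodic snapshots of
a domain at the three locations in the DNS hierarchy the talk names
(A records, NS names, and the A records of those NS names). All data below
is constructed; nothing is resolved over the network.
"""
from collections import namedtuple
from statistics import median

# t: seconds since monitoring start; level: "A", "NS" or "NS_A";
# values: frozenset of records returned; ttl: TTL advertised in that answer
Snap = namedtuple("Snap", "t level values ttl")

LEVELS = ("A", "NS", "NS_A")


def _at_level(snaps, level):
    return sorted((s for s in snaps if s.level == level), key=lambda s: s.t)


def change_times(snaps, level):
    """Observation times at which the record set at `level` differed from the previous one."""
    times, prev = [], None
    for s in _at_level(snaps, level):
        if prev is not None and s.values != prev.values:
            times.append(s.t)
        prev = s
    return times


def change_intervals(snaps, level):
    """Seconds between consecutive changes (the talk's 'time between changes')."""
    ts = change_times(snaps, level)
    return [b - a for a, b in zip(ts, ts[1:])]


def accumulation_curve(snaps, level):
    """(t, cumulative count of distinct values) after each observation."""
    seen, curve = set(), []
    for s in _at_level(snaps, level):
        seen |= s.values
        curve.append((s.t, len(seen)))
    return curve


def flux_report(snaps):
    """Per-level summary: change count, median interval between changes,
    whether changes arrive faster than the TTL, and how many distinct
    values accumulated; plus which levels changed at all."""
    report = {}
    for level in LEVELS:
        lvl = _at_level(snaps, level)
        if not lvl:
            continue
        ttl = max(s.ttl for s in lvl)
        ivs = change_intervals(snaps, level)
        med = median(ivs) if ivs else None
        report[level] = {
            "changes": len(change_times(snaps, level)),
            "median_interval": med,
            "ttl": ttl,
            "faster_than_ttl": med is not None and med < ttl,
            "distinct_values": accumulation_curve(snaps, level)[-1][1],
        }
    report["levels_changing"] = [l for l in LEVELS if report.get(l, {}).get("changes", 0) > 0]
    return report


def constructed_scam_timeline():
    """Ten observations, 300 s apart, of a hypothetical scam domain."""
    snaps = []
    for i in range(10):
        # A: TTL 1800 s, yet a fresh pair of addresses (documentation range) every 300 s
        snaps.append(Snap(300 * i, "A", frozenset({f"203.0.113.{2 * i}", f"203.0.113.{2 * i + 1}"}), 1800))
        # NS names: TTL 3600 s, rotated every 900 s
        snaps.append(Snap(300 * i, "NS", frozenset({f"ns{i // 3}.example.net"}), 3600))
        # NS addresses: TTL 3600 s, moved every 600 s
        snaps.append(Snap(300 * i, "NS_A", frozenset({f"198.51.100.{i // 2}"}), 3600))
    return snaps


def constructed_legit_timeline():
    """Same cadence for a hypothetical load-balanced site: the answer changes,
    but only among a fixed pool of three addresses and not faster than its 60 s TTL."""
    snaps = []
    for i in range(10):
        snaps.append(Snap(300 * i, "A", frozenset({f"192.0.2.{10 + i % 3}"}), 60))
        snaps.append(Snap(300 * i, "NS", frozenset({"ns1.example.org", "ns2.example.org"}), 86400))
        snaps.append(Snap(300 * i, "NS_A", frozenset({"192.0.2.53", "192.0.2.54"}), 86400))
    return snaps


if __name__ == "__main__":
    for name, tl in (("scam", constructed_scam_timeline()), ("legit", constructed_legit_timeline())):
        print(name, flux_report(tl))
```

Two design points matter in practice. Record sets are compared as sets, so round-robin reordering of a fixed pool (ordinary load balancing) is not counted as a change; and the distinct-value count is what separates a bounded pool from genuine accumulation, since a load balancer can also change its answer on every lookup.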

SLIDE 11

Rates of Accumulation

  • How quickly do scams accumulate new IP addresses?
  • Rates of accumulation differ across campaigns
  • Some scams only begin accumulating IP addresses after some time

SLIDE 12

Rates of Accumulation

[Figure: accumulation of IP addresses over time, per campaign]

SLIDE 13

Location of Change in Hierarchy

  • Scam networks use a different portion of the IP address space than legitimate sites
    – 30/8 – 60/8 --- lots of legitimate sites, no scam sites
  • DNS lookups for scam domains are often more widely distributed than those for legitimate sites

SLIDE 14

Location in IP Address Space

  • Scam campaign infrastructure is considerably more concentrated in the 80/8-90/8 range
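Slides 8, 13 and 14 describe per-campaign properties of the address space: how many /8s a campaign spans, how much of it sits in 80/8-90/8 versus 30/8-60/8, and whether the same addresses serve as both authoritative NS and scam host. The following is an added example (not the authors' code) that profiles a campaign from the addresses gathered for its domains; the domain names, campaign labels and addresses are constructed for illustration and the addresses in the 8x.0.2.x pattern are hypothetical, chosen only to fall in the /8 ranges the slides name.

```python
"""Address-space profile of scam vs. legitimate hosting. Added example, not the
talk's code. Input: per-domain A-record addresses and authoritative-NS
addresses, tagged with a campaign label. All data below is constructed."""
import ipaddress
from collections import Counter


def first_octet(addr):
    return ipaddress.IPv4Address(addr).packed[0]


def slash8_histogram(addresses):
    """Count of addresses per /8, keyed by first octet."""
    return Counter(first_octet(a) for a in addresses)


def fraction_in_slash8_range(addresses, lo, hi):
    """Fraction of addresses whose /8 falls in [lo/8, hi/8]."""
    addrs = list(addresses)
    if not addrs:
        return 0.0
    hit = sum(1 for a in addrs if lo <= first_octet(a) <= hi)
    return hit / len(addrs)


def shared_role_addresses(a_records, ns_addresses):
    """Addresses that serve both as scam host (A) and as authoritative NS."""
    return sorted(set(a_records) & set(ns_addresses), key=ipaddress.IPv4Address)


def campaign_profile(domains):
    """domains: {name: {"campaign": str, "a": [...], "ns_a": [...]}}.
    Returns, per campaign: domain and address counts, number of /8s spanned,
    concentration in 80/8-90/8 and in 30/8-60/8, and addresses shared across roles."""
    by_camp = {}
    for rec in domains.values():
        c = by_camp.setdefault(rec["campaign"], {"a": set(), "ns_a": set(), "domains": 0})
        c["a"] |= set(rec["a"])
        c["ns_a"] |= set(rec["ns_a"])
        c["domains"] += 1
    out = {}
    for camp, c in by_camp.items():
        all_addrs = c["a"] | c["ns_a"]
        out[camp] = {
            "domains": c["domains"],
            "addresses": len(all_addrs),
            "slash8s": len(slash8_histogram(all_addrs)),
            "frac_80_90": fraction_in_slash8_range(all_addrs, 80, 90),
            "frac_30_60": fraction_in_slash8_range(all_addrs, 30, 60),
            "shared_roles": shared_role_addresses(c["a"], c["ns_a"]),
        }
    return out


# Constructed input. "pharma" is a hypothetical campaign spread across 80/8-90/8
# whose NS addresses double as hosts; "legit" is a hypothetical site in one /8.
CONSTRUCTED_DOMAINS = {
    "buy-now.example": {"campaign": "pharma",
                        "a": ["81.0.2.1", "85.0.2.2", "88.0.2.3", "90.0.2.4"],
                        "ns_a": ["85.0.2.2", "83.0.2.9"]},
    "cheap-meds.example": {"campaign": "pharma",
                           "a": ["82.0.2.5", "88.0.2.3", "89.0.2.6"],
                           "ns_a": ["83.0.2.9", "90.0.2.4"]},
    "shop.example": {"campaign": "legit",
                     "a": ["45.0.2.10", "45.0.2.11"],
                     "ns_a": ["45.0.2.53", "45.0.2.54"]},
}

if __name__ == "__main__":
    for camp, prof in campaign_profile(CONSTRUCTED_DOMAINS).items():
        print(camp, prof)
```

The /8 ranges are taken from the slides and are a property of this dataset, not a stable rule; the reusable part is the method (spread across /8s, concentration bands, and NS/host overlap per campaign), which a practitioner would recompute against current data.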

SLIDE 15

Distribution of DNS Records

[Figure: distribution of DNS records across IP address space]

SLIDE 16

Registrars Involved in Changes

  • About 70% of domains still active are registered at eight registrars
  • Three registrars responsible for 257 domains (95% of those still marked as active)

SLIDE 17

Conclusion

  • Scam campaigns rely on a dynamic hosting infrastructure
  • Studying the dynamics of that infrastructure may help us develop better detection methods
  • Dynamics
    – Rates of change differ from legitimate sites, and differ across campaigns
    – Dynamics implemented at all levels of the DNS hierarchy
  • Location
    – Scam sites distributed more across IP address space

http://www.cc.gatech.edu/research/reports/GT-CS-08-07.pdf