d dynamics of i f o li online scam s hosting infr hosting
play

D Dynamics of i f O li Online Scam S Hosting Infr Hosting - PowerPoint PPT Presentation

May 30, 2023 •271 likes •450 views

D Dynamics of i f O li Online Scam S Hosting Infr Hosting Infr rastructure rastructure Maria Konte, N Nick Feamster Georgi a Tech Jaeyeo on Jung Intel Re esearch Online Scams Online Scams Often advertised in spam p m

  1. D Dynamics of i f O li Online Scam S Hosting Infr Hosting Infr rastructure rastructure Maria Konte, N Nick Feamster Georgi a Tech Jaeyeo on Jung Intel Re esearch

  2. Online Scams Online Scams • Often advertised in spam p m messages g • URLs point to various po oint-of-sale sites • These scams continue to These scams continue to o be a menace o be a menace – As of August 2007, one in every 87 emails constit y tuted a phishing attack p g • Scams often hosted on b bullet-proof domains • Problem: Study the dyna y y amics of online scams, , as seen at a large spam sinkhole

  3. Online Scam Hosti Online Scam Hosti ing is Dynamic ing is Dynamic • The sites pointed to by a Th it i t d t b a URL that is received in URL th t i i d i an email message may point to different sites • Maintains agility as sites s are shut down, blacklisted, etc. • One mechanism for hos sting sites: fast flux

  4. Source: HoneyNet Project mics mics Overview of Dynam Overview of Dynam

  5. Why Study Dynam Why Study Dynam ics? ics? • Understanding U d t di – What are the possible inv ariants? – How many different scam -hosting sites are there? • Detection D i – Today: Blacklisting based d on URLs – Instead: Identify the netw work-level behavior of a scam- hosting site

  6. Summary of Findin Summary of Findin ngs ngs • What are the rates and e Wh t th extents of change? f h ? t d t t – Different from legitimate lo oad balance – Different cross different sc cam campaigns • How are dynamics imple emented ? ? – Many scam campaigns ch hange DNS mappings at all three locations in the DNS th l ti i th DNS S hi S hierarchy h • A, NS, IP address of N NS record • Conclusion: Might be a able to detect based on monitoring the dynamic it i th d i b h behavior of URLs i f URL

  7. Data Collection Data Collection • One month of email sp One month of email sp pamtrap data pamtrap data – 115,000 emails – 384 unique domains 384 unique domains – 24 unique spam campaig ns

  8. Top 3 Spam Camp Top 3 Spam Camp aigns aigns • Some campaigns hoste S i h t ed by thousands of IPs d b th d f IP • Most scam domains exh hibit some type of flux • Sharing of IP addresses s across different roles ( (authoritative NS and sc cam hosting) g)

  9. Time Between Cha Time Between Cha anges anges • How quickly do DNS-re H i kl d DNS ecord mappings d i change? • Scam domains change o g on shorter intervals than their TTL values • Domains within the sam Domains within the sam e campaign exhibit e campaign exhibit similar rates of change

  10. Rates of Change Rates of Change • Domains that exhibit fas • Domains that exhibit fas st flux change more st flux change more rapidly than legitimate d domains • Rates of change are inc • Rates of change are inc consistent with actual consistent with actual TTL values

  11. Rates of Accumula Rates of Accumula ation ation • How quickly do scams H i kl d s accumulate new IP l t IP addresses? • Rates of accumulation d differ across campaigns p g • Some scams only begin accumulating IP addresses after some tim addresses after some tim me me

  12. Rates of Accumula Rates of Accumula ation ation

  13. Location of Chang Location of Chang e in Hierarchy e in Hierarchy • Scam networks use a di S t k di fferent portion of the IP ff t ti f th IP address space than legi timate sites – 30/8 – 60/8 --- lots of legit timate sites, no scam sites • DNS lookups for scam d DNS l k f d d domains are often more i f widely distributed than th hose for legitimate sites

  14. Location in IP Add Location in IP Add dress Space dress Space • Scam campaign infrastru ucture is considerably more concentrated in the more concentrated in the e 80/8 90/8 range e 80/8-90/8 range

  15. Distribution of DN Distribution of DNS Records S Records

  16. Registrars Involved Registrars Involved d in Changes d in Changes • About 70% of domains s still active are registered g at eight domains • Three registrars respons g p sible for 257 domains (95% of those still marke ed as active)

  17. Conclusion Conclusion • Scam campaigns rely on S i l n a dynamic hosting d i h ti infrastructure • Studying the dynamics o of that infrastructure may help us develop better d detection methods • Dynamics – Rates of change differ fro g m legitimate sites, and differ g , across campaigns – Dynamics implemented at t all levels of DNS hierarchy • Location – Scam sites distributed mo Scam sites distributed mo ore across IP address space ore across IP address space http://www.cc.gatech.edu/res earch/reports/GT-CS-08-07.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries

Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries

LOOKING AT AIRBNB, HOMEWAY, AND OTHER ONLINE HOSTING PLATFORMS SEPTEMBER 7, 2016 Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries FlipKey(TripAdvisor) 300,000 179 Countries VRBO (HomeAway) 575,000

946 views • 14 slides
Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries FlipKey(Trip

Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries FlipKey(Trip

LOOKING AT AIRBNB, HOMEWAY, AND OTHER ONLINE HOSTING PLATFORMS AUGUST 31, 2016 Hosting Platform Number of Units/Hosts Where AirBnB 550,000 192 Countries FlipKey(Trip Advisor) 300,000 179 Countries VRBO (HomeAway) 575,000 Worldwide

1.07k views • 14 slides
versions for Hosting Companies Xander Lammertink System & Network Engineering: RP1 Research

versions for Hosting Companies Xander Lammertink System & Network Engineering: RP1 Research

Fin ine-grained control of LAMP component versions for Hosting Companies Xander Lammertink System & Network Engineering: RP1 Research question How to migrate customers from LAMP hosting providers to a new type of LAMP hosting where

1.34k views • 17 slides
SLTNet Shared Web Hosting Services Confidential Public Shared Web Hosting Service Service

SLTNet Shared Web Hosting Services Confidential Public Shared Web Hosting Service Service

SLTNet Shared Web Hosting Services Confidential Public Shared Web Hosting Service Service Features Provide more capacity initially (300MB -1000MB) Language Support- ASP , PHP , ASP.NET v1.0/2.0/3.0/3.5/4.0 Database Support -

555 views • 10 slides
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal Avoid detection and take down of web sites used for illegal purposes Technique Host illegal content at many sites Rapidly

617 views • 19 slides
Overview of the Application pp Hosting Environment Stefan Zasada University College London y

Overview of the Application pp Hosting Environment Stefan Zasada University College London y

Overview of the Application pp Hosting Environment Stefan Zasada University College London y g 1 The Application Hosting Environment Environment Based on the idea of applications as web services Lightweight hosting environment

492 views • 24 slides
THE ART OF HOSTING Conversations that Matter September 18, 2018 POPULATION HEALTH INNOVATION LAB

THE ART OF HOSTING Conversations that Matter September 18, 2018 POPULATION HEALTH INNOVATION LAB

THE ART OF HOSTING Conversations that Matter September 18, 2018 POPULATION HEALTH INNOVATION LAB Welcome, Framing and Flow Provide an overview and background of Art of Hosting (AoH) training What does it mean to be a convener/host for

546 views • 15 slides
Meeting With Ken Dodds March 21, 2019 Many thanks to Holland & Knight LLP for hosting

Meeting With Ken Dodds March 21, 2019 Many thanks to Holland & Knight LLP for hosting

Small Business Committee Meeting With Ken Dodds March 21, 2019 Many thanks to Holland & Knight LLP for hosting Upcoming Events Cyber and Supply Chain Security Committee, March 27 Legislative and Market Dynamics Breakfast Forum,

730 views • 60 slides
Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and

Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and

Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and Domain Names CSCI-GA 1122 Domain names serve as a more Domain Names memorable reference to Internet resources Domain names are used to identify

319 views • 13 slides
Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP Address Required for HTTPS The 'Host' Header Mass Virtual Hosting? HTTPD's Default configuration doesn't deal well with thousands of

967 views • 20 slides
Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names

Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names

Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names Introduction to Web Design Domain names serve as a more memorable reference to Domain Names Internet resources. Domain names are used to identify Internet

288 views • 11 slides
WEBSITE HOSTING FOR AGGIE MOMS Evan McClintock 16 Web Team Student Assistant The generosity

WEBSITE HOSTING FOR AGGIE MOMS Evan McClintock 16 Web Team Student Assistant The generosity

WEBSITE HOSTING FOR AGGIE MOMS Evan McClintock 16 Web Team Student Assistant The generosity of Century Club Members makes this FREE program possible. Hosting Program Features WordPress-based Platform. Free AggieMoms.org Subdomain

442 views • 8 slides
Advices to new fediverse administrators and developers Luc Didry September 7 2019 Introduction

Advices to new fediverse administrators and developers Luc Didry September 7 2019 Introduction

Framasoft Advices to new fediverse administrators and developers Luc Didry September 7 2019 Introduction Hosting an ActivityPub service is not like hosting another service 1 Hosting an ActivityPub service is not like hosting another service

1.23k views • 60 slides
PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek

PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek

PUFFIN PUFFIN FREE WEBAPP HOSTING FOR AVERAGE USERS FREE WEBAPP HOSTING FOR AVERAGE USERS Jarek Lipski / loomchild.net puffin.rocks / LET'S START WITH... LET'S START WITH... A DEMO A DEMO WHAT IS IT? WHAT IS IT? Platform Catalog

373 views • 8 slides
Disaster Recovery: Types of Hosting and How they Differ April 9, 2014 1. Who is Digital Realty?

Disaster Recovery: Types of Hosting and How they Differ April 9, 2014 1. Who is Digital Realty?

Disaster Recovery: Types of Hosting and How they Differ April 9, 2014 1. Who is Digital Realty? Table of 2. Definitions contents 3. Types of hosting for Disaster Recovery 4. Wholesale Colocation 5. Retail Colocation 6. Managed Services

345 views • 15 slides
WELCOMMON, an innovative project for hosting and social inclusion of refugees # WELCOMMON is an

WELCOMMON, an innovative project for hosting and social inclusion of refugees # WELCOMMON is an

WELCOMMON, an innovative project for hosting and social inclusion of refugees # WELCOMMON is an innovative community center for hosting and promoting the social inclusion of refugees. It is implemented by the social enterprise Wind of Renewal

344 views • 12 slides
Compatible rewriting of noncommutative polynomials for proving operator identities C.Chenavier

Compatible rewriting of noncommutative polynomials for proving operator identities C.Chenavier

Compatible rewriting of noncommutative polynomials for proving operator identities C.Chenavier C.Hofstadler C.G.Raab G.Regensburger Johannes Kepler Universitt, Linz, Austria 45th ISSAC Kalamata, Greece, July 20-23, 2020 Chenavier,

697 views • 59 slides
Reproducibility in Data Science Juliana Freire Visualization, Imaging and Data Analysis Center

Reproducibility in Data Science Juliana Freire Visualization, Imaging and Data Analysis Center

Reproducibility in Data Science Juliana Freire Visualization, Imaging and Data Analysis Center (VIDA) Computer Science & Engineering Center for Data Science (CDS) VISUALIZATION IMAGING AND DATA ANALYSIS CENTER Data-Driven Exploration

557 views • 34 slides
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom March, 2017 www.iaik.tugraz.at Introduction In the case of AES, several alternative representations (algebraic representation [

627 views • 52 slides
CPSC 875 CPSC 875 John D McGregor John D. McGregor Risk, Uncertainty, and Options Dynamic

CPSC 875 CPSC 875 John D McGregor John D. McGregor Risk, Uncertainty, and Options Dynamic

CPSC 875 CPSC 875 John D McGregor John D. McGregor Risk, Uncertainty, and Options Dynamic environment Dynamic environment http://www.ignify.com/Ignify-eCommerce- Technical-Architecture.asp Risk 1 Risk 1 An event that could happen and if

585 views • 37 slides
Introduction to Pairings ECC Summer School Diego F. Aranha November 12, 2017 Institute of

Introduction to Pairings ECC Summer School Diego F. Aranha November 12, 2017 Institute of

Introduction to Pairings ECC Summer School Diego F. Aranha November 12, 2017 Institute of Computing University of Campinas What is a pairing? 1 Why a bilinear pairing? e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S )

947 views • 46 slides
ICS 6B Boolean Algebra & Logic Boolean Algebra & Logic Lecture Notes for Summer Quarter,

ICS 6B Boolean Algebra & Logic Boolean Algebra & Logic Lecture Notes for Summer Quarter,

ICS 6B Boolean Algebra & Logic Boolean Algebra & Logic Lecture Notes for Summer Quarter, 2008 Michele Rousseau Set 1 Administrative Details, Ch. 1.1, 1.2 Todays Lecture Administrative details Course Mechanics

481 views • 30 slides
A Reputational Theory of Firm Dynamics Simon Board Moritz Meyer-ter-Vehn UCLA May 6, 2014

A Reputational Theory of Firm Dynamics Simon Board Moritz Meyer-ter-Vehn UCLA May 6, 2014

Introduction Model Best-Response Equilibrium Observable Informed The End Appendix A Reputational Theory of Firm Dynamics Simon Board Moritz Meyer-ter-Vehn UCLA May 6, 2014 Introduction Model Best-Response Equilibrium Observable

600 views • 45 slides
beta against the por.olio Distressed porfolio Average loss on

beta against the por.olio Distressed porfolio Average loss on

beta against the por.olio Distressed porfolio Average loss on asset i Distressed porfolio Distressed porfolio different defini8on Average loss on asset

1.07k views • 77 slides

More recommend