Dynamics of Online Scam Hosting Infrastructure - PowerPoint PPT Presentation


  1. Dynamics of Online Scam Hosting Infrastructure
     Maria Konte, Nick Feamster (Georgia Tech); Jaeyeon Jung (Intel Research)

  2. Online Scams
     • Often advertised in spam messages
     • URLs point to various point-of-sale sites
     • These scams continue to be a menace
       – As of August 2007, one in every 87 emails constituted a phishing attack
     • Scams often hosted on bullet-proof domains
     • Problem: Study the dynamics of online scams, as seen at a large spam sinkhole

  3. Online Scam Hosting is Dynamic
     • A URL received in an email message may point to different sites over time
     • Maintains agility as sites are shut down, blacklisted, etc.
     • One mechanism for hosting sites: fast flux

  4. Overview of Dynamics (figure; source: HoneyNet Project)

  5. Why Study Dynamics?
     • Understanding
       – What are the possible invariants?
       – How many different scam-hosting sites are there?
     • Detection
       – Today: Blacklisting based on URLs
       – Instead: Identify the network-level behavior of a scam-hosting site

  6. Summary of Findings
     • What are the rates and extents of change?
       – Different from legitimate load balancing
       – Differ across scam campaigns
     • How are dynamics implemented?
       – Many scam campaigns change DNS mappings at all three locations in the DNS hierarchy
         • A record, NS record, IP address of the NS
     • Conclusion: Might be able to detect based on monitoring the dynamic behavior of URLs

  7. Data Collection
     • One month of email spamtrap data
       – 115,000 emails
       – 384 unique domains
       – 24 unique spam campaigns

  8. Top 3 Spam Campaigns
     • Some campaigns hosted by thousands of IPs
     • Most scam domains exhibit some type of flux
     • Sharing of IP addresses across different roles (authoritative NS and scam hosting)

  9. Time Between Changes
     • How quickly do DNS-record mappings change?
     • Scam domains change on shorter intervals than their TTL values
     • Domains within the same campaign exhibit similar rates of change

  10. Rates of Change
     • Domains that exhibit fast flux change more rapidly than legitimate domains
     • Rates of change are inconsistent with actual TTL values

  11. Rates of Accumulation
     • How quickly do scams accumulate new IP addresses?
     • Rates of accumulation differ across campaigns
     • Some scams only begin accumulating IP addresses after some time

  12. Rates of Accumulation (figure)

  13. Location of Change in Hierarchy
     • Scam networks use a different portion of the IP address space than legitimate sites
       – 30/8 – 60/8: lots of legitimate sites, no scam sites
     • DNS lookups for scam domains are often more widely distributed than those for legitimate sites

  14. Location in IP Address Space
     • Scam campaign infrastructure is considerably more concentrated in the 80/8-90/8 range
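The measurements behind slides 6 and 8-14 (which level of the DNS hierarchy changed, change interval versus advertised TTL, accumulation of new IPs, IPs shared between the NS and hosting roles, and the /8 distribution) can be computed from a log of repeated lookups. The following is an added example, not code from the slides or the GT-CS-08-07 report: the `Lookup` record, the `FLUX_*` thresholds, the domain names and the lookup log are all constructed for illustration, and the flux flag is a simple heuristic, not the paper's classifier.

```python
"""Added example (not from the Konte/Feamster/Jung slides): measure the
DNS-level dynamics the deck describes over a constructed lookup log."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from statistics import median

# Illustrative thresholds (assumptions, not values taken from the paper).
FLUX_MIN_BELOW_TTL_RATIO = 0.5   # share of A changes arriving sooner than the TTL
FLUX_MIN_NEW_IPS = 3             # distinct IPs gained beyond the first answer


@dataclass(frozen=True)
class Lookup:
    """One resolution of a domain at the three hierarchy levels of slide 6."""
    t: int                # seconds since start of observation
    domain: str
    ttl: int              # TTL advertised on the A records
    a: frozenset          # A-record IPs returned
    ns: frozenset         # NS hostnames returned
    ns_ip: frozenset      # IPs the NS hostnames resolved to


def change_events(lookups):
    """(level, seconds since the last change at that level, ttl) for every
    mapping change between consecutive lookups of one domain."""
    lookups = sorted(lookups, key=lambda l: l.t)
    last = {lvl: lookups[0].t for lvl in ("A", "NS", "NS_IP")}
    events = []
    for prev, cur in zip(lookups, lookups[1:]):
        for lvl, before, after in (("A", prev.a, cur.a),
                                   ("NS", prev.ns, cur.ns),
                                   ("NS_IP", prev.ns_ip, cur.ns_ip)):
            if before != after:
                events.append((lvl, cur.t - last[lvl], prev.ttl))
                last[lvl] = cur.t
    return events


def accumulation_curve(lookups):
    """(t, distinct A-record IPs seen so far): flat for round-robin over a
    fixed pool, rising for a fluxing domain (slide 11)."""
    seen, curve = set(), []
    for l in sorted(lookups, key=lambda l: l.t):
        seen |= l.a
        curve.append((l.t, len(seen)))
    return curve


def slash8_histogram(ips):
    """Addresses per /8, to compare against the 30/8-60/8 vs. 80/8-90/8
    observation of slides 13-14."""
    return Counter(ip_address(ip).packed[0] for ip in ips)


def summarize(log):
    """Per-domain dynamics report with a simple heuristic flux flag."""
    by_domain = defaultdict(list)
    for l in log:
        by_domain[l.domain].append(l)
    report = {}
    for domain, ls in by_domain.items():
        ls.sort(key=lambda l: l.t)
        events = change_events(ls)
        a_events = [e for e in events if e[0] == "A"]
        a_ips = set().union(*(l.a for l in ls))
        ns_ips = set().union(*(l.ns_ip for l in ls))
        curve = accumulation_curve(ls)
        below_ttl = (sum(1 for _, gap, ttl in a_events if gap < ttl) / len(a_events)
                     if a_events else 0.0)
        report[domain] = {
            "changes": Counter(e[0] for e in events),
            "median_a_interval": median(e[1] for e in a_events) if a_events else None,
            "below_ttl_ratio": below_ttl,
            "distinct_ips": len(a_ips),
            "accumulation": curve,
            "ips_in_both_roles": a_ips & ns_ips,   # slide 8: NS and hosting share IPs
            "slash8": slash8_histogram(a_ips),
            "looks_like_flux": (below_ttl >= FLUX_MIN_BELOW_TTL_RATIO
                                and curve[-1][1] - curve[0][1] >= FLUX_MIN_NEW_IPS),
        }
    return report


def constructed_log():
    """Constructed sample, not captured data: a fluxing scam domain rotating
    through 80/8-89/8 and a legitimate site with a single failover."""
    def scam_ip(k):
        return f"{80 + k}.1.{k}.{10 + k}"
    log = []
    for i in range(9):                       # one lookup every 120 s
        log.append(Lookup(t=120 * i, domain="scam.example", ttl=300,
                          a=frozenset({scam_ip(i), scam_ip(i + 1)}),
                          ns=frozenset({"ns1.scam.example"}),
                          ns_ip=frozenset({scam_ip(5) if i < 4 else scam_ip(9)})))
        log.append(Lookup(t=120 * i, domain="legit.example", ttl=300,
                          a=frozenset({"30.5.5.1", "30.5.5.2"} if i < 5
                                      else {"30.5.5.2", "45.9.9.3"}),
                          ns=frozenset({"ns.legit.example"}),
                          ns_ip=frozenset({"30.5.0.53"})))
    return log


if __name__ == "__main__":
    for domain, r in summarize(constructed_log()).items():
        print(domain, {k: v for k, v in r.items() if k != "accumulation"})
```

On the constructed log the scam domain shows eight A-record changes and one NS-IP change in 16 minutes, every A change arriving well inside the 300 s TTL, ten distinct IPs spread one per /8 across 80/8-89/8, and two addresses that serve both as authoritative NS and as hosting IP; the legitimate domain shows a single change that arrives after its TTL and never grows its pool beyond three addresses.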

  15. Distribution of DNS Records (figure)

  16. Registrars Involved in Changes
     • About 70% of domains still active are registered at eight domains
     • Three registrars responsible for 257 domains (95% of those still marked as active)

  17. Conclusion
     • Scam campaigns rely on a dynamic hosting infrastructure
     • Studying the dynamics of that infrastructure may help us develop better detection methods
     • Dynamics
       – Rates of change differ from legitimate sites, and differ across campaigns
       – Dynamics implemented at all levels of the DNS hierarchy
     • Location
       – Scam sites distributed more across IP address space
     http://www.cc.gatech.edu/research/reports/GT-CS-08-07.pdf
