Dynamics of Online Scam Hosting Infrastructure
Maria Konte, Nick Feamster (Georgia Tech); Jaeyeon Jung (Intel Research)
Online Scams
• Often advertised in spam messages
• URLs point to various point-of-sale sites
• These scams continue to be a menace
  – As of August 2007, one in every 87 emails constituted a phishing attack
• Scams often hosted on bullet-proof domains
• Problem: Study the dynamics of online scams, as seen at a large spam sinkhole
Online Scam Hosting is Dynamic
• The sites pointed to by a URL that is received in an email message may point to different sites
• Maintains agility as sites are shut down, blacklisted, etc.
• One mechanism for hosting sites: fast flux
Overview of Dynamics (figure; source: HoneyNet Project)
Why Study Dynamics?
• Understanding
  – What are the possible invariants?
  – How many different scam-hosting sites are there?
• Detection
  – Today: Blacklisting based on URLs
  – Instead: Identify the network-level behavior of a scam-hosting site
Summary of Findings
• What are the rates and extents of change?
  – Different from legitimate load balance
  – Different across different scam campaigns
• How are dynamics implemented?
  – Many scam campaigns change DNS mappings at all three locations in the DNS hierarchy
    • A, NS, IP address of NS record
• Conclusion: Might be able to detect based on monitoring the dynamic behavior of URLs
Data Collection
• One month of email spamtrap data
  – 115,000 emails
  – 384 unique domains
  – 24 unique spam campaigns
Top 3 Spam Campaigns
• Some campaigns hosted by thousands of IPs
• Most scam domains exhibit some type of flux
• Sharing of IP addresses across different roles (authoritative NS and scam hosting)
Time Between Changes
• How quickly do DNS-record mappings change?
• Scam domains change on shorter intervals than their TTL values
• Domains within the same campaign exhibit similar rates of change
Rates of Change
• Domains that exhibit fast flux change more rapidly than legitimate domains
• Rates of change are inconsistent with actual TTL values
Rates of Accumulation
• How quickly do scams accumulate new IP addresses?
• Rates of accumulation differ across campaigns
• Some scams only begin accumulating IP addresses after some time
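The three measurements on the preceding slides (time between changes, change rate versus advertised TTL, and accumulation of distinct answers) can be computed from a log of periodic lookups. The script below is an added example, not the authors' measurement code, and runs over a small constructed set of observations; the domain names, addresses and TTLs are invented for illustration. The same functions apply to NS records, so changes at more than one level of the DNS hierarchy can be scored the same way.

```python
# Constructed sample of periodic DNS lookups (not the paper's data):
# (seconds since start, domain, record type, answer set, advertised TTL).
OBSERVATIONS = [
    (0,    "scam.example",  "A",  {"192.0.2.10", "192.0.2.11"}, 300),
    (120,  "scam.example",  "A",  {"192.0.2.11", "192.0.2.12"}, 300),
    (240,  "scam.example",  "A",  {"192.0.2.13"},               300),
    (360,  "scam.example",  "A",  {"192.0.2.13", "192.0.2.14"}, 300),
    (0,    "scam.example",  "NS", {"ns1.scam.example"},         3600),
    (240,  "scam.example",  "NS", {"ns2.scam.example"},         3600),
    (0,    "legit.example", "A",  {"198.51.100.5"},             300),
    (600,  "legit.example", "A",  {"198.51.100.5"},             300),
    (1200, "legit.example", "A",  {"198.51.100.6"},             300),
]

def _rows(obs, domain, record):
    # Observations for one (domain, record type), ordered by time.
    return sorted((o for o in obs if o[1] == domain and o[2] == record), key=lambda o: o[0])

def change_intervals(obs, domain, record="A"):
    """Seconds between successive observed changes of the answer set."""
    rows = _rows(obs, domain, record)
    intervals, t_last, last = [], rows[0][0], rows[0][3]
    for t, _, _, answers, _ in rows[1:]:
        if answers != last:
            intervals.append(t - t_last)
            t_last, last = t, answers
    return intervals

def accumulation_curve(obs, domain, record="A"):
    """Cumulative number of distinct answers seen after each lookup."""
    seen, curve = set(), []
    for t, _, _, answers, _ in _rows(obs, domain, record):
        seen |= answers
        curve.append((t, len(seen)))
    return curve

def flux_summary(obs):
    """Per (domain, record): change count, shortest change interval vs. TTL, distinct answers."""
    summary = {}
    for domain, record in sorted({(o[1], o[2]) for o in obs}):
        ivals = change_intervals(obs, domain, record)
        ttl = min(o[4] for o in _rows(obs, domain, record))
        summary[(domain, record)] = {
            "changes": len(ivals),
            "min_interval": min(ivals) if ivals else None,
            "ttl": ttl,
            # Mapping changed within one TTL: inconsistent with the advertised TTL.
            "faster_than_ttl": bool(ivals) and min(ivals) < ttl,
            "distinct": accumulation_curve(obs, domain, record)[-1][1],
        }
    return summary
```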
Rates of Accumulation (figure)
Location of Change in Hierarchy
• Scam networks use a different portion of the IP address space than legitimate sites
  – 30/8 – 60/8: lots of legitimate sites, no scam sites
• DNS lookups for scam domains are often more widely distributed than those for legitimate sites
Location in IP Address Space
• Scam campaign infrastructure is considerably more concentrated in the 80/8-90/8 range
Distribution of DNS Records (figure)
Registrars Involved in Changes
• About 70% of domains still active are registered at eight domains
• Three registrars responsible for 257 domains (95% of those still marked as active)
Conclusion
• Scam campaigns rely on a dynamic hosting infrastructure
• Studying the dynamics of that infrastructure may help us develop better detection methods
• Dynamics
  – Rates of change differ from legitimate sites, and differ across campaigns
  – Dynamics implemented at all levels of DNS hierarchy
• Location
  – Scam sites distributed more across IP address space
http://www.cc.gatech.edu/research/reports/GT-CS-08-07.pdf