Fortinet researchers studying phishing domains have found that South Africa was among the top 20 countries targeted in a large influx of recent Phishing attacks.
In June and July 2019, FortiGuard Labs observed a large influx of phishing domains being registered in batches by a phishing threat actor or group.
They immediately launched an investigation to uncover additional indicators of compromise (IOCs) related to this campaign. Because of some careless behaviours that - if avoided - could have masked their behaviour, they were able to learn the following:
The researchers started with known phishing domains, finding registrants and name servers, and then iteratively expanded the search to bring in more related IOCs. After the expansion of some malicious seeds, they were then able to blacklist about 3000 phishing IOCs.
Fortinet’s telemetry data revealed that the campaign targeted over 100 countries, with the highest number of visits – 2111 – to the US. Also in the top 5 were China, Mexico, Vietnam and Kazakhstan.
South Africa – with 167 visits – was number 17 in the top 20 countries targeted, followed by Thailand, Singapore and Italy.
This campaign stands out because the threat actor continually registered new domains and hosted their own dedicated DNS servers. As a result, Fortinet was able to monitor their campaign closely and can similarly monitor other phishing threat actors as long as they consistently used a dedicated infrastructure (IP address, Name Server, or WHOIS registrants), or used some unique URL patterns in their Phishing sites.
Because many phishers are similarly careless, this monitoring technique can be re-used to find more phishers. For example, Fortinet was able to use this same strategy to catch the Microsoft Fake AntiVirus Group. This group has the following characteristics:
Fortinet has been able to catch this group by monitoring their dedicated IP addresses.
Doros Hadjizenonos, regional sales director at Fortinet, says “Cybercriminals tend to do the same things over and over again. Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same web-based infrastructure, and leverage those resources at the exact same step on their attack cycle. Learn those patterns and you can begin to see and even anticipate an attack before it is even launched.”
However, not every cybercriminal is careless. Fortinet says phishing sites are usually hosted on compromised websites. As a result, the threat actor’s behaviour is easily concealed. Other methods for obscuring phishing activities often include:
“The best approach to countering Phishing attacks is to regularly train all personnel to be wary of unknown senders and to not click on links/attachments of suspicious emails,” notes Hadjizenonos.