Fast flux is a technique used by cybercriminals to increase their infrastructure's resilience by making law enforcement takedown of their servers and denylisting of their IP addresses harder. It is critical for these cybercriminals to maintain their networks' uptime to avoid losses to their revenue streams, including phishing and scam campaigns, botnet rental and illegal gambling operations.

The motivation for cybercriminals to build fast flux networks is similar to that of benign service providers, who build redundancy into their systems to ensure uptime, for example, by utilizing Round Robin in the Domain Name System (RRDNS) or Content Delivery Networks (CDNs). The main difference is that fast flux networks are used to enable illegal and malicious activities. Therefore, operators need to rely on peculiar techniques such as frequently changing their IP addresses and using botnets or bulletproof hosting (hosting providers who tend not to respond to takedown requests). A fast flux network is "fast" because, using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based denylisting and takedown efforts difficult.

In this blog, we provide a fictional scenario of a cat-and-mouse game between cybercriminals and law enforcement. We illustrate how cybercriminals use single fast flux networks and more advanced techniques such as double flux (when the domain name resolution itself becomes part of the fast flux network) and Domain Generation Algorithms (DGAs) to hamper domain denylisting and takedown efforts.

Additionally, we cover three case studies that show the wide range of malicious activities that fast fluxing can be used for. We observe scammers using fast flux domains to operate social engineering pages in many different languages, cybercriminals infecting machines with Smoke Loader malware and using fast fluxing for their command and control (C2) domains, and finally, we show how fast flux domains are used to operate illicit adult and gambling sites.

Palo Alto Networks provides protection against fast flux and DGA domains leveraging our classifiers in multiple Palo Alto Networks Next-Generation Firewall security subscriptions, including URL Filtering and DNS Security.

Fast Flux Fictional Scenario

Fast flux networks can be used to support a wide variety of criminal endeavors, such as phishing, scams, malware distribution and botnet operations. The term "fast flux" originates from April Lorenzen, who observed early use of this technique. To explain how fast flux works and to provide background, we will start with a fictitious example of a phishing operator, Mallory. Mallory would like to harvest user credentials that he can later sell on various illicit underground markets.

Mallory: The villain involved in phishing.
Bart: Mallory's friend who compromises machines and builds botnets.
Alice: Unsuspecting customer of Rainbow Bank.
Emilia: The protagonist and the leader of a law enforcement team tasked with stopping the phishing attacks launched lately against Rainbow Bank's customers.

Before his venture into fast fluxing, Mallory learned that the domain name system translates domain names that are easy to remember for humans (e.g., ) to IP addresses (e.g., 34.107.151.202) understood by machines. These IP addresses are what machines use on the Internet to find each other and to be able to communicate.

Mallory started off by creating a website mimicking a known bank, rainbowbank[.]com. He set up a fake bank website called ralnbowbank[.]com on a rented host with IP address 10.123.3455. Mallory chose the typosquatting domain ralnbowbank[.]com as it looks very similar to the bank's real domain name. In general, typosquatting domain names (ralnbowbank[.]com) are misspelled variants of target domain names (rainbowbank[.]com), registered to profit from users' typing mistakes or to deceive users into believing that they are the correct target domain.
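The contrast the post draws between benign RRDNS/CDN rotation and fast flux (a short TTL plus a pool of many bots spread across unrelated networks, and in double flux the name servers rotating too) is easiest to see on resolver-side data. The following is an added example, not code from the blog post or from Palo Alto Networks: it builds a constructed passive-DNS log for three fictitious domains (the post's rainbowbank.com and ralnbowbank.com, plus an assumed shop-deals.example for the double flux case), aggregates address footprint, TTL floor and answer churn per record type, and applies an illustrative heuristic. The thresholds in looks_fluxy and all sample addresses are assumptions.

```python
"""Fast flux / double flux heuristic over a constructed passive-DNS log.

Added example, not code from the blog post. Thresholds and sample data are
assumptions chosen to make the contrast visible, not tuned production values.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Observation:
    """What one resolver lookup of (domain, rtype) returned, and when."""
    domain: str
    rtype: str                # "A" = web host address, "NS" = name-server glue address
    ttl: int                  # seconds the answer may be cached before re-resolving
    answers: Tuple[str, ...]  # IPv4 addresses in the answer
    t: int                    # seconds since capture start


def build_sample_log() -> List[Observation]:
    """Constructed sample data (private / documentation address space), three domains:
    - rainbowbank.com     benign: short TTL but a small, stable CDN pool in one /24, stable NS
    - ralnbowbank.com     single flux: a fresh bot pair on every lookup, NS stays put
    - shop-deals.example  double flux: A answers and NS glue addresses both rotate
    """
    log: List[Observation] = []
    cdn = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    for i in range(10):
        t = i * 180  # one lookup every three minutes
        log.append(Observation("rainbowbank.com", "A", 60, (cdn[i % 4], cdn[(i + 1) % 4]), t))
        log.append(Observation("rainbowbank.com", "NS", 86400, ("198.51.100.53",), t))
        log.append(Observation("ralnbowbank.com", "A", 180,
                               (f"10.{2 * i}.5.1", f"10.{2 * i + 1}.7.9"), t))
        log.append(Observation("ralnbowbank.com", "NS", 86400, ("198.51.100.2",), t))
        log.append(Observation("shop-deals.example", "A", 120,
                               (f"10.{100 + 2 * i}.0.1", f"10.{101 + 2 * i}.0.1"), t))
        log.append(Observation("shop-deals.example", "NS", 120, (f"172.{16 + i}.1.1",), t))
    return log


@dataclass
class RecordStats:
    lookups: int = 0
    min_ttl: int = 10**9
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)  # distinct /16 networks seen
    changes: int = 0  # lookups whose answer set differed from the previous one


def summarize(log: List[Observation]) -> Dict[Tuple[str, str], RecordStats]:
    """Aggregate per (domain, rtype): address footprint, TTL floor and answer churn."""
    stats: Dict[Tuple[str, str], RecordStats] = defaultdict(RecordStats)
    last: Dict[Tuple[str, str], FrozenSet[str]] = {}
    for ob in sorted(log, key=lambda o: o.t):
        key = (ob.domain, ob.rtype)
        s = stats[key]
        s.lookups += 1
        s.min_ttl = min(s.min_ttl, ob.ttl)
        for ip in ob.answers:
            s.ips.add(ip)
            s.prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        answer = frozenset(ob.answers)
        if key in last and last[key] != answer:
            s.changes += 1
        last[key] = answer
    return dict(stats)


def looks_fluxy(s: RecordStats, max_ttl: int = 300, min_ips: int = 8, min_prefixes: int = 5) -> bool:
    """Churn alone is not enough (a CDN churns too); flux needs a wide, scattered pool."""
    return s.min_ttl <= max_ttl and len(s.ips) >= min_ips and len(s.prefixes) >= min_prefixes


def classify(log: List[Observation]) -> Dict[str, str]:
    """Single flux = the A record fluxes; double flux = the name servers flux as well."""
    stats = summarize(log)
    verdicts: Dict[str, str] = {}
    for domain in sorted({d for d, _ in stats}):
        a_flux = (domain, "A") in stats and looks_fluxy(stats[(domain, "A")])
        ns_flux = (domain, "NS") in stats and looks_fluxy(stats[(domain, "NS")])
        if a_flux and ns_flux:
            verdicts[domain] = "double flux"
        elif a_flux:
            verdicts[domain] = "single flux"
        else:
            verdicts[domain] = "not flux-like"
    return verdicts


if __name__ == "__main__":
    log = build_sample_log()
    for key, s in sorted(summarize(log).items()):
        print(f"{key[0]:<20} {key[1]:<3} ttl>={s.min_ttl:<6} ips={len(s.ips):<3} "
              f"/16s={len(s.prefixes):<3} changes={s.changes}/{s.lookups - 1}")
    for domain, verdict in classify(log).items():
        print(f"{domain:<20} -> {verdict}")
```

The benign domain changes its answer on every lookup too, which is why the heuristic keys on the size and scatter of the address pool rather than on churn or TTL alone; on real data the thresholds need tuning against known CDN and RRDNS deployments, and ASN diversity is a stronger signal than the /16 proxy used here.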
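The typosquatting domain in the scenario relies on a single confusable character, and defenders routinely screen newly observed domains against the brands they protect. The following is an added example, not code from the blog post or from Palo Alto Networks: it flags lookalikes of a monitored brand by folding confusable glyphs, then checking for one-character typos, adjacent-letter swaps and same-name-other-TLD registrations. The CONFUSABLES table, the sample domain list and the use of the second-level label as the registrable name (so suffixes such as co.uk are not handled) are assumptions.

```python
"""Lookalike-domain screen for a monitored brand name.

Added example, not code from the blog post. CONFUSABLES, the sample domains and
the distance rules are assumptions; public-suffix handling is deliberately omitted.
"""
from typing import List, Optional, Tuple

# Glyph substitutions that render nearly identically in many fonts (assumed list).
# Multi-character entries are applied first so "rn" collapses before single chars.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "i", "l": "i", "0": "o"}


def canonical(label: str) -> str:
    """Fold confusable glyphs so 'ra1nbow' and 'ralnbow' both read as 'rainbow'."""
    s = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_adjacent_swap(a: str, b: str) -> bool:
    """True when a and b differ only by one pair of neighbouring characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def registrable_label(domain: str) -> str:
    """Second-level label only (assumption: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_verdict(candidate: str, brand: str) -> Optional[str]:
    """Why `candidate` resembles `brand`, or None if it does not (or is the brand itself)."""
    c, b = registrable_label(candidate), registrable_label(brand)
    if c == b:
        return None if candidate.lower() == brand.lower() else "same name, other TLD"
    if canonical(c) == canonical(b):
        return "homoglyph"
    if levenshtein(c, b) == 1:
        return "one-character typo"
    if is_adjacent_swap(c, b):
        return "transposition"
    return None


def screen(candidates: List[str], brand: str) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every candidate that resembles the brand."""
    hits = []
    for d in candidates:
        why = lookalike_verdict(d, brand)
        if why:
            hits.append((d, why))
    return hits


# Constructed candidate list, standing in for a feed of newly observed domains.
SAMPLE_DOMAINS = [
    "rainbowbank.com",    # the brand itself
    "ralnbowbank.com",    # the scenario's typosquat: 'l' in place of 'i'
    "ra1nbowbank.com",    # digit one in place of 'i'
    "rainbowbnak.com",    # swapped letters
    "rainbowbankk.com",   # doubled letter
    "rainbowbank.net",    # right name, wrong TLD
    "rainbovvbank.com",   # 'vv' for 'w'
    "weather.example",    # unrelated
]

if __name__ == "__main__":
    for domain, reason in screen(SAMPLE_DOMAINS, "rainbowbank.com"):
        print(f"{domain:<20} {reason}")
```

Canonicalisation runs before the edit-distance checks so that a glyph swap is reported as a homoglyph rather than as a generic one-character typo; in practice the confusables table would be extended with Unicode confusables for IDN labels.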