Researchers from Fortinet have discovered that South Africa was among the top 20 countries targeted in a recent slew of phishing attacks that employed the same techniques.
During June and July, FortiGuard Labs noted a large influx of phishing domains being registered in batches by a phishing group or actor, and began an investigation to uncover additional indicators of compromise (IOCs) related to this campaign.
The criminals abused a specific online virtual hosting registrar in order to bulk register domains and managed to register more than 200 domains each day for over a week. The researchers found that these phishing attempts targeted more than 100 countries.
The US had the highest number of visits, with 2111. Also in the top five were China, Mexico, Vietnam and Kazakhstan. SA, with 167 visits, came in at number 17 followed by Thailand, Singapore and Italy.
Many of the registrant e-mails used the pattern <random_string>@e.o-w-o[.]info. To support the backend, the phisher or phishers had registered and consistently used the same group of dedicated name servers, Fortinet said.
The researchers began with known phishing domains, extracted their registrants and name servers, and then iteratively expanded the search to pull in further related IOCs. Starting from a handful of malicious seeds, this expansion let them blacklist about 3 000 phishing IOCs.
This campaign is unusual because its authors continually registered new domains and hosted their own dedicated DNS servers. As a result, Fortinet said it was able to monitor the campaign closely, and it can similarly monitor other phishing threat actors as long as they consistently employ dedicated infrastructure (IP addresses, name servers or WHOIS registrants) or use some unique URL pattern in their phishing sites.
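The seed-and-expand method described above (pivoting from known phishing domains through shared registrant e-mails and dedicated name servers, then repeating until nothing new appears) can be illustrated with a small script. The following is an added example, not Fortinet's code: the WHOIS/DNS records, domain names and name servers are constructed for the demonstration, and the registrant-pattern check uses the defanged address format quoted in the article. It also shows the caveat a practitioner would care about: a name server belonging to a shared public DNS provider must be excluded from the pivot, or the expansion drags in unrelated, legitimate domains.

```python
import re
from typing import Dict, Iterable, Set

# Constructed WHOIS/DNS records for the example (not real data).
# Each domain maps to its registrant e-mail and the name servers it uses.
RECORDS: Dict[str, dict] = {
    "seed-login.example":  {"registrant": "a1b2c3@e.o-w-o.info",
                            "ns": {"ns1.evil-dns.example", "ns2.evil-dns.example"}},
    "acct-verify.example": {"registrant": "zz9y8x@e.o-w-o.info",
                            "ns": {"ns2.evil-dns.example", "ns3.evil-dns.example"}},
    "secure-pay.example":  {"registrant": "q7w8e9@e.o-w-o.info",
                            "ns": {"ns3.evil-dns.example"}},
    # This one mixes the actor's dedicated NS with a shared public provider.
    "update-bank.example": {"registrant": "r4t5y6@e.o-w-o.info",
                            "ns": {"ns3.evil-dns.example", "ns1.public-dns.example"}},
    # Legitimate sites that merely use the same public DNS provider.
    "legit-shop.example":  {"registrant": "admin@legit-shop.example",
                            "ns": {"ns1.public-dns.example"}},
    "legit-blog.example":  {"registrant": "owner@legit-blog.example",
                            "ns": {"ns1.public-dns.example"}},
}

# Name servers run by shared providers serve thousands of unrelated domains,
# so they are never used as a pivot (hypothetical allowlist for this example).
SHARED_NS_ALLOWLIST: Set[str] = {"ns1.public-dns.example"}

# Registrant pattern quoted in the article: <random_string>@e.o-w-o[.]info
REGISTRANT_PATTERN = re.compile(r"^[a-z0-9]+@e\.o-w-o\.info$", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]') back into its plain form."""
    return value.replace("[.]", ".")


def matches_registrant_pattern(email: str) -> bool:
    """True if a (possibly defanged) registrant e-mail fits the campaign pattern."""
    return bool(REGISTRANT_PATTERN.match(refang(email)))


def expand_iocs(seeds: Iterable[str], records: Dict[str, dict],
                shared_ns: Set[str] = SHARED_NS_ALLOWLIST,
                max_rounds: int = 10) -> dict:
    """Iteratively expand a seed set of phishing domains.

    Each round collects the registrants and (non-shared) name servers of every
    known-bad domain, then adds every domain in `records` that shares one of
    them. Stops when a round adds nothing new or `max_rounds` is reached.
    """
    domains: Set[str] = set(seeds)
    registrants: Set[str] = set()
    nameservers: Set[str] = set()
    rounds = 0
    for _ in range(max_rounds):
        rounds += 1
        # Pivot 1: infrastructure behind the domains we already consider bad.
        for d in domains:
            rec = records.get(d)
            if rec is None:
                continue
            registrants.add(rec["registrant"])
            nameservers |= rec["ns"] - shared_ns
        # Pivot 2: every domain that reuses that infrastructure.
        related = {d for d, rec in records.items()
                   if rec["registrant"] in registrants or rec["ns"] & nameservers}
        if related <= domains:
            break
        domains |= related
    return {"domains": domains, "registrants": registrants,
            "nameservers": nameservers, "rounds": rounds}


def blocklist(result: dict) -> list:
    """Sorted domain blocklist from an expansion result."""
    return sorted(result["domains"])


if __name__ == "__main__":
    res = expand_iocs(["seed-login.example"], RECORDS)
    print("Blocklist:", blocklist(res))
    print("Pivoted registrants:", sorted(res["registrants"]))
    print("Pivoted name servers:", sorted(res["nameservers"]))
```

With the allowlist in place the expansion reaches the four campaign domains in two productive rounds and stops; run with `shared_ns=set()` the same seed pulls in the two legitimate sites through the public name server, which is exactly the false-positive risk Fortinet's note about dedicated infrastructure implies.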
Doros Hadjizenonos, regional sales director at Fortinet, says cyber criminals tend to repeat their behaviours.
“Our recent Fortinet Threat Landscape Report for Q1 of 2019 showed that a surprising number of attackers use the exact same Web-based infrastructure and leverage those resources at the exact same step on their attack cycle. Learn those patterns and you can begin to see and even anticipate an attack before it is even launched.”
However, he stresses that not all attackers are careless. Phishing sites are usually hosted on compromised Web sites and, as a result, the threat actor’s behaviour is easily concealed.
“The best approach to countering phishing attacks is to regularly train all personnel to be wary of unknown senders and to not click on links or attachments in suspicious e-mails,” concludes Hadjizenonos.