Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/2/2016
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Catching Online Scammers, Dealers & Drug Dealers With DNS

Researchers at Black Hat Europe this week will demonstrate a streamlined technique for spotting and identifying illicit narcotics, counterfeiters, and other scammer websites and operations.

Takedowns of malicious or fraudulent websites is a temporary fix for online fraud and crime, mainly because the bad guys then just put up another website domain they have waiting in the wings.

Researchers at Black Hat Europe in London tomorrow will demonstrate a new technique they developed that uses Domain Name Service (DNS) analysis to more efficiently spot illegal websites and online criminal operations. Andrew Lewman, chief revenue officer at Farsight Security, and Stevan Keraudy, CTO of CybelAngel, teamed up with an approach that detects, analyzes, and clusters illegal websites to better root out domain abuse.

"It's new research and taking a network science approach to identify online criminal networks," Lewman says.

The method employs visualization and analysis of DNS requests to identify common threads that tie sketchy websites together, according to the researchers, who will detail their findings in the "Narcos, Counterfeiters, and Scammers: An Approach to Visualize Illegal Markets" presentation at Black Hat. They plan to show how they filtered thousands of counterfeiting websites via DNS cache-miss requests, and then drilled down to several hundred domain names that were tied to one illicit organization.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

"The main problem is criminals have a lot of resources. They don't just create one website, they create thousands of them at one time and only put one online" at a time, Keraudy says. "As soon as they're spotted or taken down, they just look at one of those thousands of websites waiting in line and put one online. They are very organized," he says.

Thus the one-by-one website takedown approach by authorities is a time-consuming and ultimately, losing, battle.

Internet pioneer and DNS expert Paul Vixie has previously called for a "cooling-off period" for new Internet domain names to help thwart domain abuse. Vixie argues that there's no legitimate rationale for a new Internet domain name to go live less than a minute after it's registered. That pattern is often a red flag for malicious activity, an issue that the generation of inexpensive and quick-to-deploy domain names has spawned.

Vixie's concept of putting new domain names on hold for just a few minutes or hours is a practice that could deter malicious activity. "If they still exist then and are not taken down … and are not in a reputation system [blacklist], that means there's probably nothing wrong with them," Vixie, who is CEO of Farsight Security, said in an interview with Dark Reading last year.

Human-Readable
Lewman and Keraudy used Farsight's Passive DNS service, which gathers DNS response data in real-time, and CybelAngel's Web-crawling technology and data analysis algorithms, to allow the researchers to spot counterfeiters' domain names when those sites go live. "We converted passive DNS to visualization related to" a commonly counterfeited brand, for example, Keraudy says.

It's basically a way to convert that data into human-readable and easily understood intelligence about the bad sites and their operations.

"You get clustered visualization of those websites, so you can clearly visualize those [illicit] organizations," he says.

A company whose brand is being abused, such as a luxury handbag company, would then get specific details and information on that illegal organization, so they then can take legal action.

"We have a crawler on the suspicious websites with the goal of extracting as much information as possible, such as phone number, email, Whois" and other information, Keraudy says.

But even this more advanced method of rooting out domain abuse isn't likely to stop online scamming altogether.

"It will always be a cat-and-mouse game," Keraudy says. 

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lily652
50%
50%
Lily652,
User Rank: Moderator
11/7/2016 | 1:16:42 PM
http://prayertimesnow.com/

Nice to see this impressive article and wanna say thanks a lot for providing this much pretty info. I would like to share this with my friends to explore more about this 

DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12868
PUBLISHED: 2019-06-18
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...