14 research outputs found

    Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse

    Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first large-scale, empirical study of combosquatting by analyzing more than 468 billion DNS records, collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.
    Comment: ACM CCS 1

    FireEye: M-Trends Report 2020

    In previous editions of M-Trends, we observed that some things change while others stay the same. For example, M-Trends 2010 discussed how phishing was the most common and successful method that APT [Advanced Persistent Threat] groups used to gain initial access to an organization. That has not changed. Many of the case studies in M-Trends 2020 also begin with phishing, perpetuating the widespread belief that people are often the weakest link in the security chain.

    HI-CFG: Construction by Binary Analysis, and Application to Attack Polymorphism

    Abstract. Security analysis often requires understanding both the control and data-flow structure of a binary. We introduce a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to infer it from an instruction-level trace. As an application, we consider the task of generalizing an attack against a program whose inputs undergo complex transformations before reaching a vulnerability. We apply the HI-CFG to find the parts of the program that implement each transformation, and then generate new attack inputs under a user-specified combination of transformations. Structural knowledge allows our approach to scale to applications that are infeasible with monolithic symbolic execution. Such attack polymorphism shows the insufficiency of any filter that does not support all the same transformations as the vulnerable application. In case studies, we show this attack capability against a PDF viewer and a word processor.

    Sniff‐Phish: A novel framework for resource intensive computation in cloud to detect email scam

    Abstract. Today, the growing significance of digitization across the globe has made cybersecurity inevitable. Many threats exist that cause harm and enable illegal activities on a device or a network. Email scam, or phishing, is a technique that most hackers use as bait to infiltrate a system. After a systematic analysis of the infiltration process, a Chrome extension named Sniff‐Phish is developed, in which the resource-intensive computational tasks are performed in the cloud, allowing various categories of real-time email scams or phishing attacks, such as zero-day and spear phishing, to be detected. This extension is based on analyzing some basic criteria of the malicious URL and presenting the legitimacy level of the link in the form of a report. The accuracy obtained for Sniff‐Phish is 98% and covers a wide range of phishing websites, resulting in a low false positive rate of 1.2%. Considering the zero-day and spear-phishing detection rate of Sniff‐Phish, the overall experimental results prove that the proposed system outperforms conventional phishing detection methods.