March 16, 2015 By Jaikumar Vijayan 3 min read

Cybercriminals apparently have a tendency to use the same (or at least similar) lexical styles when establishing domains for phishing and advanced persistent threat (APT) attacks, making it possible for security researchers to identify sites using natural language processing (NLP) techniques.

That’s according to OpenDNS Security Labs, which is prototyping a tool dubbed NLPRank to see if it can identify potentially malicious websites and phishing domains more quickly. Based on tests so far, the natural language processing tool could prove to be a “robust” method for defending against APTs, claimed OpenDNS security researcher Jeremiah O’Connor in a blog post.

Security researchers at OpenDNS recently analyzed DNS data associated with attacks carried out by the cybercrime group behind the Carbanak malware, which is believed to have stolen hundreds of millions of dollars from banks around the world in a sophisticated, multiyear APT campaign.

APT Campaigns

To penetrate banks and various other financial institutions, these cybercriminals would typically target employees through phishing emails laced with malware, which, when installed on a system, would allow them to take complete control of the compromised computer. At that point, they would move laterally across the network to other more critical systems, gain access to administrative accounts, control ATMs and siphon out huge sums of money.

When comparing the malicious domains and spoofing techniques used in the Carbanak campaign with those used in other APTs like the Darkhotel cyber espionage campaign, OpenDNS observed they were constructed in a similar lexical fashion. “One of the spoofing techniques often leveraged is the impersonation of a legitimate software or tech company in an email claiming a required software update,” O’Connor said.

Domains used in the Darkhotel campaign, for example, included,, and Meanwhile, the Carbanak APT used domains such as and Other instances of domain names sharing a similar lexical structure included, and

Lexical Similarities

In reviewing the attack data, OpenDNS discovered multiple cases of suspicious websites advertising fake Java updates, sharing the same infrastructure and exhibiting similar attack patterns, O’Connor said. Researchers discovered that APT groups have a tendency to spoof legitimate domains and use spear phishing tactics to obfuscate their criminal campaigns.

Because of the lexical similarities among the domains used in these criminal campaigns, it is possible to use NLP techniques to identify potentially malicious typo-squatting and targeted phishing domains, O’Connor said. NLP is basically a technique for extracting meaning from written words using specialized software. Its tools are used widely to read and interpret free text documents in a variety of applications and fields.

Natural Language Processing via Minimum-Edit Distance

According to O’Connor, OpenDNS’ NLPRank system uses NLP, HTML tag analysis and a method known as minimum-edit distance to see if it can distinguish between legitimate and malicious domains on the Internet.

The minimum-edit distance method checks for the distance between words in legitimate and typo-squatting domains. It is used in other applications like spell-checking and speech translation, as well, and offers a way to define and differentiate the language used by malicious domains from the one used by legitimate domains, O’Connor said.

Another process OpenDNS uses in conjunction with NLP to identify malicious domains is autonomous systems number (ASN) mapping. Malicious domains are usually hosted on IP networks that are not associated with the domain they’re attempting to spoof. For example, if a domain offering an Adobe update maps to an IP network that does not belong to Adobe, there is a good chance the domain is malicious. OpenDNS has built an ASN map of all legitimate domains on the Internet along with their appropriate ASNs, O’Connor said.

Using these methods, NLPRank has reportedly been able to spot several types of phishing attacks spoofing major companies such as Wells Fargo, Facebook, Dropbox and others.

More from

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today