Cybercriminals apparently have a tendency to use the same (or at least similar) lexical styles when establishing domains for phishing and advanced persistent threat (APT) attacks, making it possible for security researchers to identify sites using natural language processing (NLP) techniques.

That’s according to OpenDNS Security Labs, which is prototyping a tool dubbed NLPRank to see if it can identify potentially malicious websites and phishing domains more quickly. Based on tests so far, the natural language processing tool could prove to be a “robust” method for defending against APTs, claimed OpenDNS security researcher Jeremiah O’Connor in a blog post.

Security researchers at OpenDNS recently analyzed DNS data associated with attacks carried out by the cybercrime group behind the Carbanak malware, which is believed to have stolen hundreds of millions of dollars from banks around the world in a sophisticated, multiyear APT campaign.

APT Campaigns

To penetrate banks and various other financial institutions, these cybercriminals would typically target employees through phishing emails laced with malware, which, when installed on a system, would allow them to take complete control of the compromised computer. At that point, they would move laterally across the network to other more critical systems, gain access to administrative accounts, control ATMs and siphon out huge sums of money.

When comparing the malicious domains and spoofing techniques used in the Carbanak campaign with those used in other APTs like the Darkhotel cyber espionage campaign, OpenDNS observed they were constructed in a similar lexical fashion. “One of the spoofing techniques often leveraged is the impersonation of a legitimate software or tech company in an email claiming a required software update,” O’Connor said.

Domains used in the Darkhotel campaign, for example, included adobeupdates.com, adobeplugs.net, adoberegister.flashserv.net and microsoft-xpupdate.com. Meanwhile, the Carbanak APT used domains such as update-java.net and adobe-update.net. Other instances of domain names sharing a similar lexical structure included gmailboxes.com, microsoft-update-info.com and firefoxupdata.com.

Lexical Similarities

In reviewing the attack data, OpenDNS discovered multiple cases of suspicious websites advertising fake Java updates, sharing the same infrastructure and exhibiting similar attack patterns, O’Connor said. Researchers discovered that APT groups have a tendency to spoof legitimate domains and use spear phishing tactics to obfuscate their criminal campaigns.

Because of the lexical similarities among the domains used in these criminal campaigns, it is possible to use NLP techniques to identify potentially malicious typo-squatting and targeted phishing domains, O’Connor said. NLP is basically a technique for extracting meaning from written words using specialized software. Its tools are used widely to read and interpret free text documents in a variety of applications and fields.

Natural Language Processing via Minimum-Edit Distance

According to O’Connor, OpenDNS’ NLPRank system uses NLP, HTML tag analysis and a method known as minimum-edit distance to see if it can distinguish between legitimate and malicious domains on the Internet.

The minimum-edit distance method measures how far apart two strings are, counted as the fewest single-character insertions, deletions and substitutions needed to turn one into the other; here it is applied to the words in legitimate and typo-squatting domains. It is also used in other applications such as spell-checking and speech translation, and offers a way to define and differentiate the language used by malicious domains from that used by legitimate domains, O’Connor said.

Another process OpenDNS uses in conjunction with NLP to identify malicious domains is autonomous system number (ASN) mapping. Malicious domains are usually hosted on IP networks that are not associated with the domain they’re attempting to spoof. For example, if a domain offering an Adobe update maps to an IP network that does not belong to Adobe, there is a good chance the domain is malicious. OpenDNS has built an ASN map of all legitimate domains on the Internet along with their appropriate ASNs, O’Connor said.

Using these methods, NLPRank has reportedly been able to spot several types of phishing attacks spoofing major companies such as Wells Fargo, Facebook, Dropbox and others.
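The following sketch is an added example, not NLPRank's code: it combines an approximate-substring form of minimum-edit distance with an ASN mismatch check to score the domains named in this article. The brand list, the matching thresholds and the ASN values (taken from the documentation range) are assumptions made for illustration.

```python
# Constructed sample data (not OpenDNS's): brands with their official domains
# and ASNs. The ASNs come from the documentation range, not real allocations.
BRANDS = {
    "adobe":     {"domains": {"adobe.com"},     "asns": {64496}},
    "java":      {"domains": {"java.com"},      "asns": {64497}},
    "microsoft": {"domains": {"microsoft.com"}, "asns": {64498}},
    "firefox":   {"domains": {"mozilla.org"},   "asns": {64499}},
}

def substring_edit_distance(pattern, text):
    """Minimum edit distance between pattern and any substring of text."""
    prev = [0] * (len(text) + 1)      # row 0 is all zeros: match may start anywhere
    for i, pc in enumerate(pattern, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1,                 # drop a pattern character
                           cur[j - 1] + 1,              # extra character in text
                           prev[j - 1] + (pc != tc)))   # match or substitution
        prev = cur
    return min(prev)                  # match may end anywhere

def spoofed_brand(hostname):
    """Return the brand a hostname imitates, or None (official or no brand)."""
    host = hostname.lower().rstrip(".")
    for info in BRANDS.values():
        if any(host == d or host.endswith("." + d) for d in info["domains"]):
            return None
    name = host.rsplit(".", 1)[0]     # ignore the top-level label
    for brand in BRANDS:
        allowed = 1 if len(brand) > 5 else 0   # short brands must match exactly
        if substring_edit_distance(brand, name) <= allowed:
            return brand
    return None

def assess(hostname, observed_asn):
    """Combine the lexical match with the ASN check described above."""
    brand = spoofed_brand(hostname)
    if brand is None:
        return "no-match"
    if observed_asn in BRANDS[brand]["asns"]:
        return "brand-on-own-asn"
    return "suspicious:" + brand

if __name__ == "__main__":
    # Domains named in the article; 64511 is a constructed hosting ASN.
    for d in ["adobeupdates.com", "update-java.net", "microsoft-xpupdate.com",
              "firefoxupdata.com", "adobe.com"]:
        print(d, assess(d, 64511))
```

In practice the observed ASN would come from resolving the domain and looking the IP up in a routing table snapshot, and the brand-to-ASN map would need regular refreshing.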
