Cybercriminals apparently have a tendency to use the same (or at least similar) lexical styles when establishing domains for phishing and advanced persistent threat (APT) attacks, making it possible for security researchers to identify sites using natural language processing (NLP) techniques.

That’s according to OpenDNS Security Labs, which is prototyping a tool dubbed NLPRank to see if it can identify potentially malicious websites and phishing domains more quickly. Based on tests so far, the natural language processing tool could prove to be a “robust” method for defending against APTs, claimed OpenDNS security researcher Jeremiah O’Connor in a blog post.

Security researchers at OpenDNS recently analyzed DNS data associated with attacks carried out by the cybercrime group behind the Carbanak malware, which is believed to have stolen hundreds of millions of dollars from banks around the world in a sophisticated, multiyear APT campaign.

APT Campaigns

To penetrate banks and various other financial institutions, these cybercriminals would typically target employees through phishing emails laced with malware, which, when installed on a system, would allow them to take complete control of the compromised computer. At that point, they would move laterally across the network to other more critical systems, gain access to administrative accounts, control ATMs and siphon out huge sums of money.

When comparing the malicious domains and spoofing techniques used in the Carbanak campaign with those used in other APTs like the Darkhotel cyber espionage campaign, OpenDNS observed they were constructed in a similar lexical fashion. “One of the spoofing techniques often leveraged is the impersonation of a legitimate software or tech company in an email claiming a required software update,” O’Connor said.

Domains used in the Darkhotel campaign, for example, included,, and Meanwhile, the Carbanak APT used domains such as and Other instances of domain names sharing a similar lexical structure included, and

Lexical Similarities

In reviewing the attack data, OpenDNS discovered multiple cases of suspicious websites advertising fake Java updates, sharing the same infrastructure and exhibiting similar attack patterns, O’Connor said. Researchers discovered that APT groups have a tendency to spoof legitimate domains and use spear phishing tactics to obfuscate their criminal campaigns.

Because of the lexical similarities among the domains used in these criminal campaigns, it is possible to use NLP techniques to identify potentially malicious typo-squatting and targeted phishing domains, O’Connor said. NLP is basically a technique for extracting meaning from written words using specialized software. Its tools are used widely to read and interpret free text documents in a variety of applications and fields.

Natural Language Processing via Minimum-Edit Distance

According to O’Connor, OpenDNS’ NLPRank system uses NLP, HTML tag analysis and a method known as minimum-edit distance to see if it can distinguish between legitimate and malicious domains on the Internet.

The minimum-edit distance method checks for the distance between words in legitimate and typo-squatting domains. It is used in other applications like spell-checking and speech translation, as well, and offers a way to define and differentiate the language used by malicious domains from the one used by legitimate domains, O’Connor said.

Another process OpenDNS uses in conjunction with NLP to identify malicious domains is autonomous systems number (ASN) mapping. Malicious domains are usually hosted on IP networks that are not associated with the domain they’re attempting to spoof. For example, if a domain offering an Adobe update maps to an IP network that does not belong to Adobe, there is a good chance the domain is malicious. OpenDNS has built an ASN map of all legitimate domains on the Internet along with their appropriate ASNs, O’Connor said.

Using these methods, NLPRank has reportedly been able to spot several types of phishing attacks spoofing major companies such as Wells Fargo, Facebook, Dropbox and others.

More from

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…