• Irena Damsky

Detecting phishing from pDNS

During May and the beginning of June I’ve presented my research about detecting phishing from passive DNS at several conferences in the US and Europe.

The abstract of the presentation is:

Passive DNS (pDNS) have been utilized by threat researchers for several years and allow us to gather information on domain usage worldwide. Since data fidelity varies depending upon the scope, timeline, and vantage point of sensor networks, pDNS visibility provides a multitude of different and exciting results for analysts to review.

In this presentation we will quickly recap DNS and pDNS, review different approaches to detecting phishing using pDNS and focus on demonstrating different heuristics and operational procedures that can help increase actual detection while minimizing false positives.

In this talk I had three main points that I wanted to show:

1. What is Passive DNS —

The methodology that I am presenting on the detection part can be done on multiple other data sets of DNS resolutions, the reason I’ve chosen pDNS is to demonstrate this data set. Even though Passive DNS exists since 2004, and is used by many security practitioners, many others are not familiar with this technology and data set. As I believe this is a wonderful data set, it was really important for me to share it with the world and have more people be aware of it and hopefully using it.

2. Simple ways of detecting Phishing —

Many of the features that phishing domains use are very simple to recognize, even with an unarmed eye. You don’t need to be a specialist in phishing or in infosec in general to know that a domain like “faceb00k.com” is suspicious and should be treated as such.

3. Do not over complicate things!

We love to over complicate things! we think that unless we use the most innovative techniques we will not be able to do our jobs correctly. In this presentation I am trying to show that sometimes, the simplest things combined can be enough to get pretty good results without involving super duper techniques such as machine learning, neural networks, block-chain, big data, artificial intelligence and.. have I forgotten any other big and fancy buzz words?

My slides are available here — note — these slides are from the CONFidence presentation on June 4th. There are other versions of these slides from Security Fest, HackInBo and APWG eCrime congress available on my website at damsky.tech/events, just scroll to the correct event to download the slides.

And a recording of the session from Security Fest in Gotenborg, Sweden is here:

I hope the next and updated version of this research will be accepted to more conferences as I have been submitting it to other events and already have new content for it!

Let me know in the comments if you have any questions about or ideas for this research!

85 views0 comments



©2018 by Damsky - Cyber Threat Intelligence Research, Training and Consulting.