
Copyright 2005 InternetPerils, Inc

© 2004 InternetPerils, Inc.

Visualization for Data Sharing

John S. Quarterman

InternetPerils

Jay Swofford
Jim Maloney
Corillian

19 April 2005, APWG London


Seeing the Undead

• BBC (22 March): U.K. leads world in zombie PCs
• Many of them used for phishing
• See the undead horde to help stop it.


The Ant Bed

• Destinations: Websense


The Ant Bed

• 49 phishing servers
• mostly found by Websense
• with routing paths to each
• Looks like an ant bed.
• For each ant we know:
  – address
  – domain name, where reverse DNS works
  – routing
  – likely geographical location
  – performance


Analyzing the Ant Bed

• Identify data sources and gather data
• Organize data in database
• Analyze data for patterns using
  – rules of behavior
  – visualization
  – data mining
• Enhance data in database from analysis
• Visualize and report results to stakeholders
• Use the above to prepare for next attack


Zooming In


Zooming 7


Zooming 7

Zooming in on 65.39.211.249

ebay.accountreturning.com

The previous slide shows 7 hops out from the destination


Zoomed


Zoomed

• Two phishing nodes connected very similarly
  – ebay.accountreturning.com
  – charterone-information.net
• That's interesting in itself
• Both connected via peer1.net
• and via routers in Vancouver
• Latencies from them to the destinations are low
• Probably in Canada, possibly Vancouver


Where in the World is 65.75.176.120?


Where in the World is 65.75.176.120?

• Destination didn't respond to probes
• Closest responding node: 64.154.102.5
• assertive.managed.com
• registered in San Diego, California
• next hop out: assertive.above.net
  – 64.125.30.94 so-0-0-0.er10a.sjc.us.above.net
  – 64.125.30.90 so-2-0-0.er10a.sjc.us.above.net
• Routing indicates near San Jose, California


Where in the World is 65.75.176.120?

• But destination's netblock is registered to an individual in Ripley, Texas

• Destination didn't respond: no latency so can't tell whether it's in California or Texas

• Further examination could include:
  – does the hosting company offer a distributed network?
  – or only one hosting center, in California?
  – are there other phishing nodes in the same center?
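The reasoning on the "Zoomed" and "Where in the World" slides follows a fixed pattern: take the routing path to each phishing node, find the closest hop that answered probes, read city codes out of router names, compare with where the netblock is registered, and notice when several nodes share the same upstream. The script below is an added example, not code from the talk or from InternetPerils; it runs that pattern over constructed traceroute records that reuse the above.net hostnames from the slides and use `example.invalid` placeholders for the Vancouver peer1.net routers. The `CITY_CODES` table and the `192.0.2.x` addresses are assumptions for illustration.

```python
# Constructed traceroute records modelled on the slides. Each hop is
# (ip, hostname or None, rtt_ms or None); a None rtt means the node did
# not answer probes. Names under "example.invalid" are placeholders.
TRACES = {
    "65.75.176.120": [
        ("64.125.30.90", "so-2-0-0.er10a.sjc.us.above.net", 11.2),
        ("64.125.30.94", "so-0-0-0.er10a.sjc.us.above.net", 11.5),
        ("64.154.102.5", "assertive.managed.com", 12.1),
        ("65.75.176.120", None, None),  # destination never responded
    ],
    "65.39.211.249": [
        ("192.0.2.1", "core1.van.peer1.example.invalid", 30.0),
        ("192.0.2.2", "edge2.van.peer1.example.invalid", 31.4),
        ("65.39.211.249", "ebay.accountreturning.com", 32.0),
    ],
    "192.0.2.99": [  # constructed address standing in for the second node
        ("192.0.2.1", "core1.van.peer1.example.invalid", 29.8),
        ("192.0.2.3", "edge3.van.peer1.example.invalid", 31.0),
        ("192.0.2.99", "charterone-information.net", 31.9),
    ],
}

# Netblock registration as stated on the slides; nothing was shown for the others.
REGISTERED = {"65.75.176.120": "Ripley, TX"}

# Hand-made table of airport-style codes operators embed in router names.
# Only "sjc" is on the slides; the rest are assumed for illustration.
CITY_CODES = {"sjc": "San Jose, CA", "van": "Vancouver, BC", "lax": "Los Angeles, CA"}


def location_hint(hostname):
    """Return a city if any dotted label of the hostname is a known code."""
    if not hostname:
        return None
    for label in hostname.lower().split("."):
        if label in CITY_CODES:
            return CITY_CODES[label]
    return None


def locate(dest):
    """Infer where a destination probably sits from its routing path."""
    hops = TRACES[dest]
    responded = hops[-1][2] is not None
    # Closest node that answered: walk back from the destination.
    closest = next(h for h in reversed(hops) if h[2] is not None)
    # Nearest hop to the destination whose name carries a city code.
    hint = next((location_hint(h[1]) for h in reversed(hops) if location_hint(h[1])), None)
    registered = REGISTERED.get(dest)
    if responded:
        verdict = f"routing and latency point to {hint}" if hint else "no location hint"
    elif registered and hint and registered != hint:
        # Silent destination: no latency, so routing and registration can't be reconciled.
        verdict = (f"unresolved: routing suggests {hint}, registration says "
                   f"{registered}; no latency from a silent destination")
    else:
        verdict = f"routing suggests {hint}" if hint else "no location hint"
    return {"dest": dest, "responded": responded,
            "closest_hop": closest[1] or closest[0], "closest_rtt_ms": closest[2],
            "routing_hint": hint, "registered": registered, "verdict": verdict}


def shared_upstreams(traces):
    """Intermediate nodes that more than one destination is routed through."""
    seen = {}
    for dest, hops in traces.items():
        for ip, name, _ in hops[:-1]:
            seen.setdefault(name or ip, set()).add(dest)
    return {node: dests for node, dests in seen.items() if len(dests) > 1}


if __name__ == "__main__":
    for d in TRACES:
        print(locate(d)["verdict"])
    print(shared_upstreams(TRACES))
```

`locate` deliberately refuses to pick between California and Texas for the silent destination, which is the same conclusion the slide reaches; `shared_upstreams` surfaces the common peer1 router behind the two Vancouver nodes, the kind of pattern the "ant bed" analysis is meant to expose.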


A Faked Domain


A Faked Domain

• 211.101.236.19 signin.ebay.com.sdll.us
• Domain name appears to be in the U.S.
• But SDLL is not a U.S. state code
• It's registered to someone in San Diego
• But its IP address is in China, probably Beijing
• on capitalnet.com.cn
• Nodes leading to it are also in China
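The faked-domain slide rests on two checks a defender can automate: the brand name sits in a subdomain label while the registrable domain belongs to someone else, and the label in front of `.us` is not a state code. The following is an added example, not code from the talk; `BRANDS` is a constructed table (only `ebay.com` is on the slides, `charterone.example` is a placeholder), and `registrable_domain` assumes the last two labels are the registration, which holds for the slides' examples but would need a public-suffix list for names like `co.uk`.

```python
import re

# Constructed brand table: token -> the domain the brand really uses.
# "ebay.com" is on the slides; "charterone.example" is a placeholder.
BRANDS = {"ebay": "ebay.com", "charterone": "charterone.example"}

# The 50 US state postal codes plus DC.
US_STATE_CODES = set(
    "al ak az ar ca co ct de dc fl ga hi id il in ia ks ky la me md ma mi mn ms "
    "mo mt ne nv nh nj nm ny nc nd oh ok or pa ri sc sd tn tx ut vt va wa wv wi wy".split()
)


def registrable_domain(hostname):
    # Assumption: last two labels form the registration (no public-suffix list).
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_tokens(hostname):
    # Split on dots and hyphens so "charterone-information" yields "charterone".
    return [t for t in re.split(r"[.-]", hostname.lower()) if t in BRANDS]


def us_locality_flag(hostname):
    """For .us names, True/False whether the label before .us is a state code;
    None for names not under .us."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "us":
        return None
    return labels[-2] in US_STATE_CODES


def analyze(hostname):
    """Flag a hostname whose brand token does not match its registrable domain."""
    reg = registrable_domain(hostname)
    tokens = brand_tokens(hostname)
    reasons = [f"brand '{t}' present but registrable domain is {reg}, not {BRANDS[t]}"
               for t in tokens if reg != BRANDS[t]]
    if us_locality_flag(hostname) is False:
        reasons.append(f"'{hostname.split('.')[-2]}' before .us is not a US state code")
    return {"host": hostname, "registrable_domain": reg, "brands": tokens,
            "suspicious": any(reg != BRANDS[t] for t in tokens), "reasons": reasons}


if __name__ == "__main__":
    for name in ("signin.ebay.com.sdll.us", "ebay.accountreturning.com",
                 "charterone-information.net", "signin.ebay.com"):
        print(analyze(name))
```

The state-code check is only a hint, since ordinary `.us` registrations are not required to use one; the brand-versus-registrable-domain mismatch is what actually drives the verdict.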


FSTC Phases

• Financial Services Technology Consortium

• Counter-Phishing Initiative
• Phishing Phases:
  – Planning
  – Setup
  – Attack
  – Collection
  – Fraud
  – Post-Attack


Visualization and Pattern Matching for FSTC Phases

• Collect data, visualize, analyze, etc. for each phase and for the connections between them, in order to:
  – help stop attacks
  – show how problems occurred
  – make problems visible for greater awareness


Contact Information

John Quarterman jsq@internetperils.com

www.internetperils.com