Flux in Fraud Infrastructures
Minaxi Gupta
Computer Science Dept., Indiana University, Bloomington
Fraud evolution
- Economically driven
- Pull vs push-based
- Much is Web-based
- Uses botnets extensively

Internet fraud has an infrastructure behind it
- Phishing
- Scam sites
- Drive-by downloads
- Socially-engineered malware

It is provisioned differently
- Flux in phishing:
  - Fast flux
  - DNS flux
  - Double flux
- Helps escape detection and promotes longevity of fraud

Observations
- 10-30% of phishing Web servers exhibit fast flux
- 60% of their DNS servers exhibit DNS flux
- Most fluxing Web servers are part of double-flux infrastructure
- Same machines act as Web and DNS servers in many cases
- One host name resolves to many IPs, but many names share a common pool of IPs

Take away
- Fraud infrastructures have telltale signs
- It may be possible to create signatures that distinguish fraud infrastructures from regular Internet infrastructure
- Need to investigate what the signatures should look like
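The observations above (one name cycling through many addresses, name servers that flux too, and a pool of addresses shared across names and across the Web and DNS roles) can be turned into simple passive-DNS heuristics. The following is an added illustration, not code from the talk: the thresholds (five distinct addresses, TTL of at most 300 seconds) are assumptions chosen for the example, and the sample observations are constructed with .example names and TEST-NET addresses.

```python
"""Heuristics for spotting fast-flux, DNS-flux and double-flux patterns in
passive DNS observations. Added illustration; thresholds and sample data are
constructed assumptions, not material from the talk."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int        # seconds since the start of the capture window
    qname: str     # name that was resolved
    rtype: str     # "A" or "NS"
    rdata: str     # IP address for A records, name-server host for NS records
    ttl: int


def build_sample():
    """Constructed passive-DNS sample (TEST-NET addresses, .example names)."""
    obs = []
    pool = [f"192.0.2.{i}" for i in range(10, 22)]          # 12-address flux pool
    web = ("login-update.example", "secure-verify.example")  # two fluxing Web names
    ns = ("ns1.fluxzone.example", "ns2.fluxzone.example")   # their fluxing name servers
    for t in range(6):                                       # six TTL intervals
        for i, name in enumerate(web):
            # each answer carries four pool members; the set rotates every TTL
            for k in range(4):
                obs.append(Observation(t * 180, name, "A", pool[(4 * t + 2 * i + k) % 12], 180))
            for host in ns:
                obs.append(Observation(t * 180, name, "NS", host, 180))
        # the NS hosts are served out of the same pool (same machines as Web and DNS servers)
        for j, host in enumerate(ns):
            obs.append(Observation(t * 180, host, "A", pool[(5 * t + 7 * j) % 12], 180))
    # a stable site for contrast: one address, long TTL, static name server
    for t in range(6):
        obs.append(Observation(t * 180, "www.stable.example", "A", "198.51.100.7", 86400))
        obs.append(Observation(t * 180, "www.stable.example", "NS", "ns.stable.example", 86400))
        obs.append(Observation(t * 180, "ns.stable.example", "A", "203.0.113.53", 86400))
    return obs


def answers(obs):
    """Map (qname, rtype) -> set of rdata seen, plus the minimum TTL seen per key."""
    seen = defaultdict(set)
    min_ttl = {}
    for o in obs:
        key = (o.qname, o.rtype)
        seen[key].add(o.rdata)
        min_ttl[key] = min(o.ttl, min_ttl.get(key, o.ttl))
    return seen, min_ttl


def fluxing_hosts(obs, min_ips=5, max_ttl=300):
    """Names whose A answers cycle through many addresses with short TTLs (fast flux)."""
    seen, min_ttl = answers(obs)
    return {name for (name, rtype), ips in seen.items()
            if rtype == "A" and len(ips) >= min_ips and min_ttl[(name, rtype)] <= max_ttl}


def double_flux_hosts(obs, **kw):
    """Fast-flux names whose authoritative name servers flux as well (double flux)."""
    seen, _ = answers(obs)
    flux = fluxing_hosts(obs, **kw)
    return {name for name in flux
            if any(ns in flux for ns in seen.get((name, "NS"), ()))}


def shared_pool(obs, **kw):
    """Addresses that serve more than one fluxing name: the common IP pool."""
    seen, _ = answers(obs)
    flux = fluxing_hosts(obs, **kw)
    by_ip = defaultdict(set)
    for (name, rtype), ips in seen.items():
        if rtype == "A" and name in flux:
            for ip in ips:
                by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def web_and_dns_overlap(obs, **kw):
    """Addresses that answer both for a fluxing Web name and for one of its name servers."""
    seen, _ = answers(obs)
    flux = fluxing_hosts(obs, **kw)
    ns_hosts = {ns for (name, rtype), rr in seen.items()
                if rtype == "NS" and name in flux for ns in rr}
    web_ips = set().union(*(seen[(n, "A")] for n in flux - ns_hosts))
    ns_ips = set().union(*(seen[(n, "A")] for n in ns_hosts if (n, "A") in seen))
    return web_ips & ns_ips


if __name__ == "__main__":
    sample = build_sample()
    print("fast flux:", sorted(fluxing_hosts(sample)))
    print("double flux:", sorted(double_flux_hosts(sample)))
    print("shared pool size:", len(shared_pool(sample)))
    print("Web/DNS overlap:", sorted(web_and_dns_overlap(sample)))
```

Run against real passive-DNS data, the same functions would need a longer window and thresholds tuned against legitimate CDN and round-robin behaviour, which also spreads one name over many addresses; the talk's caution that flux alone is not a signature applies to these heuristics as well.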
Caution
- DoS attacks do not have Web sites
- Hacked sites can be used to host fraud
- This talk takes a DNS perspective on fraud infrastructures; many bypass DNS by using IP addresses directly
- Signatures in the absence of flux?
- Can criminals evolve to bypass signatures?