This article discusses the malicious exploitation of Traffic Distribution Systems (TDS) by threat actors to redirect victims and mask their attack infrastructure. It examines the characteristics differentiating malicious TDS from benign ones, such as longer redirection chains and greater connectivity among URLs. Moreover, it outlines a machine learning-based detection system developed to identify malicious TDS infrastructures. Affected: phishing, malvertising, online gambling, darknet services
Keypoints :
- Threat actors exploit TDS to redirect traffic for phishing, malvertising, and gambling services.
- Malicious TDS infrastructure typically involves more URLs and connections compared to benign TDS networks.
- A machine learning-powered detection system has been developed to identify malicious TDS activities.
- Malicious TDS traffic contains longer redirection chains and demonstrates higher connectivity levels among URLs.
- Legitimate organizations also utilize TDS for marketing purposes.
- Malicious campaigns analyzed include phishing schemes and malvertising efforts.
- Adversaries adapt quickly to takedown attempts by frequently changing entry and landing points.
- Machine Learning models demonstrate over 93% precision in detecting malicious TDS.
MITRE Techniques :
- Traffic Direction (T1071): Attackers use TDS to redirect users through various intermediate domains before landing on malicious pages.
- Phishing (T1566): TDS infrastructure is used to host phishing campaigns, enticing users through legitimate-looking links.
- Malicious Advertising (T1207): TDS campaigns redirect visitors to unwanted advertising pages.
- Domain Generation Algorithms (DGA) (T1497): TDS utilizes generated domains to maintain dynamic and resilient redirection networks.
Indicator of Compromise :
- [Domain] 3adating[.]com
- [Domain] 7eh3gj[.]lol
- [Domain] ba3e7q[.]lol
- [Domain] dappadar[.]bio
- [Domain] dappadar[.]community
Full Story: https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribution-systems/