We get asked all the time what customers can do about phishing. It is a problem that has faced the industry for quite some time, and in 80% of cases it is the vector through which threat actors attack first; that being so, it should be your first line of defense. So what can you do?
Deploy Defenses
The first thing to do is deploy a system that can protect you based on what is being observed by partners, DHS, ICS-ISAC, US-CERT, Jigsaw FirstWatch sensors, OSINT reports and blogs, and other direct reporting into our SOC. These threat exchanges provide a wealth of information that can be used to protect against phishing. Jigsaw Security brings in data from many sources and then scores each threat based on activity, effectively denying the threat actor the ability to get through email defenses. We do this using several methods, including the following:
Sinkholing of DNS traffic deemed malicious
Sinkholing of sending mail servers whose hostname does not match the information in the email or the sender
Forcing two-step verification of unverified senders
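As an added illustration, not Jigsaw Security's own code, the following Python applies the three checks above to a constructed inbound-mail record: a blocklist lookup on hostnames found in the body (the DNS sinkhole), a comparison of the sending server's HELO and PTR names against the envelope sender's domain, and a hold for senders that have not yet been verified. The blocklist, the verified-sender set and the message records are constructed for the example; the "hold" action is an assumption standing in for whatever the verification workflow does in practice.

```python
"""Added example (not Jigsaw Security's code): gateway checks for
sinkholed destinations, sender-hostname mismatch and unverified senders."""
from dataclasses import dataclass, field

# Constructed sample data. The two names come from the page's indicator list;
# the verified sender is made up. A real deployment would load these from feeds.
DNS_BLOCKLIST = {"aqib.ga", "2k18bot.com"}
VERIFIED_SENDERS = {"alice@example.com"}


@dataclass
class InboundMessage:
    helo_name: str              # hostname announced by the client in HELO/EHLO
    ptr_name: str               # reverse DNS of the connecting IP (looked up by the MTA)
    mail_from: str              # envelope sender
    links: list = field(default_factory=list)  # hostnames extracted from the body


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def in_blocklist(host: str) -> bool:
    """True when the host or any parent domain is on the DNS blocklist,
    so sub.aqib.ga is caught by the aqib.ga entry."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in DNS_BLOCKLIST for i in range(len(parts) - 1))


def sinkholed_links(msg: InboundMessage) -> list:
    """Check 1: body hostnames that would be sinkholed at the resolver."""
    return [host for host in msg.links if in_blocklist(host)]


def hostname_matches_sender(msg: InboundMessage) -> bool:
    """Check 2: both the HELO name and the PTR name must be the sender's
    domain or a host inside it."""
    sender_dom = domain_of(msg.mail_from)

    def matches(name: str) -> bool:
        name = name.lower().rstrip(".")
        return name == sender_dom or name.endswith("." + sender_dom)

    return matches(msg.helo_name) and matches(msg.ptr_name)


def triage(msg: InboundMessage) -> str:
    """Return the gateway action for one message."""
    if sinkholed_links(msg):
        return "reject: sinkholed destination"
    if not hostname_matches_sender(msg):
        return "reject: sender hostname mismatch"
    if msg.mail_from.lower() not in VERIFIED_SENDERS:
        # Assumption: unverified senders are held until they complete verification.
        return "hold: verification required"
    return "deliver"


# Constructed sample messages exercising each outcome.
SAMPLES = {
    "clean": InboundMessage("mail.example.com", "mail.example.com",
                            "alice@example.com", ["www.example.com"]),
    "sinkholed": InboundMessage("mail.example.com", "mail.example.com",
                                "alice@example.com", ["login.aqib.ga"]),
    "mismatch": InboundMessage("mx.example.net", "host.example.net",
                               "bob@example.com", []),
    "unverified": InboundMessage("mail.example.org", "mail.example.org",
                                 "carol@example.org", []),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:10s} -> {triage(msg)}")
```

The hostname comparison is deliberately strict in both directions (HELO and PTR); a mismatch on either is enough to trigger the sinkhole rule described above, which is why the check runs before the verification step.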
But this only stops some of the vectors. What else can be done? Some organizations use separate addresses for incoming and outgoing mail. This allows inbound content to be scanned specifically for malicious content before it is delivered. The Jigsaw Security solution works in addition to this method: it scans messages, but it also denies access to the malicious content should something actually end up in your inbox.
Recent Activity
We have been reporting on activity of interest from an IP address (105.0.6[.]51) that we have been seeing quite often and at multiple customer sites. We recommend blocking the entire netblock, as it is a frequent source of phishing activity. Additional indicators for this activity are included below.
IOCS
Please keep in mind that Jigsaw Security does not recommend using IOCs (Indicators of Compromise) to block this type of activity. IOCs are indicators of what may have already occurred. Don't forget to look in your history (packets, logging and other systems) to ensure that you have not already succumbed to these attacks. We use a method of identifying patterns in network traffic and files, which is more accurate and will still detect the traffic even when IOC information changes. Threat actors will change their infrastructure once it is discovered, so IOCs just make it more costly for the threat actors to operate, but the problem still exists. Find out how FirstWatch denies access to the threat actor by using other methods of detection.
105.0.6[.]51
173.212.237[.]120
2k18bot.com
abdulrehman.bottersking[.]xyz
abdulrehman[.]ooo
aboutwolrd[.]ml
akmj-bot[.]ml
aldi-panel[.]xyz
ambil-pulsaku[.]cf
ambil-skin-gratis2018.n4t[.]co
ambil-skin18[.]gq
ambil[.]ml
androbot.siteku[.]xyz
andromeda.pediame[.]xyz
aqib[.]ga
arrygorre[.]com
arslan1337[.]com
asmat-king[.]tk
autofollowers[.]ooo
autoinstapost[.]com
autolike.onthewifi[.]com
availabity-ddos[.]ml
ayanbot[.]cf
ayanbotserver[.]cf
bagibagihadia[.]ooo
bagibagipulsa01[.]ooo
bkarich@hygieneering[.]com
blog.dreamnesia[.]com
bokep18-brazzers[.]ga
bokephd-free[.]tk
bokepjapan[.]ga
bokepku[.]cf
bokepvideo[.]ml
mail.vvip-tsb[.]tk
vvip-tsb[.]tk
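The post's point is that indicators like the list above are for looking back through your history, not for blocking. As an added example (not Jigsaw Security's or FirstWatch's code), the Python below refangs a handful of the indicators from the list, treats the source IP's surrounding netblock as blocked, and hunts for matches in a few constructed DNS-resolver and proxy log lines. The log lines are invented for the example, the `/24` size of the netblock is an assumption since the post does not state it, and the log format is a placeholder for whatever your own systems produce.

```python
"""Added example (not Jigsaw Security's code): refang IOCs and hunt for
them in historical DNS and proxy logs."""
import ipaddress
import re

# A subset of the indicators from the page, still in their defanged form.
RAW_IOCS = """105.0.6[.]51 173.212.237[.]120 2k18bot.com abdulrehman[.]ooo
aqib[.]ga mail.vvip-tsb[.]tk vvip-tsb[.]tk"""

# Assumption: the post recommends blocking the source IP's netblock but does
# not give its size; /24 is a placeholder to be replaced with the real prefix.
BLOCKED_NETBLOCK = ipaddress.ip_network("105.0.6.0/24")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so values can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str):
    """Split a whitespace-separated indicator list into IP and domain sets."""
    ips, domains = set(), set()
    for token in text.split():
        value = refang(token)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.lower())
    return ips, domains


IOC_IPS, IOC_DOMAINS = load_iocs(RAW_IOCS)

# Constructed sample log lines (not real traffic): a resolver log and a proxy log.
SAMPLE_LOGS = [
    "2018-06-01T10:01:02Z dns client=10.1.1.5 query=login.aqib.ga type=A",
    "2018-06-01T10:01:03Z proxy client=10.1.1.5 dst=105.0.6.77 url=http://105.0.6.77/inv.php",
    "2018-06-01T10:02:10Z dns client=10.1.1.9 query=www.example.com type=A",
    "2018-06-01T10:03:44Z proxy client=10.1.1.9 dst=173.212.237.120 url=http://vvip-tsb.tk/x",
]

# Pull hostnames and IPs out of the fields we care about in the placeholder format.
HOST_RE = re.compile(r"(?:query=|dst=|://)([A-Za-z0-9.\-]+)")


def domain_hit(host: str) -> bool:
    """Match the host or any parent domain against the IOC domains."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in IOC_DOMAINS for i in range(len(parts) - 1))


def ip_hit(value: str) -> bool:
    """Match an exact IOC IP or anything inside the blocked netblock."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return str(ip) in IOC_IPS or ip in BLOCKED_NETBLOCK


def hunt(lines):
    """Return (timestamp, client, matched_value) for each line with a hit."""
    findings = []
    for line in lines:
        for value in HOST_RE.findall(line):
            if ip_hit(value) or domain_hit(value):
                timestamp = line.split()[0]
                client = line.split("client=")[1].split()[0]
                findings.append((timestamp, client, value))
                break  # one finding per line is enough to flag the client
    return findings


if __name__ == "__main__":
    for ts, client, value in hunt(SAMPLE_LOGS):
        print(f"{ts} client {client} contacted indicator {value}")
```

Note that the second sample line hits on `105.0.6.77`, which is not in the list at all; it is caught only by the netblock rule, which is the practical difference between blocking the range the post recommends and matching individual addresses that the threat actor can rotate.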