Researchers released new information this week that explains how scammers hide through using IP Range filtering.
In a Wednesday blog post, Bolster researchers said scammers will delay being detected as a malicious site by restricting which people see the malicious page and which ones are instead directed to a clean “legit” page. They do this by filtering specific IP ranges by time zones, operating systems, or IPs/IP ranges.
Bolster analyzed 19,000 phishing kits that threat actors accidentally left open and found the following:
- 41% of blocked IPs are from the U.S., India is the next closest with 7%.
- The most commonly blocked IPs/IP ranges were from Amazon Web Services.
- The most blocked company ISPs were Microsoft, Amazon, and T-Mobile.
"To increase the lifespan of attackers’ phishing campaigns, most threat actors implement evasion techniques to keep their activity from being detected by defenders and their intelligence tools,” explained Ryan McCurdy vice president of marketing at Bolster. “So, it’s in the attacker’s best interest that the attack remains active long enough to provide a return on this investment. And if only those targeted by the attack can access it, this makes it much more difficult for security professionals to detect and report it to the responsible organizations.”
McCurdy said Bolster’s research team scans millions of phishing URLs every day. From their research, he said they’ve compiled a list of blocked IPs that can help security teams combat phishing sites.
“Our research data is looking at the source code from phishing kits left exposed by hackers,” McCurdy said. “We then extracted the IP addresses on the block list. Those blocked IPs are used by hackers to avoid having their phishing site detected. By looking at our data and the list of blocked IPs, security professionals can host their scanners in data centers whose IPs are not on the block list.”
Tim McGuffin, director of adversarial engineering at LARES Consulting, added that attackers want to protect their infrastructure from defenders and keep it available to potential victims for as long as possible. McGuffin said many security companies use cloud resources for sandboxing, scanning, and identifying malicious content, so blocking access from other cloud services such as AWS and Azure while still allowing business and consumer IP addresses serves as an excellent move toward slowing down defenders.
“Filtering by time zone and user-agent are additional layers to an attacker's defense-in-depth methodology for protecting their infrastructure from known security companies and automated tooling,” McGuffin said. “Bolster's findings are significant because they show that defense is getting better and more proactive, forcing attackers to work to protect their infrastructure and prevent takedowns.”