This presentation forms part of the CTA's Threat Intelligence Practitioners' Summit
Thursday 25 September 17:00 - 17:30, Small Talks room
James Slaughter (Fortinet)
The internet has proven to be one of the 20th century’s most transformative technical innovations: a tool that allows the instantaneous dissemination and consumption of information. It has lowered the barrier to obtaining knowledge and has placed tools and services within reach of those who would previously have been excluded. Unfortunately, the free and open nature of the internet has also provided a vehicle for those with malign intent. One specific example of this is the typosquatting of known corporate and brand domains for fraud or espionage.
Even in an age of enhanced security awareness and detection tooling, this type of attack still offers several advantages. From a command-and-control perspective, these domains allow activity to hide in existing traffic, only becoming apparent on closer inspection. From a misinformation or disinformation perspective, the “good enough” rule applies: a news website with a similar name, carrying the trade dress of a trusted source, can project views in line with the attacker’s. Finally, in the more well-known case of phishing, a lookalike domain can entice a user to divulge personal details or download malware in the belief that they are at a trusted location.
The detection and tracking of typosquatting has proven to be an interesting challenge. It necessitated the development of a methodology and strategy for hunting. This methodology is based on being intelligence-led against a set list of targets and keywords. This prevents us from having to boil the ocean by searching for and then analysing everything. The output of this work lends itself well to community sharing and outreach.
We also had to develop corresponding tooling to fit the “small team” resourcing available for the intelligence requirements to search for potential targets as well as the management of the tracking and investigation of suspect domains. We have named this tool Octopus and it will be demonstrated throughout the presentation.
This methodology has allowed us to obtain some interesting finds in a relatively brief period of time. One such example is a believed attempt by the intelligence services of Iran to gather information on possible dissident activity, using the lure of a fake march held in the name of an activist. Additionally, a facsimile of a Fortinet web property was discovered. It employed full trade dress and offered updates to several Fortinet products; unfortunately, each download turned out to be Lumma Stealer. An exploration of the discovery of both examples and the subsequent investigation and follow-up will be undertaken.
By attending this talk, security researchers, intel analysts and threat analysts will gain insights into this threat vector and why it is still relevant. We will also walk through real-world case studies based on Fortinet’s findings. Attendees will leave equipped with strategies to understand, hunt and counter this type of activity in different environments.
James Slaughter
Who Am I? I'm Canadian, eh! I'm currently a senior threat intel engineer at Fortinet, where I have day-to-day responsibility for looking for "interesting samples", reversing them and then passing the results on to our customers and government partners, as well as the development of collection tools. Prior to Fortinet I spent eight years working at NatWest as the Cyber Threat Hunting and Analytics Tech Lead, and 10 years at BlackBerry as a dev. My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub.