Anti-Phishing, Anti-Fraud and Brand monitoring

Phishing and other fraudulent activities are growing rapidly, and the increasingly sophisticated techniques behind them pose a significant threat to all organizations. Companies must therefore stay alert to protect themselves and their customers from these attacks, and act as soon as possible when they occur.

How can VirusTotal help you?

VirusTotal Enterprise gives you our full toolset, integrated on top of the largest crowdsourced malware database. It is the entry point for your investigations. Automate and integrate any task with your security solutions using the VirusTotal API.

VirusTotal provides you with a set of essential data and tools to handle these threats:

  • Analyze any ongoing phishing activity and understand its context and the severity of the threat.
  • Discover phishing campaigns impersonating your organization, assets, intellectual property, infrastructure or brand.
  • Help protect against supply-chain attacks by monitoring suspicious activity involving trusted third parties.
  • Protect your corporate information by monitoring for potentially sensitive information being shared without your knowledge.

Use Cases

Discover malicious activity impersonating your organization

Find out whether your business is being used in a phishing campaign by searching for URLs or domains masquerading as your organization.

How to do it?

1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search

2. Create your query. For instance, the following query corresponds to the example in the video:

entity:url content:"brand to monitor" NOT parent_domain:"your_organization_domain"

In this query we are looking for suspicious URLs (entity:url) that contain strings related to our organization or brand (content:"brand to monitor") and that are NOT under our legitimate parent domain (NOT parent_domain:"your_organization_domain").

You can do this monitoring in many different ways. For instance, one thing you can add is p:1+, to indicate that we only want URLs detected as malicious by at least one AV engine.

You can find more information about VirusTotal Search modifiers here.

3. Launch your query using VirusTotal Search. You can also do the same using the VirusTotal API.

Find an example on how to launch your search via VT API here.

Brand Monitoring

Discover phishing campaigns abusing your brand.

How to do it?

1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search

2. Create your query. For instance, the following query corresponds to the example in the video:

entity:url main_icon_dhash:"your icon dhash"

In this case we are using one of the features implemented in VirusTotal to help us detect fraudulent activity. We are looking for suspicious URLs (entity:url) whose favicon is very similar to the one we are searching for (main_icon_dhash:"your icon dhash"). Usually we won't know the value of our icon's dhash in advance, so the easy way is to find our legitimate domain in VirusTotal and then simply click on the icon to list all the websites using it. This is a very useful indicator that can also be used to find binaries carrying the same icon.

Not only that: it can also be used to find PDFs and other files presented to the victim with a very similar appearance. This is extremely useful for finding related malicious activity.

We can make this search more specific. For instance, we can search for specific content inside the suspicious websites with content:"brand to monitor", or add p:1+ to indicate that we only want URLs detected as malicious by at least one AV engine.
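To show why near-identical favicons land close together in this kind of search, here is an added example (not VirusTotal's own code): a plain-Python difference hash (dHash) of a small grayscale icon and the Hamming distance between two such hashes. It follows the standard dHash recipe (shrink to 9x8, compare each pixel with its right-hand neighbour); that main_icon_dhash matches this recipe bit-for-bit is an assumption, as are the constructed 16x16 icons and the 10-bit similarity threshold.

```python
"""Added example (not VirusTotal's code): a plain-Python difference hash
(dHash) of a small grayscale icon plus the Hamming distance between two
hashes.  Standard dHash recipe (shrink to 9x8, compare horizontal neighbours);
whether main_icon_dhash matches it bit-for-bit is an assumption.  The point is
to show why near-identical favicons produce near-identical hashes."""
from typing import List

Gray = List[List[int]]  # rows of 0..255 values


def shrink(img: Gray, rows: int = 8, cols: int = 9) -> Gray:
    """Box-average downsample to rows x cols (no imaging library needed)."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(rows):
        y0, y1 = y * h // rows, max(y * h // rows + 1, (y + 1) * h // rows)
        row = []
        for x in range(cols):
            x0, x1 = x * w // cols, max(x * w // cols + 1, (x + 1) * w // cols)
            block = [img[j][i] for j in range(y0, y1) for i in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img: Gray) -> str:
    """64-bit dHash as 16 hex chars: bit = 1 when a pixel is brighter than
    its right-hand neighbour, row-major, most significant bit first."""
    bits = 0
    for row in shrink(img):
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return f"{bits:016x}"


def hamming(h1: str, h2: str) -> int:
    """Number of differing bits between two hex hashes."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def similar_icon(h1: str, h2: str, max_bits: int = 10) -> bool:
    """Treat two favicons as 'the same icon' if at most max_bits differ
    (assumed threshold; tune it on your own icon set)."""
    return hamming(h1, h2) <= max_bits


# Constructed 16x16 icons: a left-to-right darkening gradient (the "legit"
# favicon), a copy with a 2x2 corner blanked (a re-encoded/cropped lookalike),
# and the mirrored gradient (a genuinely different icon).
LEGIT = [[(15 - c) * 16 for c in range(16)] for _ in range(16)]
LOOKALIKE = [row[:] for row in LEGIT]
for r in range(2):
    for c in range(2):
        LOOKALIKE[r][c] = 0
DIFFERENT = [[c * 16 for c in range(16)] for _ in range(16)]

if __name__ == "__main__":
    base = dhash(LEGIT)
    for name, icon in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("different", DIFFERENT)):
        print(f"{name:10} {dhash(icon)}  bits from legit: {hamming(base, dhash(icon))}")
```

The blanked corner only flips two of the 64 bits, so the lookalike stays within the threshold, while the mirrored gradient flips every bit; that is the behaviour a favicon-similarity search relies on.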

You can find more information about VirusTotal Search modifiers here.

3. Launch your query using VirusTotal Search. You can also do the same using the VirusTotal API.

Find an example on how to launch your search via VT API here.

Typosquatted Domains

Discover attackers waiting for a small keyboard error from your clients to launch their attacks.

How to do it?

1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search

2. Create your query. For instance, the following query corresponds to the example in the video:

entity:domain fuzzy_domain:"your_domain" NOT parent_domain:"your_domain" last_update_date:2020-01-01+ p:1+

In this query we are looking for suspicious domains (entity:domain) that are spelled similarly to a legitimate domain (fuzzy_domain:"your_domain") and that are NOT under the legitimate parent domain (NOT parent_domain:"your_domain"). We also check that they were last updated after January 1, 2020 (last_update_date:2020-01-01+).

You can do this monitoring in many different ways. For instance, one thing you can add is p:1+, to indicate that we only want domains detected as malicious by at least one AV engine.
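A fuzzy_domain search can return many look-alike domains, and the ones worth a closer look are those a single keystroke error or a visually confusable character away from the legitimate name. The following is an added example (not VirusTotal's own code) that ranks such results by edit distance to our own second-level label after folding characters that look alike on screen. The confusable map, the two-edit threshold and the constructed result list are assumptions, and the suffix handling assumes a single-label suffix such as .com rather than a public-suffix list.

```python
"""Added example (not VirusTotal's code): rank fuzzy_domain results by how
close their second-level label is to ours, after folding characters that look
alike on screen.  The confusable map and the threshold are assumptions."""
from typing import List, Tuple

# Visually confusable substitutions (assumed, intentionally short).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def fold(label: str) -> str:
    """Normalise a label so look-alike spellings compare as equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus a swap
    of two adjacent characters, each costing 1 (the classic typo operations)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def second_level_label(domain: str) -> str:
    """Label left of the public suffix.  Assumes a single-label suffix such as
    .com (no public-suffix list), which is enough for this example."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typo_distance(candidate: str, legit: str) -> int:
    """Smallest distance between our folded label and any hyphen-separated
    token of the candidate's label, so 'brand-login.tld' still scores as 'brand'."""
    target = fold(second_level_label(legit))
    tokens = second_level_label(candidate).split("-")
    return min(osa_distance(fold(t), target) for t in tokens)


def triage(candidates: List[str], legit: str,
           max_distance: int = 2) -> List[Tuple[str, int]]:
    """Keep candidates within max_distance edits, closest (then alphabetical) first."""
    scored = [(c, typo_distance(c, legit)) for c in candidates]
    kept = [(c, s) for c, s in scored if s <= max_distance]
    return sorted(kept, key=lambda cs: (cs[1], cs[0]))


# Constructed results, as a fuzzy_domain search for example.com might return them.
SAMPLE_RESULTS = ["exmaple.com", "examp1e.net", "exarnple-login.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, dist in triage(SAMPLE_RESULTS, "example.com"):
        print(f"{dist}  {domain}")
```

Distance 0 after folding means the candidate is indistinguishable from our name at a glance (digit-for-letter or rn-for-m swaps), which is usually the first bucket to review; plain edit distance alone would score those as 1 or 2 and mix them with ordinary typos.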

You can find more information about VirusTotal Search modifiers here.

3. Launch your query using VirusTotal Search. You can also do the same using the VirusTotal API.

Find an example on how to launch your search via VT API here.
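Each of the three use cases above ends by pointing at the API. The following is an added example, not VirusTotal's own code, showing how the brand-impersonation and typosquatting queries from this page can be built and run through the VirusTotal API v3 Intelligence search endpoint (GET /api/v3/intelligence/search with the query, limit and cursor parameters and the x-apikey header). The HTTP transport is passed in as a callable so the pagination and triage logic can be exercised offline against a constructed two-page response; the VT_APIKEY environment variable name and the sample objects are assumptions, while data, meta.cursor, attributes.url and attributes.last_analysis_stats are the v3 response fields.

```python
"""Added example (not VirusTotal's code): build the search queries from this
page and page through VirusTotal Intelligence search results over API v3.
Transport is injected so the logic can run offline on a constructed response."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, List, Optional

VT_API = "https://www.virustotal.com/api/v3"


def build_brand_query(brand: str, legit_domain: str, min_detections: int = 0) -> str:
    """Query from 'Discover malicious activity impersonating your organization';
    p:N+ keeps only URLs flagged malicious by at least N engines."""
    query = f'entity:url content:"{brand}" NOT parent_domain:"{legit_domain}"'
    if min_detections > 0:
        query += f" p:{min_detections}+"
    return query


def build_typosquat_query(legit_domain: str, since: str = "2020-01-01",
                          min_detections: int = 1) -> str:
    """Query from 'Typosquatted Domains': look-alike domains outside our own
    parent domain, updated after `since`, flagged by >= min_detections engines."""
    return (f'entity:domain fuzzy_domain:"{legit_domain}" '
            f'NOT parent_domain:"{legit_domain}" '
            f"last_update_date:{since}+ p:{min_detections}+")


def http_fetch(url: str, api_key: str) -> dict:
    """Real transport: GET with the x-apikey header (needs network and a key)."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iterate_search(query: str, fetch: Callable[[str], dict],
                   limit: int = 10) -> Iterator[dict]:
    """Yield every object matching `query`, following meta.cursor until the
    API stops returning one.  `fetch(url)` must return the decoded JSON body."""
    cursor: Optional[str] = None
    while True:
        params = {"query": query, "limit": str(limit)}
        if cursor:
            params["cursor"] = cursor
        url = f"{VT_API}/intelligence/search?{urllib.parse.urlencode(params)}"
        body = fetch(url)
        yield from body.get("data", [])
        cursor = body.get("meta", {}).get("cursor")
        if not cursor:
            return


def summarize(objects: Iterable[dict]) -> List[dict]:
    """Reduce each URL/domain object to the fields an analyst triages first,
    sorted by detection count so the noisiest hits come out on top."""
    rows = []
    for obj in objects:
        attrs = obj.get("attributes", {})
        stats = attrs.get("last_analysis_stats", {})
        rows.append({"id": obj.get("id"), "type": obj.get("type"),
                     "indicator": attrs.get("url") or obj.get("id"),
                     "malicious": stats.get("malicious", 0)})
    rows.sort(key=lambda r: r["malicious"], reverse=True)
    return rows


# Constructed two-page response, served when no API key is present (offline demo).
SAMPLE_PAGES = {
    None: {"data": [{"id": "u1", "type": "url",
                     "attributes": {"url": "http://brand-login.example/",
                                    "last_analysis_stats": {"malicious": 3}}}],
           "meta": {"cursor": "page2"}},
    "page2": {"data": [{"id": "d1", "type": "domain", "attributes": {}}],
              "meta": {}},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch: serve SAMPLE_PAGES by cursor value."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[qs.get("cursor", [None])[0]]


if __name__ == "__main__":
    query = build_brand_query("brand to monitor", "your_organization_domain", 1)
    api_key = os.environ.get("VT_APIKEY")  # assumed variable name
    fetch = (lambda u: http_fetch(u, api_key)) if api_key else sample_fetch
    for row in summarize(iterate_search(query, fetch)):
        print(row)
```

Set VT_APIKEY to run the real query; without it the script walks the constructed pages. Following meta.cursor until it disappears is the part most scripts get wrong, and it matters here because a broad content: query for a popular brand can return far more than one page.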

Hunt malicious activity abusing your infrastructure

Track campaigns potentially abusing your infrastructure or targeting your organization thanks to VirusTotal Hunting.

In this example we use Livehunt to monitor any suspicious activity abusing our infrastructure. In particular, we specify a list of our IPs and domains, so that every time a new file containing any of them is uploaded to VirusTotal we receive a notification.

We also have the option to monitor whether any uploaded file interacts with our infrastructure during execution.

How to do it?

1. Go to Ruleset creation page: https://www.virustotal.com/gui/hunting/rulesets/create

2. Create a rule including the domains and IPs corresponding to your organization as in the example below:

import "vt"

rule ip_addresses {
  strings:
    /* Dots are escaped so they match a literal "." and not any character */
    $ip1 = /xxx\.xxx\.xxx\.xxx/ /* your first IP to monitor here */
    $ip2 = /xxx\.xxx\.xxx\.xxx/ /* your second IP to monitor here */
    $ip3 = /xxx\.xxx\.xxx\.xxx/ /* your third IP to monitor here */
  condition:
    /* match any listed IP, but only in files flagged by more than 5 engines */
    any of them and vt.metadata.analysis_stats.malicious > 5
}

rule domains {
  strings:
    /* up to ~20 bytes of context before the domain (e.g. a URL scheme),
       case-insensitive, with the domain's own dots escaped */
    $domain1 = /.{0,20}.www\.yourdomain1\.com/i
    $domain2 = /.{0,20}.yourdomain2\.com/i
    $domain3 = /.{0,20}.yourdomain3\.net/i
  condition:
    any of them and vt.metadata.analysis_stats.malicious > 5
}

In the previous example you can find two different YARA rules using our VirusTotal module. The first rule looks for samples containing any of the listed IPs, and the second for any of the listed domains. Both rules trigger only if the file containing the infrastructure we are looking for is detected by more than 5 antivirus engines. Note that you could, for instance, use IP ranges instead of individual IPs.

If we would like to add a condition to the rule so that we are notified whenever a sample interacts in any way with our infrastructure when detonated in any of our sandboxes, we could do the following:

import "vt"

rule monitor_who_contacts_my_infrastructure
{
  condition:
    /* "contains" takes string values, so the domain and the IP prefix are
       written as literals: a $string identifier used in a condition is a
       "did it match" boolean, not a value, and cannot be an operand of
       "contains". Replace both placeholders with your own values. */
    for any req in vt.behaviour.dns_lookups : (
      req.hostname contains "yourdomain" or          /* your domain */
      for any ip in req.resolved_ips : (
        ip contains "xxx.xxx.xxx."                   /* first 3 octets of your IP range;
                                                        the trailing dot stops "10.1.10."
                                                        from also matching "10.1.100.x" */
      )
    )
}

You can find more information about VirusTotal Hunting here.

But we are always open to new ideas and use cases from our customers!

Please reach out to us if we can help you with anything else.

Contact us