Anti-Phishing, Anti-Fraud and Brand monitoring
Phishing and other fraudulent activities are growing rapidly and with increasingly sophisticated techniques that pose a significant threat to all organizations. Therefore, companies must always be alert, to protect themselves and their customers from these types of attacks, and act as soon as possible if they occur.
VirusTotal Enterprise offers you all of our toolset integrated on top of the largest crowdsourced malware database. It is your entry point for your investigations. Automate and integrate any task with your security solutions using VirusTotal API.
VirusTotal provides you with a set of essential data and tools to handle these threats:
- Analyze any ongoing phishing activity and understand its context and severity of the threat.
- Discover phishing campaigns impersonating your organization, assets, intellectual property, infrastructure or brand.
- Help get protected from supply-chain attacks, monitor any suspicious activity from trusted third parties.
- Protect your corporate information by monitoring any potential sensitive information being shared without your knowledge.
Find out if your business is used in a phishing campaign by searching for URLs or domain masquerading as your organization.
How to do it?
1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search
2. Create your query. For instance, the following query corresponds to the example in the video:
entity:url content:"brand to monitor" NOT
parent_domain:"your_organization_domain"
In this query we are looking for suspicious URLs (entity:url) that contain some strings related to our organization or brand (content:"brand to monitor") and that are NOT under the legitimate parent domain (parent_domain:"legitimate domain").
You can do this monitoring in many different ways. For instance, one thing you can add is the modifer p:1+ to indicate you want URLs detected as malicious by at least one AV engine.
Find more information about VirusTotal Search modifiers.
3. Launch your query using VirusTotal Search. You can also do the same using VirusTotal API
Find an example on how to launch your search via VT API .
Discover phishing campaigns abusing your brand.
How to do it?:
1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search
2. Create your query. For instance, the following query corresponds to the example in the video:
entity:url main_icon_dhash:"your icon dhash"
In this case we are using one of the features implemented in VirusTotal to help us detect fraudulent activity. We are looking for suspicious URLs (entity:url) having a favicon very similar to the one we are searching for (main_icon_dhash:"your icon dhash"). In this case, we won´t know what is the value of our icon dhash, so the easy way to do it would be to find our legitimate domain in VirusTotal, and then simply click on the icon to find all the websites using it. This is a very interesting indicator that can also be used to find binaries using the same icon.
Not only that, it can also be used to find PDFs and other files presented to the victim with very similar aspect. This is extremely useful to find related malicious activity.
We can make this search more precise, for instance we can search for some specific content inside the suspicious websites with content:"brand to monitor", or with p:1+ to indicate we want URLs detected as malicious by at least one AV engine.
Find more information about VirusTotal Search modifiers.
3. Launch your query using VirusTotal Search. You can also do the same using VirusTotal API
Find an example on how to launch your search via VT API.
Discover attackers waiting for a small keyboard error from your clients to launch their attacks.
How to do it?
1. Go to VirusTotal Search: https://www.virustotal.com/gui/home/search
2. Create your query. For instance, the following query corresponds to the example in the video:
entity:domain fuzzy_domain:"your_domain" NOT
parent_domain:"you_domain" last_update_date:2020-01-01+ p:1+
In this query we are looking for suspicious domains (entity:domain) that are written similar to a legitimate domain (fuzzy_domain:"your_domain" and are NOT under the legitimate parent domain (parent_domain:"legitimate domain"). We also check they were last updated after January 1, 2020 ( last_update_date:2020-01-01+).
You can do this monitoring in many ways. For instance, one thing you can add is the modifer p:1+ to indicate you want URLs detected as malicious by at least one AV engine.
Find more information about VirusTotal Search modifiers.
3. Launch your query using VirusTotal Search. You can also do the same using VirusTotal API.
Find an example on how to launch your search via VT API.
Track campaigns potentially abusing your infrastructure or targeting your organization thanks to VirusTotal Hunting.
In this example we use Livehunt to monitor any suspicious activity abusing our infrastructure. In particular, we specify a list of our IPs and domains so every time a new file containing any of them is uploaded to VirusTotal, we will receive a notification.
We also have the option to monitor if any uploaded file interacts with our infrastructure during execution.
How to do it?
1. Go to Ruleset creation page: https://www.virustotal.com/gui/hunting/rulesets/create
2. Create a rule including the domains and IPs corresponding to your organization as in the example below:
In the mark previous example you can find 2 different YARA rules using our VirusTotal module. The first rule looks for samples containing any of the listed IPs, and the second, for any of the listed domains. Both rules would trigger only if the file containing the infrastructure we are looking for is detected by at least 5 AntiVirus engines. Please note you could use IP ranges instead of particular IPs for instance.
If we would like to add to the rule a condition where we would be notified if the sample anyhow interacts with our infrastructure when detonated in any of our sandboxes, we could do the following:
Find more information about VirusTotal Hunting.