IP Geolocation


Analytical Approaches and Justification


Overview

  • Task: Gather phishing URLs from the PhishTank CSV file and combine them with country data from the MaxMind binary IP geolocation database
  • Value: See which countries host phishing sites, and how many each hosts

Process

  • Step 1: Download PhishTank data
  • Step 2: Download binary MaxMind Country DB
  • Step 3: Analysis with PHP program
    • Extract hostnames from URLs in PhishTank data
    • Do DNS lookup for each hostname to get IP address
    • Look up country of IP address in MaxMind database
    • Tally totals for each country
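Step 3 as a runnable pipeline, added here as an example and not the PHP program the page describes. It assumes the standard PhishTank CSV column layout (a constructed sample is embedded), takes the DNS resolver and the geolocation lookup as injected functions so it runs offline, and separately counts hostnames that fail to resolve and IPs the database has no country for, two cases the real data produces.

```python
import csv
import io
import socket
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample rows in the PhishTank CSV layout; not real PhishTank data.
SAMPLE_CSV = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
1,http://login.example.test/secure,http://www.phishtank.com/phish_detail.php?phish_id=1,2024-01-01T00:00:00+00:00,yes,2024-01-01T00:10:00+00:00,yes,Other
2,https://pay.example.test:8443/update?acct=1,http://www.phishtank.com/phish_detail.php?phish_id=2,2024-01-01T00:00:00+00:00,yes,2024-01-01T00:10:00+00:00,yes,Other
3,http://192.0.2.10/verify,http://www.phishtank.com/phish_detail.php?phish_id=3,2024-01-01T00:00:00+00:00,yes,2024-01-01T00:10:00+00:00,yes,Other
4,http://gone.example.test/,http://www.phishtank.com/phish_detail.php?phish_id=4,2024-01-01T00:00:00+00:00,yes,2024-01-01T00:10:00+00:00,yes,Other
"""


def extract_hostnames(csv_text):
    """Step 3a: hostname from each URL (scheme, port, path and credentials dropped)."""
    hosts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(row["url"]).hostname
        if host:  # skip malformed rows rather than crash the whole run
            hosts.append(host)
    return hosts


def resolve_all(hostname):
    """Step 3b: DNS lookup returning every IPv4 address (hosts may have several A records)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        return []  # taken-down or sinkholed hosts resolve to nothing


def tally_countries(csv_text, resolver, geolocate):
    """Steps 3c-3d: map each IP to a country code and count; failures get their own buckets.

    geolocate(ip) returns an ISO country code or None. With the geoip2 package against
    the MaxMind country DB this is reader.country(ip).country.iso_code, catching
    geoip2.errors.AddressNotFoundError and returning None (assumed wiring, not shown).
    """
    counts = Counter()
    for host in extract_hostnames(csv_text):
        ips = resolver(host)
        if not ips:
            counts["unresolved"] += 1
            continue
        for ip in ips:  # each IP counted, so multi-homed hosts weigh more than once
            counts[geolocate(ip) or "unknown"] += 1
    return counts
```

Call `tally_countries(open("verified_online.csv").read(), resolve_all, geolocate)` with a geolocate built on the MaxMind reader to run it against a real PhishTank download.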



Key Insights and Intelligence


  • Overview
    • Over 8,000 phishing URLs used from PhishTank
    • Hostnames from URLs converted to IP addresses through DNS queries
    • Some hostnames returned multiple IPs
    • Over 10,000 IPs geolocated using MaxMind DB Country data
  • Key Takeaways
    • Most phishing sites appear to be in the US. Possible reasons: the US has a lot of computing resources for malicious actors to use, or a target is more likely to be compromised if the site is in the target's own country.
    • This analysis is best run periodically (e.g. weekly) over time to see trends in where in the world phishing sites are hosted. The data can be correlated with other analyses to detect threats against the Electronic Payment Processing space.