A Whole New World: Using Data Science Techniques to Find Patterns in the Disneyland Team’s Domains
Techniques to resolve word splitting, distance measurements and clustering approaches, homoglyph attacks, and bulk querying of DomainTools APIs
It’s a small world after all…so small that a financial cybercrime group shares a name with the Happiest Place on Earth – the Disneyland team. This group’s modus operandi is to spoof bank brands using Punycode, which allows browsers to render domain names with different alphabets, such as Cyrillic. This cybercrime group uses this tactic with the goal of big payouts from those in the financial sector.
This discussion builds on two previous presentations: Reel Big Phish: Hunting for Badness in a Sea of Noise and, more recently, our talk with Maltego, which followed the indicators of compromise (IoCs) out to their connections using DNS names and Whois data. We’ll now go one step further and show what can be found by applying some common data science tools to the Disneyland data set. This allows us to identify targets automatically and to group attacker behavior across targets.
We’ll discuss approaches to resolve homoglyph attacks, word splitting, distance measurements and clustering techniques, and bulk querying of DomainTools APIs. Throughout the presentation, we’ll use the Disneyland team’s registered domains to demonstrate how to use data science techniques against a practical dataset to save analyst time and find patterns that would otherwise be hard to identify.
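As an added illustration of the homoglyph-resolution and distance-measurement steps above (example code written for this page, not the presenters' tooling): decode the xn-- form with Python's built-in idna codec, fold Cyrillic/Greek look-alikes onto Latin letters, and score each label against a brand list with Levenshtein distance. The confusable map, brand names and sample domains are constructed for the example.

```python
# Added example (not the presentation's code): decode Punycode (xn--) domains, fold
# confusable letters onto Latin look-alikes, and edit-distance each label to brand names.
import unicodedata

# Partial confusable map (constructed); UTS #39 confusables.txt is the full source.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ѕ": "s", "ј": "j", "һ": "h", "ԁ": "d",  # Cyrillic
    "ο": "o", "ν": "v", "ρ": "p",                      # Greek
}

def decode_idn(domain: str) -> str:
    """Unicode form of an ASCII/Punycode domain (Python's idna codec); non-ASCII input passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except ValueError:  # UnicodeError is a ValueError: malformed label or non-ASCII input
        return domain

def skeleton(label: str) -> str:
    """NFKC-normalise, lowercase and map confusables so look-alike labels compare equal."""
    normalized = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_brand(domain: str, brands, max_distance: int = 2):
    """(brand, distance, raw_label) for the nearest non-TLD label, or None if nothing is close."""
    labels = decode_idn(domain).split(".")[:-1]  # drop the TLD, keep every other label
    best = min(((levenshtein(skeleton(lab), b), b, lab) for lab in labels for b in brands),
               default=None)
    if best is None or best[0] > max_distance:
        return None
    return best[1], best[0], best[2]

# Constructed sample: Cyrillic-е spoof in xn-- form, a typo-squat, an unrelated domain.
BRANDS = ["examplebank", "samplecredit"]
SAMPLE = ["еxamplebank.com".encode("idna").decode("ascii"),  # leading е is U+0435
          "exarnplebank.com", "weather.example.org"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d, "->", closest_brand(d, BRANDS))
```

Bulk output from a domain feed can be fed straight into this loop; labels that resolve to distance 0 after skeletonising are the pure homoglyph spoofs, while small non-zero distances surface typo-squats for the clustering step.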