https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558767#M2004 <P>I stumbled accros this article on Bleeping Computers</P> <P><A href="https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-scams/" target="_blank">https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-scams/</A></P> <P>To my surprise the URL's mentioned in the article where considered safe.&nbsp;</P> <P>Palo Alto had these categorized as for example</P> <UL> <LI>Stock-Advice-and-Tools</LI> <LI>Low-Risk</LI> <LI>Newly-Registered-Domain</LI> </UL> <P>So I figured I would block the <STRONG>newly-registered-domain</STRONG> as these are often used by scammers or malicious users. They pop-up and disappear very frequently.&nbsp;</P> <P>Unfortunately that did not work. According to my logging the URL's are "not-resolved" and the domains itself appear to have a very short TTL (5 minutes)&nbsp;</P> <P>The only thing I could think of is to add these domains to my manual block list.&nbsp;</P> <P>&nbsp;</P> <P>So my question is basically, what can I do to block these sites in a pro-active way?&nbsp;<BR />These scammers appear to be pretty smart circumventing our safety systems.&nbsp;</P> <P>&nbsp;</P> <P>Any thoughts are more than welcome.</P> <P>&nbsp;</P> <P>Remko</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 20 Sep 2023 12:06:35 GMT Remko 2023-09-20T12:06:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558767#M2004 <P>I stumbled accros this article on Bleeping Computers</P> <P><A href="https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-scams/" target="_blank">https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-scams/</A></P> <P>To my surprise the URL's mentioned in the article where considered safe.&nbsp;</P> <P>Palo Alto had these categorized as for example</P> <UL> <LI>Stock-Advice-and-Tools</LI> <LI>Low-Risk</LI> <LI>Newly-Registered-Domain</LI> </UL> <P>So I figured I would block the <STRONG>newly-registered-domain</STRONG> as these are often used by scammers or malicious users. They pop-up and disappear very frequently.&nbsp;</P> <P>Unfortunately that did not work. According to my logging the URL's are "not-resolved" and the domains itself appear to have a very short TTL (5 minutes)&nbsp;</P> <P>The only thing I could think of is to add these domains to my manual block list.&nbsp;</P> <P>&nbsp;</P> <P>So my question is basically, what can I do to block these sites in a pro-active way?&nbsp;<BR />These scammers appear to be pretty smart circumventing our safety systems.&nbsp;</P> <P>&nbsp;</P> <P>Any thoughts are more than welcome.</P> <P>&nbsp;</P> <P>Remko</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 20 Sep 2023 12:06:35 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558767#M2004 Remko 2023-09-20T12:06:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558779#M2005 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222853">@Remko</a> ,</P> <P>&nbsp;</P> <P>It is interesting that your logs say "not-resolved", which means the NGFW was unable to connect to the cloud.&nbsp; See row 37 in the following URL.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC</A></P> <P>&nbsp;</P> <P>With normal cloud connectivity, you should be able to block the Unknown category (row 65) and URLs that have not been categorized should be blocked.</P> <P>&nbsp;</P> <P>There is always a balance between security and availability, and there is the potential that blocking Unknown may negatively impact sanctioned browsing.&nbsp; The table says that blocking Not-Resolved could be very disruptive.&nbsp; We don't want all web sites blocked that are not cached when the NGFW loses connectivity to the cloud.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 20 Sep 2023 12:35:34 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558779#M2005 TomYoung 2023-09-20T12:35:34Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558800#M2006 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;,</P> <P>&nbsp;</P> <P>Interesting finding. Very helpful ! <BR />I have never given this much thought as most websites are classified according to what is expected.&nbsp;</P> <P>As it appears our Palo Alto is missing the last step described at #37</P> <P>&nbsp;</P> <P><FONT size="2"><EM>Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL, if no match is found, it will then check the management plane cache, <FONT color="#FF00FF">and if no match is found there, it queries the URL database in the cloud</FONT>. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users.</EM></FONT></P> <P>So the question that comes to mind is why it doesn't do the last step. Should this just work out-of-the-box or is it a setting that might be overlooked? Our device is able to do DNS queries just fine. I need to dig deeper to see if this is the case.</P> <P>&nbsp;</P> <P>Remko</P> Wed, 20 Sep 2023 13:17:12 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558800#M2006 Remko 2023-09-20T13:17:12Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558804#M2007 <P>From what I understand is that the URL check works without configuration<BR /><A href="https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/how-url-filtering-works" target="_blank">https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/how-url-filtering-works</A><BR /><BR /></P> <P>When I query the URL filtering site on PaloAltoNetworks it is classified as&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Remko_0-1695216188112.png" style="width: 556px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53884iF4A1CC3BBE67C1DF/image-dimensions/556x317/is-moderation-mode/true?v=v2" width="556" height="317" role="button" title="Remko_0-1695216188112.png" alt="Remko_0-1695216188112.png" /></span></P> <P>And the firewall gives the following</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Remko_1-1695216336628.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53885iB6F9A4EBC952D505/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Remko_1-1695216336628.png" alt="Remko_1-1695216336628.png" /></span></P> <P>&nbsp;</P> <P>I am puzzled <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 20 Sep 2023 13:28:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558804#M2007 Remko 2023-09-20T13:28:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558805#M2008 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222853">@Remko</a> ,</P> <P>&nbsp;</P> <P>Exactly!&nbsp; What does "show url-cloud status" show?&nbsp; <A href="https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud-connectivity-issues" target="_blank">https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud-connectivity-issues</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 20 Sep 2023 13:29:14 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558805#M2008 TomYoung 2023-09-20T13:29:14Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558816#M2009 <P>You might be onto something.&nbsp;</P> <P>It shows "nothing"&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Remko_0-1695217691373.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53887i7F2A16369917128C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Remko_0-1695217691373.png" alt="Remko_0-1695217691373.png" /></span></P> <P>&nbsp;</P> <P>Currently troubleshooting the ruleset. Unfortunately I need to leave from work and I will continue my efforts tomorrow.&nbsp;<BR />I appreciate the time and effort !&nbsp;<BR /><BR />Remko</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 20 Sep 2023 13:56:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558816#M2009 Remko 2023-09-20T13:56:27Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558982#M2011 <P>We noticed that it was some time ago that we had updated our Palo Alto.&nbsp;<BR />So this morning we updated both appliances and Voila.&nbsp;</P> <P>The cloud connection started working again.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Remko_0-1695290533187.png" style="width: 562px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53917i6A706B97D1112EBA/image-dimensions/562x215/is-moderation-mode/true?v=v2" width="562" height="215" role="button" title="Remko_0-1695290533187.png" alt="Remko_0-1695290533187.png" /></span></P> <P>I still need to check the monitoring log but I believe we made some excellent progress.&nbsp;</P> <P>Thanks again !&nbsp;</P> <P>&nbsp;</P> Thu, 21 Sep 2023 10:03:00 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558982#M2011 Remko 2023-09-21T10:03:00Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558987#M2012 <P>As expected the domain is now correctly recognized and clasified.&nbsp;<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Remko_0-1695293497128.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53918i17BC0B90D82CF33B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Remko_0-1695293497128.png" alt="Remko_0-1695293497128.png" /></span></P> <P>&nbsp;</P> <P>Case closed.&nbsp;</P> Thu, 21 Sep 2023 13:12:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/blocking-scammer-website-cryptocurrency/m-p/558987#M2012 Remko 2023-09-21T13:12:23Z