Blocking Scammer website (cryptocurrency)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Blocking Scammer website (cryptocurrency)

L1 Bithead

I stumbled accros this article on Bleeping Computers

https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-s...

To my surprise the URL's mentioned in the article where considered safe. 

Palo Alto had these categorized as for example

  • Stock-Advice-and-Tools
  • Low-Risk
  • Newly-Registered-Domain

So I figured I would block the newly-registered-domain as these are often used by scammers or malicious users. They pop-up and disappear very frequently. 

Unfortunately that did not work. According to my logging the URL's are "not-resolved" and the domains itself appear to have a very short TTL (5 minutes) 

The only thing I could think of is to add these domains to my manual block list. 

 

So my question is basically, what can I do to block these sites in a pro-active way? 
These scammers appear to be pretty smart circumventing our safety systems. 

 

Any thoughts are more than welcome.

 

Remko

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Remko ,

 

Exactly!  What does "show url-cloud status" show?  https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hi @Remko ,

 

It is interesting that your logs say "not-resolved", which means the NGFW was unable to connect to the cloud.  See row 37 in the following URL.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

 

With normal cloud connectivity, you should be able to block the Unknown category (row 65) and URLs that have not been categorized should be blocked.

 

There is always a balance between security and availability, and there is the potential that blocking Unknown may negatively impact sanctioned browsing.  The table says that blocking Not-Resolved could be very disruptive.  We don't want all web sites blocked that are not cached when the NGFW loses connectivity to the cloud.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

 

Interesting finding. Very helpful !
I have never given this much thought as most websites are classified according to what is expected. 

As it appears our Palo Alto is missing the last step described at #37

 

Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL, if no match is found, it will then check the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users.

So the question that comes to mind is why it doesn't do the last step. Should this just work out-of-the-box or is it a setting that might be overlooked? Our device is able to do DNS queries just fine. I need to dig deeper to see if this is the case.

 

Remko

L1 Bithead

From what I understand is that the URL check works without configuration
https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/how-url...

When I query the URL filtering site on PaloAltoNetworks it is classified as 

Remko_0-1695216188112.png

And the firewall gives the following

Remko_1-1695216336628.png

 

I am puzzled 🙂

Cyber Elite
Cyber Elite

Hi @Remko ,

 

Exactly!  What does "show url-cloud status" show?  https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

You might be onto something. 

It shows "nothing" 

Remko_0-1695217691373.png

 

Currently troubleshooting the ruleset. Unfortunately I need to leave from work and I will continue my efforts tomorrow. 
I appreciate the time and effort ! 

Remko

 

 

We noticed that it was some time ago that we had updated our Palo Alto. 
So this morning we updated both appliances and Voila. 

The cloud connection started working again. 

Remko_0-1695290533187.png

I still need to check the monitoring log but I believe we made some excellent progress. 

Thanks again ! 

 

As expected the domain is now correctly recognized and clasified. 

Remko_0-1695293497128.png

 

Case closed. 

  • 1 accepted solution
  • 6686 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!