Due to their prevalence in today's society and their role in connecting financial resources and data sources, the internet and other connected networks have become a hub for criminal activity. Criminal enterprises and/or threat actors often attempt to install malware or other types of harmful software on systems by directing unsuspecting users to malicious network resources (e.g., malicious web addresses), for example through hyperlinks or other locators.
Oftentimes online malware or phishing attack campaigns use a large number of these locators to deliver the same or a similar attack payload. This preserves the viability of a threat vector even when a locator, or a subset of locators, is identified and blacklisted by security personnel.
These types of attack campaigns are facilitated by kits that automatically generate locators (e.g., URLs and URIs) that may appear benign but direct the intended target(s) to malicious resources. In an effort to make locators appear authentic and non-malicious, these kits may generate locators with technically appropriate filenames (e.g., sys.php, xml.htm, etc.) and/or with names that resemble legitimate directories found on a web server (e.g., xxx.com/admin/logfiles/sys.php).
Existing techniques for classifying malicious locators may enable users to build pattern-matching rules to identify classes and families of malware. However, these techniques are necessarily retrospective in scope, and are not well-suited to addressing new threats that have not been studied and classified.
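The following added example (not part of this patent, and not its claimed method) illustrates the retrospective limitation described above: an exact blacklist catches only locators already seen, a pattern rule derived from known samples catches further kit-generated variants with the same directory shape, and a locator with a structure not yet studied is missed by both. The hostnames and paths are constructed samples in the style the text describes.

```python
from urllib.parse import urlsplit

# Constructed sample locators (hypothetical), in the style the text describes:
# kit-generated paths with plausible directory and file names.
KNOWN_MALICIOUS = [
    "http://xxx.com/admin/logfiles/sys.php",
    "http://xxx.com/admin/logfiles/xml.htm",
]


def path_tokens(url):
    """Split a locator into lowercase path components, e.g. ['admin', 'logfiles', 'sys.php']."""
    return [p.lower() for p in urlsplit(url).path.split("/") if p]


def blacklist_match(url, blacklist=KNOWN_MALICIOUS):
    """Retrospective check: only exact, previously seen locators are flagged."""
    return url in blacklist


def family_signature(url):
    """Shape of a locator: directory names plus file extension, ignoring host and basename."""
    tokens = path_tokens(url)
    if not tokens:
        return ()
    *dirs, fname = tokens
    ext = fname.rsplit(".", 1)[-1] if "." in fname else ""
    return tuple(dirs) + (ext,)


def family_match(url, known=KNOWN_MALICIOUS):
    """Pattern rule derived from known samples: same directory shape and extension."""
    known_sigs = {family_signature(k) for k in known}
    return family_signature(url) in known_sigs


def classify(url):
    """Return which retrospective technique, if any, flags the locator."""
    if blacklist_match(url):
        return "blacklisted"
    if family_match(url):
        return "known-family"
    # A locator whose structure has not been studied slips past both rules.
    return "unknown"


if __name__ == "__main__":
    for u in ("http://xxx.com/admin/logfiles/sys.php",
              "http://yyy.net/admin/logfiles/cfg.php",
              "http://zzz.org/images/gallery/view.htm"):
        print(u, "->", classify(u))
```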
A need exists, therefore, for methods and systems that overcome these deficiencies.