CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing

Zhang, Penghui; Oest, Adam; Cho, Haehyun; Sun, Zhibo; Johnson, RC; Wardman, Brad; Sarker, Shaown; Kapravelos, Alexandros; Bao, Tiffany; Wang, Ruoyu; Shoshitaishvili, Yan; Doupé, Adam; Ahn, Gail-Joon

doi:10.1109/sp40001.2021.00021

Cited by 43 publications

(11 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These URLs can be used as a starting point for analyzing the full picture of attacks, or as intelligence for block lists that automatically detect spam e-mails and SMSs. Many experts share URLs after redirects, which sometimes cannot be analyzed because they are inaccessible without the proper referrer [66], and are not suitable information to prevent the spread of phishing emails and SMSs.…”

Section: Analysis Of the Detected Urls' Characteristicsmentioning

confidence: 99%

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups -namely, experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect.

show abstract

Section: Analysis Of the Detected Urls' Characteristicsmentioning

confidence: 99%

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…However, if a site has a tracking script, it may detect the crawler and hinder its normal detection abilities, particularly for phishing sites. Zhang et al [72] revealed that Page Cloaking uses a combination of user interaction, bot behavior, and fingerprinting technology. Fingerprinting involves checking cookies, Referer, and User-agent to determine if the visitor is a person or an anti-phishing bot.…”

Section: Page Cloakingmentioning

confidence: 99%

Tracking the Web Tracking: Methods, Countermeasures, and Future Directions

Sim,

Heo,

Cho

2023

Preprint

Self Cite

View full text Add to dashboard Cite

A hidden shadow world that tracks Internet users' behaviors lies behind everyday websites. Web tracking analyzes online behaviors based on collected data and provides content that may interest the user. Web tracking collects vast amounts of data for various purposes, from sensitive personal information to trivial information such as settings and preferred information types, including the user's IP address, device, and search history. Although web tracking is largely a legitimate technology, there is a steady increase in illegal user tracking, data leakage, and illegal sale of data. Therefore, the need for techniques capable of detecting and preventing web trackers is becoming more important. This paper introduces a general description of web tracking technology, related research, and a website measurement tool that can identify web-based tracking. It also introduces techniques for preventing web tracking and discusses future research directions.

show abstract

“…For instance, Tian et al [85] evade PWD that use common blacklists, and their main proposal is to use ML as a detection engine to counter such "squatting" phishing websites. Hence, non-ML-PWD (e.g., [96]) are outside our scope.…”

Section: Related Workmentioning

confidence: 99%

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Conti

2022

Proceedings of the 38th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model, or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual cost of the attack or the defense. Moreover, adversarial samples are often crafted in the "feature-space", making the corresponding evaluations of questionable value. Simply put, the current situation does not allow to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems.We aim to clarify such confusion in this paper. By considering the application of ML for Phishing Website Detection (PWD), we formalize the "evasion-space" in which an adversarial perturbation can be introduced to fool a ML-PWD-demonstrating that even perturbations in the "feature-space" are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. Finally, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces. Our realistic evasion attempts induce a statistically significant degradation (3-10% at 𝑝 <0.05), and their cheap cost makes them a subtle threat. Notably, however, some ML-PWD are immune to our most realistic attacks (𝑝=0.22). Our contribution paves the way for a much needed re-assessment of adversarial attacks against ML systems for cybersecurity.

show abstract

CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing

Cited by 43 publications

References 30 publications

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Tracking the Web Tracking: Methods, Countermeasures, and Future Directions

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Contact Info

Product

Resources

About