CrawlPhish: Large-Scale Analysis of Client-Side Cloaking Techniques in Phishing

Zhang, Penghui; Oest, Adam; Cho, Haehyun; Sun, Zhibo; Johnson, RC; Wardman, Brad; Sarker, Shaown; Kapravelos, Alexandros; Bao, Tiffany; Wang, Ruoyu; Shoshitaishvili, Yan; Doupé, Adam; Ahn, Gail-Joon

doi:10.1109/msec.2021.3129992

Cited by 4 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All of them suggested a significantly faster blacklist response time for protecting users more effectively. In addition, cybercriminals continue to use evasion techniques to make phishing websites remain online so that it is accessible to victim users for a long time [28,29,47]. These studies imply that, as far as the standard anti-phishing defense is operated in a reactive manner, phishing attacks will still remain a significant threat to Internet users.…”

Section: B Limitations Of Current Anti-phishing Systemsmentioning

confidence: 99%

Scam Pandemic: How Attackers Exploit Public Fear through Phishing

Bitaab¹,

Cho²,

Oest³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

As the COVID-19 pandemic started triggering widespread lockdowns across the globe, cybercriminals did not hesitate to take advantage of users' increased usage of the Internet and their reliance on it. In this paper, we carry out a comprehensive measurement study of online social engineering attacks in the early months of the pandemic. By collecting, synthesizing, and analyzing DNS records, TLS certificates, phishing URLs, phishing website source code, phishing emails, web traffic to phishing websites, news articles, and government announcements, we track trends of phishing activity between January and May 2020 and seek to understand the key implications of the underlying trends.We find that phishing attack traffic in March and April 2020 skyrocketed up to 220% of its pre-COVID-19 rate, far exceeding typical seasonal spikes. Attackers exploited victims' uncertainty and fear related to the pandemic through a variety of highly targeted scams, including emerging scam types against which current defenses are not sufficient as well as traditional phishing which outpaced the ecosystem's collective response.• Record-breaking attack volume. We observed that traffic to phishing websites reached record levels in March

show abstract

Section: B Limitations Of Current Anti-phishing Systemsmentioning

confidence: 99%

Scam Pandemic: How Attackers Exploit Public Fear through Phishing

Bitaab¹,

Cho²,

Oest³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Attackers create wellcrafted phishing websites with a look and feel of the legitimate sites they are trying to impersonate, thus making it very challenging for individuals to identify phishing sites. In addition, to avoid being detected, attackers have refined over the years their tactics and evasion techniques, as demonstrated in [1].…”

Section: Introductionmentioning

confidence: 99%

Phishing or Not Phishing? A Survey on the Detection of Phishing Websites

2023

View full text Add to dashboard Cite

Phishing is a security threat with serious effects on individuals as well as on the targeted brands. Although this threat has been around for quite a long time, it is still very active and successful. In fact, the tactics used by attackers have been evolving continuously in the years to make the attacks more convincing and effective. In this context, phishing detection is of primary importance. The literature offers many diverse solutions that cope with this issue and in particular with the detection of phishing websites. This paper provides a broad and comprehensive review of the state of the art in this field by discussing the main challenges and findings. More specifically, the discussion is centered around three important categories of detection approaches, namely, list-based, similarity-based and machine learning-based. For each category we describe the detection methods proposed in the literature together with the datasets considered for their assessment and we discuss some research gaps that need to be filled.

show abstract

“…However, each of these sources is either slow to update or has a low coverage of malicious URLs [1,12,23]. On the other hand, heuristic-based approaches, such as identifying input forms in a malicious URL to label it as phishing, tend to have both high false positives and false negatives as attackers increasingly adopt cloaking techniques to evade detection [24]. In light of this need, recent research utilized attack types labeled by individual VT scanners and the majority voting approach is employed to consider noises in VT reports [17].…”

Section: Introductionmentioning

confidence: 99%

A Large Scale Study and Classification of VirusTotal Reports on Phishing and Malware URLs

Choo¹,

Nabeel²,

Silva³

et al. 2022

Preprint

View full text Add to dashboard Cite

VirusTotal (VT) provides aggregated threat intelligence on various entities including URLs, IP addresses, and binaries. It is widely used by researchers and practitioners to collect ground truth and evaluate the maliciousness of entities. In this work, we provide a comprehensive analysis of VT URL scanning reports containing the results of 95 scanners for 1.577 Billion URLs over two years. Individual VT scanners are known to be noisy in terms of their detection and attack type classification. To obtain high quality ground truth of URLs and actively take proper actions to mitigate different types of attacks, there are two challenges: (1) how to decide whether a given URL is malicious given noisy reports and (2) how to determine attack types (e.g., phishing or malware hosting) that the URL is involved in, given conflicting attack labels from different scanners. In this work, we provide a systematic comparative study on the behavior of VT scanners for different attack types of URLs. A common practice to decide the maliciousness is to use a cut-off threshold of scanners that report the URL as malicious. However, in this work, we show that using a fixed threshold is suboptimal, due to several reasons: (1) correlations between scanners; (2) lead/lag behavior; (3) the specialty of scanners; (4) the quality and reliability of scanners. A common practice to determine an attack type is to use majority voting. However, we show that majority voting could not accurately classify the attack type of a URL due to the bias from correlated scanners. Instead, we propose a machine learning-based approach to assign an attack type to URLs given the VT reports.

show abstract

CrawlPhish: Large-Scale Analysis of Client-Side Cloaking Techniques in Phishing

Cited by 4 publications

References 7 publications

Scam Pandemic: How Attackers Exploit Public Fear through Phishing

Scam Pandemic: How Attackers Exploit Public Fear through Phishing

Phishing or Not Phishing? A Survey on the Detection of Phishing Websites

A Large Scale Study and Classification of VirusTotal Reports on Phishing and Malware URLs

Contact Info

Product

Resources

About