On the Effectiveness of Techniques to Detect Phishing Sites

Ludl, Christian; McAllister, Sean; Kirda, Engin; Kruegel, Christopher

doi:10.1007/978-3-540-73614-1_2

Cited by 133 publications

(82 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Abu-Nimeh et al [9] adopted the bag-of-words strategy and used a list of words frequently found on phishing sites as features to detect phish, which is not expressive and easy to defeat by attackers. In [16], Ludl et al came up with a total of 18 properties solely based on the HTML and URL. The J48 decision tree algorithm was applied on these features and achieved a TP of 83.09% and a FP of 0.43% over a corpus with 4149 good pages and 680 phishing pages.…”

Section: Methods For Automatic Phish Detectionmentioning

confidence: 99%

A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection

Xiang

Pendleton

Hong

et al. 2010

Computer Security – ESORICS 2010

View full text Add to dashboard Cite

Abstract. Phishing attacks are a significant threat to users of the Internet, causing tremendous economic loss every year. In combating phish, industry relies heavily on manual verification to achieve a low false positive rate, which, however, tends to be slow in responding to the huge volume of unique phishing URLs created by toolkits. Our goal here is to combine the best aspects of human verified blacklists and heuristic-based methods, i.e., the low false positive rate of the former and the broad coverage of the latter. To that end, we present the design and evaluation of a hierarchical blacklist-enhanced phish detection framework. The key insight behind our detection algorithm is to leverage existing humanverified blacklists and apply the shingling technique, a popular nearduplicate detection algorithm used by search engines, to detect phish in a probabilistic fashion with very high accuracy. To achieve an extremely low false positive rate, we use a filtering module in our layered system, harnessing the power of search engines via information retrieval techniques to correct false positives. Comprehensive experiments over a diverse spectrum of data sources show that our method achieves 0% false positive rate (FP) with a true positive rate (TP) of 67.74% using searchoriented filtering, and 0.03% FP and 73.53% TP without the filtering module. With incremental model building capability via a sliding window mechanism, our approach is able to adapt quickly to new phishing variants, and is thus more responsive to the evolving attacks.

show abstract

Section: Methods For Automatic Phish Detectionmentioning

confidence: 99%

A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection

Xiang

Pendleton

Hong

et al. 2010

Computer Security – ESORICS 2010

View full text Add to dashboard Cite

show abstract

“…Cybercriminals have also mitigated the efficacy of successful detections by churning through a large set of domains and URLs, with domain flux and URL fluxing [11,26,38,25]. Researchers, in turn, noting that this behavior is generally associated with malicious sites, have used it as a detection feature [20,31].…”

Section: Related Workmentioning

confidence: 99%

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Corbetta

Invernizzi

Kruegel

et al. 2014

Research in Attacks, Intrusions and Defenses

Self Cite

View full text Add to dashboard Cite

Abstract. With JavaScript and images at their disposal, web authors can create content that is immediately understandable to a person, but is beyond the direct analysis capability of computer programs, including security tools. Conversely, information can be deceiving for humans even if unable to fool a program. In this paper, we explore the discrepancies between user perception and program perception, using content obfuscation and counterfeit "seal" images as two simple but representative case studies. In a dataset of 149,700 pages we found that benign pages rarely engage in these practices, while uncovering hundreds of malicious pages that would be missed by traditional malware detectors. We envision that this type of heuristics could be a valuable addition to existing detection systems. To show this, we have implemented a proofof-concept detector that, based solely on a similarity score computed on our metrics, can already achieve a high precision (95%) and a good recall (73%).

show abstract

“…Several approaches have been proposed to detect phishing sites such as analyzing page content, layout, and other anomalies [22,26,31]. In addition, studies have analyzed the modus operandi of the criminal operations behind phishing [23], and the effectiveness of phishing defenses [25].…”

Section: Related Workmentioning

confidence: 99%

The Underground Economy of Fake Antivirus Software

Stone-Gross

Abman

Kemmerer

et al. 2012

Economics of Information Security and Privacy III

Self Cite

View full text Add to dashboard Cite

Fake antivirus (AV) programs have been utilized to defraud millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has evolved into one of the most lucrative criminal operations on the Internet. In this paper, we examine the operations of three large-scale fake AV businesses, lasting from three months to more than two years. More precisely, we present the results of our analysis on a trove of data obtained from several backend servers that the cybercriminals used to drive their scam operations. Our investigations reveal that these three fake AV businesses had earned a combined revenue of more than $130 million dollars.A particular focus of our analysis is on the financial and economic aspects of the scam, which involves legitimate credit card networks as well as more dubious payment processors. In particular, we present an economic model that demonstrates that fake AV companies are actively monitoring the refunds (chargebacks) that customers demand from their credit card providers. When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time. However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms.

show abstract

On the Effectiveness of Techniques to Detect Phishing Sites

Cited by 133 publications

References 5 publications

A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection

A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

The Underground Economy of Fake Antivirus Software

Contact Info

Product

Resources

About