PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists

Oest, Adam; Safaei, Yeganeh; Doupé, Adam; Ahn, Gail-Joon; Wardman, Brad; Tyers, Kevin

doi:10.1109/sp.2019.00049

Cited by 77 publications

(63 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As detailed in Table 1, our dataset contains 531,970,560 phishing emails. We caution this is an underestimate of all email-based phishing, due to the possibility of evasion and detection latency [44], as well as non-URL phishing.…”

Section: Detecting Attack Targetsmentioning

confidence: 95%

Who is targeted by email-based phishing and malware?

Simoiu

Zand

Thomas

et al. 2020

Proceedings of the ACM Internet Measurement Conference

View full text Add to dashboard Cite

As technologies to defend against phishing and malware often impose an additional financial and usability cost on users (such as security keys), a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and at first glance indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person's demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.

show abstract

Section: Detecting Attack Targetsmentioning

confidence: 95%

Who is targeted by email-based phishing and malware?

Simoiu

Zand

Thomas

et al. 2020

Proceedings of the ACM Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…Phishing based attacks are typically an online variant of offline fraud, using misdirection and passing off, e.g. see [23].…”

Section: Related Workmentioning

confidence: 99%

Web Browser Privacy: What Do Browsers Say When They Phone Home?

Leith

2021

IEEE Access

View full text Add to dashboard Cite

We measure the data sent to their back-end servers by five browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser and Microsoft Edge, during normal web browsing on both desktop and mobile devices. Our aim is to assess the privacy risks associated with this data exchange between a browser and its back-end servers. With regard to shared services, all of the browsers make use of a safe browsing service to mitigate phishing attacks and our measurements indicate that this raises few privacy concerns. Similarly, with regard to the Chrome extension update service accessed by Chromiumbase browsers (Chrome, Brave, Edge). Overall, we find that both the desktop and mobile versions of Brave do not use any identifiers allowing tracking of IP address over time, and do not share details of web pages visited with backend servers. In contrast, Chrome, Firefox, Safari and Edge all share details of web pages visited with backend servers. Additionally, Chrome, Firefox and Edge all share long-lived identifiers that can be used to link connections together and so potentially allow tracking over time. In the case of Edge these are device and hardware identifiers that are hard/impossible for users to change. On mobile devices, but not desktop devices, Firefox also shares device identifiers.

show abstract

“…They sell phishing kits in underground marketplaces and accept custom requests for kit creation [3,29]. Phishing kits include server-side and client-side evasion techniques using server directives (.htaccess files), server-side scripts, and JavaScript to interfere with detection by the security community [28,29]. The evasion is carried out based on a client IP address, referrer, and user agent.…”

Section: Phishing Kit and Evasionmentioning

confidence: 99%

Identifying the Phishing Websites Using the Patterns of TLS Certificates

Sakurai

Watanabe²,

Okuda³

et al. 2021

JCSANDM

View full text Add to dashboard Cite

With the recent rise of HTTPS adoption on the Web, attackers have begun “HTTPSifying” phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites and (2) understanding the infrastructure used to generate the phishing websites. Furthermore, we developed a real-time monitoring system using the analysis techniques. We demonstrate its usefulness for the practical security operation. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.

show abstract

PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists

Cited by 77 publications

References 32 publications

Who is targeted by email-based phishing and malware?

Who is targeted by email-based phishing and malware?

Web Browser Privacy: What Do Browsers Say When They Phone Home?

Identifying the Phishing Websites Using the Patterns of TLS Certificates

Contact Info

Product

Resources

About