PhishEye: Live Monitoring of Sandboxed Phishing Kits.

ACM Conference on Computer and Communications Security, pp.1402-1413, (2016)


Abstract

Phishing is a form of online identity theft that deceives unaware users into disclosing their confidential information. While significant effort has been devoted to the mitigation of phishing attacks, much less is known about the entire life-cycle of these attacks in the wild, which constitutes, however, a main step toward devising compre...

Introduction
  • Despite the large effort and the numerous solutions proposed by the security community, phishing attacks remain today one of the main threats on the Internet [1].
  • Phishers usually seek limited interactions with their victims, as their main goal is to hijack sensitive data without disclosing the real nature of their phishing pages.
  • They often redirect victims to the authentic website after they have provided their credentials, or they redirect them towards error pages to make them disconnect from the phishing site.
  • The behavior of third-party visitors can be very similar to the behavior of real victims, which makes it difficult to separate these two actors within the same experimental setup.
Highlights
  • Despite the large effort and the numerous solutions proposed by the security community, phishing attacks remain today one of the main threats on the Internet [1].
  • Phishing attacks constitute a major challenge for Internet Service Providers (ISPs), as well as for email providers, ...
  • We present a novel approach to sandbox live phishing kits that completely protects the privacy of end users.
  • We found that 10 kits made use of resources directly fetched from the content distribution network (CDN) of the target organization.
  • Our results show that Google Safe Browsing and PhishTank are not fast enough to blacklist new phishing kits, which leaves victims on their own to identify and protect against phishing attacks.
Methods
  • The injected code protects all potential victims as long as they have not explicitly deactivated JavaScript in their browsers.
  • For those users who may have deactivated JavaScript, the system injects an HTML noscript tag that redirects users to an error page so that they disconnect from the honeypot.
  • HTTP Redirection Disruption: To make sure that the honeypot cannot be used by the attacker as an elementary component of a broader malicious redirection chain [25], the system uses static analysis techniques to detect and disable any form of web redirection, so that no user can be redirected from the honeypot towards any other malicious website under the control of the attacker.
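
A sketch of the redirection-disruption step described above, added here as an illustration; it is not the authors' implementation. The rule set, the `disarm_redirects` function and the sample page are assumptions constructed for this example, since the summary does not say which redirect constructs the real system handles.

```python
import re

# Constructed sample page, written for this example (not from the paper or a real kit).
SAMPLE_PAGE = """<?php
$ok = isset($_POST["user"]);
header("Location: https://example.org/login");
?>
<html><head>
<meta http-equiv="refresh" content="0; url=https://example.org/error">
<script>window.location.href = "https://example.org/home";</script>
</head><body>Thank you</body></html>
"""

# Hypothetical rule set: (pattern, inert replacement valid in the same context).
# Regexes keep the sketch short; a production analyser would parse PHP, HTML and JS.
RULES = {
    "php_header": (
        re.compile(r'header\s*\(\s*["\']\s*(?:Location|Refresh)\s*:[^;]*;', re.I),
        "/* redirect disabled by sandbox */;",
    ),
    "meta_refresh": (
        re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I),
        "<!-- meta refresh disabled by sandbox -->",
    ),
    "js_location": (
        re.compile(r'(?:\b(?:window|document|top|self)\.)?\blocation'
                   r'(?:(?:\.href)?\s*=(?!=)\s*[^;<]+|\.(?:replace|assign)\s*\([^)]*\));?'),
        "void 0;",
    ),
}


def disarm_redirects(source):
    """Return (rewritten_source, findings); findings are (rule, line_number) pairs."""
    findings, out = [], source
    for rule, (pattern, stub) in RULES.items():
        for match in pattern.finditer(source):
            line_number = source.count("\n", 0, match.start()) + 1
            findings.append((rule, line_number))
        out = pattern.sub(stub, out)
    return out, sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    rewritten, hits = disarm_redirects(SAMPLE_PAGE)
    for rule, line_number in hits:
        print(f"line {line_number}: {rule} neutralised")
    print(rewritten)
```

Each replacement is a no-op in the language of its context (PHP comment, HTML comment, JavaScript expression), so the rest of the page still parses and non-redirect code is left untouched.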
Results
  • Evaluation of Anti-Phishing Techniques: In 2006, a number of studies concluded that anti-phishing solutions [44], security indicators [10], and browser toolbars [42] were ineffective in detecting phishing sites and protecting users.
  • In 2007, Ludl et al. [26] and Sheng et al. [37] focused on the effectiveness of blacklists to prevent phishing, reaching different results.
  • The study by Ludl et al. concluded that the blacklist approach is efficient in protecting users, especially Google, which correctly recognized almost 90% of the malicious URLs [26].
  • Sheng et al. evaluated five blacklists with phishing URLs less than 30 minutes old, collected from the University of Alabama Phishing Team’s email data repository.
  • The paper found that those blacklists were ineffective, as most of them caught less than 20% of phishing pages at hour zero [37].
Conclusion
  • In this paper the authors present the design and implementation of a honeypot system especially designed to analyze and disarm phishing kits.
  • Using this infrastructure, the authors conducted a five-month experiment to understand and measure the entire life cycle of this type of attack.
  • The authors' results show that fewer victims divulge their credentials compared to previous studies conducted in 2009 [39], possibly due to increased user education against this threat in the past seven years.
Tables
  • Table 1: Drop mechanisms of the live phishing kits
Related work
  • The literature includes a large number of papers related to phishing attacks. We classify these papers into the following three categories: anatomy of phishing, anti-phishing techniques, and evaluation of anti-phishing techniques.

    Footnote 6: http://php.net/manual/en/language.operators.errorcontrol.php

    [Figure: number of victims for (a) Kit 1, detected by GSB and PhishTank; (b) Kit 2, detected by GSB and PhishTank; (c) Kit 3, detected by GSB; (d) Kit 4, detected by GSB. Legend: PhishTank, GSB.]

    Anatomy of Phishing

    The work most closely related to our study is from Watson et al., who described two phishing incidents [40] that were discovered by the Honeynet Project [38]. The authors describe how phishers behave and the techniques used to set up the phishing sites. One of the two phishing kits received 256 inbound HTTP requests, but apparently no personal data was submitted by the visitors. Yet, the authors had to shut down the honeypot because they did not have any system that could prevent user data from being stolen. Our work adopts a similar honeypot-based approach but focuses on providing an ethical system to study how real-world phishing attacks are structured. McGrath et al. [27] analyze the modus operandi of phishers, the characteristics of phishing URLs, the domains, and their hosting infrastructure. The authors also estimate the lifetime of phishing domain names by using periodically collected DNS records. Moore et al. [30] present evidence that miscreants use search engines (“Google Hacking”) to compromise and re-compromise machines, which are further used to host phishing sites. In another work, Moore et al. [33] studied the temporal correlations between spam and phishing websites in order to understand the attackers' behavior, and to evaluate the effectiveness of phishing site take-down. Sheng et al. [36] conducted a demographic analysis of victims’ susceptibility to phishing attacks and discussed the effectiveness of educational materials.
Funding
  • This research was partly funded by the French Ministry of education and research under a Cifre grant given to Xiao Han, and by the European Union’s Horizon 2020 project SUPERCLOUD under grant agreement 643964.
Reference
  • [1] Kaspersky: Top 7 Cyberthreats to Watch Out for in 2015-2016. http://usa.kaspersky.com/internet-security-center/threats/top-7-cyberthreats.
  • [2] G. Aaron and R. Manning. APWG global phishing report 2014. http://apwg.org/download/document/245/APWG Global Phishing Report 2H 2014.pdf.
  • [3] G. Aaron and R. Manning. APWG phishing activity trends report 2015. https://docs.apwg.org/reports/apwg trends report q1-q3 2015.pdf.
  • [4] E. Bursztein, B. Benko, D. Margolis, T. Pietraszek, A. Archer, A. Aquino, A. Pitsillidis, and S. Savage. Handcrafted fraud and extortion: Manual account hijacking in the wild. In Internet Measurement Conference (IMC), 2014.
  • [5] D. Canali and D. Balzarotti. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In Annual Network and Distributed System Security Symposium (NDSS), 2013.
  • [6] N. Chou, R. Ledesma, Y. Teraguchi, and J. C. Mitchell. Client-side defense against web-based identity theft. In Annual Network and Distributed System Security Symposium (NDSS), 2004.
  • [7] R. Clayton, T. Moore, and N. Christin. Concentrating correctly on cybercrime concentration. In Workshop on the Economics of Information Security, 2015.
  • [8] M. Cova, C. Kruegel, and G. Vigna. There is no free phish: An analysis of “free” and live phishing kits. In Workshop on Offensive Technologies (WOOT), 2008.
  • [9] R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In Symposium on Usable Privacy and Security, 2005.
  • [10] R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In SIGCHI Conference on Human Factors in Computing Systems, 2006.
  • [11] S. Egelman, L. F. Cranor, and J. Hong. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In SIGCHI Conference on Human Factors in Computing Systems, 2008.
  • [12] I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In World Wide Web (WWW) Conference, 2007.
  • [13] S. Garera, N. Provos, M. Chew, and A. D. Rubin. A framework for detection and measurement of phishing attacks. In Workshop on Recurring malcode, 2007.
  • [14] S. Gupta and P. Kumaraguru. Emerging phishing trends and effectiveness of the anti-phishing landing page. In Electronic Crime Research (eCrime), 2014.
  • [15] X. Han, N. Kheir, and D. Balzarotti. The role of cloud services in malicious software: Trends and insights. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2015.
  • [16] J. Hong. The state of phishing attacks. Communications of the ACM, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Communications of the ACM, 2007.
  • [18] M. Jakobsson and S. Myers. Phishing and countermeasures: understanding the increasing problem of electronic identity theft. 2006.
  • [19] M. Jakobsson and J. Ratkiewicz. Designing ethical phishing experiments: a study of (rot13) ronl query features. In World Wide Web (WWW) Conference, 2006.
  • [20] Y. Joshi, S. Saklikar, D. Das, and S. Saha. Phishguard: a browser plug-in for protection from phishing. In Internet Multimedia Services Architecture and Applications (IMSAA), 2008.
  • [21] P. Kumaraguru, L. F. Cranor, and L. Mather. Anti-phishing landing page: Turning a 404 into a teachable moment for end users. In Conference on Email and Anti-Spam (CEAS), 2009.
  • [22] P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. F. Cranor, and J. Hong. Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In Anti-phishing working groups annual eCrime researchers summit, 2007.
  • [23] P. Kumaraguru, S. Sheng, A. Acquisti, L. F. Cranor, and J. Hong. Teaching johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 2010.
  • [24] A. Le, A. Markopoulou, and M. Faloutsos. Phishdef: Url names say it all. In Conference on Computer Communications (INFOCOM), 2011.
  • [25] Z. Li, S. Alrwais, Y. Xie, F. Yu, and X. Wang. Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In Security and Privacy (S&P), 2013.
  • [26] C. Ludl, S. McAllister, E. Kirda, and C. Kruegel. On the effectiveness of techniques to detect phishing sites. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2007.
  • [27] D. K. McGrath and M. Gupta. Behind phishing: An examination of phisher modi operandi. In Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
  • [28] E. Medvet, E. Kirda, and C. Kruegel. Visual-similarity-based phishing detection. In Security and Privacy in Communication Networks Conference, 2008.
  • [29] T. Moore and R. Clayton. Examining the impact of website take-down on phishing. In Anti-phishing working groups annual eCrime researchers summit, 2007.
  • [30] T. Moore and R. Clayton. Evil searching: Compromise and recompromise of internet hosts for phishing. In Financial Cryptography and Data Security. 2009.
  • [31] T. Moore and R. Clayton. Discovering phishing dropboxes using email metadata. In eCrime Researchers Summit (eCrime), 2012.
  • [32] T. Moore and R. Clayton. Ethical dilemmas in take-down research. In Financial Cryptography and Data Security. 2012.
  • [33] T. Moore, R. Clayton, and H. Stern. Temporal correlations between spam and phishing websites. In Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
  • [34] K. Onarlioglu, U. O. Yilmaz, D. Balzarotti, and E. Kirda. Insights into user behavior in dealing with internet attacks. In Annual Network and Distributed System Security Symposium (NDSS), 2012.
  • [35] Y. Pan and X. Ding. Anomaly based web phishing page detection. In Annual Computer Security Applications Conference (ACSAC), 2006.
  • [36] S. Sheng, M. Holbrook, P. Kumaraguru, L. F. Cranor, and J. Downs. Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In SIGCHI Conference on Human Factors in Computing Systems, 2010.
  • [37] S. Sheng, B. Wardman, G. Warner, L. F. Cranor, J. Hong, and C. Zhang. An empirical analysis of phishing blacklists. In Conference on Email and Anti-Spam (CEAS), 2009.
  • [38] L. Spitzner. The honeynet project: Trapping the hackers. Security and Privacy (S&P), 2003.
  • [39] Trusteer. Measuring the Effectiveness of In-the-Wild Phishing Attacks. https://web.archive.org/web/20120324061250/http://www.trusteer.com/sites/default/files/Phishing-Statistics-Dec-2009-FIN.pdf.
  • [40] D. Watson, T. Holz, and S. Mueller. Know your enemy: Phishing. https://www.honeynet.org/papers/phishing, 2005.
  • [41] C. Whittaker, B. Ryner, and M. Nazif. Large-scale automatic classification of phishing pages. In Annual Network and Distributed System Security Symposium (NDSS), 2010.
  • [42] M. Wu, R. C. Miller, and S. L. Garfinkel. Do security toolbars actually prevent phishing attacks? In SIGCHI Conference on Human Factors in Computing Systems, 2006.
  • [43] G. Xiang and J. I. Hong. A hybrid phish detection approach by identity discovery and keywords retrieval. In World Wide Web (WWW) Conference, 2009.
  • [44] Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding phish: Evaluating anti-phishing tools. In Annual Network and Distributed System Security Symposium (NDSS), 2007.
  • [45] Y. Zhang, J. I. Hong, and L. F. Cranor. Cantina: a content-based approach to detecting phishing web sites. In World Wide Web (WWW) Conference, 2007.