DOI: 10.1145/2976749.2978330
Best Student Paper

PhishEye: Live Monitoring of Sandboxed Phishing Kits

Published: 24 October 2016

ABSTRACT

Phishing is a form of online identity theft that deceives unaware users into disclosing their confidential information. While significant effort has been devoted to the mitigation of phishing attacks, much less is known about the entire life-cycle of these attacks in the wild, which constitutes, however, a main step toward devising comprehensive anti-phishing techniques. In this paper, we present a novel approach to sandbox live phishing kits that completely protects the privacy of victims. By using this technique, we perform a comprehensive real-world assessment of phishing attacks, their mechanisms, and the behavior of the criminals, their victims, and the security community involved in the process -- based on data collected over a period of five months.

Our infrastructure allowed us to draw the first comprehensive picture of a phishing attack, from the time in which the attacker installs and tests the phishing pages on a compromised host, until the last interaction with real victims and with security researchers. Our study presents accurate measurements of the duration and effectiveness of this popular threat, and discusses many new and interesting aspects we observed by monitoring hundreds of phishing campaigns.


Published in

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN: 9781450341394
DOI: 10.1145/2976749

Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions, 16%. Overall acceptance rate: 1,261 of 6,999 submissions, 18%.
