ABSTRACT
Phishing is a form of online identity theft that deceives unaware users into disclosing their confidential information. While significant effort has been devoted to the mitigation of phishing attacks, much less is known about the entire life-cycle of these attacks in the wild, even though understanding it is a main step toward devising comprehensive anti-phishing techniques. In this paper, we present a novel approach to sandbox live phishing kits that completely protects the privacy of victims. Using this technique, we perform a comprehensive real-world assessment of phishing attacks, their mechanisms, and the behavior of the criminals, their victims, and the security community involved in the process, based on data collected over a period of five months.
Our infrastructure allowed us to draw the first comprehensive picture of a phishing attack, from the time at which the attacker installs and tests the phishing pages on a compromised host until the last interaction with real victims and with security researchers. Our study presents accurate measurements of the duration and effectiveness of this popular threat, and discusses many new and interesting aspects we observed by monitoring hundreds of phishing campaigns.
Index Terms
- PhishEye: Live Monitoring of Sandboxed Phishing Kits