PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists

Adam Oest, Y. Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, Kevin Tyers
Published in: 2019 IEEE Symposium on Security and Privacy (SP)
Publication date: 2019-05-19
DOI: 10.1109/SP.2019.00049 (https://doi.org/10.1109/SP.2019.00049)
Citations: 68

Abstract

Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen .com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks—including those based on geolocation, device type, or JavaScript—were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms—but work remains to be done by anti-phishing entities to ensure users are adequately protected. Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.