Evaluating the Effectiveness of Phishing Reports on Twitter

Phishing attacks are an increasingly potent web-based threat, with nearly 1.5 million such websites being created on a monthly basis. In this work, we present the first study towards identifying phishing attacks through reports shared by security conscious users on Twitter. We evaluated over 16.4k such reports posted by 701 Twitter accounts between June to August 2021, which contained 11.1k unique URLs, and analyzed their effectiveness using various quantitative and qualitative measures. Our findings indicate that not only these reports share a high volume of legitimate phishing URLs, but they also contain more information regarding the phishing websites (which can expedite the process of identifying and removing these threats), when compared to two popular open-source phishing feeds: PhishTank and OpenPhish. We also noticed that the URLs in the Twitter reports had very little overlap with the URLs found on PhishTank and OpenPhish, and also remained active for longer periods of time. However, despite having these attributes, we found that these reports have very low interaction from other users on Twitter, especially from the domains and organizations which were targeted by the reported URLs. Moreover, nearly 31% of these URLs were still active even after a week of them being reported while also being detected by very few anti-phishing tools. This suggests that a large majority of these reports remain undiscovered and underutilized. Thus, this work highlights the utility of phishing reports shared on Twitter, and the benefits of using them as an open source knowledge base for identifying new phishing websites.