CrawlPhish: Large-scale analysis of client-side cloaking techniques in phishing

Penghui Zhang, Adam Oest, Haehyun Cho, Zhibo Sun, R. C. Johnson, Brad Wardman, Shaown Sarker, Alexandros Kapravelos, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, Adam Doupe, Gail Joon Ahn

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Phishing is a critical threat to Internet users. Although an extensive ecosystem serves to protect users, phishing websites are growing in sophistication, and they can slip past the ecosystem's detection systems - and subsequently cause real-world damage - with the help of evasion techniques. Sophisticated client-side evasion techniques, known as cloaking, leverage JavaScript to enable complex interactions between potential victims and the phishing website, and can thus be particularly effective in slowing or entirely preventing automated mitigations. Yet, neither the prevalence nor the impact of client-side cloaking has been studied.In this paper, we present CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites. We deploy CrawlPhish over 14 months between 2018 and 2019 to collect and thoroughly analyze a dataset of 112, 005 phishing websites in the wild. By adapting state-of-the-art static and dynamic code analysis, we find that 35, 067 of these websites have 1, 128 distinct implementations of client-side cloaking techniques. Moreover, we find that attackers' use of cloaking grew from 23.32% initially to 33.70% by the end of our data collection period. Detection of cloaking by our framework exhibited low false-positive and false-negative rates of 1.45% and 1.75%, respectively. We analyze the semantics of the techniques we detected and propose a taxonomy of eight types of evasion across three high-level categories: User Interaction, Fingerprinting, and Bot Behavior.Using 150 artificial phishing websites, we empirically show that each category of evasion technique is effective in avoiding browser-based phishing detection (a key ecosystem defense). Additionally, through a user study, we verify that the techniques generally do not discourage victim visits. Therefore, we propose ways in which our methodology can be used to not only improve the ecosystem's ability to mitigate phishing websites with client-side cloaking, but also continuously identify emerging cloaking techniques as they are launched by attackers.

Original languageEnglish (US)
Title of host publicationProceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1109-1124
Number of pages16
ISBN (Electronic)9781728189345
DOIs
StatePublished - May 2021
Event42nd IEEE Symposium on Security and Privacy, SP 2021 - Virtual, San Francisco, United States
Duration: May 24 2021May 27 2021

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2021-May
ISSN (Print)1081-6011

Conference

Conference42nd IEEE Symposium on Security and Privacy, SP 2021
Country/TerritoryUnited States
CityVirtual, San Francisco
Period5/24/215/27/21

Keywords

  • Cloaking
  • Evasion
  • JavaScript
  • Phishing
  • Web-Security

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'CrawlPhish: Large-scale analysis of client-side cloaking techniques in phishing'. Together they form a unique fingerprint.

Cite this