TY - GEN
T1 - CrawlPhish
T2 - 42nd IEEE Symposium on Security and Privacy, SP 2021
AU - Zhang, Penghui
AU - Oest, Adam
AU - Cho, Haehyun
AU - Sun, Zhibo
AU - Johnson, R. C.
AU - Wardman, Brad
AU - Sarker, Shaown
AU - Kapravelos, Alexandros
AU - Bao, Tiffany
AU - Wang, Ruoyu
AU - Shoshitaishvili, Yan
AU - Doupe, Adam
AU - Ahn, Gail Joon
N1 - Publisher Copyright: © 2021 IEEE.
PY - 2021/5
Y1 - 2021/5
N2 - Phishing is a critical threat to Internet users. Although an extensive ecosystem serves to protect users, phishing websites are growing in sophistication, and they can slip past the ecosystem's detection systems - and subsequently cause real-world damage - with the help of evasion techniques. Sophisticated client-side evasion techniques, known as cloaking, leverage JavaScript to enable complex interactions between potential victims and the phishing website, and can thus be particularly effective in slowing or entirely preventing automated mitigations. Yet, neither the prevalence nor the impact of client-side cloaking has been studied. In this paper, we present CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites. We deploy CrawlPhish over 14 months between 2018 and 2019 to collect and thoroughly analyze a dataset of 112,005 phishing websites in the wild. By adapting state-of-the-art static and dynamic code analysis, we find that 35,067 of these websites have 1,128 distinct implementations of client-side cloaking techniques. Moreover, we find that attackers' use of cloaking grew from 23.32% initially to 33.70% by the end of our data collection period. Detection of cloaking by our framework exhibited low false-positive and false-negative rates of 1.45% and 1.75%, respectively. We analyze the semantics of the techniques we detected and propose a taxonomy of eight types of evasion across three high-level categories: User Interaction, Fingerprinting, and Bot Behavior. Using 150 artificial phishing websites, we empirically show that each category of evasion technique is effective in avoiding browser-based phishing detection (a key ecosystem defense). Additionally, through a user study, we verify that the techniques generally do not discourage victim visits. Therefore, we propose ways in which our methodology can be used to not only improve the ecosystem's ability to mitigate phishing websites with client-side cloaking, but also continuously identify emerging cloaking techniques as they are launched by attackers.
AB - Phishing is a critical threat to Internet users. Although an extensive ecosystem serves to protect users, phishing websites are growing in sophistication, and they can slip past the ecosystem's detection systems - and subsequently cause real-world damage - with the help of evasion techniques. Sophisticated client-side evasion techniques, known as cloaking, leverage JavaScript to enable complex interactions between potential victims and the phishing website, and can thus be particularly effective in slowing or entirely preventing automated mitigations. Yet, neither the prevalence nor the impact of client-side cloaking has been studied. In this paper, we present CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites. We deploy CrawlPhish over 14 months between 2018 and 2019 to collect and thoroughly analyze a dataset of 112,005 phishing websites in the wild. By adapting state-of-the-art static and dynamic code analysis, we find that 35,067 of these websites have 1,128 distinct implementations of client-side cloaking techniques. Moreover, we find that attackers' use of cloaking grew from 23.32% initially to 33.70% by the end of our data collection period. Detection of cloaking by our framework exhibited low false-positive and false-negative rates of 1.45% and 1.75%, respectively. We analyze the semantics of the techniques we detected and propose a taxonomy of eight types of evasion across three high-level categories: User Interaction, Fingerprinting, and Bot Behavior. Using 150 artificial phishing websites, we empirically show that each category of evasion technique is effective in avoiding browser-based phishing detection (a key ecosystem defense). Additionally, through a user study, we verify that the techniques generally do not discourage victim visits. Therefore, we propose ways in which our methodology can be used to not only improve the ecosystem's ability to mitigate phishing websites with client-side cloaking, but also continuously identify emerging cloaking techniques as they are launched by attackers.
KW - Cloaking
KW - Evasion
KW - JavaScript
KW - Phishing
KW - Web-Security
UR - http://www.scopus.com/inward/record.url?scp=85115071617&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85115071617&partnerID=8YFLogxK
U2 - 10.1109/SP40001.2021.00021
DO - 10.1109/SP40001.2021.00021
M3 - Conference contribution
AN - SCOPUS:85115071617
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1109
EP - 1124
BT - Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 May 2021 through 27 May 2021
ER -