TY - GEN
T1 - I'm SPARTACUS, No, I'm SPARTACUS
T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
AU - Zhang, Penghui
AU - Sun, Zhibo
AU - Kyung, Sukwha
AU - Behrens, Hans Walter
AU - Basque, Zion Leonahenahe
AU - Cho, Haehyun
AU - Oest, Adam
AU - Wang, Ruoyu
AU - Bao, Tiffany
AU - Shoshitaishvili, Yan
AU - Ahn, Gail Joon
AU - Doupé, Adam
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/11/7
Y1 - 2022/11/7
N2 - Phishing is a ubiquitous and increasingly sophisticated online threat. To evade mitigations, phishers try to "cloak" malicious content from defenders to delay their appearance on blacklists, while still presenting the phishing payload to victims. This cat-and-mouse game is variable and fast-moving, with many distinct cloaking methods; we construct a dataset identifying 2,933 real-world phishing kits that implement cloaking mechanisms. These kits use information from the host, browser, and HTTP request to classify traffic as either an anti-phishing entity or a potential victim and change their behavior accordingly. In this work we present SPARTACUS, a technique that subverts the phishing status quo by disguising user traffic as anti-phishing entities. These intentional false positives trigger cloaking behavior in phishing kits, thus hiding the malicious payload and protecting the user without disrupting benign sites. To evaluate the effectiveness of this approach, we deployed SPARTACUS as a browser extension from November 2020 to July 2021. During that time, SPARTACUS browsers visited 160,728 reported phishing URLs in the wild. Of these, SPARTACUS protected against 132,274 sites (82.3%). The phishing kits which showed malicious content to SPARTACUS typically did so due to ineffective cloaking: the majority (98.4%) of the remainder were detected by conventional anti-phishing systems such as Google Safe Browsing or VirusTotal, and would be blacklisted regardless. We further evaluate SPARTACUS against benign websites sampled from the Alexa Top One Million List for impacts on latency, accessibility, layout, and CPU overhead, finding minimal performance penalties and no loss in functionality.
AB - Phishing is a ubiquitous and increasingly sophisticated online threat. To evade mitigations, phishers try to "cloak" malicious content from defenders to delay their appearance on blacklists, while still presenting the phishing payload to victims. This cat-and-mouse game is variable and fast-moving, with many distinct cloaking methods; we construct a dataset identifying 2,933 real-world phishing kits that implement cloaking mechanisms. These kits use information from the host, browser, and HTTP request to classify traffic as either an anti-phishing entity or a potential victim and change their behavior accordingly. In this work we present SPARTACUS, a technique that subverts the phishing status quo by disguising user traffic as anti-phishing entities. These intentional false positives trigger cloaking behavior in phishing kits, thus hiding the malicious payload and protecting the user without disrupting benign sites. To evaluate the effectiveness of this approach, we deployed SPARTACUS as a browser extension from November 2020 to July 2021. During that time, SPARTACUS browsers visited 160,728 reported phishing URLs in the wild. Of these, SPARTACUS protected against 132,274 sites (82.3%). The phishing kits which showed malicious content to SPARTACUS typically did so due to ineffective cloaking: the majority (98.4%) of the remainder were detected by conventional anti-phishing systems such as Google Safe Browsing or VirusTotal, and would be blacklisted regardless. We further evaluate SPARTACUS against benign websites sampled from the Alexa Top One Million List for impacts on latency, accessibility, layout, and CPU overhead, finding minimal performance penalties and no loss in functionality.
KW - cloaking
KW - phishing
KW - social engineering
KW - web security
UR - http://www.scopus.com/inward/record.url?scp=85143071644&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85143071644&partnerID=8YFLogxK
U2 - 10.1145/3548606.3559334
DO - 10.1145/3548606.3559334
M3 - Conference contribution
AN - SCOPUS:85143071644
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 3165
EP - 3179
BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 7 November 2022 through 11 November 2022
ER -
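Added example (not code from the SPARTACUS paper, its dataset, or its extension): a model of the request-classification decision the abstract attributes to cloaking phishing kits (User-Agent, source IP, and presence of browser-typical headers), the SPARTACUS-style counter of disguising a victim's request as an anti-phishing crawler so the kit serves its cloaked page, and the failure mode where a kit with no effective cloaking still serves the payload. The blocklists, header values, sample request, and the Manifest V3 rule builder are constructed assumptions for illustration; the real kits' rules and the real extension's mechanism are not on this page.

```javascript
// Added example, not the paper's code. All lists and sample data below are constructed.

// Stand-ins for a kit's lists of "known anti-phishing entities" (assumed, not from the paper).
const KIT_BLOCKED_UA_SUBSTRINGS = ["googlebot", "bingbot", "virustotal", "phishtank", "curl"];
const KIT_BLOCKED_IP_PREFIXES = ["66.249.", "64.233."]; // hypothetical crawler address ranges
const KIT_REQUIRED_HEADERS = ["accept", "accept-language"]; // headers real browsers send

// Server-side classifier modelling a cloaking kit: "block" means serve the benign/cloaked page,
// "victim" means serve the phishing payload. Uses host (IP), browser (User-Agent) and
// HTTP-request (header set) signals, as the abstract describes; the exact rules are assumed.
function kitClassify(req) {
  const ua = (req.headers["user-agent"] || "").toLowerCase();
  if (KIT_BLOCKED_UA_SUBSTRINGS.some((s) => ua.includes(s))) return "block";
  if (KIT_BLOCKED_IP_PREFIXES.some((p) => req.ip.startsWith(p))) return "block";
  // Headless scanners often omit headers that every real browser sends.
  for (const h of KIT_REQUIRED_HEADERS) {
    if (!(h in req.headers)) return "block";
  }
  return "victim";
}

// What a cloaking kit returns for a request.
function kitServe(req) {
  return kitClassify(req) === "victim" ? "phishing-payload" : "cloaked-benign-page";
}

// A kit with ineffective cloaking: no checks, everyone gets the payload. This is the case
// the abstract says accounts for most sites SPARTACUS did not protect against.
function naiveKitServe(_req) {
  return "phishing-payload";
}

// Crawler identity the disguise impersonates (assumed; chosen because it matches the
// constructed blocklist above, as a real deployment would pick one that matches kits' lists).
const DISGUISE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)";

// SPARTACUS-style disguise: rewrite outgoing request headers so the kit files the victim as an
// anti-phishing entity. Only headers change; an extension cannot alter the source IP, so a kit
// that blocks purely on IP ranges would not be triggered by this.
function disguiseRequest(req) {
  const headers = { ...req.headers, "user-agent": DISGUISE_UA };
  return { ...req, headers };
}

// How a Manifest V3 extension would apply the same rewrite with the declarativeNetRequest API
// (the rule shape is the documented one; which rule the real extension used is not on this page).
function buildHeaderRule(ua, id = 1) {
  return {
    id,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [{ header: "User-Agent", operation: "set", value: ua }],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame"] },
  };
}

// Constructed sample request from an ordinary victim's browser.
const victimRequest = {
  ip: "203.0.113.7",
  headers: {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/115.0 Safari/537.36",
    accept: "text/html,application/xhtml+xml",
    "accept-language": "en-US,en;q=0.9",
  },
};

// Runs the three cases side by side: undisguised victim, disguised victim against a cloaking
// kit, and disguised victim against a kit whose cloaking is ineffective.
function demo() {
  const disguised = disguiseRequest(victimRequest);
  return {
    undisguised: kitServe(victimRequest),
    disguised: kitServe(disguised),
    naiveKitDisguised: naiveKitServe(disguised),
  };
}

console.log(demo());
```

The model makes the trade-off explicit: the disguise only works for signals the client controls (headers), so a kit keyed solely on the source address is untouched, and a kit with no cloaking at all serves the payload regardless, which is why conventional blacklists remain the backstop for that remainder.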