PhishFarm: A scalable framework for measuring the effectiveness of evasion techniques against browser phishing blacklists

Adam Oest, Yeganeh Safaei, Adam Doupe, Gail Joon Ahn, Brad Wardman, Kevin Tyers

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations

Abstract

Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen.com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks - including those based on geolocation, device type, or JavaScript - were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms - but work remains to be done by anti-phishing entities to ensure users are adequately protected. Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1344-1361
Number of pages18
ISBN (Electronic)9781538666609
DOIs
StatePublished - May 2019
Event40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States
Duration: May 19 2019May 23 2019

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2019-May
ISSN (Print)1081-6011

Conference

Conference40th IEEE Symposium on Security and Privacy, SP 2019
CountryUnited States
CitySan Francisco
Period5/19/195/23/19

    Fingerprint

Keywords

  • Anti-phishing-ecosystem
  • Blacklisting
  • Cloaking
  • Phishing
  • Security
  • Web-browser

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Oest, A., Safaei, Y., Doupe, A., Ahn, G. J., Wardman, B., & Tyers, K. (2019). PhishFarm: A scalable framework for measuring the effectiveness of evasion techniques against browser phishing blacklists. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019 (pp. 1344-1361). [8835369] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2019.00049