TY - GEN
T1 - PhishFarm
T2 - 40th IEEE Symposium on Security and Privacy, SP 2019
AU - Oest, Adam
AU - Safaei, Yeganeh
AU - Doupe, Adam
AU - Ahn, Gail Joon
AU - Wardman, Brad
AU - Tyers, Kevin
N1 - Funding Information:
The authors would like to thank the reviewers for their insightful feedback and suggestions. This work was partially supported by PayPal, Inc. and a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University.
Publisher Copyright:
© 2019 IEEE.
PY - 2019/5
Y1 - 2019/5
N2 - Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen .com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks - including those based on geolocation, device type, or JavaScript - were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms - but work remains to be done by anti-phishing entities to ensure users are adequately protected.
Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.
AB - Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen .com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks - including those based on geolocation, device type, or JavaScript - were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms - but work remains to be done by anti-phishing entities to ensure users are adequately protected.
Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.
KW - Anti-phishing-ecosystem
KW - Blacklisting
KW - Cloaking
KW - Phishing
KW - Security
KW - Web-browser
UR - http://www.scopus.com/inward/record.url?scp=85072921065&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85072921065&partnerID=8YFLogxK
U2 - 10.1109/SP.2019.00049
DO - 10.1109/SP.2019.00049
M3 - Conference contribution
AN - SCOPUS:85072921065
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1344
EP - 1361
BT - Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 May 2019 through 23 May 2019
ER -