Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale
Adam Oest, Penghui Zhang, Adam Doupé, Gail-Joon Ahn (Arizona State University)
Brad Wardman, Eric Nunes, Jakub Burgis (PayPal)
Ali Zand, Kurt Thomas (Google)
Phishing is Growing as Malware Declines
[Figure: Weekly Malicious Website Detections [1]; series: Phishing, Web-based malware]
[1] Google Safe Browsing Transparency Report: https://transparencyreport.google.com/safe-browsing/overview
Key Observation
• Phishing kits “often” embed first-party JavaScript tracking code or images
Building an Analysis Framework
[Diagram labels: Organization targeted by phishers; Anonymized web events]
Framework Design
[Diagram labels: Anonymized web events; Known phishing / suspicious URLs; Organization targeted by phishers; Overlapping URLs; E-mail provider / phishing reports; Attack timeline / detection; Session IDs; Traffic (victims, crawlers, attackers); Phishing URLs; Fraud data; E-mail data; Loss calculation; Secure accounts; Spam timings; Reporting trends]
End-to-end Timeline
[Diagram labels: Anonymized web events; Organization targeted by phishers; E-mail provider / phishing reports; Fraud data; E-mail data]
“Golden Hour” Data Set
• Source: large organization (top 10 most-phished)
• Visibility: 39.1% of known phishing domains
Oct 2018 through Sep 2019
7.6% phishing success rate

| | Trackable by Golden Hour: Potential Victims | Trackable by Golden Hour: Known User | Estimated Total |
|---|---|---|---|
| Phishing Site Page Loads | 15.6M | 4.8M | 39.9M |
| Suspected Successful Phish | 482K | 148K | 1.2M |
End-to-end Timeline of Phishing
[Figure labels: Proactive detection; Reactive mitigation improvements; Secure affected user accounts]
Estimating Browser-based Detection
[Figure: Ratio of traffic from browsers with anti-phishing features vs. other browsers]
PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists. Adam Oest, Yeganeh Safaei, Penghui Zhang, Brad Wardman, Kevin Tyers, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn. 2020 USENIX Security Symposium.
Phishing URLs vs Victim Traffic
[Figure series: Potential Victim Traffic; Reported Phishing URLs]
Long-running Campaigns
Top Campaigns: Majority of Victim Traffic
• Top 5%: 77.8%
• Top 10%: 89.1%
• Top 20: 23.6%
Bot evasion: Human Verification
Extensive Identity Theft
Convincing Victims: Automatic Translation
Victim Reassurance
Conclusions
• End-to-end look at large-scale phishing attacks
  • Prioritizing mitigation of sophisticated phishing
• Golden Hour system deployed at major organization
  • Securing user accounts
  • Proactively discovering malicious URLs
  • Tracking COVID-19 phishing campaigns
• Future work
  • Collaborative, cross-organizational framework
  • Incorporation of signals beyond web requests