PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists. Adam Oest, Yeganeh Safaei, Penghui Zhang, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn (Arizona State University); Brad Wardman, Kevin Tyers (PayPal)


Page 1: Title slide

PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists

Adam Oest, Yeganeh Safaei, Penghui Zhang, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn (Arizona State University)

Brad Wardman, Kevin Tyers (PayPal)

Page 2: Motivation

• Phishing attacks deceive users through malicious websites/messages
• May seem trivial on the surface…
• But phishing occurs at scale and works

Page 3: (image-only slide; no text extracted)

Page 4: Anti-phishing Blacklists

• Key ecosystem defense
  • Default in major desktop + mobile browsers
  • App and e-mail integration
  • Automated crawler backend
• Goals
  • Timely, comprehensive detection
  • Low false positive rate
• Vulnerable to evasion techniques ("cloaking") [1]

[1] PhishFarm: A Scalable Framework for Measuring Evasion Techniques Against Browser Phishing Blacklists. Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Kevin Tyers. IEEE Symposium on Security & Privacy, May 2019.

Page 5: Browser/Blacklist Selection

• Google Safe Browsing (GSB), MS SmartScreen, Opera

Desktop blacklists (estimated market share as of December 2019):
  GSB 86%, SmartScreen 10%, Opera 2%, None/Other 2%

Mobile blacklists (estimated market share as of December 2019):
  GSB 83%, Opera 3%, None/Other 14%

Page 6: Blacklist Evaluation Criteria

• Coverage: does blacklisting always occur?
• Speed: delay between attack deployment and blacklisting
• Consistency across platforms

Security implications of gaps?

Page 7: Research Objectives

How vulnerable is the ecosystem, as a whole, to modern-day phishing?

• Continuous monitoring of blacklists
• Long-term verification of baseline defenses
• Identification of practical gaps

• Realistically evaluate blacklisting delays
• Discover, then test, evasion used in the wild
• Simulate ecosystem detection methods

Page 8: PhishTime Framework: Discovering Evasive Phishing in the Wild

Pipeline (figure):
  Monitor blacklisting of live phishing URLs (4,393)
    → discard if blacklisted
    → report non-blacklisted (183, i.e. 4.2%)
  Analyze non-blacklisted sites
  Design & deploy experiments w/ artificial websites*

*using an enhanced version of the empirical testbed proposed in [1]

Page 9: Artificial Website Configurations

A. Allow all traffic (control group)
B. Basic cloaking
C. Combinations of cloaking (redirection + .htaccess)
D. Combinations w/ infrastructure re-use
F. Innovative evasion techniques
G. New reporting protocols

(The slide groups these configurations under three labels: Baseline, Typical, Emerging.)

Page 10: (image-only slide; no text extracted)

Page 11: Longitudinal Experiments

Configurations A, B, C, D, F, G, simultaneously reported to anti-phishing entities:

• 2,862 sites / 4,158 URLs total (new, randomized .com domains)
• 6 deployments + 1 preliminary
• Monitor blacklisting status for 1 week

Page 12: Baseline Blacklisting

[Chart: share of baseline sites blacklisted, 0% to 100%, per deployment (May-19, Jul-19, Sep-19, Oct-19, Nov-19, Dec-19); series: Google Safe Browsing, Microsoft SmartScreen]

Page 13: Baseline Blacklisting (image-only slide; no further text extracted)

Page 14: Blacklist Speed & Coverage

Speed is given as hh:mm; "-" means no blacklisting was observed for that configuration on that platform.

                        Desktop Chrome           Mobile Firefox   Mobile Chrome
                        Speed (hh:mm)  Coverage  Coverage         Speed (hh:mm)  Coverage
Baseline (no evasion)   00:50          99%       99%              24:04          53%
Basic Evasion           00:59          94%       94%              -              0%
Typical Evasion         02:48          88%       88%              21:05          2%
Infrastructure Re-use   02:10          96%       96%              23:27          4%
Emerging Evasion        -              0%        0%               -              0%
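The two numbers in the table, coverage (page 6: does blacklisting occur at all within the observation window) and speed (delay from deployment to blacklisting), can be derived from a log of periodic blacklist-status checks. The following is an added example, not code from the paper or from the authors' framework; it assumes its own record layout, treats the first check of a URL as its deployment time, reports speed as the median delay to the first positive check, and counts a URL never flagged within the one-week window (page 11) against coverage while giving it no speed sample, which is what the "-" entries above correspond to. The sample log is constructed, not measurement data.

```python
"""Added example, not code from the PhishTime paper or the authors' framework:
derive the deck's two metrics, coverage and speed, from a constructed log of
periodic blacklist-status checks on deployed test URLs.

Assumed conventions (not stated on the slides): each record is one check of one
URL on one platform; the first check of a URL marks its deployment time; speed
is the median delay to the first positive check; a URL never flagged inside the
one-week window counts against coverage and contributes no speed sample."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(days=7)  # slides: blacklisting status monitored for 1 week


@dataclass(frozen=True)
class Check:
    url: str
    platform: str        # e.g. "desktop_chrome", "mobile_chrome"
    at: datetime
    blacklisted: bool


def first_flag(checks: List[Check]) -> Optional[timedelta]:
    """Delay from deployment to the first positive check within WINDOW, else None."""
    ordered = sorted(checks, key=lambda c: c.at)
    deployed = ordered[0].at
    for c in ordered:
        if c.blacklisted and c.at - deployed <= WINDOW:
            return c.at - deployed
    return None


def hhmm(delay: timedelta) -> str:
    secs = int(delay.total_seconds())
    return f"{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def speed_and_coverage(log: List[Check]) -> Dict[str, Tuple[Optional[str], float]]:
    """Per platform: (median time-to-blacklist as hh:mm, or None if nothing was
    ever flagged; fraction of URLs blacklisted within the window)."""
    per_url: Dict[Tuple[str, str], List[Check]] = {}
    for c in log:
        per_url.setdefault((c.platform, c.url), []).append(c)
    delays: Dict[str, List[Optional[timedelta]]] = {}
    for (platform, _url), checks in per_url.items():
        delays.setdefault(platform, []).append(first_flag(checks))
    result: Dict[str, Tuple[Optional[str], float]] = {}
    for platform, ds in delays.items():
        hits = [d for d in ds if d is not None]
        speed = hhmm(median(hits)) if hits else None  # None renders as "-"
        result[platform] = (speed, len(hits) / len(ds))
    return result


# Constructed sample log (not measurement data from the paper).
T0 = datetime(2019, 9, 1, 12, 0)


def _c(url: str, platform: str, minutes: int, flagged: bool) -> Check:
    return Check(url, platform, T0 + timedelta(minutes=minutes), flagged)


SAMPLE_LOG = [
    # desktop_chrome: two of three URLs flagged, at +30 min and +70 min
    _c("u1", "desktop_chrome", 0, False), _c("u1", "desktop_chrome", 30, True),
    _c("u2", "desktop_chrome", 0, False), _c("u2", "desktop_chrome", 40, False),
    _c("u2", "desktop_chrome", 70, True),
    _c("u3", "desktop_chrome", 0, False), _c("u3", "desktop_chrome", 7 * 24 * 60, False),
    # mobile_chrome: one URL flagged after a day, one never, one only after the
    # window closed (does not count toward coverage or speed)
    _c("u1", "mobile_chrome", 0, False), _c("u1", "mobile_chrome", 24 * 60 + 4, True),
    _c("u2", "mobile_chrome", 0, False), _c("u2", "mobile_chrome", 7 * 24 * 60, False),
    _c("u3", "mobile_chrome", 0, False), _c("u3", "mobile_chrome", 8 * 24 * 60, True),
]

if __name__ == "__main__":
    for platform, (speed, cov) in sorted(speed_and_coverage(SAMPLE_LOG).items()):
        print(f"{platform:15s} speed={speed or '-':>6s} coverage={cov:.0%}")
```

Run stand-alone it prints one row per platform in the same shape as the table above. The late positive for `u3` on mobile illustrates the caveat behind the "-" cells: a blacklisting that arrives after the monitoring window is invisible to the metric, so the window length is part of the measurement definition.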

Page 15: Current Reporting Channels (image-only slide; no further text extracted)

Page 16: Reporting Protocol Shortcomings

• (Re)submission of the URL alone is no good against advanced cloaking
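The point on this slide, and the cloaking configurations on page 9 (basic cloaking versus redirection-based combinations), can be seen in a small simulation. This is an added example and not the authors' code or testbed: the two cloaking rules (a crawler user-agent filter, and a referrer check that only admits traffic arriving through the lure's redirector), the host names, the user-agent strings and the fields of the "evidence" report are all assumptions constructed for illustration. A crawler acting on a bare URL fetches the page directly and gets the benign decoy; a crawler that replays the request context captured from the victim reaches the phishing content and can tie what it sees back to the reporter's evidence.

```python
"""Added example, not the authors' code: why resubmitting a bare URL fails
against a cloaked phishing page, and what a report carrying the victim's
request context lets a crawler do instead.

Everything here is an assumption built for illustration: the two cloaking
rules (crawler user-agent filter; referrer must be the lure's redirector),
the host names, and the fields of the evidence report."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlparse

REDIRECTOR_HOST = "redir.example"                 # assumed first hop of the lure link
PHISH_URL = "https://login-example.example/signin"  # assumed cloaked landing page
CRAWLER_UA = "ExampleSafetyCrawler/1.0"           # assumed crawler user agent
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/79.0"
CRAWLER_UA_MARKERS = ("crawler", "bot", "curl", "python-requests")
DECOY = "404 Not Found"            # benign page served to suspected crawlers
PHISH = "<form>fake login</form>"  # content served to suspected victims


@dataclass(frozen=True)
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


def cloaked_server(req: Request, rules: Tuple[str, ...] = ("ua", "referer")) -> str:
    """Simulated cloaked landing page. ("ua",) stands in for basic cloaking;
    ("ua", "referer") for a redirection-based combination."""
    ua = req.headers.get("User-Agent", "").lower()
    if "ua" in rules and any(m in ua for m in CRAWLER_UA_MARKERS):
        return DECOY
    referrer_host = urlparse(req.headers.get("Referer", "")).hostname or ""
    if "referer" in rules and referrer_host != REDIRECTOR_HOST:
        return DECOY
    return PHISH


def is_phishing(page: str) -> bool:
    return page == PHISH  # stand-in for the crawler's content classifier


def victim_request(url: str) -> Request:
    """What a victim's browser sends after following the lure via the redirector."""
    return Request(url, {"User-Agent": BROWSER_UA,
                         "Referer": f"https://{REDIRECTOR_HOST}/r?id=c0ffee"})


def crawl_url_only(url: str, rules: Tuple[str, ...], ua: str = CRAWLER_UA) -> bool:
    """Crawler acting on a URL-only report: fetches the URL directly, no referrer."""
    return is_phishing(cloaked_server(Request(url, {"User-Agent": ua}), rules))


def build_evidence_report(victim: Request, rendered: str) -> dict:
    """Assumed evidence-based submission: the URL plus the request context that
    produced the malicious content, and a hash of what the victim saw."""
    return {
        "url": victim.url,
        "user_agent": victim.headers.get("User-Agent", ""),
        "referer": victim.headers.get("Referer", ""),
        "page_sha256": hashlib.sha256(rendered.encode()).hexdigest(),
    }


def crawl_with_evidence(report: dict, rules: Tuple[str, ...]) -> bool:
    """Crawler replays the reported request context instead of a bare fetch."""
    req = Request(report["url"], {"User-Agent": report["user_agent"],
                                  "Referer": report["referer"]})
    page = cloaked_server(req, rules)
    # the hash ties what the crawler fetched back to what the reporter saw
    same = hashlib.sha256(page.encode()).hexdigest() == report["page_sha256"]
    return is_phishing(page) and same


if __name__ == "__main__":
    basic, combo = ("ua",), ("ua", "referer")
    print("URL-only, crawler UA, basic cloaking:", crawl_url_only(PHISH_URL, basic))
    print("URL-only, browser UA, basic cloaking:", crawl_url_only(PHISH_URL, basic, BROWSER_UA))
    print("URL-only, browser UA, combo cloaking:", crawl_url_only(PHISH_URL, combo, BROWSER_UA))
    v = victim_request(PHISH_URL)
    rep = build_evidence_report(v, cloaked_server(v, combo))
    print("evidence replay, combo cloaking:", crawl_with_evidence(rep, combo))
```

Spoofing a browser user agent is enough against the basic rule, which is why it alone does not explain the gaps in the table on page 14; once the page also demands the redirector as referrer, no amount of resubmitting the same URL helps, and only a report that carries the victim-side request context lets the crawler reproduce the malicious view. Real cloaking can also key on client IP or geolocation, which a replay from crawler infrastructure cannot reproduce; that case is outside this simulation.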

Page 17: URL Submission Metadata (title-only slide; no further text extracted)

Page 18: Evidence-based Reporting (title-only slide; no further text extracted)

Page 19: Enhanced Reporting vs. Evasive Phishing (title-only slide; no further text extracted)

Page 20: Disclosures & Impact (title-only slide; no further text extracted)

Page 21: Conclusions

• Longitudinal measurements are key to understanding ecosystem protections
  • Proactive anti-phishing approach
  • Discovering sophisticated attack variants
  • Not currently being done at the ecosystem level
• Sophisticated evasion remains a threat
  • Closing blacklisting gaps on mobile devices
  • Improving data sharing, reporting, detection
• Understanding the impact of blacklisting delays on victims [2]

[2] Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale. Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé, Gail-Joon Ahn. USENIX Security Symposium, August 2020.

Page 22: Thank you!

Adam [email protected]