Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Unifying the Global Response to Cybercrime
Srishti Gupta, Ponnurangam K. (“PK”)
IIIT – Delhi, India
Presenter: Prateek Dewan
Overview
• Problem
• Dataset
• Results
• Discussion
Phishing
• Social Engineering attack
• Trick people to get personal information
• Computer Security Threat
• ….
Statistics
• APWG: 11% rise
• EMC2: $448 million loss
• 2013: ’Year of breach’ by Symantec
• Peter Pan virus: UK (2014)
• Evolving: Tabnabbing
Problem
• Evolution of phishing URLs
• Learning?
http://phish-education.apwg.org/r/
Related Work
• Kumaraguru et al.: data from APWG
• Analysed URLs from Oct 2008 - March 2009
• Analysed phishing emails for above period
Kumaraguru, Ponnurangam, Lorrie Faith Cranor, and Laura Mather. "Anti-phishing landing page: Turning a 404 into a teachable moment for end users." Sixth Conference on Email and Anti-Spam. 2009.
Data Schema
IP | Date | Requesting URL | Referrer | Success Code | Size | Browser
• IP: IP address of the user clicking the phishing URL
• Date: Date on which the page was redirected to the education page
• Requesting URL: The phishing URL
• Referrer: The page visited before coming to the education page
• Success code: Status code of the client request
• Size: Size of the complete header
• Browser: Browser information of the user
Dataset
Statistics | Whole Dataset | <=5 hits | >5 hits
Number of unique URLs | 28,471 | 17,368 | 10,833
Total hits for all unique URLs | 3,646,483 | 33,073 | 3,613,410
Maximum number of hits for a single URL | 342,317 | 5 | 342,317
Minimum number of hits for a single URL | 1 | 1 | 6
Average number of hits per URL | 104.9 | 1.6 | 300.2
Median number of hits per URL | 2 | 1 | 17
Standard deviation for the URLs | 3077.2 | 1.1 | 5224.5
2008 dataset (Sept ’08 - Nov ’09): 21,890 unique URLs
2014 dataset (Jan ’14 - Apr ’14)
Countries
• Vulnerable: Australia, France, Germany
• Top host: USA, Czech, UK
• 2008: Vulnerable: Peru, USA, Argentina; Host: USA, Hungary, France
Structure of Phishing URL
• IP Address Obfuscation
  • Not significant, attackers buying domains
• Directory Structure Similarity
  • 2008: 18%; 2014: 38%
  • Using same phishing kits
• Number of host components
  • Append authentic-looking word
  • Length greater than 3 suspicious
  • 2008: 7.8%; 2014: 17.4%
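The three structural features on this slide can be measured over a list of reported URLs as sketched here. This is an added example, not code from the presentation; treating "directory similarity" as the same directory path appearing on more than one host is an assumption, and the sample URLs are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

def host_is_ip(host):
    """True when the host is an IP literal instead of a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def directory_of(url):
    """Path with the final segment dropped: /a/b/login.php -> /a/b."""
    return urlsplit(url).path.rpartition("/")[0]

def url_features(urls, max_components=3):
    """Per-URL flags: IP host, more than max_components host labels
    (domain names only), and a directory reused on another host."""
    hosts_by_dir = defaultdict(set)
    for u in urls:
        hosts_by_dir[directory_of(u)].add(urlsplit(u).hostname)
    rows = []
    for u in urls:
        host = urlsplit(u).hostname or ""
        is_ip = host_is_ip(host)
        d = directory_of(u)
        rows.append({
            "url": u,
            "ip_host": is_ip,
            "many_components": not is_ip and len(host.split(".")) > max_components,
            # Same non-empty directory seen on at least one other host.
            "shared_directory": bool(d) and len(hosts_by_dir[d]) > 1,
        })
    return rows

def feature_rates(rows):
    """Fraction of URLs showing each feature, comparable to the slide's percentages."""
    n = len(rows) or 1
    keys = ("ip_host", "many_components", "shared_directory")
    return {k: sum(r[k] for r in rows) / n for k in keys}

# Constructed sample URLs (reserved names and addresses), not taken from the dataset.
SAMPLE = [
    "http://192.0.2.10/secure/update/login.php",
    "http://bank.com.account.verify.shop.example/secure/update/login.php",
    "http://shop.example/images/index.html",
    "http://login.bank.example/wp-content/kit/a/index.php",
    "http://blog.example/wp-content/kit/a/verify.php",
]
```

Hosts written as a single decimal or hexadecimal integer are not recognised by `ip_address` and would need separate handling.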
Phishing Campaign
• Victims always greater
• Attacks are always successful
Learning
• 3,359 unique users
• 46% fewer hits
Learning - User Distribution
• High percentage with fewer clicks
• Low percentage with more clicks
Popular TLDs
• .org most popular in 2008
• .com growing
• Country specific TLDs observed
Non - ICANN Registrar
• No concrete policy
• 45% 2008; 24% 2014
ICANN Registrar
• 55% 2008; 75.6% 2014
• Improper monitoring
https://www.icann.org/resources/pages/responsibilities-2014-03-14-en
Browser Analysis
• User Agent String Parser API
• Browser blacklists ineffective
Observations (Bots)
• 2,110 IP addresses
• United States, China, Japan
• No requesting URL (linked content)
IP Address format | Country | Agent Type
157.55.XXX.XXX | United States | Bingbot
180.76.XXX.XXX | China | Baiduspider
199.30.XXX.XXX | United States | MSN bot
123.125.XXX.XXX | China | Baiduspider
176.195.XXX.XXX | Russia | Googlebot
Referrer Analysis
• Phishing shifting target to OSM
• c0m.at, registered in France - Malicious
Referrer | Clicks
http://www.google.com | 980
http://m.facebook.com | 670
http://fasebook.c0m.at | 640
http://www.facebook.cm | 550
http://www.clixsense.com | 220
http://www.youtube.com | 181
http://servinox.com.co | 132
http://www.akihabarashop.jp | 130
http://dflogins.ls.fr | 91
http://google.ro | 90
Phishing e-mails
• 170 matches
• Logos, banners
• Account Upgrade
• Promotional
• Winning cash prize
• Helping e-mails
Tag Cloud
Discussion
• Sophisticated URL structuring
• ICANN registrars exploited
• Low cost, country specific TLDs used
• Browser blacklists ineffective
• Use of subdomain-services
• Online Social Media to spread URLs
• Changing e-mail patterns
Questions ?
For any queries, please write to [email protected]
http://precog.iiitd.edu.in/people/srishti/