Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Unifying the Global Response to Cybercrime
Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Srishti Gupta, Ponnurangam K. (“PK”), IIIT – Delhi, India
Presenter: Prateek Dewan

description

Each month, more attacks are launched with the aim of making web users believe that they are communicating with a trusted entity, which compels them to share their personal and financial information. The acquired sensitive information is then used for personal benefit, for example to gain access to the money of the individuals from whom the information was taken. Phishing costs Internet users billions of dollars every year. A recent report highlighted a phishing loss of around $448 million to organizations in April 2014. Researchers at Carnegie Mellon University (CMU) created an anti-phishing landing page, supported by the Anti-Phishing Working Group (APWG), with the aim of training users to protect themselves from phishing attacks. It is used by financial institutions, phish site takedown vendors, government organizations, and online merchants. When a potential victim clicks on a phishing link that has been taken down, he or she is redirected to the landing page. In this paper, we present a comparative analysis of two datasets that we obtained from APWG’s landing page log files: one from September 7, 2008 to November 11, 2009, and the other from January 1, 2014 to April 30, 2014. We found that the landing page has been successful in training users against phishing. Forty-six percent of users clicked fewer phishing URLs from January 2014 to April 2014, which shows that training from the landing page helped users not to fall for phishing attacks. Our analysis shows that phishers have started to modify their techniques by creating more legitimate-looking URLs and buying large numbers of domains to increase their activity. We observed that phishers are exploiting Internet Corporation for Assigned Names and Numbers (ICANN) accredited registrars to launch their attacks even after strict surveillance. We saw that phishers are trying to exploit free subdomain registration services to carry out attacks.
In this paper, we also compared the phishing e-mails used by phishers to lure victims in 2008 and 2014. We found that the phishing e-mails have changed considerably over time. Phishers have adopted new techniques such as sending promotional e-mails and emotionally targeting users into clicking phishing URLs.

Transcript of Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Page 1: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Unifying the Global Response to Cybercrime

Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Srishti Gupta, Ponnurangam K. (“PK”)

IIIT – Delhi, India

Presenter: Prateek Dewan

Page 2: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Overview

• Problem
• Dataset
• Results
• Discussion

Page 3: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Phishing

• Social engineering attack
• Trick people to get personal information
• Computer security threat
• ….

Page 4: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Statistics

• APWG: 11% rise
• EMC2: $448 million loss
• 2013: ‘Year of breach’ by Symantec
• Peter Pan virus: UK (2014)
• Evolving: Tabnabbing

Page 5: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Problem

• Evolution of phishing URLs
• Learning?

http://phish-education.apwg.org/r/

Page 6: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Related Work

• Kumaraguru et al.: data from APWG
• Analysed URLs from Oct 2008 - March 2009
• Analysed phishing emails for above period

Kumaraguru, Ponnurangam, Lorrie Faith Cranor, and Laura Mather. "Anti-phishing landing page: Turning a 404 into a teachable moment for end users." Sixth Conference on Email and Anti-Spam. 2009.

Page 7: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Data Schema

IP | Date | Requesting URL | Referrer | Success Code | Size | Browser

• IP: IP address of the user clicking the phishing URL
• Date: Date on which the page was redirected to the education page
• Requesting URL: The phishing URL
• Referrer: The page visited before coming to the education page
• Success code: Status code returned for the client's request
• Size: Size of the complete header
• Browser: Browser information of the user

Page 8: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Dataset

Statistics | Whole Dataset | <=5 hits | >5 hits
Number of unique URLs | 28,471 | 17,368 | 10,833
Total hits for all unique URLs | 3,646,483 | 33,073 | 3,613,410
Maximum number of hits for a single URL | 342,317 | 5 | 342,317
Minimum number of hits for a single URL | 1 | 1 | 6
Average number of hits per URL | 104.9 | 1.6 | 300.2
Median number of hits per URL | 2 | 1 | 17
Standard deviation for the URLs | 3077.2 | 1.1 | 5224.5

2008 dataset (Sept ’08 - Nov ’09): 21,890 unique URLs

2014 dataset (Jan ’14 - Apr ’14)

Page 9: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Countries

• Vulnerable: Australia, France, Germany
• Top host: USA, Czech, UK

2008 (Vulnerable | Host): Peru, USA, Argentina | USA, Hungary, France

Page 10: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Structure of Phishing URL

• IP Address Obfuscation
    • Not significant, attackers buying domains
• Directory Structure Similarity
    • 2008: 18%; 2014: 38%
    • Using same phishing kits
• Number of host components
    • Append authentic-looking word
    • Length greater than 3 suspicious
    • 2008: 7.8%; 2014: 17.4%
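
One way to measure the three URL traits listed on this slide (IP-literal hosts, shared directory structure, more than three host components) over a list of URLs. This is an added example, not code from the presentation; the sample URLs are constructed, and treating "directory structure" as the path without its file name is an assumption.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the APWG logs); hosts are placeholders.
SAMPLE_URLS = [
    "http://192.0.2.10/secure/login.php",
    "http://login.secure.account.update.example.net/webscr/login.php",
    "http://shop.example.org/webscr/login.php",
    "http://example.com/index.html",
    "http://0xC0000225/bank/verify.php",
]

def host_is_ip(host):
    """True for IP-literal hosts, including single-integer (decimal/hex) forms."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        return 0 <= int(host, 0) <= 0xFFFFFFFF  # e.g. 3221226021 or 0xC0000225
    except ValueError:
        return False

def url_features(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    is_ip = host_is_ip(host)
    labels = 0 if is_ip else len(host.split("."))
    # Directory structure = path without the final file name (assumed definition).
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return {"host": host, "ip_host": is_ip,
            "many_components": labels > 3, "directory": directory}

def summarize(urls):
    """Fraction of URLs showing each trait, plus directories shared across hosts."""
    feats = [url_features(u) for u in urls]
    hosts_by_dir = defaultdict(set)
    for f in feats:
        if f["directory"] != "/":          # root path carries no kit signature
            hosts_by_dir[f["directory"]].add(f["host"])
    shared = {d for d, hosts in hosts_by_dir.items() if len(hosts) > 1}
    n = len(feats) or 1                    # avoid division by zero on empty input
    return {"ip_host": sum(f["ip_host"] for f in feats) / n,
            "many_components": sum(f["many_components"] for f in feats) / n,
            "shared_directory": sum(f["directory"] in shared for f in feats) / n,
            "shared_dirs": shared}
```

Calling summarize(SAMPLE_URLS) returns the share of URLs with each trait; a directory counts as shared only when it appears under more than one distinct host.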

Page 11: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Phishing Campaign

• Victims always greater
• Attacks are always successful

Page 12: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Learning

• 3,359 unique users
• 46% fewer hits

Page 13: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Learning - User Distribution

• High percentage with fewer clicks
• Low percentage with more clicks

Page 14: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Popular TLDs

• .org most popular in 2008
• .com growing
• Country specific TLDs observed

Page 15: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Non-ICANN Registrar

• No concrete policy
• 45% 2008; 24% 2014

Page 16: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

ICANN Registrar

• 55% 2008; 75.6% 2014
• Improper monitoring

https://www.icann.org/resources/pages/responsibilities-2014-03-14-en

Page 17: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Browser Analysis

• User Agent String Parser API
• Browser blacklists ineffective

Page 18: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Observations (Bots)

• 2,110 IP addresses
• United States, China, Japan
• No requesting URL (linked content)

IP Address format | Country | Agent Type
157.55.XXX.XXX | United States | Bingbot
180.76.XXX.XXX | China | Baiduspider
199.30.XXX.XXX | United States | MSN bot
123.125.XXX.XXX | China | Baiduspider
176.195.XXX.XXX | Russia | Googlebot

Page 19: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Referrer Analysis

• Phishing shifting target to OSM
• c0m.at, registered in France - Malicious

Referrer | Clicks
http://www.google.com | 980
http://m.facebook.com | 670
http://fasebook.c0m.at | 640
http://www.facebook.cm | 550
http://www.clixsense.com | 220
http://www.youtube.com | 181
http://servinox.com.co | 132
http://www.akihabarashop.jp | 130
http://dflogins.ls.fr | 91
http://google.ro | 90

Page 20: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Phishing e-mails

• 170 matches
• Logos, banners
• Account Upgrade
• Promotional
• Winning cash prize
• Helping e-mails

Page 21: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Tag Cloud

Page 22: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Discussion

• Sophisticated URL structuring
• ICANN registrars exploited
• Low cost, country specific TLDs used
• Browser blacklists ineffective
• Use of subdomain services
• Online Social Media to spread URLs
• Changing e-mail patterns

Page 23: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Questions?

Page 24: Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

For any queries, please write to

[email protected]

[email protected]

http://precog.iiitd.edu.in/people/srishti/