Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Unifying the Global Response to Cybercrime

Srishti Gupta, Ponnurangam K. (“PK”)

IIIT – Delhi, India

Presenter: Prateek Dewan

Overview

•  Problem
•  Dataset
•  Results
•  Discussion

Phishing

•  Social Engineering attack
•  Trick people to get personal information
•  Computer Security Threat
•  ….

Statistics

•  APWG: 11% rise
•  EMC2: $448 million loss
•  2013: ‘Year of breach’ by Symantec
•  Peter Pan virus: UK (2014)
•  Evolving: Tabnabbing

Problem

•  Evolution of phishing URLs
•  Learning?

http://phish-education.apwg.org/r/

Related Work

•  Kumaraguru et al.: Data from APWG

•  Analysed URLs from Oct 2008 - March 2009

•  Analysed phishing emails for above period

Kumaraguru, Ponnurangam, Lorrie Faith Cranor, and Laura Mather. "Anti-phishing landing page: Turning a 404 into a teachable moment for end users." Sixth Conference on Email and Anti-Spam. 2009.

Data Schema

IP | Date | Requesting URL | Referrer | Success Code | Size | Browser

•  IP: IP address of the user clicking the phishing URL
•  Date: Date on which the page was redirected to the education page
•  Requesting URL: The phishing URL
•  Referrer: The page visited before coming to the education page
•  Success code: Status code of the client request
•  Size: Size of the complete header
•  Browser: Browser information of the user

Dataset

Statistics                                Whole Dataset   <=5 hits   >5 hits
Number of unique URLs                     28,471          17,368     10,833
Total Hits for all unique URLs            3,646,483       33,073     3,613,410
Maximum number of hits for a single URL   342,317         5          342,317
Minimum number of hits for a single URL   1               1          6
Average number of hits per URL            104.9           1.6        300.2
Median number of hits per URL             2               1          17
Standard Deviation for the URLs           3077.2          1.1        5224.5

2008 dataset (Sept ’08 - Nov ’09): 21,890 unique URLs

2014 dataset (Jan ’14 - Apr ’14)

Countries

•  Vulnerable: Australia, France, Germany
•  Top host: USA, Czech, UK

2008: Peru, USA, Argentina (vulnerable); USA, Hungary, France (host)

Structure of Phishing URL

•  IP Address Obfuscation
   •  Not significant, attackers buying domains
•  Directory Structure Similarity
   •  2008: 18%; 2014: 38%
   •  Using same phishing kits
•  Number of host components
   •  Append authentic-looking word
   •  Length greater than 3 suspicious
   •  2008: 7.8%; 2014: 17.4%
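
Added example (not from the presentation): one way to compute the three URL-structure features on this slide from a list of requesting URLs. It assumes "host components" means the dot-separated labels of the hostname and "directory structure similarity" means the same directory path appearing on two or more distinct hosts; the function names and sample URLs are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

HOST_COMPONENT_LIMIT = 3  # slide: more than 3 host components is suspicious


def host_is_ip(host):
    """True for an IP literal, including single-integer and 0x-hex IPv4 forms."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        return 0 <= int(host, 0) <= 0xFFFFFFFF  # e.g. "3221225994"
    except ValueError:
        return False


def url_features(url):
    """Host and path features named on the slide, for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    ip_host = host_is_ip(host)
    components = 0 if ip_host else len([c for c in host.split(".") if c])
    directory = parts.path.rsplit("/", 1)[0] or "/"
    return {"host": host, "ip_host": ip_host, "host_components": components,
            "many_components": components > HOST_COMPONENT_LIMIT,
            "directory": directory}


def shared_directories(urls):
    """Directories seen on two or more distinct hosts (assumed kit reuse signal)."""
    hosts_by_dir = defaultdict(set)
    for url in urls:
        f = url_features(url)
        if f["directory"] != "/":
            hosts_by_dir[f["directory"]].add(f["host"])
    return {d: sorted(h) for d, h in hosts_by_dir.items() if len(h) > 1}


# Constructed sample URLs (reserved example domains, documentation IP range).
SAMPLE_URLS = [
    "http://192.0.2.10/secure/login/index.php",
    "http://3221225994/secure/login/index.php",
    "http://bank.example.com.account.update.example.net/secure/login/index.php",
    "http://www.example.org/blog/post.html",
]
```

On the sample list, `shared_directories(SAMPLE_URLS)` reports `/secure/login` on three hosts, and only the third URL exceeds the host-component limit.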

Phishing Campaign

•  Victims always greater
•  Attacks are always successful

Learning

•  3,359 unique users
•  46% fewer hits

Learning - User Distribution

•  High percentage with fewer clicks
•  Low percentage with more clicks

Popular TLDs

•  .org most popular in 2008
•  .com growing
•  Country specific TLDs observed

Non-ICANN Registrar

•  No concrete policy
•  45% 2008; 24% 2014

ICANN Registrar

•  55% 2008; 75.6% 2014
•  Improper monitoring

https://www.icann.org/resources/pages/responsibilities-2014-03-14-en

Browser Analysis

•  User Agent String Parser API
•  Browser blacklists ineffective

Observations (Bots)

•  2,110 IP addresses
•  United States, China, Japan
•  No requesting URL (linked content)

IP Address format   Country         Agent Type
157.55.XXX.XXX      United States   Bingbot
180.76.XXX.XXX      China           Baiduspider
199.30.XXX.XXX      United States   MSN bot
123.125.XXX.XXX     China           Baiduspider
176.195.XXX.XXX     Russia          Googlebot

Referrer Analysis

•  Phishing shifting target to OSM
•  c0m.at, registered in France - Malicious

Referrer                      Clicks
http://www.google.com         980
http://m.facebook.com         670
http://fasebook.c0m.at        640
http://www.facebook.cm        550
http://www.clixsense.com      220
http://www.youtube.com        181
http://servinox.com.co        132
http://www.akihabarashop.jp   130
http://dflogins.ls.fr         91
http://google.ro              90

Phishing e-mails

•  170 matches
•  Logos, banners
•  Account Upgrade
•  Promotional
•  Winning cash prize
•  Helping e-mails

Tag Cloud

Discussion

•  Sophisticated URL structuring
•  ICANN registrars exploited
•  Low cost, country specific TLDs used
•  Browser blacklists ineffective
•  Use of subdomain-services
•  Online Social Media to spread URLs
•  Changing e-mail patterns

Questions?

For any queries, please write to

[email protected]

[email protected]
http://precog.iiitd.edu.in/people/srishti/