DOI: 10.1145/3419394.3423632
research-article

Are You Human?: Resilience of Phishing Detection to Evasion Techniques Based on Human Verification

Published: 27 October 2020

Abstract

Phishing is one of the most common cyberattacks these days. Attackers constantly look for new techniques to make their campaigns more lucrative by extending the lifespan of phishing pages. To achieve this goal, they leverage different anti-analysis (i.e., evasion) techniques to conceal the malicious content from anti-phishing bots and only reveal the payload to potential victims. In this paper, we study the resilience of anti-phishing entities to three advanced anti-analysis techniques based on human verification: Google re-CAPTCHA, alert box, and session-based evasion. We have designed a framework for performing our testing experiments, deployed 105 phishing websites, and provided each of them with one of the three evasion techniques. In the experiments, we report phishing URLs to major server-side anti-phishing entities (e.g., Google Safe Browsing, NetCraft, APWG) and monitor their occurrence in the blacklists. Our results show that Google Safe Browsing was the only engine that detected all the reported URLs protected by alert boxes. However, none of the anti-phishing engines could detect phishing URLs armed with Google re-CAPTCHA, making it so far the most effective protection solution of phishing content available to malicious actors. Our experiments show that all the major server-side anti-phishing bots only detected 8 out of 105 phishing websites protected by human verification systems. As a mitigation plan, we intend to disclose our findings to the impacted anti-phishing entities before phishers exploit human verification techniques on a massive scale.

    Published In

    IMC '20: Proceedings of the ACM Internet Measurement Conference
    October 2020
    751 pages
    ISBN:9781450381383
    DOI:10.1145/3419394

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    IMC '20
    IMC '20: ACM Internet Measurement Conference
    October 27 - 29, 2020
    Virtual Event, USA

    Acceptance Rates

    IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%
