phi.sh/$ocial: the phishing landscape through short urls
DESCRIPTION
Size, accessibility, and rate of growth of Online Social Media (OSM) has attracted cyber crimes through them. One form of cyber crime that has been increasing steadily is phishing, where the goal (for the phishers) is to steal personal information from users which can be used for fraudulent purposes. Although the research community and industry has been developing techniques to identify phishing attacks through emails and instant messaging (IM), there is very little research done, that provides a deeper understanding of phishing in online social media. Due to constraints of limited text space in social systems like Twitter, phishers have begun to use URL shortener services. In this study, we provide an overview of phishing attacks for this new scenario. One of our main conclusions is that phishers are using URL shorteners not only for reducing space but also to hide their identity. We observe that social media websites like Facebook, Habbo, Orkut are competing with e-commerce services like PayPal, eBay in terms of traffic and focus of phishers. Orkut, Habbo, and Facebook are amongst the top 5 brands targeted by phishers. We study the referrals from Twitter to understand the evolving phishing strategy. A staggering 89% of references from Twitter (users) are inorganic accounts which are sparsely connected amongst themselves, but have large number of followers and followees. We observe that most of the phishing tweets spread by extensive use of attractive words and multiple hashtags. To the best of our knowledge, this is the first study to connect the phishing landscape using blacklisted phishing URLs from PhishTank, URL statistics from bit.ly and cues from Twitter to track the impact of phishing in online social media.TRANSCRIPT
Phi.sh/$oCiaL: The Phishing Landscape
through Short URLsSidharth Chhabra*, Anupama Aggarwal†,
Fabricio Benevenuto‡, Ponnurangam Kumaraguru†
*Delhi College of Engineering, †IIIT-Delhi, †Federal University of Ouro Preto
1
Motivation
2
3
4
Phishing via Short URLs
5
• Most popular - June 2010 - January 2011 *
• Most abused URL shortener
• 23.48% of short URL services
http://techblog.avira.com/en/
*
6
Research Aim
7
Analysis of Phishing Tweets containing Bitly
• How is Bitly used by Phishers?
• Who is Targeted ?
• Which Locations are Affected ?
8
System Architecture
9
URL TimeIs a
PhishIs
Up
Data Collection
10
URL TimeIs a
PhishIs
Up
Phishing
URLs
Data Collection
10
URL TimeIs a
PhishIs
Up
Phishing
URLs
Data Collection
10
URL TimeIs a
PhishIs
Up
Phishing
URLs
Short
URLs
Data Collection
10
URL TimeIs a
PhishIs
Up
Phishing
URLs
Short
URLsLong URL
Short URL
Created by
Lookup API
Data Collection Filtering
10
Referral Analysis
URL TimeIs a
PhishIs
Up
Phishing
URLs
Short
URLsLong URL
Short URL
Created by
Lookup API
Brand Analysis Temporal Analysis
Geographical Analysis
Behavioral Analysis
Text AnalysisNetwork Analysis
Data Collection Filtering
Analysis
10
Vote if PhishingVote if PhishingVote if Phishing
Yes No Unknown
Online
Yes 11,081 392 1,234
Online No 1,02,175 5,991 68,731Online
Unknown 4,863 523 795
1 January - 31 December, 2010
Dataset
11
Vote if PhishingVote if PhishingVote if Phishing
Yes No Unknown
Online
Yes 11,081 392 1,234
Online No 1,02,175 5,991 68,731Online
Unknown 4,863 523 795
1 January - 31 December, 2010
Dataset
11
Dataset
• 990 public Twitter users who posted phish tweets
• 864 user accounts present at the time of analysis
• 2000 past tweets for each of 516 users
12
Results
13
For 50% URLs, Space Gain < 37%
14
Social Network Websites targeted
15
516Twitterusers
213 inorganic
303 organic
Phish activity is majorly automated16
516Twitterusers
213 inorganic
303 organic
153 compromised
150 legitimate
Phish activity is majorly automated16
Sparse Network, High Reciprocity
17
Brazil is most targeted followed by US and Canada
18
Limitations
19
• Reliance on PhishTank
• 90% URLs offline when voted
• Small number of active voters
20
Conclusion
21
• URLs shorteners used to hide identity
• Change in landscape of phishing - OSNs target
• Phishing activity is automated
• Lack of phishing communities
• Brazil had highest phish URL clickthrough
22
Future Work
23
• Analyze the use of URL shorteners like goo.gl, tinyurl etc.
• Develop an algorithm to detect phishing on Twitter
24