sunrise to sunset: analyzing the end-to-end life cycle and ... · analyzing the end-to-end life...
TRANSCRIPT
Sunrise to Sunset: Analyzing the End-to-end Life Cycle and
Effectiveness of Phishing Attacks at Scale
Adam Oest, Penghui Zhang, Adam Doupé, Gail-Joon AhnArizona State University
Brad Wardman, Eric Nunes, Jakub BurgisPayPal
Ali Zand, Kurt ThomasGoogle
Phishing is Growing as Malware Declines
2
Phishing
Web-based malware
Weekly Malicious Website Detections [1]
[1] Google Safe Browsing Transparency Report: https://transparencyreport.google.com/safe-browsing/overview
3
4
• Phishing kits “often” embed first-party JavaScript tracking code or images
Key Observation
5
ORGANIZATION TARGETED
BY PHISHERS
ANONYMIZED
WEB
EVENTS
Building an Analysis Framework
6
ANONYMIZED
WEB
EVENTS
KNOWN PHISHING
/ SUSPICIOUS URLS
ORGANIZATION TARGETED
BY PHISHERS
Overlapping URLs
E-MAIL PROVIDER /
PHISHING REPORTS
Attack timeline / detection
Session IDs
TRAFFIC
• victims
• crawlers
• attackers
Phishing URLs
FRAUD DATA
E-MAIL DATA
• Loss calculation
• Secure accounts
• Spam timings
• Reporting trends
Framework Design
7
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
8
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
9
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
10
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
11
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
12
ANONYMIZED
WEB
EVENTS
ORGANIZATION TARGETED
BY PHISHERS
E-MAIL PROVIDER /
PHISHING REPORTS
FRAUD DATA
E-MAIL DATA
End-to-end Timeline
13
• Source: large organization (top 10 most-phished)
• Visibility: 39.1% of known phishing domains
7.6% phishing success rate
Trackable by Golden Hour Estimated Total
Potential Victims Known User
Phishing Site Page Loads 15.6M 4.8M 39.9M
Suspected Successful Phish 482K 148K 1.2M
Oct 2018through
Sep 2019
“Golden Hour” Data Set
14
Proactive detection Reactive mitigation improvements
Secure affected user accounts
End-to-end Timeline of Phishing
15
Ratio: Traffic from browsers w/anti-phishing features vs. other browsers
Estimating Browser-based Detection
PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists Adam Oest, Yeganeh Safaei, Penghui Zhang, Brad Wardman, Kevin Tyers, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn. 2020 USENIX Security Symposium.
16
Potential Victim TrafficReported Phishing URLs
Phishing URLs vs Victim Traffic
17
Long-running Campaigns
18
Top 5%: 77.8%
Top 10%: 89.1%
Top 20: 23.6%
Top Campaigns: Majority of Victim Traffic
19
Bot evasion: Human Verification
20
Extensive Identity Theft
21
Extensive Identity Theft
22
Convincing Victims: Automatic Translation
23
Victim Reassurance
Conclusions
• End-to-end look at large-scale phishing attacks• Prioritizing mitigation of sophisticated phishing
• Golden Hour system deployed at major organization• Securing user accounts• Proactively discovering malicious URLs• Tracking COVID-19 phishing campaigns
• Future work• Collaborative, cross-organizational framework• Incorporation of signals beyond web requests
24