Brad Wardman
University of Alabama at Birmingham
Publication
Featured research published by Brad Wardman.
Proceedings of the 3rd ACM workshop on Artificial intelligence and security | 2010
Aaron Blum; Brad Wardman; Thamar Solorio; Gary Warner
Phishing is a form of cybercrime where spammed emails and fraudulent websites entice victims to provide sensitive information to the phishers. The acquired sensitive information is subsequently used to steal identities or gain access to money. This paper explores the possibility of utilizing confidence weighted classification combined with content based phishing URL detection to produce a dynamic and extensible system for detection of present and emerging types of phishing domains. Our system is capable of detecting emerging threats as they appear and subsequently can provide increased protection against zero hour threats unlike traditional blacklisting techniques which function reactively.
2011 eCrime Researchers Summit | 2011
Brad Wardman; Tommy Stallings; Gary Warner; Anthony Skjellum
Phishers continue to alter the source code of the web pages used in their attacks to mimic changes to legitimate websites of spoofed organizations and to avoid detection by phishing countermeasures. Manipulations can be as subtle as source code changes or as apparent as adding or removing significant content. To appropriately respond to these changes to phishing campaigns, a cadre of file matching algorithms is implemented to detect phishing websites based on their content, employing a custom data set consisting of 17,992 phishing attacks targeting 159 different brands. The results of the experiments using a variety of different content-based approaches demonstrate that some can achieve a detection rate of greater than 90% while maintaining a low false positive rate.
2008 eCrime Researchers Summit | 2008
Brad Wardman; Gary Warner
The timeliness of phishing incident response is hindered by the need for human verification of whether suspicious URLs are actually phishing sites. This paper presents a method for automating the determination, and demonstrates the effectiveness of this method in reducing the number of suspicious URLs that need human review through a method of comparing new URLs and their associated Web content with previously archived content of confirmed phishing sites. The results can be used to automate shutdown requests, to supplement traditional “URL black list” toolbars allowing blocking of previously unreported URLs, or to indicate dominant phishing site patterns which can be used to prioritize limited investigative resources.
2009 eCrime Researchers Summit | 2009
Brad Wardman; Gaurang Shukla; Gary Warner
It has been shown that most phishing sites are created by means of a vulnerable web server being re-purposed by a phisher to host a counterfeit website without the knowledge of the server's owner. In this paper, we examine common vulnerabilities which allow these phishing sites to be created and suggest a method for identifying common attack methods, as well as help inform webmasters and their hosting companies in ways that help them to defend their servers. Our method involves applying a Longest Common Substring algorithm to known phishing URLs, and investigating the results of that string to identify common vulnerabilities, exploits, and attack tools which may be prevalent among those who hack servers for phishing. Following a Case Study approach, we then select four prevalent attacks that are suggested by our methodology, and use our findings to identify the underlying vulnerability, and document statistics showing that these vulnerabilities are responsible for the creation of phishing websites. Digging further, we identify attack tools created to exploit these vulnerabilities and how they are detected by current intrusion detection signatures. We suggest a means by which this work could be integrated with Intrusion Detection Systems to allow webmasters or hosting providers to reduce their vulnerability to hosting phishing websites.
The Journal of Digital Forensics, Security and Law | 2010
Brad Wardman; Gary Warner; Heather McCalley; Sarah Turner; Anthony Skjellum
Phishing continues to grow as phishers discover new exploits and attack vectors for hosting malicious content; the traditional response using takedowns and blacklists does not appear to impede phishers significantly. A handful of law enforcement projects — for example the FBI's Digital PhishNet and the Internet Crime and Complaint Center (ic3.gov) — have demonstrated that they can collect phishing data in substantial volumes, but these collections have not yet resulted in a significant decline in criminal phishing activity. In this paper, a new system is demonstrated for prioritizing investigative resources to help reduce the time and effort expended examining this particular form of online criminal activity. This research presents a means to correlate phishing websites by showing that certain websites are created by the same phishing kit. Such kits contain the content files needed to create the counterfeit website and often contain additional clues to the identity of the creators. A clustering algorithm is presented that uses collected phishing kits to establish clusters of related phishing websites. The ability to correlate websites provides law enforcement or other potential stakeholders with a means for prioritizing the allocation of limited investigative resources by identifying frequently repeating phishing offenders.
international conference on digital forensics | 2011
Heather McCalley; Brad Wardman; Gary Warner
This paper analyzes the “back-doored” phishing kits distributed by the infamous Mr-Brain hacking group of Morocco. These phishing kits allow an additional tier of cyber criminals to access the credentials of Internet victims. Several drop email obfuscation methods used by the hacking group are also discussed.
2011 eCrime Researchers Summit | 2011
Philip J. Nero; Brad Wardman; Heith Copes; Gary Warner
Email phishing requires functional countermeasures, as does any crime that results in millions of dollars in yearly losses. Many financial institutions currently combat phishing by contracting takedown companies that remove relevant phishing websites as soon as possible after they are detected. By comparing the median time necessary for professionals to take a phishing website down to the average time it takes for a phishing website to turn a profit for its creator, I have demonstrated the overall ineffectiveness of the takedown process. On average, takedown companies fail to eradicate phishing websites before their creators garner valuable information from multiple victims. Furthermore, forensic evidence that could lead to the arrest of the cybercriminals responsible for the phishing websites is often ignored because these takedown companies do not profit from cooperating with criminal investigations. Hence, there is no deterrence against phishing. An anti-phishing protocol that involves website takedown, but also includes investigation and eventual prosecution would likely be more effective than a self-perpetuating system that concludes after a malicious website is terminated.
conference on email and anti spam | 2009
Steve Sheng; Brad Wardman; Gary Warner; Lorrie Faith Cranor; Jason I. Hong; Chengshan Zhang
usenix conference on large scale exploits and emergent threats | 2012
Jason Britt; Brad Wardman; Alan P. Sprague; Gary Warner
The International Journal of Forensic Computer Science | 2012
Tommy Stallings; Brad Wardman; Gary Warner; Sagar Thapaliya