PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists

Title: PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Oest, Adam; Safaei, Yeganeh; Doupé, Adam; Ahn, Gail-Joon; Wardman, Brad; Tyers, Kevin
Conference Name: 2019 IEEE Symposium on Security and Privacy (SP)
ISBN Number: 978-1-5386-6660-9
Keywords: anti-phishing entities, anti-phishing-ecosystem, blacklisting, browser blacklists, browser phishing blacklists, Browsers, Cloaking, composability, compositionality, Computer crime, diverse cloaking techniques, Ecosystems, evasion techniques, HTTP request, Human Behavior, human factors, Internet, live phishing sites, Metrics, mobile browsers, mobile computing, modern phishing websites, native blacklisting, Organizations, PhishFarm framework, phishing, phishing attacks, phishing kits, pubcrawl, resilience, Resiliency, security, security of data, unsolicited e-mail, Web Browser Security, Web browsers, Web sites, web-browser

Phishing attacks have reached record volumes in recent years. Simultaneously, modern phishing websites are growing in sophistication by employing diverse cloaking techniques to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing the resilience of anti-phishing entities and browser blacklists to attackers' evasion efforts. We use PhishFarm to deploy 2,380 live phishing sites (on new, unique, and previously-unseen .com domains) each using one of six different HTTP request filters based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the occurrence and timeliness of native blacklisting in major web browsers to gauge the effectiveness of protection ultimately extended to victim users and organizations. Our experiments revealed shortcomings in current infrastructure, which allows some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple cloaking techniques representative of real-world attacks, including those based on geolocation, device type, or JavaScript, were effective in reducing the likelihood of blacklisting by over 55% on average. We also discovered that blacklisting did not function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly vulnerable to phishing attacks. Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms, but work remains to be done by anti-phishing entities to ensure users are adequately protected. Our PhishFarm framework is designed for continuous monitoring of the ecosystem and can be extended to test future state-of-the-art evasion techniques used by malicious websites.

Citation Key: oest_phishfarm_2019