Security Busters: Web browser security vs. rogue sites

Most modern web browsers use URL blacklists to protect users from rogue web sites, i.e. those serving malware and/or hosting phishing scams. There is a plethora of URL blacklists and reputation services, of which Google's Safe Browsing and Microsoft's SmartScreen stand out as the two most commonly used. Frequently, such lists are the only safeguard web browsers implement against these threats. In this paper, we examine the level of protection offered by popular web browsers on iOS, Android and desktop (Windows) platforms against a large set of phishing and malicious URLs. The results reveal that most browsers, especially those for mobile devices, offer limited protection against such threats. As a result, we propose and evaluate a countermeasure that can be used to significantly improve the level of protection offered to users, regardless of the web browser or platform they are using.
