Discovering phishing dropboxes using email metadata

The criminals who operate phishing scams often deliver harvested credentials to email accounts under their control, but it is difficult, in the general case, to identify these so-called 'dropboxes'. We devise three techniques to identify dropboxes and associated phishing websites by leveraging lists of known phishing websites and metadata maintained by email providers. We demonstrate the techniques' effectiveness using data held by anti-phishing organizations and an email provider. To directly identify dropboxes, we posted fake but distinctive credentials into 170 PayPal phishing pages and inspected an email provider's anti-spam metadata. This metadata recorded the presence of our credentials for 28 of the phishing pages, which sent credentials to 17 distinct dropboxes at this particular email provider. We indirectly identified 24 additional dropboxes by searching for email subjects similar to those of previously uncovered dropboxes. Based on these findings, we estimate an upper bound of 120 to 160 criminals ran phishing attacks against PayPal in July 2012, a smaller figure than might be expected from the 26 900 distinct PayPal phishing URLs they are known to have employed, spread across 13 018 different hostnames. Finally, in some cases we could extend our metadata processing by running an 'intersection attack': whenever victims receive the same URLs as other victims, it is likely that the common URL is for a phishing page. Preliminary evidence suggests that the false positive rate for intersection attacks is low. Furthermore, the intersection attack can be used to notify impersonated brands immediately after victims disclose their credentials and to identify more phishing sites faster than traditional methods currently achieve.
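As an added illustration (not code from the paper; every mailbox name, subject line and URL is constructed), the following sketches two of the metadata checks described above: flagging mailboxes whose message subjects resemble those of known dropboxes, and an intersection attack that ranks URLs received by several known victims while discounting URLs that are common across the whole user population. The similarity measure (token Jaccard with numeric fragments such as IP octets dropped) and the thresholds are assumptions, not the paper's.

```python
import re

# Constructed sample data (not from the paper): subjects of messages received by two
# mailboxes already known to be dropboxes, and subjects seen in other mailboxes.
KNOWN_DROPBOX_SUBJECTS = ["PayPal Result from 203.0.113.5", "PayPal result from 198.51.100.7"]
CANDIDATE_MAILBOXES = {
    "alpha@example.test": ["PayPal Result from 192.0.2.9", "PayPal Result from 192.0.2.10"],
    "bravo@example.test": ["Lunch on Friday?", "Invoice 42"],
    "charlie@example.test": ["ReZulT PayPal from 192.0.2.33", "Meeting notes"],
}
# For each known victim, URLs in messages it received (constructed), plus the fraction
# of all accounts that received each URL; widely received URLs are not evidence of phishing.
VICTIM_INBOX_URLS = {
    "victim1@example.test": {"http://paypa1-secure.example/login", "http://news.example/daily"},
    "victim2@example.test": {"http://paypa1-secure.example/login", "http://news.example/daily"},
    "victim3@example.test": {"http://paypa1-secure.example/login", "http://bank-verify.example/x"},
    "victim4@example.test": {"http://bank-verify.example/x", "http://news.example/daily"},
}
BASELINE_PREVALENCE = {"http://news.example/daily": 0.40}

def _tokens(subject):
    """Lower-case word tokens with purely numeric pieces (IP octets, counters) dropped."""
    words = re.sub(r"[^a-z0-9]+", " ", subject.lower()).split()
    return {w for w in words if not w.isdigit()}

def _jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def find_similar_dropboxes(known_subjects, mailboxes, threshold=0.5, min_matches=1):
    """Flag mailboxes whose subjects resemble those of known dropboxes (the indirect
    technique). Returns (mailbox, number of matching subjects), most matches first."""
    known = [_tokens(s) for s in known_subjects]
    hits = []
    for box, subjects in mailboxes.items():
        n = sum(1 for s in subjects if max(_jaccard(_tokens(s), k) for k in known) >= threshold)
        if n >= min_matches:
            hits.append((box, n))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def intersection_attack(victim_urls, baseline, min_victims=2, max_baseline=0.01):
    """URLs received by at least `min_victims` known victims but rare in the general
    population (the intersection attack). Returns (url, victim count), most victims first."""
    counts = {}
    for urls in victim_urls.values():
        for u in urls:
            counts[u] = counts.get(u, 0) + 1
    hits = [(u, n) for u, n in counts.items()
            if n >= min_victims and baseline.get(u, 0.0) <= max_baseline]
    return sorted(hits, key=lambda h: (-h[1], h[0]))
```

The baseline filter is what keeps a popular newsletter URL, received by victims and non-victims alike, from being reported as phishing.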