An Empirical Analysis of Phishing Blacklists

In this paper, we study the eectiveness of phishing blacklists. We used 191 fresh phish that were less than 30 minutes old to conduct two tests on eight anti-phishing toolbars. We found that 63% of the phishing campaigns in our dataset lasted less than two hours. Blacklists were ineective when protecting users initially, as most of them caught less than 20% of phish at hour zero. We also found that blacklists were updated at dierent speeds, and varied in coverage, as 47% - 83% of phish appeared on blacklists 12 hours from the initial test. We found that two tools using heuristics to complement blacklists caught signicantly more phish initially than those using only blacklists. However, it took a long time for phish detected by heuristics to appear on blacklists. Finally, we tested the toolbars on a set of 13,458 legitimate URLs for false positives, and did not nd any instance of mislabeling for either blacklists or heuristics. We present these ndings and discuss ways in which anti-phishing tools can be improved.

[1]  John C. Mitchell,et al.  Client-Side Defense Against Web-Based Identity Theft , 2004, NDSS.

[2]  Emil Sit,et al.  An empirical study of spam traffic and the use of DNS black lists , 2004, IMC '04.

[3]  J. Doug Tygar,et al.  The battle against phishing: Dynamic Security Skins , 2005, SOUPS '05.

[4]  Sean W. Smith,et al.  Trusted paths for browsers , 2002, TSEC.

[5]  Dan Boneh,et al.  Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[6]  Ka-Ping Yee,et al.  Passpet: convenient password management and phishing protection , 2006, SOUPS '06.

[7]  Xuhua Ding,et al.  Anomaly Based Web Phishing Page Detection , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[8]  Nick Feamster,et al.  Understanding the network-level behavior of spammers , 2006, SIGCOMM.

[9]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[10]  Lorrie Faith Cranor,et al.  Cantina: a content-based approach to detecting phishing web sites , 2007, WWW '07.

[11]  Norman M. Sadeh,et al.  Learning to detect phishing emails , 2007, WWW '07.

[12]  Christopher Krügel,et al.  On the Effectiveness of Techniques to Detect Phishing Sites , 2007, DIMVA.

[13]  Lorrie Faith Cranor,et al.  Protecting people from phishing: the design and evaluation of an embedded training email system , 2007, CHI.

[14]  Niels Provos,et al.  A framework for detection and measurement of phishing attacks , 2007, WORM '07.

[15]  Lorrie Faith Cranor,et al.  Phinding Phish: An Evaluation of Anti-Phishing Toolbars , 2007, NDSS.

[16]  Lorrie Faith Cranor,et al.  Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish , 2007, SOUPS '07.

[17]  Suku Nair,et al.  A comparison of machine learning techniques for phishing detection , 2007, eCrime '07.

[18]  Tyler Moore,et al.  Examining the impact of website take-down on phishing , 2007, eCrime '07.

[19]  Lorrie Faith Cranor,et al.  You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[20]  Lorrie Faith Cranor,et al.  School of phish: a real-world evaluation of anti-phishing training , 2009, SOUPS.

[21]  Jason I. Hong,et al.  A hybrid phish detection approach by identity discovery and keywords retrieval , 2009, WWW '09.

[22]  Pieter H. Hartel Review of "P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, T. Pham, School of phish: a real-world evaluation of anti-phishing training" , 2010 .