The Highly Insidious Extreme Phishing Attacks

One of the most severe and challenging threats to Internet security is phishing, which uses spoofed websites to steal users' passwords and online identities. Phishers mainly use spoofed emails or instant messages to lure users to phishing websites. A spoofed email or instant message provides the first-layer context that entices users to click on a phishing URL, and the phishing website provides the second-layer context, with a look and feel similar to that of the targeted legitimate website, that lures users into submitting their login credentials. In this paper, we focus on the second-layer context to explore the extreme of phishing attacks: we examine the feasibility of creating extreme phishing attacks whose look and feel is almost identical to that of the targeted legitimate websites, and we evaluate the effectiveness of such attacks. We design and implement a phishing toolkit that supports both traditional phishing and the newly emergent Web Single Sign-On (SSO) phishing; the toolkit can automatically construct an unlimited number of levels of phishing webpages in real time, driven by user interactions. We design and perform a user study to evaluate the effectiveness of the phishing attacks constructed with this toolkit. The results demonstrate that extreme phishing attacks are indeed highly effective and insidious. It is reasonable to assume that extreme phishing attacks will be widely adopted and deployed in the future, and we call for a collective effort to defend against them effectively.
