💡This is a reader's perspective on the paper written by Hugo Bijmans (from the Netherlands Organisation for Applied Scientific Research) and published at the USENIX Security Symposium 2021.
Brief Description
The authors propose a way of categorizing phishing kits and checking how they are being used in the wild. To do that, they build a graph of phishing kits linked by source code similarity and identify communities in it, then monitor the CertStream feed of newly issued certificates and crawl the corresponding URLs for the fingerprints they identified in each phishing kit in their dataset.
Observations
GAP: a study of brand impersonation and phishing kit detection. Which are the most commonly impersonated brands? Are there phishing kits that ship with different brand impersonations?
The only sources of phishing kits they studied were Telegram and PhishFinder-like tools. There is room for improvement by adding sources such as phishunt.io or private datasets.
Another interesting idea is to compare the clustering of the phishing kits or logo identification with the favicons of the website. I still wonder how many phishing webpages do not have a favicon, or a favicon not related to the brand impersonation.
I like the heuristic approach to finding URLs in CertStream. But they could use an existing phishing detection tool for that.
One drawback of this approach is that you must first obtain a phishing kit's source code before you can identify deployments of that kit in the wild.
Initial Questions
One of the main problems I face in code comparison of phishing websites is code obfuscation. Therefore I asked myself if they handled that somehow to compare the phishing kits with the live webpages. In the end, they use specific path- and string-based fingerprints in certain files to identify which phishing kit is being used.
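To make the pipeline described above concrete (similarity graph over kit source trees, community identification, per-community fingerprints, and a keyword heuristic over certificate-transparency events), here is a small added example. It is not the paper's code and not code from the blog; the kits, certificate events and brand tokens are constructed placeholders, and connected components stand in for whatever community-detection algorithm the paper uses.

```python
"""Toy phishing-kit community detection and fingerprint matching (constructed example)."""
import hashlib
from itertools import combinations
from typing import Dict, List, Optional, Set

Kit = Dict[str, str]  # relative file path -> file content

# Constructed sample kits: placeholder contents, not real phishing kit code.
# kit_a1/kit_a2 are two variants of one kit; kit_b1/kit_b2 of another.
KITS: Dict[str, Kit] = {
    "kit_a1": {"index.php": "<?php // login form v1", "login.php": "<?php // post handler",
               "assets/bank.css": "body{}", "send.php": "<?php // forward results"},
    "kit_a2": {"index.php": "<?php // login form v1", "login.php": "<?php // post handler",
               "assets/bank.css": "body{}", "send.php": "<?php // forward results",
               "blocker.php": "<?php // crawler blocker"},
    "kit_b1": {"index.php": "<html>courier</html>", "process.php": "<?php // post",
               "css/style.css": "h1{}", "next.php": "<?php // step 2"},
    "kit_b2": {"index.php": "<html>courier</html>", "process.php": "<?php // post",
               "css/style.css": "h1{}", "next.php": "<?php // step 2 (edited)"},
}


def file_signatures(kit: Kit) -> Set[str]:
    """Represent a kit as the set of 'path:sha256(content)' strings, so two kits
    only share an element when both the path and the file content match."""
    return {f"{p}:{hashlib.sha256(body.encode()).hexdigest()}" for p, body in kit.items()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def build_similarity_graph(kits: Dict[str, Kit], threshold: float = 0.5) -> Dict[str, Set[str]]:
    """Undirected graph: an edge joins two kits whose file-set similarity >= threshold."""
    sigs = {name: file_signatures(k) for name, k in kits.items()}
    graph: Dict[str, Set[str]] = {name: set() for name in kits}
    for x, y in combinations(kits, 2):
        if jaccard(sigs[x], sigs[y]) >= threshold:
            graph[x].add(y)
            graph[y].add(x)
    return graph


def communities(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Connected components (a simple stand-in for community detection), in sorted order."""
    seen: Set[str] = set()
    result: List[Set[str]] = []
    for start in sorted(graph):
        if start in seen:
            continue
        comp: Set[str] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        result.append(comp)
    return result


def fingerprints(kits: Dict[str, Kit], comms: List[Set[str]]) -> Dict[int, Set[str]]:
    """Per community: file paths present in every member kit and in no kit outside it."""
    fps: Dict[int, Set[str]] = {}
    for idx, comp in enumerate(comms):
        common = set.intersection(*(set(kits[n]) for n in comp))
        others = set().union(*(set(kits[n]) for n in kits if n not in comp))
        fps[idx] = common - others
    return fps


def attribute(observed_paths: Set[str], fps: Dict[int, Set[str]]) -> Optional[int]:
    """Attribute a live site (modelled as the set of paths that resolved when crawled)
    to the single community whose whole fingerprint is present; None if ambiguous."""
    matches = [idx for idx, fp in fps.items() if fp and fp <= observed_paths]
    return matches[0] if len(matches) == 1 else None


# Constructed stand-in for CertStream events (newly issued certificates).
CERT_EVENTS = [
    {"domain": "secure-login-examplebank.example"},
    {"domain": "photos.example"},
    {"domain": "examplecourier-parcel-update.example"},
]
BRAND_KEYWORDS = ("examplebank", "examplecourier")  # constructed brand tokens


def candidate_domains(events, keywords=BRAND_KEYWORDS) -> List[str]:
    """Keyword heuristic: keep certificate domains containing a monitored brand token."""
    return [e["domain"] for e in events if any(k in e["domain"].lower() for k in keywords)]


if __name__ == "__main__":
    comms = communities(build_similarity_graph(KITS))
    fps = fingerprints(KITS, comms)
    print("communities:", comms)
    print("fingerprints:", fps)
    print("candidate domains:", candidate_domains(CERT_EVENTS))
    # A crawled candidate whose fingerprint paths all resolved (constructed observation).
    print("attributed to community:", attribute({"index.php", "login.php", "assets/bank.css", "send.php"}, fps))
```

The fingerprint step is what lets the crawler avoid full source comparison (and thus most obfuscation concerns): only the presence of a few community-specific paths on the candidate host is checked. The trade-off noted above remains: a kit whose source was never collected has no community and therefore no fingerprint.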
Where do the experiment ideas come from?
I think it might have come from the moment they accessed free phishing kits from Telegram groups.
What are the interesting ideas/results?
Nice time explanation of the experiments in Section 3.4.
Nice experiment with evasion techniques used in phishing kits. That may lead to some other very interesting experiments.
Nice explanation in Section 7 on features of phishing pages that do appear on PhishTank vs phishing pages that do not even get there (might be more complex ones).