💡This is a reader's perspective on the paper written by Penghui Zhang (from Arizona State University) and published at the ACM Conference on Computer and Communications Security 2022.
Brief Description
The authors propose a tool that abuses the cloaking techniques that phishing websites use to protect users against them. The idea is that if crawlers can't see the phishing page, then users will not as well. They also evaluate a lot of server-side cloaking abused by phishing websites regarding how are they used in the wild. In the end, they evaluate how benign pages are affected by that.
Observations
I don't understand the idea of using a blacklist of URLs to enhance the tool. Is it because only the behavior analysis was not enough or was it to enhance the time performance of the tool in malicious websites?
Another idea I had while reading the paper was to try to mimic some other type of client-side fingerprinting. Which is a huge study GAP I want to explore later, as a tool to systematically modify fingerprinting inputs.
In Section 4.4 they mention that uncloaked websites take 28 minutes to be detected. But is it 28 minutes starting from when?
In Section 5 they mention the hashing of the URLs to store it for future usage, however, I am not sure if it is a good option since it is easy to create a different hash from the same domain using a simple unused query parameter.
Initial Questions
One thing that I had in mind was, how did they intercept the network connections to rewrite the HTTP header parameters? While they do not mention specifically that, they expose that their tool is a browser extension, and there are a lot of extensions that modify HTTP requests. Therefore, it might be possible in that way. (Btw, never done anything like that. What an interesting thing to try).
Where do the experiment ideas come from?
All the ideas of the paper are around the crawler-imitating idea. After that, they create the extension and think about the experiments.
What are the interesting ideas/results?
Nice idea on the impact on benign websites. Besides that there are a lot of experiments around that, for example, verifying a large group of URLs from Alexa Top 1M, manually verifying the results in a smaller dataset, using the extension for a month as a regular user, and verifying the impact of 2FA on the tool.
I like the modularization of the tool into "profiles" that can be modified and tested separately in the experiments section.
In the disclaimer section, I like the attention given to the usage of user data.
Finally, I really like the deep analysis of the False Positives in Section 6.6 as it gave a lot of insights into the behavior of the tool.
No comments:
Post a Comment