💡This is a reader's perspective on the paper written by Sayak Saha Roy (from the University of Texas at Arlington) and published at the Internet Measurement Conference 2023.
Brief Description
Observations
There is a typo in Section 5.5 "Blogpsot".
I think that the feature extraction section is the least impactful, because the features chosen were fairly simple in my opinion, even though I like the choices for ML models.
Besides that, I would really like to see Shopify and WooCommerce in there too. Maybe the list of FWBs was too short.
Initial Questions
In the beginning of the paper, the first question I had was about the fingerprints in FWB-generated websites, mainly because the author states that they are indistinguishable from regular phishing websites built from phishing kits. In the end, I guess that they used the domain information to identify the FWB service used, which neglects the phishing pages that were published with custom domains (but that is out of the scope of the dataset collection tool).
Another thing that I was curious about was the default cloaking techniques against web crawlers that are implemented by those FWBs. Unfortunately, none, besides redirection buttons, were mentioned in the study.
At first, I thought that it was basically a study around "Scam Websites", which would be a very nice way to expand this study. I guess that Beyond Phish already covered a small part of this gap and is probably working on some social media crawler to capture Scam Websites built with these tools.
Where do the experiment ideas come from?
I guess that the follow-up experiments all revolve around the analysis of the dataset creation method, which was clearly the first idea from the authors.
What are the interesting ideas/results?
One thing that I like about the study is the idea of capturing the URLs from social media such as Facebook and Twitter, and verifying how long they take to appear on public URL-sharing services such as PhishTank and OpenPhish, mainly because it states that when they get there, most of them would be way past the Golden Hour.
Another analysis that I like from the paper is the time it takes for both FWB services and social media services to shut down the websites/posts, given that they were reported as phishing.
I also like to see a confirmation from Crawlphish on the idea that there are some websites that are just redirections to other phishing websites to evade detection.