Monday, August 26, 2024

[Rephrasing] Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale

💡This is a reader's perspective on the paper written by Adam Oest (from Arizona State University) and published at the USENIX Security Symposium 2020.

Brief Description

The authors seek to understand the time span between the development of a phishing kit, its distribution, and the discovery of the phishing websites. They do that by analyzing the requests that phishing websites make to the benign website for images and stylesheets. Using that, they find that phishing webpages have on average 21 hours to abuse users before they are discovered by defenders.

Observations

I like the idea of providing an experiment that reduces the "Golden Hour" duration, a term they coined and deserve credit for. However, there should be an easier metric for calculating the Golden Hour duration for phishing websites that target a specific brand; there isn't one, given that the calculation requires access to private information from the company.

Another interesting experiment was tracking the effectiveness of phishing emails through the reports that users submit to the company. However, this does not capture the users who fall for the phishing attack, because those are the ones who would not report the website. I need to check the study "Cognitive triaging of phishing attacks" before asking whether that is a research gap.

I would also like to know what the "public dump" mentioned in Section 4.1 is, because it would be interesting to check. I wonder whether it is a private repository from the company itself.

One last question I had was about the advantages, for the attacker, of using an asset served by the benign webpage. Is it to bypass detection metrics? Or is it just laziness on the attackers' part?

Initial Questions

The first question I had was about the user network traffic of phishing web pages. They mention that they obtain it by accessing private information from a specific company in the financial sector, which is not reproducible by future work, but it is a nice idea to take advantage of.

Where do the experiment ideas come from?

They mention that "Cognitive triaging of phishing attacks" uses a similar approach to understand the effectiveness of phishing email lures. That might be the main motivation behind the ideas.

What are the interesting ideas/results?

The first genius idea is to leverage requests for benign content as a tracker for phishing websites. That is something I have never seen before.
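To make the tracking idea from the Brief Description and this paragraph concrete, here is an added example (my own code, not from the paper or its authors) of the defender-side check a brand could run over its own web server logs: asset requests whose Referer points at a host that is not one of the brand's own domains are grouped per foreign host, with the earliest hit as the candidate "sunrise" of that page. It assumes Apache/nginx combined log format and uses constructed log lines with reserved documentation IPs and hostnames.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (an assumption; the paper does not describe the bank's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".png", ".jpg", ".gif", ".svg", ".css", ".ico", ".woff", ".woff2")
# Hostnames allowed to embed the brand's assets (constructed placeholder names).
BRAND_HOSTS = {"bank.example", "www.bank.example", "static.bank.example"}

def parse_line(line):
    """Return the log fields as a dict (timestamp parsed), or None on a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def hotlinked_assets(lines):
    """Group asset GETs by foreign Referer host: earliest hit ('sunrise'), hit count, paths."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = urlsplit(rec["path"]).path.lower()   # drop any ?query before the suffix check
        if not path.endswith(ASSET_EXT):
            continue
        host = urlsplit(rec["referer"]).hostname or ""   # "-" and "" yield no hostname
        if not host or host in BRAND_HOSTS:
            continue   # direct hits and the brand's own pages carry no foreign origin
        entry = seen.setdefault(host, {"first_seen": rec["ts"], "hits": 0, "paths": set()})
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["hits"] += 1
        entry["paths"].add(path)
    return seen

# Constructed sample lines; IPs and hostnames are reserved documentation values, not real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2024:09:15:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://login-verify.example/secure/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2024:09:15:02 +0000] "GET /css/style.css HTTP/1.1" 200 2048 "https://www.bank.example/login" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Aug/2024:09:15:03 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Aug/2024:09:14:30 +0000] "GET /css/style.css?v=3 HTTP/1.1" 200 2048 "https://login-verify.example/secure/index.php" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Aug/2024:09:16:00 +0000] "GET /api/balance HTTP/1.1" 403 12 "https://login-verify.example/secure/index.php" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Aug/2024:10:02:11 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "https://blog.example/post" "Mozilla/5.0"',
]
```

Calling `hotlinked_assets(SAMPLE_LOG)` flags `login-verify.example` (two asset hits, first seen 09:14:30) and `blog.example` (one hit), while the brand's own page and the referer-less request are ignored. A foreign host is only a candidate: legitimate embedders such as news sites also hotlink, and a Referrer-Policy or privacy extension on the visitor's side can suppress the header entirely, so absence of a Referer is not evidence of absence.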

Nice preliminary study in Section 3.2 to understand that phishing pages usually request content from benign pages.

In Section 4.3, a metric visualized in their data is nicely confirmed against the APWG Q3 2019 report.

Nice geolocation experiment in Section 5.1 to verify the time at which the phishing page was being developed.
