Dating Phish: An Analysis of the Life Cycles of Phishing Attacks and Campaigns

Drury, Vincent; Lux, Luisa; Meyer, Ulrike

doi:10.1145/3538969.3538997

Cited by 8 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…( Legg, Blackman, 2019 , Van Der Heijden, Allodi, 2019 ) Dutch phishing rise march 2020 The rise of phishing emails in the Netherlands corresponds in a broad sense to the announced measurements taken by the Dutch government, and highly relates to the announcement classifying Covid-19 as a pandemic Trend shift Dutch Covid-19 restriction announcements Likely higher victimization rate Sec 4.2.1 Day and Time-depend susceptibility to phishing It is apparent that day of the week, and time of the day play an influential role in the assumptions of attackers that people are susceptible to phishing. Patterns follow work-week patterns of employees (mon-fri), with specific hours of breaktime, and email reading patterns Recurring Likely higher victimization rate Sec 4.2.2 Weekend pattern ( Lastdrager, 2018 , Ramzan, Wüest, 2007 ) peak pattern ( Drury et al., 2022 ) If we remove the dominant pattern, there are no other spikes appearing in the data. That means, it is likely that we have caught the most largest campaigns that are event/date specific.…”

Section: Methodsmentioning

confidence: 94%

The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

Hoheisel¹,

Capelleveen²,

Sarmah³

et al. 2023

Computers & Security

View full text Add to dashboard Cite

Section: Methodsmentioning

confidence: 94%

The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

Hoheisel¹,

Capelleveen²,

Sarmah³

et al. 2023

Computers & Security

View full text Add to dashboard Cite

“…Mansoori et al [35] attempted to detect geofencing by concurrently accessing malicious hosts from clients located in six geolocations and revealed the correlation between TLDs and targeted locations. Drury et al analyzed the life cycle of phishing sites to determine their survival time and campaign-specific characteristics [14]. Bijmans et al identified attacks using off-the-shelf phishing kits, observed them, and derived TTPs [17].…”

Section: Related Workmentioning

confidence: 99%

“…Such techniques bypass security researcher investigations and automatic malicious host detection systems, resulting in threat information not being shared and action being delayed. For example, an extensive study of phishing in [14] examined the possibility that there may be some attacks that cannot be observed due to cloaking.…”

Section: Introductionmentioning

confidence: 99%

Stargazer: Long-term and Multiregional Measurement of Timing/Geolocation-based Cloaking

et al. 2023

View full text Add to dashboard Cite

Malicious hosts have come to play a significant and varied role in today's cyber attacks. Some of these hosts are equipped with a technique called cloaking, which discriminates between access from potential victims and others and then returns malicious content only to potential victims. This is a serious threat because it can evade detection by security vendors and researchers and cause serious damage. As such, cloaking is being extensively investigated, especially for phishing sites. We are currently engaged in a longterm cloaking study of a broader range of threats. In the present study, we implemented Stargazer, which actively monitors malicious hosts and detects geographic and temporal cloaking, and collected 30,359,410 observations between November 2019 and February 2022 for 18,397 targets from 13 sites where our sensors are installed. Our analysis confirmed that cloaking techniques are widely abused, i.e., not only in the context of specific threats such as phishing. This includes geographic and time-based cloaking, which is difficult to detect with single-site or one-shot observations. Furthermore, we found that malicious hosts that perform cloaking include those that survive for relatively long periods of time, and those whose contents are not present in VirusTotal. This suggests that it is not easy to observe and analyze the cloaking malicious hosts with existing technologies. The results of this study have deepened our understanding of various types of cloaking, including geographic and temporal ones, and will help in the development of future cloaking detection methods.

show abstract

“…These datasets also face relevance challenges due to various factors. As these messages age, linked websites are often taken down swiftly, limiting learning opportunities about the smishing attack [5]. Moreover, older datasets become less effective as smishing campaigns evolve, leading to concept drift [20].…”

Section: Introductionmentioning

confidence: 99%

Program Models California State University-San Marcos

Erickson¹,

Anderson²,

Zlotkowski³

2023

Learning With the Community

View full text Add to dashboard Cite

While smishing (SMS Phishing) attacks have risen to become one of the most common types of social engineering attacks, there is a lack of relevant smishing datasets. One of the biggest challenges in the domain of smishing prevention is the availability of fresh smishing datasets. Additionally, as time persists, smishing campaigns are shut down and the crucial information related to the attack are lost. With the changing nature of smishing attacks, a consistent flow of new smishing examples is needed by both researchers and engineers to create effective defenses. In this paper, we present the community-sourced smishing datasets from the smishtank.com. It provides a wealth of information relevant to combating smishing attacks through the breakdown and analysis of smishing samples at the point of submission. In the contribution of our work, we provide a corpus of 1090 smishing samples that have been publicly submitted through the site. Each message includes information relating to the sender, message body, and any brands referenced in the message. Additionally, when a URL is found, we provide additional information on the domain, Virus-Total results, and a characterization of the URL. Through the open access of fresh smishing data, we empower academia and industries to create robust defenses against this evolving threat.

show abstract

Dating Phish: An Analysis of the Life Cycles of Phishing Attacks and Campaigns

Cited by 8 publications

References 10 publications

The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

Stargazer: Long-term and Multiregional Measurement of Timing/Geolocation-based Cloaking

Program Models California State University-San Marcos

Contact Info

Product

Resources

About