Phish-Net: Investigating phish clusters using drop email addresses

Zawoad, Shams; Dutta, Amit Kumar; Sprague, Alan P.; Hasan, Ragib; Britt, Jason; Warner, Gary

doi:10.1109/ecrs.2013.6805777

Cited by 11 publications

(8 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The number of phishing websites that rely on kits (as opposed to custom deployments) is unknown, but previous work by Zawoad et al found 10% of phishing sites active in 2013 left trace evidence of phishing kits [39]. This is a lower bound due to a limited coverage in the detection technique for phishing kits and because miscreants may delete traces of the kit after deployment.…”

Section: Phishing Kitsmentioning

confidence: 86%

“…The type of information stolen depends on the kits, but prior studies have shown that they harvest a victim's username, password, and geolocation information among other sensitive data [8,19,30,39]. Han et al estimated the success rate of kits by monitoring the activity of real visitors to infected honeypots, of which 9% submitted some data to the phishing page [19].…”

Section: Phishing Kitsmentioning

confidence: 99%

See 1 more Smart Citation

Data Breaches, Phishing, or Malware?

Thomas

Zand

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

131

View full text Add to dashboard Cite

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016-March, 2017, we identify 788,000 potential victims of off-theshelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords-which originate from thousands of online services-enable an attacker to obtain a victim's valid email credentials-and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7-25% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.

show abstract

Section: Phishing Kitsmentioning

confidence: 86%

Section: Phishing Kitsmentioning

confidence: 99%

Data Breaches, Phishing, or Malware?

Thomas

Zand

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

131

View full text Add to dashboard Cite

show abstract

“…Work on phishing profiling was aimed to understand and observe attacker activities to better predict phishing emails [30], while some studies [35], [36] use it as a first step to improve the accuracy of a phishing/benign classifier. Seifollahi et al [37] focused more on the authorship analysis and identifying the cybercriminal groups, while Zawoad et al clustered emails in order to identify phishing attacks generated by off-the-shelf phishing kits [38]. Approaches have also looked at using semi-supervised phishing profiling to predict new spear phishing campaigns [39].…”

Section: B Email Clusteringmentioning

confidence: 99%

Using Clustering Algorithms to Automatically Identify Phishing Campaigns

Althobaiti,

Wolters,

Alsufyani

et al. 2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…[17] and [18] use a structural analysis technique comparing local domain files to create clusters of related phish. Zawoad et al cluster phishing websites using email addresses receiving the phished credentials [19]. These email addresses are found in the phishing kits used to create the phishing websites.…”

Section: Related Workmentioning

confidence: 99%

High-Performance Classification of Phishing URLs Using a Multi-modal Approach with MapReduce

Shrestha

Kharel

Britt

et al. 2015

2015 IEEE World Congress on Services

Self Cite

View full text Add to dashboard Cite

Classifying phishing websites can be expensive both computationally and financially given a large enough volume of suspect sites. A distributed cloud environment can reduce the computational time and financial cost significantly. To test this idea, we apply a multi-modal feature classification algorithm to classify phishing websites in a non-distributed and several distributed environments. A multi-modal approach combines both visual and text features for classification. The implementation extracts color feature and histogram feature from the screenshot of a phishing website and text from its html source code. Feature extraction and comparison is accomplished by applying the MapReduce framework. Implementing the multimodal approach in a distributed environment proves to reduce the runtime as well as the financial costs. We present results that show our work is 30 times faster than existing state of the art systems in phishing website classification problem. Keywords-Phishing, Map Reduce, Color code I. Contributions:The contributions of this paper are as follows:1. We develop a high performance multi-modal phishing website classification system using MapReduce.2. We conduct performance evaluations to demonstrate the significant performance and cost advantage of our system over the existing state-of-the-art.3. We conduct extensive experiments on real cloud using Amazon EMR and Amazon S3.Organization: The rest of the paper explores the details of the multi-modal phish classification algorithm and its performance in a non-distributed versus a distributed environment. In Section II, we discuss the related research. Section III presents our approach and algorithms. We describe our distance measures for the classification task in Section IV, and the classification technique in Section V. In Section VI, we discuss our experimental setup and results, and provide an analysis in

show abstract

Phish-Net: Investigating phish clusters using drop email addresses

Cited by 11 publications

References 15 publications

Data Breaches, Phishing, or Malware?

Data Breaches, Phishing, or Malware?

Using Clustering Algorithms to Automatically Identify Phishing Campaigns

High-Performance Classification of Phishing URLs Using a Multi-modal Approach with MapReduce

Contact Info

Product

Resources

About