A Human in Every APE: Delineating and Evaluating the Human Analysis Systems of Anti-Phishing Entities

Conference paper

Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13358)

Abstract

We conducted a large-scale evaluation of some popular Anti-Phishing Entities (APEs). As part of this, we submitted arrays of CAPTCHA challenge-laden honey sites to 7 APEs. An analysis of the “click-through rates” during the visits from the APEs showed strong evidence for the presence of formidable human analysis systems operating in conjunction with automated crawler systems. In summary, we estimate that as many as 10% to 24% of URLs submitted to each of 4 APEs (Google Safe Browsing, Microsoft SmartScreen, Bitdefender and Netcraft) were likely visited by human analysts. In contrast to prior works, these measurements present a very optimistic picture for web security as, for the first time, they show the presence of expansive human analysis systems to tackle suspicious URLs that might otherwise be challenging for automated crawlers to analyze.

This finding allowed us an opportunity to conduct the first systematic study of the robustness of the human analysis systems of APEs, which revealed some glaring weaknesses in them. We saw that all the APEs we studied fall prey to issues such as a lack of geolocation and client-device diversity, exposing their human systems to targeted evasive attacks. Apart from this, we also found a specific weakness across the entire APE ecosystem that enables the creation of long-lasting phishing pages targeted exclusively against Android/Chrome devices by capitalizing on discrepancies in web sensor API outputs. We demonstrate this with the help of 10 artificial phishing sites that survived indefinitely despite repeated reporting to all APEs. We suggest mitigations for all these issues. We also conducted an elaborate disclosure process with all affected APEs in an attempt to persuade them to pursue these mitigations.

Notes

  1. Please refer to the numbers that were struck through in the gray cells in Table 1.

References

  1. Free CAPTCHA-Service. http://captchas.net/

  2. Google transparency report. https://transparencyreport.google.com/safe-browsing/search. Accessed 13 Jan 2022

  3. Math Captcha. https://www.jotform.com/widgets/math-captcha

  4. Puppeteer. https://github.com/puppeteer/puppeteer. Accessed 13 Jan 2022

  5. ReCAPTCHA demo. https://www.google.com/recaptcha/api2/demo

  6. Selenium. https://www.selenium.dev/. Accessed 13 Jan 2022

  7. StatCounter: Browser market share. https://gs.statcounter.com/browser-market-share

  8. User-agent switcher and manager (Chrome). https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg

  9. User-agent switcher and manager (Firefox). https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/

  10. Acharya, B., Vadrevu, P.: PhishPrint: evading phishing detection crawlers by prior profiling. In: 30th USENIX Security Symposium, USENIX Security 2021, 11–13 August 2021, pp. 3775–3792. USENIX Association (2021)

  11. Das, A., Borisov, N., Caesar, M.: Tracking mobile web users through motion sensors: attacks and defenses. In: NDSS (2016)

  12. Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.D.: Multi-digit number recognition from street view imagery using deep convolutional neural networks. In: 2nd International Conference on Learning Representations, ICLR 2014, Banff, 14–16 April 2014, Conference Track Proceedings (2014)

  13. Maroofi, S., Korczyński, M., Duda, A.: Are you human?: resilience of phishing detection to evasion techniques based on human verification. In: IMC 2020: ACM Internet Measurement Conference, Virtual Event, USA, 27–29 October 2020, pp. 78–86. ACM (2020)

  14. Maroofi, S., Korczyński, M., Hesselman, C., Ampeau, B., Duda, A.: COMAR: classification of compromised versus maliciously registered domains. In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 607–623. IEEE (2020)

  15. Miramirkhani, N., Starov, O., Nikiforakis, N.: Dial one for scam: analyzing and detecting technical support scams. In: 22nd Annual Network and Distributed System Security Symposium (NDSS), vol. 16 (2016)

  16. Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Proceedings of W2SP 2012 (2012)

  17. Oest, A., Safaei, Y., Doupé, A., Ahn, G.J., Wardman, B., Tyers, K.: PhishFarm: a scalable framework for measuring the effectiveness of evasion techniques against browser phishing blacklists. In: 2019 IEEE Symposium on Security and Privacy (SP) (2019)

  18. Oest, A., Safaei, Y., Doupé, A., Ahn, G.J., Wardman, B., Warner, G.: Inside a phisher’s mind: understanding the anti-phishing ecosystem through phishing kit analysis. In: 2018 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–12. IEEE (2018)

  19. Peng, P., Yang, L., Song, L., Wang, G.: Opening the blackbox of VirusTotal: analyzing online phishing scan engines. In: Proceedings of the Internet Measurement Conference, pp. 478–485 (2019)

  20. Roy-Chowdhury, R.: Google: How we keep you safe online every day (2020). https://blog.google/technology/safety-security/how-we-keep-you-safe-online-every-day/

  21. Vadrevu, P., Perdisci, R.: What you see is not what you get: discovering and tracking social engineering attack campaigns. In: Proceedings of the Internet Measurement Conference, pp. 308–321 (2019)

  22. Ye, G., et al.: Yet another text captcha solver: a generative adversarial network based approach. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, 15–19 October 2018, pp. 332–348. ACM (2018)

  23. Zhang, P., et al.: CrawlPhish: large-scale analysis of client-side cloaking techniques in phishing. In: 2021 IEEE Symposium on Security and Privacy (SP) (2021)

Acknowledgements

This work was inspired by a comment from an anonymous reviewer at IEEE SSP 2021 where we submitted our prior work [10]. We thank Wingate Jones for help in exploring AI-based techniques to evade APEs. We also thank all the anonymous reviewers for their very helpful feedback. This work was partly supported by the National Science Foundation (NSF) under grant CNS-2126655.

Author information

Corresponding author: Phani Vadrevu

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Acharya, B., Vadrevu, P. (2022). A Human in Every APE: Delineating and Evaluating the Human Analysis Systems of Anti-Phishing Entities. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_9

  • DOI: https://doi.org/10.1007/978-3-031-09484-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2

  • eBook Packages: Computer Science (R0)
