research-article

Public Access

Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits

Authors:

Brian Kondracki,

Babak Amin Azad,

Oleksii Starov,

Nick NikiforakisAuthors Info & Claims

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages 36 - 50

https://doi.org/10.1145/3460120.3484765

Published: 13 November 2021 Publication History

Abstract

For over a decade, phishing toolkits have been helping attackers automate and streamline their phishing campaigns. Man-in-the- Middle (MITM) phishing toolkits are the latest evolution in this space, where toolkits act as malicious reverse proxy servers of online services, mirroring live content to users while extracting cre- dentials and session cookies in transit. These tools further reduce the work required by attackers, automate the harvesting of 2FA- authenticated sessions, and substantially increase the believability of phishing web pages.

In this paper, we present the first analysis of MITM phishing toolkits used in the wild. By analyzing and experimenting with these toolkits, we identify intrinsic network-level properties that can be used to identify them. Based on these properties, we develop a machine learning classifier that identifies the presence of such toolkits in online communications with 99.9% accuracy.

We conduct a large-scale longitudinal study of MITM phishing toolkits by creating a data-collection framework that monitors and crawls suspicious URLs from public sources. Using this infrastruc- ture, we capture data on 1,220 MITM phishing websites over the course of a year. We discover that MITM phishing toolkits occupy a blind spot in phishing blocklists, with only 43.7% of domains and 18.9% of IP addresses associated with MITM phishing toolkits present on blocklists, leaving unsuspecting users vulnerable to these attacks. Our results show that our detection scheme is resilient to the cloaking mechanisms incorporated by these tools, and is able to detect previously hidden phishing content. Finally, we propose methods that online services can utilize to fingerprint requests origi- nating from these toolkits and stop phishing attempts as they occur.

Supplementary Material

MP4 File (CCS21-fp237.mp4)

CCS 2021 Presentation Video

Download
52.94 MB

References

[1]

2021. Amazon Web Services. https://aws.amazon.com.

[2]

2021. Apache Traffic Server. https://trafficserver.apache.org.

[3]

2021. Apache Web Server. https://apache.org.

[4]

2021. Certificate Transparency. https://certificate-transparency.org.

[5]

2021. CloudFlare. https://cloudflare.com.

[6]

2021. CredSniper. https://github.com/ustayready/CredSniper.

[7]

2021. Digital Ocean. https://digitalocean.com.

[8]

2021. Evilginx. https://github.com/kgretzky/evilginx2.

[9]

2021. Facebook Certificate Transparency API. https://developers.facebook.com/docs/certificate-transparency.

[10]

2021. JA3. https://github.com/salesforce/ja3.

[11]

2021. JA3er. https://ja3er.com.

[12]

2021. Let's Encrypt. https://letsencrypt.org.

[13]

2021. Linode. https://linode.com.

[14]

2021. Modlishka. https://github.com/drk1wi/Modlishka.

[15]

2021. Muraena. https://github.com/muraenateam/muraena.

[16]

2021. Necrobrowser. https://github.com/muraenateam/necrobrowser.

[17]

2021. Nginx. https://nginx.com.

[18]

2021. Openphish. https://openphish.com.

[19]

2021. Phishtank. https://phishtank.com.

[20]

2021. Reelphish. https://github.com/fireeye/ReelPhish.

[21]

2021. Selenium. https://selenium.dev.

[22]

2021. Squid Proxy Server. http://squid-cache.org.

[23]

2021. TLS Prober. https://github.com/WestpointLtd/tls_prober.

[24]

2021. TOR. https://torproject.org.

[25]

2021. VirusTotal. https://virustotal.com.

[26]

2021. VirusTotal Evilginx Analysis Results. https://www.virustotal.com/gui/file/35636566f7ce11d44c2acf6ce6dca00b730b39710e82000a0e92b4af4a75e52c/detection.

[27]

Sahar Abdelnabi, Katharina Krombholz, and Mario Fritz. 2020. VisualPhishNet: Zero-Day Phishing Website Detection by Visual Similarity. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[28]

Moruf A Adebowale, Khin T Lwin, Erika Sanchez, and M Alamgir Hossain. 2019. Intelligent web-phishing detection and protection scheme using integrated features of Images, frames and text. Expert Systems with Applications 115 (2019), 300--313.

[29]

Daniel R Alexander. 2015. Inferring the Presence of Reverse Proxies Through Timing Analysis. Technical Report. Naval Postgraduate School Monterey CA.

[30]

Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou, and David Dagon. 2011. Detecting Malware Domains at the Upper DNS Hierarchy. In Proceedings of the 10th USENIX Security Symposium (USENIX Security), Vol. 11. 1--16.

[31]

APWG. 2017. Global Phishing Survey: Trends and Domain Name Use in 2016. Technical Report.

[32]

Aaron Blum, Brad Wardman, Thamar Solorio, and Gary Warner. 2010. Lexical feature based phishing URL detection using online learning. In Proceedings of the 3rd ACM Workshop on Artificial Intelligence and Security. 54--60.

Digital Library

[33]

Davide Canali, Marco Cova, Giovanni Vigna, and Christopher Kruegel. 2011. Prophiler: a fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th International Conference on World Wide Web (WWW). ACM, 197--206.

Digital Library

[34]

Igino Corona, Battista Biggio, Matteo Contini, Luca Piras, Roberto Corda, Mauro Mereu, Guido Mureddu, Davide Ariu, and Fabio Roli. 2017. Deltaphish: Detecting phishing webpages in compromised websites. In Proceedings of the 2017 European Symposium on Research in Computer Security. Springer, 370--388.

[35]

Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internet-wide scanning and its security applications. In 22nd USENIX Security Symposium. 605--620.

[36]

Xiao Han, Nizar Kheir, and Davide Balzarotti. 2016. Phisheye: Live monitoring of sandboxed phishing kits. In Proceedings of the 2016 SIGSAC Conference on Computer and Communications Security (CCS). ACM, 1402--1413.

Digital Library

[37]

Shuang Hao, Alex Kantchelian, Brad Miller, Vern Paxson, and Nick Feamster. 2016. PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 1568--1579.

Digital Library

[38]

Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, and Elie Bursztein. 2016. Cloak of visibility: Detecting when machines browse a different web. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 743--758.

[39]

Ankit Kumar Jain and Brij B Gupta. 2018. Towards detection of phishing websites on client-side using machine learning based approach. Telecommunication Systems 68, 4 (2018), 687--700.

Digital Library

[40]

Panagiotis Kintis, Najmeh Miramirkhani, Charles Lever, Yizheng Chen, Rosa Romero-Gómez, Nikolaos Pitropakis, Nick Nikiforakis, and Manos Antonakakis. 2017. Hiding in plain sight: A longitudinal study of combosquatting abuse. In Proceedings of the 2017 SIGSAC Conference on Computer and Communications Security. ACM, 569--586.

Digital Library

[41]

Anh Le, Athina Markopoulou, and Michalis Faloutsos. 2011. Phishdef: Url names say it all. In Proceedings of the 2011 IEEE INFOCOM. IEEE, 191--195.

[42]

Xueni Li, Guanggang Geng, Zhiwei Yan, Yong Chen, and Xiaodong Lee. 2016. Phishing detection based on newly registered domains. In 2016 IEEE international conference on big data (big data). IEEE, 3685--3692.

[43]

Samuel Marchal, Jérôme François, Thomas Engel, et al. 2012. Proactive discovery of phishing related domain names. In International Workshop on Recent Advances in Intrusion Detection. Springer, 190--209.

Digital Library

[44]

Anutthamaa Martin, Na Anutthamaa, M Sathyavathy, Marie Manjari Saint Francois, Dr V Prasanna Venkatesan, et al. 2011. A framework for predicting phishing websites using neural networks. arXiv preprint arXiv:1109.1074 (2011).

[45]

S Matthew and Geoffrey Xie. 2013. Fingerprinting Reverse Proxies Using Timing Analysis of TCP Flows. Technical Report. Naval Postgraduate School Monterey CA.

[46]

Eric Medvet, Engin Kirda, and Christopher Kruegel. 2008. Visual-similarity-based phishing detection. In Proceedings of the 4th international conference on Security and privacy in communication netowrks. 1--6.

Digital Library

[47]

Antonio Nappa, Rana Faisal Munir, Irfan Khan Tanoli, Christian Kreibich, and Juan Caballero. 2016. RevProbe: detecting silent reverse proxies in malicious server infrastructures. In Proceedings of the 32nd Annual Conference on Computer Security Applications. 101--112.

Digital Library

[48]

Terry Nelms, Roberto Perdisci, Manos Antonakakis, and Mustaque Ahamad. 2016. Towards measuring and mitigating social engineering software download attacks. In Proceedings of the 25th USENIX Security Symposium (USENIX Security). 773--789.

Digital Library

[49]

Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Kevin Tyers. 2019. Phishfarm: A scalable framework for measuring the effectiveness of evasion techniques against browser phishing blacklists. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1344--1361.

[50]

Adam Oest, Yeganeh Safei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Gary Warner. 2018. Inside a phisher's mind: Understanding the anti-phishing ecosystem through phishing kit analysis. In 2018 APWG Symposium on Electronic Crime Research (eCrime). IEEE, 1--12.

[51]

Adam Oest, Yeganeh Safei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Gary Warner. 2018. Inside a Phisher's Mind: Understanding the Anti-Phishing Ecosystem Through Phishing Kit Analysis. In Proceedings of the 2018 APWG Symposium on Electronic Crime Research (eCrime). IEEE, 1--12.

[52]

Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé, and Gail-Joon Ahn. 2020. Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale. In Proceedings of the 29th USENIX Security Symposium (USENIX Security).

[53]

Pawan Prakash, Manish Kumar, Ramana Rao Kompella, and Minaxi Gupta. 2010. Phishnet: predictive blacklisting to detect phishing attacks. In 2010 Proceedings IEEE INFOCOM. IEEE, 1--5.

[54]

Babak Rahbarinia, Roberto Perdisci, and Manos Antonakakis. 2015. Segugio: Efficient behavior-based tracking of malware-control domains in large ISP networks. In Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. IEEE, 403--414.

Digital Library

[55]

Steve Sheng, Brad Wardman, Gary Warner, Lorrie Cranor, Jason Hong, and Chengshan Zhang. 2009. An Empirical Analysis of Phishing Blacklists. (2009).

[56]

Gianluca Stringhini, Christopher Kruegel, and Giovanni Vigna. 2010. Detecting spammers on social networks. In Proceedings of the 26th Annual Computer Security Applications Conference. 1--9.

Digital Library

[57]

Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, et al. 2017. Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials. In Proceedings of the 2017 SIGSAC Conference on Computer and Communications Security. ACM, 1421--1434.

Digital Library

[58]

Enis Ulqinaku, Daniele Lain, and Srdjan Capkun. 2019. 2FA-PP: 2nd Factor Phishing Prevention. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks (WiSec). 60--70.

Digital Library

[59]

Matthew S Weant. 2013. Fingerprinting reverse proxies using timing analysis of TCP flows. Technical Report. Naval Postgraduate School Monterey CA.

[60]

Nicholas Weaver, Christian Kreibich, Martin Dam, and Vern Paxson. 2014. Here be web proxies. In Proceedings of the International Conference on Passive and Active Network Measurement. Springer, 183--192.

Digital Library

[61]

Colin Whittaker, Brian Ryner, and Marria Nazif. 2010. Large-scale automatic classification of phishing pages. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS).

Cited By

Brezeanu GArchip AArtene C(2025)Phish Fighter: Self Updating Machine Learning Shield Against Phishing Kits Based on HTML Code AnalysisIEEE Access10.1109/ACCESS.2025.352599813(4460-4486)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3525998
Stafeev APellegrino GBalzarotti DXu W(2024)SoKProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698941(719-737)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698941
Yuan YApruzzese GConti M(2024)Multi-SpacePhish: Extending the Evasion-space of Adversarial Attacks against Phishing Website Detectors Using Machine LearningDigital Threats: Research and Practice10.1145/36382535:2(1-51)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3638253
Show More Cited By

Index Terms

Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Social engineering attacks
      1. Phishing

Recommendations

Fighting against phishing attacks: state of the art and future challenges

In the last few years, phishing scams have rapidly grown posing huge threat to global Internet security. Today, phishing attack is one of the most common and serious threats over Internet where cyber attackers try to steal user's personal or financial ...
A phishing analysis of web based systems
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security

Phishing is form of identity theft that uses the social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. It is a kind of attack in which phishers use spoofed emails and fraudulent web ...
Phish-IDetector: Message-Id Based Automatic Phishing Detection
ICETE 2015: Proceedings of the 12th International Joint Conference on e-Business and Telecommunications - Volume 4

Phishing attacks are a well known problem in our age of electronic communication. Sensitive information

like credit card details, login credentials for account, etc. are targeted by phishers. Emails are the most

common channel for launching phishing ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

November 2021

3558 pages

ISBN:9781450384544

DOI:10.1145/3460120

General Chairs:
Yongdae Kim
KAIST, Republic of Korea
,
Jong Kim
POSTECH, Republic of Korea
,
Program Chairs:
Giovanni Vigna
University of California, Santa Barbara / VMware, USA
,
Elaine Shi
Carnegie Mellon University, USA

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation
Office of Naval Research

Conference

CCS '21

Sponsor:

SIGSAC

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security

November 15 - 19, 2021

Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
1,979
Total Downloads

Downloads (Last 12 months)650
Downloads (Last 6 weeks)47

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Brezeanu GArchip AArtene C(2025)Phish Fighter: Self Updating Machine Learning Shield Against Phishing Kits Based on HTML Code AnalysisIEEE Access10.1109/ACCESS.2025.352599813(4460-4486)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3525998
Stafeev APellegrino GBalzarotti DXu W(2024)SoKProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698941(719-737)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698941
Yuan YApruzzese GConti M(2024)Multi-SpacePhish: Extending the Evasion-space of Adversarial Attacks against Phishing Website Detectors Using Machine LearningDigital Threats: Research and Practice10.1145/36382535:2(1-51)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3638253
Lim KPark JKim DChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand WebsitesProceedings of the ACM Web Conference 202410.1145/3589334.3645535(1756-1767)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645535
Blancaflor EYuan D. Vicedor CRamos JRecena JDe Luna J(2024)A Comprehensive Case Study on MaxPhisher: Investigating the Features and Impact of Phishing Toolkits2024 3rd International Conference on Computer Technologies (ICCTech)10.1109/ICCTech61708.2024.00017(94-98)Online publication date: 1-Feb-2024
https://doi.org/10.1109/ICCTech61708.2024.00017
Li WManickam SChong YLeng WNanda P(2024)A State-of-the-Art Review on Phishing Website Detection TechniquesIEEE Access10.1109/ACCESS.2024.351497212(187976-188012)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3514972
Bartłomiejczyk MEl Fray I(2024)Device Risk Analysis Protocol for SMS-Based OTP AuthenticationIEEE Access10.1109/ACCESS.2024.344593112(123177-123192)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3445931
Tsouvalas BNikiforakis N(2024)Knocking on Admin’s Door: Protecting Critical Web Applications with DeceptionDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_15(283-306)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_15
Liu RLin YZhang YLee PDong JCalandrino JTroncoso C(2023)Knowledge expansion and counterfactual interaction for reference-based phishing detectionProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620469(4139-4156)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620469
Hasselquist DGawell EKarlström ACarlsson N(2023)Phishing in Style: Characterizing Phishing Websites in the Wild2023 7th Network Traffic Measurement and Analysis Conference (TMA)10.23919/TMA58422.2023.10199059(1-4)Online publication date: 26-Jun-2023
https://doi.org/10.23919/TMA58422.2023.10199059
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten