DOI: 10.1145/3460120.3484765
Research article, Public Access

Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits

Published: 13 November 2021

Abstract

For over a decade, phishing toolkits have been helping attackers automate and streamline their phishing campaigns. Man-in-the-Middle (MITM) phishing toolkits are the latest evolution in this space, where toolkits act as malicious reverse proxy servers of online services, mirroring live content to users while extracting credentials and session cookies in transit. These tools further reduce the work required by attackers, automate the harvesting of 2FA-authenticated sessions, and substantially increase the believability of phishing web pages.
In this paper, we present the first analysis of MITM phishing toolkits used in the wild. By analyzing and experimenting with these toolkits, we identify intrinsic network-level properties that can be used to identify them. Based on these properties, we develop a machine learning classifier that identifies the presence of such toolkits in online communications with 99.9% accuracy.
We conduct a large-scale longitudinal study of MITM phishing toolkits by creating a data-collection framework that monitors and crawls suspicious URLs from public sources. Using this infrastructure, we capture data on 1,220 MITM phishing websites over the course of a year. We discover that MITM phishing toolkits occupy a blind spot in phishing blocklists, with only 43.7% of domains and 18.9% of IP addresses associated with MITM phishing toolkits present on blocklists, leaving unsuspecting users vulnerable to these attacks. Our results show that our detection scheme is resilient to the cloaking mechanisms incorporated by these tools, and is able to detect previously hidden phishing content. Finally, we propose methods that online services can utilize to fingerprint requests originating from these toolkits and stop phishing attempts as they occur.

Supplementary Material

MP4 File (CCS21-fp237.mp4)
CCS 2021 Presentation Video


    Published In

    CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 2021
    3558 pages
    ISBN: 9781450384544
    DOI: 10.1145/3460120
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. phishing
    2. social engineering
    3. web security

    Qualifiers

    • Research-article

    Conference

    CCS '21
    Sponsor:
    CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 15 - 19, 2021
    Virtual Event, Republic of Korea

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
