Sunrise to Sunset: Analyzing the End-to-end Life Cycle and

Effectiveness of Phishing Attacks at Scale

Adam Oest, Penghui Zhang, Adam Doupé, Gail-Joon AhnArizona State University

Brad Wardman, Eric Nunes, Jakub BurgisPayPal

Ali Zand, Kurt ThomasGoogle

Phishing is Growing as Malware Declines

2

Phishing

Web-based malware

Weekly Malicious Website Detections [1]

[1] Google Safe Browsing Transparency Report: https://transparencyreport.google.com/safe-browsing/overview

3

4

• Phishing kits “often” embed first-party JavaScript tracking code or images

Key Observation

5

ORGANIZATION TARGETED

BY PHISHERS

ANONYMIZED

WEB

EVENTS

Building an Analysis Framework

6

ANONYMIZED

WEB

EVENTS

KNOWN PHISHING

/ SUSPICIOUS URLS

ORGANIZATION TARGETED

BY PHISHERS

Overlapping URLs

E-MAIL PROVIDER /

PHISHING REPORTS

Attack timeline / detection

Session IDs

TRAFFIC

• victims

• crawlers

• attackers

Phishing URLs

FRAUD DATA

E-MAIL DATA

• Loss calculation

• Secure accounts

• Spam timings

• Reporting trends

Framework Design

7

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

8

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

9

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

10

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

11

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

12

ANONYMIZED

WEB

EVENTS

ORGANIZATION TARGETED

BY PHISHERS

E-MAIL PROVIDER /

PHISHING REPORTS

FRAUD DATA

E-MAIL DATA

End-to-end Timeline

13

• Source: large organization (top 10 most-phished)

• Visibility: 39.1% of known phishing domains

7.6% phishing success rate

Trackable by Golden Hour Estimated Total

Potential Victims Known User

Phishing Site Page Loads 15.6M 4.8M 39.9M

Suspected Successful Phish 482K 148K 1.2M

Oct 2018through

Sep 2019

“Golden Hour” Data Set

14

Proactive detection Reactive mitigation improvements

Secure affected user accounts

End-to-end Timeline of Phishing

15

Ratio: Traffic from browsers w/anti-phishing features vs. other browsers

Estimating Browser-based Detection

PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists Adam Oest, Yeganeh Safaei, Penghui Zhang, Brad Wardman, Kevin Tyers, Yan Shoshitaishvili, Adam Doupé, Gail-Joon Ahn. 2020 USENIX Security Symposium.

16

Potential Victim TrafficReported Phishing URLs

Phishing URLs vs Victim Traffic

17

Long-running Campaigns

18

Top 5%: 77.8%

Top 10%: 89.1%

Top 20: 23.6%

Top Campaigns: Majority of Victim Traffic

19

Bot evasion: Human Verification

20

Extensive Identity Theft

21

Extensive Identity Theft

22

Convincing Victims: Automatic Translation

23

Victim Reassurance

Conclusions

• End-to-end look at large-scale phishing attacks• Prioritizing mitigation of sophisticated phishing

• Golden Hour system deployed at major organization• Securing user accounts• Proactively discovering malicious URLs• Tracking COVID-19 phishing campaigns

• Future work• Collaborative, cross-organizational framework• Incorporation of signals beyond web requests

24

25

Thank you!

Adam Oestaoest@asu.edu