1 / 15

Behind Phishing: An Examination of Phisher Modi Operandi

Behind Phishing: An Examination of Phisher Modi Operandi. Speaker: Jun-Yi Zheng 2010/05/10. Reference.

keisha
Download Presentation

Behind Phishing: An Examination of Phisher Modi Operandi

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Behind Phishing: An Examination of Phisher Modi Operandi Speaker: Jun-Yi Zheng 2010/05/10

  2. Reference McGrath, D. K., & Gupta, M. (2008). Behind Phishing: An Examination of Phisher Modi Operandi. Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). San Francisco, CA.

  3. Outline Introduction Data Collection Analysis Conclusions

  4. Introduction Do phishing URLs and domains exhibit characteristics that are different from other URLs and domains? To what extent are phishers registering new domains to put up phishing sites and how long does it take for such sites to become active phishing campaigns? What type of machines are phishers using to host phishing sites and how long does a typical phishing domain live?

  5. Dataset Sources PhishTank http://www.phishtank.com/ MarkMonitor http://www.markmonitor.com/ MarkMonitor-2006 contain phishing URLs from MarkMonitor from 2006 Open Directory Project http://www.dmoz.org/

  6. Dataset Sources http://www.xyz.example.com/doc.html .com is the generic top-level domain (gTLD) example.com is the second-level domain http://www.example.ac.au/ .au is a country code TLD (ccTLD) example.ac.au is the effective second-level domain

  7. Data Overview

  8. Analysis Figure 1: Distribution of URL lengths

  9. Analysis Figure 2: Distribution of domain name lengths

  10. Analysis Figure 3: Comparison of letter frequencies in English, DMOZ, PhishTank, and MarkMonitor

  11. Analysis Figure 4: Number of unique characters within the domain name

  12. Analysis Table 1: Percent of URLs with brand domain name in each data set

  13. Analysis Figure 5: Time to activation of phishing domains

  14. Conclusions Phishing URLs and domain names have very different lengths compared to other URLs and domain URL and domain name lengths Letter frequencies Phishers are misusing free Web hosting services as well as URL-aliasing services, such as, TinyURL This points to the need to better scrutinize the users of such services Most domains registered for the purpose of phishing become active almost immediately upon registration This implies that the window to track suspicious domain registrations from the perspective of phishing is very small Many phishing domains were hosted on multiple machines spread across multiple countries A significant percentage of these machines belonged to residential customers

  15. Future Work double-flux

More Related