Certified Phishing
Taking a Look at Public Key Certificates of Phishing Websites
Monday, August 12
Vincent Drury, Ulrike Meyer
RWTH Aachen University
Research Group IT-Security
Why look at Certificates?
Increasing number of websites with HTTPS
Source: Let’s Encrypt, https://letsencrypt.org/stats/. Online, accessed Aug 01, 2019.
1 of 11
Why look at Certificates?
Trend also observable in phishing websites
Source: APWG Phishing Activity Trends Report 1st Quarter 2019, https://apwg.org/trendsreports/.
2 of 11
Phishing: Terms and Process
[Diagram with three parties: Attacker, Victim, Target]
1. Copies Website
2. Sends Link
3. Enters Credentials
3 of 11
Certificates and CAs
Certificate Authority (CA)
Domain Validation (DV)
Organization Validation (OV)
Extended Validation (EV)
4 of 11
Research Questions
Are there general differences between certificates of phishing and benign websites?
Are there differences in comparison to a specific target?
5 of 11
Collection Process Overview
● 50.000 benign URLs from Alexa (Alexa Top 50k)
● 31.264 phishing URLs from PhishTank (53 days)
[Pipeline diagram: Alexa Top 50k (benign) and PhishTank (phishing) → Collection → Extraction → Analysis]

Certificates   Benign    Phishing
Collected      43.018    25.777
Duplicates       -698   -11.712
Invalid        -2.842    -4.586
Final          39.478     9.479

⇒ HTTPS does not mean safe
6 of 11
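An added example, not the authors' code or data, sketching the collection, extraction and analysis steps of this slide in Python. Records stand in for fields already extracted from X.509 certificates; duplicates are dropped by fingerprint, certificates that are expired or do not cover the visited host are dropped as invalid, and the remaining set is tallied by validation type and issuer (the inputs of the next two slides). All hostnames, fingerprints and issuer strings are constructed. The DV/OV/EV classification uses the CA/Browser Forum policy OIDs with a fallback on the subject Organization attribute; that is an assumption about how to classify, not the deck's stated method, and CA-specific EV OIDs would additionally need a browser EV list.

```python
"""Illustrative, stdlib-only sketch of a collection -> extraction -> analysis
pipeline for website certificates. The records below are CONSTRUCTED fields
as they would be extracted from X.509 certificates; this is added example
code, not the tooling or data of the study."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# CA/Browser Forum certificate-policy OIDs that identify the validation type.
EV_OID = "2.23.140.1.1"
OV_OID = "2.23.140.1.2.2"
DV_OID = "2.23.140.1.2.1"

# Constructed observation time used for the expiry check.
NOW = datetime(2019, 8, 1, tzinfo=timezone.utc)


def hostname_matches(host, names):
    """Minimal SAN matching: exact match, or a single-label wildcard such as
    *.example.com covering login.example.com (but not example.com itself)."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def is_valid(rec, url_host):
    """A certificate counts as 'invalid' here if it is outside its validity
    period or does not cover the host of the URL it was collected from."""
    if not (rec["not_before"] <= NOW <= rec["not_after"]):
        return False
    return hostname_matches(url_host, rec["sans"])


def validation_type(rec):
    """Classify DV/OV/EV: policy OIDs first, then fall back to whether the
    subject carries an Organization (O) attribute. Assumption: CA-specific EV
    OIDs are not handled; a real classifier needs the browsers' EV OID lists."""
    policies = set(rec["policies"])
    if EV_OID in policies:
        return "EV"
    if OV_OID in policies or (DV_OID not in policies and rec["subject_o"]):
        return "OV"
    return "DV"


def analyse(records):
    """Apply the filter stages from the slide (duplicates by fingerprint, then
    invalid certificates) and tally the final set by validation type and issuer."""
    seen, final = set(), []
    duplicates = invalid = 0
    for rec in records:
        if rec["fingerprint"] in seen:
            duplicates += 1
            continue
        seen.add(rec["fingerprint"])
        if not is_valid(rec, rec["url_host"]):
            invalid += 1
            continue
        final.append(rec)
    return {
        "collected": len(records),
        "duplicates": duplicates,
        "invalid": invalid,
        "final": len(final),
        "validation": Counter(validation_type(r) for r in final),
        "issuers": Counter(r["issuer"] for r in final),
    }


def cert(fp, host, sans, issuer, policies, subject_o="", days_left=60):
    """Build one constructed record; 'fp' stands in for the SHA-256 fingerprint."""
    return {"fingerprint": fp, "url_host": host, "sans": sans, "issuer": issuer,
            "policies": policies, "subject_o": subject_o,
            "not_before": NOW - timedelta(days=30),
            "not_after": NOW + timedelta(days=days_left)}


# Constructed sample standing in for a few reported URLs (not real data).
PHISHING_SAMPLE = [
    cert("aa", "login-verify.example.net", ["login-verify.example.net"], "Let's Encrypt", [DV_OID]),
    # same certificate reached via a second reported URL -> counted as duplicate
    cert("aa", "login-verify.example.net", ["login-verify.example.net"], "Let's Encrypt", [DV_OID]),
    cert("bb", "secure.example.org", ["*.example.org"], "cPanel", [DV_OID]),
    # certificate does not cover the visited host -> invalid
    cert("cc", "account.example.com", ["www.example.com"], "RapidSSL", [DV_OID]),
    # expired five days before NOW -> invalid
    cert("dd", "expired.example.com", ["expired.example.com"], "COMODO RSA", [DV_OID], days_left=-5),
    cert("ee", "shop.example.info", ["shop.example.info"], "COMODO RSA", [OV_OID], subject_o="Example Shop Ltd"),
]

if __name__ == "__main__":
    print(analyse(PHISHING_SAMPLE))
```

On the constructed sample the stages reproduce the shape of the slide's table (6 collected, 1 duplicate, 2 invalid, 3 final); the final set is what the validation-type and issuer distributions on the following slides are computed from.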
General Differences
Distribution of Validation Types:
[Bar chart, x-axis "Number of Certificates" scaled 0 to 1; one bar each for Phishing and Benign, segmented into DV, OV and EV]
7 of 11
General Differences
Distribution of (5 most common phishing) Issuers:
[Bar chart, x-axis scaled 0 to 1; one bar each for Phishing and Benign, segmented by issuer: Let’s Encrypt, cPanel, RapidSSL, COMODO RSA, COMODO ECC, Others]
⇒ Not generally possible to determine if phishing or benign from certificate alone
8 of 11
Specific Target
Rank   Target      Certificates   Organization   URL DN
1      PayPal      1169           0              84
3      Microsoft   297            47*            10
12     Dropbox     37             1*             2
14     Google      33             1*             1
*: Hosted on the target’s own infrastructure.
⇒ No evidence of active replication of certificate information, but abuse of target infrastructure possible
9 of 11
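An added example, not the authors' code or data, of the per-target count behind this table: for one target, tally how many phishing certificates mention its name in the subject Organization versus in a domain name on the certificate, and how many of the Organization hits are explained by the target's own hosting infrastructure (the slide's "*"). The target name, certificate records and the allow-list of target-owned Organization strings are all constructed assumptions.

```python
"""Added example: count where a target's name shows up in phishing
certificates, mirroring the Organization and URL/DN columns of the slide.
All records are CONSTRUCTED; this is not the study's tooling or data."""
import re
from collections import Counter


def name_in_domains(target, names):
    """True if the brand keyword occurs in any DNS name on the certificate,
    case-insensitively and ignoring a leading wildcard label."""
    pat = re.compile(re.escape(target), re.IGNORECASE)
    return any(pat.search(n.lstrip("*.")) for n in names)


def name_in_organization(target, subject_o):
    """True if the subject's Organization attribute mentions the target."""
    return bool(subject_o) and target.lower() in subject_o.lower()


def target_reference_counts(target, certs, target_owned_orgs=()):
    """Tally, for one target, how many certificates name it in the subject
    Organization, how many in a domain name, and how many of the Organization
    hits come from the target's own (abused) hosting platforms.
    `target_owned_orgs` is an ASSUMED allow-list of Organization strings the
    target itself uses on the certificates of those platforms."""
    counts = Counter(certificates=len(certs))
    for rec in certs:
        if name_in_organization(target, rec["subject_o"]):
            counts["organization"] += 1
            if rec["subject_o"] in target_owned_orgs:
                counts["organization_on_target_infra"] += 1
        if name_in_domains(target, rec["sans"]):
            counts["url_dn"] += 1
    return counts


# Constructed phishing certificates aimed at a hypothetical target "examplecorp".
EXAMPLE_TARGET = "examplecorp"
EXAMPLE_OWNED_ORGS = {"ExampleCorp Platform"}  # assumed target-owned hosting O
EXAMPLE_CERTS = [
    # brand in a look-alike domain, no Organization (typical DV certificate)
    {"sans": ["examplecorp-login.example.net"], "subject_o": ""},
    # page hosted on the target's own platform: the certificate is the
    # platform's wildcard, so the Organization is the target's (the slide's '*')
    {"sans": ["*.pages.examplecloud.example"], "subject_o": "ExampleCorp Platform"},
    # unrelated hostname and no Organization: nothing to flag from the certificate
    {"sans": ["secure.example.org"], "subject_o": ""},
    # brand in a subdomain of an unrelated hoster that has its own OV certificate
    {"sans": ["account.examplecorp-verify.example.com"], "subject_o": "Example Hosting Ltd"},
]

if __name__ == "__main__":
    print(target_reference_counts(EXAMPLE_TARGET, EXAMPLE_CERTS, EXAMPLE_OWNED_ORGS))
```

The split matters for the slide's conclusion: an Organization hit that is fully explained by the target's own platform certificates is evidence of infrastructure abuse, not of an attacker replicating certificate contents, so the two have to be counted separately before drawing conclusions.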
Suitability of Certificates for Phishing Detection
● Discriminative power
  ● Benign websites without EV/OV certificate
● Robustness
  ● Trust in CAs?
  ● Certificate Transparency
● Other potential problems
  ● TLS interception
10 of 11
Conclusion
● In general hard to differentiate certificates of benign and phishing websites
● Currently no evidence that attackers actively replicate the content of target certificates
  ● But: hosting on target infrastructure sometimes possible
● Certificates as possible resource for future research:
  ● Automated detection?
  ● User Education?
Thank you for your attention!
11 of 11