TY - GEN
T1 - Discovering HTTPSified Phishing Websites Using the TLS Certificates Footprints
AU - Sakurai, Yuji
AU - Watanabe, Takuya
AU - Okuda, Tetsuya
AU - Akiyama, Mitsuaki
AU - Mori, Tatsuya
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/9
Y1 - 2020/9
N2 - With the recent rise of HTTPS adoption on the Web, attackers have begun "HTTPSifying"phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites with low false positives and (2) understanding the infrastructure used to generate the phishing websites. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.
AB - With the recent rise of HTTPS adoption on the Web, attackers have begun "HTTPSifying"phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites with low false positives and (2) understanding the infrastructure used to generate the phishing websites. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.
KW - HTTPS
KW - Phishing
KW - Public-Key Certificate
UR - http://www.scopus.com/inward/record.url?scp=85097053831&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097053831&partnerID=8YFLogxK
U2 - 10.1109/EuroSPW51379.2020.00077
DO - 10.1109/EuroSPW51379.2020.00077
M3 - Conference contribution
AN - SCOPUS:85097053831
T3 - Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
SP - 522
EP - 531
BT - Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Y2 - 7 September 2020 through 11 September 2020
ER -