Brad Wardman’s research while affiliated with Arizona State University and other places

Phishing websites with advanced evasion techniques are a critical threat to Internet users because they delay detection by current antiphishing systems. We present CrawlPhish, a framework for automatically detecting and categorizing the client-side (e.g., JavaScript) evasion used by phishing websites.

Despite an extensive anti-phishing ecosystem, phishing attacks continue to capitalize on gaps in detection to reach a signi cant volume of daily victims. In this paper, we isolate and identify these detection gaps by measuring the end-to-end life cycle of large-scale phishing attacks. We develop a unique framework-Golden Hour-that allows us to passively measure victim tra c to phishing pages while proactively protecting tens of thousands of accounts in the process. Over a one year period, our network monitor recorded 4.8 million victims who visited phishing pages, excluding crawler tra c. We use these events and related data sources to dissect phishing campaigns: from the time they rst come online, to email distribution , to visitor tra c, to ecosystem detection, and nally to account compromise. We nd the average campaign from start to the last victim takes just 21 hours. At least 7.42% of visitors supply their credentials and ultimately experience a compromise and subsequent fraudulent transaction. Furthermore, a small collection of highly successful campaigns are responsible for 89.13% of victims. Based on our ndings, we outline potential opportunities to respond to these sophisticated attacks.

Phishing attacks continue to evolve in order to bypass mitigations applied within the industry. These attacks are also changing due to the attacker’s desire for a greater return on investment from their attacks against the common internet user. The digital landscape has been ever-changing since the emergence of mobile technologies. The intersection of the internet and the growing mobile user-base fueled the natural progression of phishers to target mobile-specific users. This research investigates mobile-specific phishing attacks through the dissection of phishing kits used for the attacks, presentation of real world phishing campaigns, and observations about PayPal’s insight into mobile web-based phishing numbers. © Springer International Publishing AG, part of Springer Nature 2018.

Releases of usernames and passwords, referred to as credential dumps, have become an increasingly popular shared resource over the past decade, especially within underground communities. The sharing of compromised credentials by cybercriminals is done in order to demonstrate technical capability, increase reputation, and to augment one's legitimacy within criminal communities. There has been minimal research demonstrating standardized methods for identifying the distribution of credential dumps or the origin(s) of where a dump first surfaced. There has also been a lack of research related to the open source intelligence that can be obtained through tracing the distribution of dumps across the Internet. This research presents a method called REAPER which demonstrates how to leverage unique data points within credential dumps to identify its distribution, while also providing an in-depth look into the intelligence that can be gained by observing the criminal activities associated with the credentials dumped.

Organisations continue to pursue new strategies to thwart phishing attacks as well as investigate the criminals behind these scams. In order to address these issues, a novel algorithm named syntactical fingerprinting is proposed which automatically identifies phishing websites and implies the provenance of these websites using the structural components that compose the website. Syntactical fingerprinting demonstrates the ability to accurately identify newly observed phishing websites through an experiment on a custom dataset consisting of 49,840 URLs collected over three months by the UAB phishing data mine. An additional experiment was run over a different set of website content in early 2011 which exhibits the use of syntactical fingerprinting as a distance metric for clustering phishing websites. Finally, varying the threshold value used by syntactical fingerprinting demonstrates the capability for phishing investigators to identify not only the source of phishing websites, but individual phishers as well.

Phishers continue to target customers of all factions of the Internet industry in an attempt to gain personal information that can be used for profit. Typical organizational responses to these attacks are the removal of the malicious content through website takedown and user education. The latter response is extremely important as it is the organization's direct communication to the customer about these attacks. The purpose of this study is to survey a number of organizations that are highly targeted in phishing attacks and measure their effectiveness in communication to their customers. This study performs an evaluation of seven organizations', across a variety of industry sectors, communication through website content, customer service phone calls, and email abuse reporting. The outcomes of this study are suggestions that can be incorporated by all of the organizations to provide a better customer experience.