Identifying the Phishing Websites Using the Patterns of TLS Certificates

Q3 Computer Science

Journal of Cyber Security and Mobility Pub Date : 2021-04-15 DOI:10.13052/jcsm2245-1439.1026

Yuji Sakurai, Takuya Watanabe, Tetsuya Okuda, Mitsuaki Akiyama, Tatsuya Mori

{"title":"Identifying the Phishing Websites Using the Patterns of TLS Certificates","authors":"Yuji Sakurai, Takuya Watanabe, Tetsuya Okuda, Mitsuaki Akiyama, Tatsuya Mori","doi":"10.13052/jcsm2245-1439.1026","DOIUrl":null,"url":null,"abstract":"With the recent rise of HTTPS adoption on the Web, attackers have begun “HTTPSifying” phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites and (2) understanding the infrastructure used to generate the phishing websites. Furthermore, we developed a real-time monitoring system using the analysis techniques. We demonstrate its usefulness for the practical security operation. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.","PeriodicalId":37820,"journal":{"name":"Journal of Cyber Security and Mobility","volume":"4 1","pages":"451-486"},"PeriodicalIF":0.0000,"publicationDate":"2021-04-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cyber Security and Mobility","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.13052/jcsm2245-1439.1026","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Computer Science","Score":null,"Total":0}

引用次数: 1

Abstract

With the recent rise of HTTPS adoption on the Web, attackers have begun “HTTPSifying” phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites and (2) understanding the infrastructure used to generate the phishing websites. Furthermore, we developed a real-time monitoring system using the analysis techniques. We demonstrate its usefulness for the practical security operation. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.

查看原文本刊更多论文

利用TLS证书模式识别钓鱼网站

随着最近HTTPS在网络上的普及，攻击者已经开始对网络钓鱼网站进行“http检测”。http检测钓鱼网站的优点是使网站看起来合法，并避开利用网络中的url或web内容的传统检测方法。此外，采用HTTPS还可能有助于产生固有足迹，并为防御者提供监视和检测网站(包括网络钓鱼网站)的绝佳机会，因为他们需要获得为准备网站而颁发的公钥证书。基于证书的检测的潜在好处包括:(1)通过在证书颁发后立即使用证书对所有http认证的网站进行全面监控，即使攻击者使用动态DNS (DDNS)或托管服务;传统的基于域名注册的方法可能会忽略这一点;(2)在网络钓鱼网站发布之前进行检测。因此，我们解决了以下研究问题:我们如何利用TLS证书的足迹来防御网络钓鱼攻击?为此，我们从证书透明度(Certificate Transparency, CT)日志中收集了大量网络钓鱼网站对应的TLS证书，并对这些TLS证书进行了广泛的分析。我们证明，通过对证书进行聚类分析获得的通用名称模板(相当于完全限定域名)可用于以下有前景的应用:(1)发现以前未知的网络钓鱼网站;(2)了解用于生成网络钓鱼网站的基础设施。此外，我们利用分析技术开发了一个实时监测系统。我们在实际的安全操作中证明了它的实用性。我们使用我们关于滥用免费证书颁发机构(ca)来操作http认证的网络钓鱼网站的调查结果来讨论针对此类滥用的可能解决方案，并向ca提供建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Cyber Security and Mobility Computer Science-Computer Networks and Communications

CiteScore

2.30

自引率

0.00%

发文量

期刊介绍： Journal of Cyber Security and Mobility is an international, open-access, peer reviewed journal publishing original research, review/survey, and tutorial papers on all cyber security fields including information, computer & network security, cryptography, digital forensics etc. but also interdisciplinary articles that cover privacy, ethical, legal, economical aspects of cyber security or emerging solutions drawn from other branches of science, for example, nature-inspired. The journal aims at becoming an international source of innovation and an essential reading for IT security professionals around the world by providing an in-depth and holistic view on all security spectrum and solutions ranging from practical to theoretical. Its goal is to bring together researchers and practitioners dealing with the diverse fields of cybersecurity and to cover topics that are equally valuable for professionals as well as for those new in the field from all sectors industry, commerce and academia. This journal covers diverse security issues in cyber space and solutions thereof. As cyber space has moved towards the wireless/mobile world, issues in wireless/mobile communications and those involving mobility aspects will also be published.