Don’t touch that link: Machine learning and the war on phishing

[tao]

We can catch phishes before they're even cast—using real-time data and open source code.

 

It's Friday, August 3, and I have hooked a live one. Using StreamingPhish, a tool that identifies potential phishing sites by mining data on newly registered certificates, I've spotted an Apple phishing site before it's even ready for victims. Conveniently, the operator has even left a Web shell wide open for me to watch him at work.

 

The site's fully qualified domain name is appleld.apple.0a2.com, and there's another registered at the same domain—appleld.applle.0a2.com. As I download the phishing kit, I take a look at the site access logs from within the shell. Evidently, I've caught the site just a few hours after the certificate was registered.

 

As I poke around, I find other phishing sites on the same server in other directories. One targets French users of the telecommunications company Orange; others have more generic names intended to disguise them as part of a seemingly legitimate URL, such as Secrty-ID.com-Logine-1.0a2.com.  Others still are spam blogs filled with affiliate links to e-commerce sites.

 

I check the access log again. The phisher has come back, logged in from an IP address in Morocco. He's unzipped the phishing kit. I send a heads up to the hosting company, SingleHop, with screenshots of the phishing page. I report the site to Google Safe Browsing and check one more time to see if I've missed anything.

 

The phisher notices something suspicious in his access logs. His site now up and running, he's deleted his shell—but not one on another subdomain. I consider going back in, but my work here is done anyway.

 

During the two hours I spent investigating this Apple phish, another 1,678 suspicious sites have popped up—spoofing brands including Apple, PayPal, Netflix, Instagram, and Bank of America. It will be nearly two days before SingleHop responds about the initial Apple one: "We were in touch with the management of the allegedly abused server, and after discussion the reported problem is claimed to be resolved."

 

That sort of interaction can't scale very well, but phishing seems to only be growing in its popularity. So if I learned anything from my StreamingPhish-time on the frontlines of this new digital war, it's this: if we're going to make a dent in these phishes, we're going to need a bigger boat—one with a whole lot more machine learning-based automation.

Anatomy of a modern phish

[...]

 

If interested, please read rather long article < here >.