Image caption: Detecting phishing campaigns when malicious content is hidden. PhishLumos is triggered when it discovers hidden content and uses infrastructure clues to reveal details of the entire phishing campaign.
Provided by: Tokyo Metropolitan University
TOKYO – Researchers at Tokyo Metropolitan University have created a new paradigm for identifying online phishing campaigns. Their new system, PhishLumos, is activated when a link shows signs of information hiding. It then looks for clues within a website’s “infrastructure” and uncovers the entire campaign of which the site is only a small part. In real-world testing, it detected campaigns 8 days faster than experts and discovered 190,000 URLs over 6 months.
Phishing is a widespread form of cybercrime. Criminals impersonate trusted organizations such as banks or employers to trick victims into sharing sensitive information, clicking malicious links, or installing harmful software. Those who are less digitally savvy are particularly at risk, widening the digital divide as well as eroding trust in essential digital institutions.
That’s why researchers have been looking for ways to thwart phishing campaigns. But they face tough challenges. For example, most existing approaches involve analyzing individual suspicious links, or Uniform Resource Locators (URLs), on the web. Machine learning and deep learning approaches are helping enable increasingly sophisticated programs that can assess the veracity of content, but cybercriminals can typically create far more malicious links in the time it takes to identify and shut down one site. Generating malicious content is also becoming more sophisticated. Cloaking techniques help fool scanners, allowing more malicious content to appear right in front of potential victims.
Researchers are currently seeking a paradigm shift. In a recent study, a team led by Associate Professor Daiki Chiba of Tokyo Metropolitan University took a new approach. Rather than labeling a single link as good or bad, they look for signs of cloaking as the starting point for an automated investigation that identifies the entire phishing campaign associated with a malicious actor. Their system, PhishLumos, is not bypassed by withheld content but is instead triggered by it. Once activated, it searches for clues within the URL’s “infrastructure”, such as which Internet Protocol (IP) addresses are involved and what network connections are used. These help to map out the entire campaign of URLs involved in the same phishing project, not just as a big list of URLs, but as a so-called knowledge base (KB) graph that explains how the campaign works.
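A simplified illustration of the infrastructure-pivoting idea described above, added here as an example; it is not PhishLumos's code or algorithm. The record fields (`cloaked`, `ip`, `ns`), the `max_fanout` guard, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample observations (not real data): one record per scanned URL.
OBSERVATIONS = [
    {"url": "https://login-a.example/x", "cloaked": True,  "ip": "192.0.2.10", "ns": "ns1.reg-one.example"},
    {"url": "https://login-b.example/y", "cloaked": False, "ip": "192.0.2.10", "ns": "ns1.reg-two.example"},
    {"url": "https://login-c.example/z", "cloaked": False, "ip": "192.0.2.77", "ns": "ns1.reg-two.example"},
    {"url": "https://shop.example/", "cloaked": False, "ip": "198.51.100.5", "ns": "ns1.cdn.example"},
    {"url": "https://blog.example/", "cloaked": False, "ip": "198.51.100.5", "ns": "ns1.cdn.example"},
]

def build_graph(observations, keys=("ip", "ns")):
    """Bipartite graph: URL nodes linked to the infrastructure nodes they use."""
    graph = defaultdict(set)
    for obs in observations:
        for key in keys:
            infra = (key, obs[key])
            graph[("url", obs["url"])].add(infra)
            graph[infra].add(("url", obs["url"]))
    return graph

def expand_campaigns(observations, max_fanout=50):
    """Start at each cloaked URL and walk shared infrastructure to related URLs."""
    # max_fanout (hypothetical guard): widely shared hosts are not used as pivots.
    graph = build_graph(observations)
    campaigns, seen = [], set()
    for obs in observations:
        seed = ("url", obs["url"])
        if not obs["cloaked"] or seed in seen:
            continue
        urls, edges, queue = set(), set(), deque([seed])
        seen.add(seed)
        while queue:
            node = queue.popleft()
            if node[0] == "url":
                urls.add(node[1])
            elif len(graph[node]) > max_fanout:
                continue  # too widely shared to be evidence of one operator
            for nxt in graph[node]:
                if node[0] == "url":
                    edges.add((node[1], nxt))  # edge explains why the URL is linked
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        campaigns.append({"seed": obs["url"], "urls": urls, "edges": edges})
    return campaigns
```

The returned `edges` set is what separates a graph from a flat URL list: each entry records which shared infrastructure node ties a URL into the campaign.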
After examining 103 real-world phishing campaigns, PhishLumos was able to achieve detections on average 8 days faster than experts. In a real-world test, given 600 seed URLs as a starting point, the rules it discovered uncovered over 190,000 new links, 92% of which were later flagged as malicious. Importantly, it performed significantly better than so-called “content-centric” approaches that examine website content rather than infrastructure cues.
Online services have become an integral part of modern society, which allows malicious actors to cause widespread and irreparable harm. Projects like PhishLumos are an essential part of ensuring that the benefits of new information technologies reach everyone in a safe and equitable manner.
Article title
PhishLumos: From a single URL to campaign-level phishing mitigation
Article publication date
May 25, 2026
