Time-based attacks for phishing detection evasion
RADO, CRISTIANO ALEX
2024/2025
Abstract
Phishing represents one of the most important security risks for normal people and companies, as human error is often capable of bypassing even the most well-designed infrastructures. To fight it, researchers have introduced tools that can analyze relevant aspects of webpages, such as the URL, source code structure and visual appearance. Visual Phishing Detectors (VPDs) are classifiers that, as the name implies, focus on visible elements like logos and forms. VPD papers often do not provide information regarding possible attacks and the procedures used to gather the data necessary for the analysis, nor their timing parameters. The team identified "timing" as a potential vulnerability, which can be exploited by changing the rendering process, displaying enough content to lure the user into a false sense of security, while evading detectors. Phishing samples were gathered from the internet, and visual effects were applied to their screenshots first, testing their performance against the reference tools. Then, a limited subset of samples was selected for the next step of modifying the actual source code and adapting it to work with our PhishMe framework, meant to control the rendering process via parameters set by the attacker/developer. Subsequently, a user study tested the participants' ability to spot visual changes in the crafted samples, collecting their feedback on the similarity and trustworthiness of the hypothetical websites, and finding the ideal delay threshold that VPDs should use. Lastly, a proof-of-concept of a phishing defense mechanism is introduced. The proposed tool is based on a browser extension and a web-socket server that runs a logo detector.

| File | Size | Format |
|---|---|---|
| Rado_CristianoAlex.pdf (Restricted access) | 9.13 MB | Adobe PDF |
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.
https://hdl.handle.net/20.500.12608/101995