OltalamaAvcısı: Module design for the automatic detection of phishing websites and the prevention of user exploitation

In today's world, the widespread use of computers and mobile devices is driving a steady increase in internet use. One of the cyber attacks users encounter most often on the internet is phishing websites. In attacks carried out through phishing websites, real websites are copied and served from different domain names, and users are directed to these fake websites through various social engineering techniques. Depending on the website they are directed to, users end up handing personal and confidential data such as credit card details and username-password pairs to the attacker. In this study, the construction of the infrastructure and content of phishing websites is described, and 4 different methods are developed for detecting such websites. Together with the main detection method, the examination of newly registered websites, a successful detection rate of 95.4% was reached. Three different methods are used in the active defense part of the study. First, to have the phishing website taken offline, the hosting provider was identified automatically and a notification was sent, with a success rate of 98%. As the second active defense method, an active honeypot technique was developed. The active honeypot method aims to enter marked information into the phishing website and to track that information on the real website. A great deal of data about the attacker can be obtained with this method. As the last active defense method, a method for poisoning phishing websites with fake data was developed. With this method, the input fields of phishing websites are detected automatically and a large amount of fake data is submitted, in an attempt to prevent attackers from telling real user information apart. The active honeypot and fake-data poisoning methods were observed to achieve 92% success.

PhisherHunter: Module design for automatic detection of phishing websites and preventing user abuse

One of the most common cyber-attacks that users encounter on the internet is phishing websites. In attacks performed through phishing websites, real websites are duplicated and published on different domain names, and users are directed to these fake websites through various social engineering techniques. Depending on the website to which they are directed, users transmit personal and confidential data such as credit card details and username-password pairs to attackers. In this study, the establishment of the infrastructure and content of phishing websites has been explained, a tool named PhisherHunter has been created, and four different methods have been developed to detect such websites. Through the examination of newly registered websites, which is the main detection method, a successful detection rate of 95.4% has been achieved. Three different methods have been used in the active defense part of the study. Firstly, the hosting company has been automatically determined in order to stop the publication of the phishing website, and a notification has been sent with a success rate of 98%. As the second active defense method, the active honeypot technique has been developed. The active honeypot method aims to enter marked information on the phishing website and to track this information on the real website. As the last active defense method, a method of poisoning phishing websites with fake data has been developed. It has been observed that the active honeypot and fake-data poisoning methods have achieved a success rate of 92%.
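The tracking half of the active honeypot idea described above (recognise a marked credential when it later shows up on the real website), sketched as an added example that is not the paper's PhisherHunter code. The marker format, the login log layout, and every name and sample value here are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: secret held only by the defender
MARK_RE = re.compile(r"^u(?P<nonce>[0-9a-f]{8})(?P<tag>[0-9a-f]{8})$")
# Assumed layout of the real site's login log (constructed for this example).
LOG_RE = re.compile(r'^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

def _tag(nonce):
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:8]

def make_marker(phish_domain, seq, registry):
    """Create a marked username and record which phishing site received it."""
    nonce = f"{seq:08x}"
    marker = f"u{nonce}{_tag(nonce)}"
    registry[marker] = phish_domain
    return marker

def is_marker(username):
    """True only for usernames carrying a valid keyed tag."""
    m = MARK_RE.match(username)
    return bool(m) and hmac.compare_digest(m["tag"], _tag(m["nonce"]))

def find_marker_use(log_lines, registry):
    """Return source details for every login attempt that used a marker."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_marker(m["user"]):
            hits.append({"ts": m["ts"], "ip": m["ip"], "ua": m["ua"],
                         "planted_on": registry.get(m["user"], "unknown")})
    return hits

def demo():
    registry = {}
    marker = make_marker("phish.example", 1, registry)
    forged = marker[:-1] + ("0" if marker[-1] != "0" else "1")  # wrong tag
    logs = [  # constructed sample lines
        '2024-01-01T10:00:00Z login user=alice ip=192.0.2.10 ua="Mozilla/5.0"',
        f'2024-01-01T10:05:00Z login user={marker} ip=203.0.113.7 ua="curl/8.0"',
        f'2024-01-01T10:06:00Z login user={forged} ip=198.51.100.20 ua="curl/8.0"',
    ]
    return find_marker_use(logs, registry)

if __name__ == "__main__":
    print(demo())
```

The keyed tag means an ordinary username, or one that merely imitates the marker shape, never raises a hit; only credentials the defender actually issued do.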

Pamukkale Üniversitesi Mühendislik Bilimleri Dergisi
  • ISSN: 1300-7009
  • Started: 1995
  • Publisher: PAMUKKALE ÜNİVERSİTESİ
Authors: Samet GANAL, Ecir KÜÇÜKSİLLE, Mehmet Ali YALÇINKAYA