You’re online and you get an email from PayPal asking to check your balance. The logo looks good — you’re not really paying much attention — and the email provides a handy link to get into your account. You click on that, type in your username and password, glance at your account — which appears to be right — and surf off somewhere else.
Two weeks later your account is empty. They phished and you bit. Ouch.
But why didn’t you get a pop-up of one of those red warning pages that screams, “DANGER AHEAD”?
Because the tech giants didn’t know about the new scam site. It was hidden — cloaked — in a way that their machines wouldn’t pick up.
A team of researchers in the Center for Cybersecurity and Digital Forensics at Arizona State University studied the problem by creating an automatic analysis system called CrawlPhish to detect and categorize fraudulent websites.
“The thing that keeps people safe is these browser block lists that get populated with a list of sites that are known to be bad, but the question is, well, how do those get there to your machine?” said Doupé, who is also the acting director of the Center for Cybersecurity and Digital Forensics. “Somebody has to first detect it. And of course you don’t want The New York Times to be on that list because they’re a legitimate company. So there’s a whole ecosystem. When somebody like PayPal first goes and finds a phishing site, then they have to try to convince people like Google or Microsoft that this is actually a phishing site to get that put into those lists.”
Doupé’s students found that many phishing websites want to look exactly like PayPal. So how do they do that? They link directly to the PayPal logo, which is hosted on web servers on paypal.com. When your browser requests that image, the request also reports which page it came from. The team was able to go through PayPal’s logs and find out how many people were fetching the image from PayPal but were not on a PayPal site.
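The log check described above, written out as an added example (this is not the ASU team’s CrawlPhish code or PayPal’s tooling): it reads web server access log lines, keeps only requests for the brand’s logo image, and counts the referring pages whose host is not a brand-owned domain. The combined log format, the logo path, the “own domains” list and the sample log lines are all constructed for illustration.

```python
"""Added example: flag hotlinked-logo requests whose Referer points outside
the brand's own domains. Not part of the original article or research.

Assumptions: Apache/nginx "combined" log format, a placeholder logo path,
and constructed sample lines (RFC 5737 test addresses, .example hosts).
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# combined format: client ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed: the brand's own hostnames and the image path that gets hotlinked.
OWN_DOMAINS = {"paypal.com"}
LOGO_PATH = "/webapps/mpp/logo.png"  # placeholder, not the real asset path

# Constructed log lines: two legitimate page loads, one look-alike host that
# embeds the logo twice, a direct fetch with no referer, and an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "GET /webapps/mpp/logo.png HTTP/1.1" 200 5120 "https://www.paypal.com/signin" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2021:14:02:40 +0000] "GET /webapps/mpp/logo.png HTTP/1.1" 200 5120 "http://paypal.com.secure-login.example/verify.php" "Mozilla/5.0"',
    '198.51.100.24 - - [10/Mar/2021:14:03:02 +0000] "GET /webapps/mpp/logo.png?v=2 HTTP/1.1" 200 5120 "http://paypal.com.secure-login.example/verify.php" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Mar/2021:14:03:30 +0000] "GET /webapps/mpp/logo.png HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '192.0.2.56 - - [10/Mar/2021:14:04:01 +0000] "GET /index.html HTTP/1.1" 200 800 "https://account-update.example/" "Mozilla/5.0"',
    '192.0.2.57 - - [10/Mar/2021:14:04:44 +0000] "GET /webapps/mpp/logo.png HTTP/1.1" 304 0 "https://cdn.paypal.com/page" "Mozilla/5.0"',
]


def host_is_own(host):
    """True if host is one of the brand's domains or a subdomain of one.
    Suffix matching with the leading dot keeps 'paypal.com.evil.example'
    from passing as paypal.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def foreign_referers(lines, logo_path=LOGO_PATH):
    """Count referer origins (scheme://host) that embedded the logo but are
    not brand-owned. Lines that do not parse, requests for other paths, and
    requests with an empty or '-' referer are skipped: they say nothing about
    which page embedded the image."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("path").split("?", 1)[0] != logo_path:
            continue
        ref = m.group("referer")
        if ref in ("", "-"):
            continue
        parts = urlsplit(ref)
        if not parts.hostname or host_is_own(parts.hostname):
            continue
        hits[f"{parts.scheme}://{parts.hostname}"] += 1
    return hits


if __name__ == "__main__":
    for origin, n in foreign_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {origin}")
```

The flagged origins are leads to verify, not a verdict: a legitimate partner or a news article may also embed the logo, and a phishing page can suppress the referer (or host its own copy of the image), so an empty referer is never evidence that a request was benign.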
That gave the team links to actual, real phishing websites in the wild. Using CrawlPhish, they saw when people visited them, and if the visitors had been logged into PayPal — which a lot of people were — the team could see which PayPal user each one was. Later they could see whether, and how much later, a fraudulent transaction on that PayPal account showed up.
“We tracked phishing emails that went out so we can see when the first emails were sent,” Doupé said. “We have timelines of those. The crazy thing is that we have tons of people that visit the site before it’s ever detected.”
He calls that time period the “golden hour,” similar to that time of day photographers love because the light is perfect.
“With phishing they get so much of those victims that actually visit the page before it’s ever on a block list,” Doupé said. “We found like 50% of victims visit the page 40 minutes before it’s ever blocked. This is the thing that shows like, ‘Hey, we need to be doing this faster because we’re leaving people as victims to these sites and the attackers know this, and this is why their attacks are so successful.’ … The super interesting thing is then we would find a fraudulent transaction on average, five days after detection.”
Attackers are quick to adapt to changing news cycles. Look at how fast shady-looking sites for face masks sprang up last spring, or how fake donation sites arise after a natural disaster.
“Our anti-detection systems aren’t right, because essentially we’re fighting human intelligence,” Doupé said. “Their livelihood depends on being able to successfully scam people. So they’re able to quickly pivot and create these scam sites that take advantage of current things like the coronavirus.
“The key takeaway is us trying to say, ‘Hey, look, attackers are agile and clearly adjusting their strategies to the climate. How can the anti-phishing ecosystem?’ … The goal here is to kind of spur further research and to say, ‘OK, how can we deal with these changing things?’ Our systems are behind. They’re much more reactive rather than proactive.”