Field Study

Reported Phishing Examples During the Field Study


Domain Analysis

The five most common top-level domains (TLDs) among the phishing websites are .com, .online, .de, .net, and .xyz, which differs from the top five TLDs among the Alexa top one million sites (.com, .org, .net, .ru, .it).

As expected, attackers prefer regional TLDs (e.g. .de) or less conventional yet budget-friendly options (e.g. .xyz, .online).

Geolocation Analysis

We investigate the geolocations of the phishers' IP addresses and find that most of the phishing webpages detected through the CertStream service originate from the US and Europe. There may be several reasons behind this observation:

Infrastructure Availability: Compared to other regions, the US and Europe have more mature infrastructure, such as readily available hosting services, Virtual Private Servers (VPS) and cloud providers. Attackers worldwide may take advantage of these services to set up malicious websites or send phishing emails.

Technological Sophistication: Further, as mentioned above, US and European attackers might favour more sophisticated techniques such as encryption and anonymization.

Campaign Analysis

We identify phishing campaigns by grouping phishing webpages by their targeted brands and by similarities in their domain names. The initial and final days of each campaign are plotted in the following figure. We identified 5 distinct phishing campaigns, targeting SonicWall, Meta, Thales Group, EBSCO Information Services, and AVM Deutschland, respectively. On average, a phishing campaign lasts about 16 days. The longest is the SonicWall campaign, which lasts 28 days and continues until the end of our experiment.

Meta Campaign:
We observe a campaign targeting Meta, sharing several distinctive characteristics:
(i) Use of .click Top-Level Domain: All phishing webpages use the uncommon ".click" TLD.
(ii) Diverse Languages: Phishers prepare multilingual versions of the webpage for dissemination to victims from different countries.
(iii) Outdated Layout: The webpage layout is based on an outdated template of the Facebook login page.
(iv) Dynamic Logo Loading: The phishing webpage loads the logo dynamically via JavaScript rather than referencing the logo image directly with an img tag. This makes the page source harder to read.
(v) Input Obfuscation: While legitimate Facebook pages use meaningful HTML attributes such as type='email' or id='pass' for their input fields, phishing pages assign random attributes to minimize readability.

SonicWall Campaign:
We observe a phishing campaign targeting SonicWall, a cybersecurity company. The campaign includes the following observations:
(i) MyCloud Service Manipulation: The phishers abused the MyCloud service to host their websites.
(ii) Embedded Frame: Their HTML code loads an iframe pointing to "auth1.html", hosted by the phishers, which displays a credential-harvesting form.
(iii) Timeout Feature: The webpage includes a timeout mechanism that activates after about one minute, after which users are redirected to a page stating "Your login attempt has timed out".

Phishing Tactics

We further observe that the detected phishing websites exhibit the following tactics.

Redirection to Target Page: Phishers redirect users to the genuine target page after harvesting their credentials (Figure 1). This creates a false sense of security, leading victims to believe they have been interacting with the authentic webpage throughout the process.

Diversified Targets with Evasive Strategy: We observe that some phishing websites target multiple brands simultaneously. For example, the site https://x.xsteach.cf/ (Figure 2) presents a random phishing page targeting a different brand upon each visit. Notably, we identified six distinct phishing targets: cctv.com, weibo.com, iqiyi.com, bilibili.com, mooc.org, and xuetangx.com. This dynamic randomization broadens the range of brands a single site can attack. After multiple refreshes, the site redirects to the legitimate iqiyi.com, possibly as a countermeasure that blacklists specific IPs once a certain traffic threshold is reached.

Manipulation of Cloud Services: In the campaigns we observed, phishing attackers increasingly use cloud services to deploy phishing webpages. For instance, Western Digital's MyCloud service (wdmycloud) is being exploited for phishing. We identified 31 instances with domain names of the form device-<UUID>.remotewd.com. Each MyCloud user is assigned a device under remotewd.com, where "UUID" is the unique device identifier; phishers operate from these per-device hostnames, which makes it more challenging to trace the identities of the malicious actors.
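The campaign-grouping procedure from the Campaign Analysis section, applied to the device-<UUID>.remotewd.com hostnames described here, as an added Python example that is not the study's own pipeline: the records, the single-linkage clustering and the 0.6 similarity threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import date
from difflib import SequenceMatcher

# Constructed sample records (domain, targeted brand, detection date); illustrative, not study data.
RECORDS = [
    ("device-8b248998-6847-4def-9eb1-9b59fb283b04.remotewd.com", "SonicWall", date(2023, 5, 1)),
    ("device-1d0a7d34-ad6b-44fb-980a-ca0c2d6af315.remotewd.com", "SonicWall", date(2023, 5, 12)),
    ("device-00000000-0000-4000-8000-000000000001.remotewd.com", "SonicWall", date(2023, 5, 29)),
    ("facebook-login-verify.click", "Meta", date(2023, 5, 3)),
    ("facebook-login-secure.click", "Meta", date(2023, 5, 9)),
    ("meta-support-ticket.xyz", "Meta", date(2023, 5, 20)),
]
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def normalize(domain):
    """Collapse the per-device UUID in device-<UUID>.remotewd.com hosts so every
    MyCloud-hosted page compares as the same hostname template."""
    return UUID_RE.sub("<UUID>", domain.lower())

def similar(a, b, threshold=0.6):
    """Similarity of two normalized domain names (the 0.6 cut-off is an assumption)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio() >= threshold

def group_campaigns(records, threshold=0.6):
    """Group pages into campaigns: same targeted brand, then single-linkage clustering
    on domain similarity. Each campaign records its domains, first/last day and span."""
    by_brand = defaultdict(list)
    for domain, brand, day in records:
        by_brand[brand].append((domain, day))
    campaigns = []
    for brand, pages in by_brand.items():
        clusters = []
        for domain, day in pages:
            # Join the first cluster holding a similar domain, otherwise open a new one.
            hit = next((c for c in clusters if any(similar(domain, d, threshold) for d, _ in c)), None)
            if hit is None:
                hit = []
                clusters.append(hit)
            hit.append((domain, day))
        for c in clusters:
            days = [d for _, d in c]
            campaigns.append({"brand": brand, "domains": [d for d, _ in c], "start": min(days),
                              "end": max(days), "days": (max(days) - min(days)).days})
    return campaigns

def mean_duration(campaigns):
    """Average campaign length in days (the study reports about 16 for its five campaigns)."""
    return sum(c["days"] for c in campaigns) / len(campaigns)
```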

Figure 1 panels: Page 1: Landing page; Page 2: UserID page; Page 3: Email page; Page 4: Error page (false error message); Page 5: Loading page; Page 6: Redirect to the real login.adp.com/welcome.

Figure 1. An example of redirection to target site: https://cxeradp.tech

Figure 2. The phishing site https://x.xsteach.cf/ randomly displays one phishing page out of the six pages.