Discovering HTTPSified Phishing Websites Using the TLS Certificates Footprints

Yuji Sakurai, Takuya Watanabe, Tetsuya Okuda, Mitsuaki Akiyama, Tatsuya Mori

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

With the recent rise of HTTPS adoption on the Web, attackers have begun "HTTPSifying"phishing websites. HTTPSifying a phishing website has the advantage of making the website appear legitimate and evading conventional detection methods that leverage URLs or web contents in the network. Further, adopting HTTPS could also contribute to generating intrinsic footprints and provide defenders with a great opportunity to monitor and detect websites, including phishing sites, as they would need to obtain a public-key certificate issued for the preparation of the websites. The potential benefits of certificate-based detection include (1) the comprehensive monitoring of all HTTPSified websites by using certificates immediately after their issuance, even if the attacker utilizes dynamic DNS (DDNS) or hosting services; this could be overlooked with the conventional domain-registration-based approaches; and (2) to detect phishing websites before they are published on the Internet. Accordingly, we address the following research question: How can we make use of the footprints of TLS certificates to defend against phishing attacks? For this, we collected a large set of TLS certificates corresponding to phishing websites from Certificate Transparency (CT) logs and extensively analyzed these TLS certificates. We demonstrated that a template of common names, which are equivalent to the fully qualified domain names, obtained through the clustering analysis of the certificates can be used for the following promising applications: (1) The discovery of previously unknown phishing websites with low false positives and (2) understanding the infrastructure used to generate the phishing websites. We use our findings on the abuse of free certificate authorities (CAs) for operating HTTPSified phishing websites to discuss possible solutions against such abuse and provide a recommendation to the CAs.

Original languageEnglish
Title of host publicationProceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages522-531
Number of pages10
ISBN (Electronic)9781728185972
DOIs
Publication statusPublished - 2020 Sep
Event5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 - Virtual, Genoa, Italy
Duration: 2020 Sep 72020 Sep 11

Publication series

NameProceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

Conference

Conference5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
CountryItaly
CityVirtual, Genoa
Period20/9/720/9/11

Keywords

  • HTTPS
  • Phishing
  • Public-Key Certificate

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'Discovering HTTPSified Phishing Websites Using the TLS Certificates Footprints'. Together they form a unique fingerprint.

Cite this