Characterizing and Mitigating Phishing Attacks at ccTLD Scale (extended)

Giovane C. M. Moura, Thomas Daniels, Maarten Bosteels, Sebastian Castro, Moritz Müller, Thymen Wabeke, Thijs van den Hout, Maciej Korczyński, G. Smaragdakis

Research output: Book/Report › Report › Scientific


Abstract

Phishing on the web is a form of social engineering and an attack vector for gaining access to the sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal of effectively identifying and combating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains, namely the Netherlands' .nl, Ireland's .ie, and Belgium's .be. We perform a longitudinal analysis of phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using maliciously registered domains under their country's own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains can be compromised, reducing overall mimicry but bearing no registration or financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names, whereas most research works focus on detecting newly registered domain names instead. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLD registration and abuse-handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both the web and DNS level by different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and their impact, with the goal of improving mitigation procedures.
Original language: English
Place of publication: Delft
Publisher: Delft University of Technology, Faculteit Elektrotechniek, Wiskunde en Informatica
Number of pages: 24
Volume: EWI-TR-2024-1
Publication status: Published - 2024

Bibliographical note

This technical report is an extended version of the original paper that appears at ACM CCS 2024.
It contains appendices that the CCS paper does not contain.
