Phish-Net: Investigating phish clusters using drop email addresses

Phish-Net: Investigating phish clusters using drop email addresses

The most common approach to collect users' secret credentials from phishing websites is to email the credentials to criminals' email addresses which we call drop email addresses. We propose a clustering algorithm, which is based on the assumption that if there is a common drop email addres...

Full description

Saved in:
Bibliographic Details
Published in:2013 APWG eCrime Researchers Summit pp. 1 - 13
Main Authors: Zawoad, Shams, Dutta, Amit Kumar, Sprague, Alan, Hasan, Ragib, Britt, Jason, Warner, Gary
Format: Conference Proceeding
Language:English
Published: IEEE 01-09-2013
Subjects:
Cluster
Clustering algorithms
Companies
Data mining
Electronic mail
Investigation
Libraries
Merging
Phishing
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The most common approach to collect users' secret credentials from phishing websites is to email the credentials to criminals' email addresses which we call drop email addresses. We propose a clustering algorithm, which is based on the assumption that if there is a common drop email address found in the phishing kits from two different phishing websites, then these two websites are directly related. Based on obfuscated and plain-text drop email addresses, we produce two types of clusters: one is called phishing kit creator cluster and another is kit user cluster. Clustering related phishing websites using our proposed approach will allow phishing investigators to focus their investigative efforts on important phishing attacks rather than random attacks. For example, in January 2013, 1475 phishing websites are hosted by only 317 groups of phishers (who we will call kit users). Our scheme will thus help investigators to narrow investigation to pervasive phishing criminals. By analyzing the clusters generated using our clustering approach, we can determine the strongest and most pervasive phishers, and phishing kit creators, relationships between phishing kit creators and phishing kit users, and the most dominant phisher of one group. These findings have real-life implication in phishing investigation paradigm.
DOI:10.1109/eCRS.2013.6805777