Author ORCID Identifier

Woonghee Lee https://orcid.org/0000-0002-9984-6879

Junbeom Hur https://orcid.org/0000-0002-4823-4194

Document Type

Article

Publication Date

7-2024

DOI

https://doi.org/10.1145/3634737.3657013

Abstract

Phishing kits have become increasingly popular among cybercriminals because they offer an easy-to-use and efficient way for phishing attackers to build phishing websites. Prior work on phishing kits has focused on analyzing specific behavioral features (e.g., evasion techniques), and measuring their effectiveness on the anti-phishing mechanisms. Unfortunately, such prior studies provide a limited perspective, either targeting specific phishing kits or not fully addressing the server-side strategies at the script level that offer insights into the phishing attacker’s view.

In this paper, we systematically conduct a comprehensive study of phishing kits at the script level, aiming to better understand the server-side behavior. Particularly, we design a crawler that periodically (every 15 mins) collects phishing kits used in the wild and client-side resources of real-world phishing websites (e.g., index.html, images, CSS, JavaScript) for 18 months. We utilize two types of our collected dataset (4,153 phishing kits and 2.4M phishing webpages) for our study. First, we classify user interaction patterns based on information-exfiltrating components of phishing kits into three categories: single-stage (non-real-time) phishing, multi-stage (non-real-time) phishing, and multi-stage (real-time) phishing. We then identify the potential information leakage of each pattern. Next, we conduct an in-depth script-level analysis of the evasive behaviors in the kits. Aiming to evaluate their practical impact on the phishing sites, we also measure how many phishing kits are used and deployed with an emphasis on the chronological trends for phishing attacks by clustering the landing pages of phishing kits with those of our collected phishing websites. Lastly, we discuss the security implications of our comprehensive study on web interaction, URL patterns/redirection, and kit-deployment trends in the phishing detection literature.
