X-Platform Phishing: Abusing Trust for Targeted Attacks Short Paper

  • Hossein SiadatiEmail author
  • Toan Nguyen
  • Nasir Memon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10323)


The goal of anti-phishing techniques is to reduce the delivery rate of phishemails, and anti-phishing training aims to decrease the phishing click-through rates. This paper presents the X-Platform Phishing Attack, a deceptive phishing attack with an alarmingly high delivery and click-through rates, and highlights a subclass of phishing attacks that existing anti-phishing methods do not seem to be able to address. The main characteristic of this attack is that an attacker is able to embed a malicious link within a legitimate message generated by service providers (e.g., Github, Google, Amazon) and sends it using their infrastructure to his targets. This technique results in the bypassing of existing anti-phishing filters because it utilizes reputable service providers to generate seemingly legitimate emails. This also makes it highly likely for the targets of the attack to click on the phishing link as the email id of a legitimate provider is being used. An X-Platform Phishing attack can use email-based messaging and notification mechanisms such as friend requests, membership invitations, status updates, and customizable gift cards to embed and deliver phishing links to their targets. We have tested the delivery and click-through rates of this attack experimentally, based on a customized phishing email tunneled through GitHub’s pull-request mechanism. We observed that 100% of X-Platform Phishing emails passed the anti-phishing systems and were delivered to the inbox of the target subjects. All of the participants clicked on phishing messages, and in some cases, forwarded the message to other project collaborators who also clicked on the phishing links.


Targeted attack Phishing Cross-platform attack 


  1. 1.
    RFC 6376: DomainKeys Identified Mail (DKIM) Signatures. Accessed 20 Dec 2016
  2. 2.
    Domain-based message authentication, reporting, and conformance (DMARC) (2015). Accessed 17 Apr 2016
  3. 3.
    Bisson, D.: Sony Hackers Used Phishing Emails to Breach Company Networks. Accessed 20 Dec 2016
  4. 4.
    Krebs, B.: FBI: $1.2B Lost to Business Email Scams. Accessed 20 Dec 2016
  5. 5.
    CBS: The phishing email that hacked the account of John Podesta. Accessed 20 Dec 2016
  6. 6.
  7. 7. Major Open Source code repository hacked for months, says FSF. Accessed 20 Dec 2016
  8. 8.
    Github: Mastering Markdown. Accessed 20 Dec 2016
  9. 9.
    Jung, J., Sit, E.: An empirical study of spam traffic and the use of DNS black lists. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, pp. 370–375. ACM (2004)Google Scholar
  10. 10.
    Kitterman, S.: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. Accessed 20 Dec 2016
  11. 11.
    Metsis, V., Androutsopoulos, I., Paliouras, G.: Spam filtering with naive bayes-which naive bayes? In: CEAS, pp. 27–28 (2006)Google Scholar
  12. 12.
    Motherboard: The hack we can’t see: All Signs Point to Russia Being Behind the DNC Hack. Accessed 20 Dec 2016
  13. 13.
    Palka, S., McCoy, D.: Fuzzing e-mail filters with generative grammars and n-gram analysis. In: 9th USENIX Workshop on Offensive Technologies (WOOT 2015) (2015)Google Scholar
  14. 14.
    Jakobsson, M.: Traditional countermeasures to unwanted email. In: Jakobsson, M. (ed.) Understanding Social Engineering Based Scams, pp. 51–62. Springer, New York (2016). CrossRefGoogle Scholar
  15. 15.
    Symantec: Internet security threat report (ISTR) (2016). Accessed 20 Dec 2016
  16. 16.
    Torres-Arias, S., Ammula, A.K., Curtmola, R., Cappos, J.: On omitting commits and committing omissions: preventing git metadata tampering that (re) introduces software vulnerabilities. In: 25th USENIX Security Symposium, USENIX Security, vol. 16, pp. 10–12 (2016)Google Scholar
  17. 17.
    Verizon: 2016 Data Breach Investigations Report. Accessed 20 Dec 2016
  18. 18.
    Wikipedia: Github. Accessed 20 Dec 2016
  19. 19.
    Wikipedia: Half a million widely trusted websites vulnerable to Heartbleed bug. Accessed 20 Dec 2016
  20. 20.

Copyright information

© International Financial Cryptography Association 2017

Authors and Affiliations

  1. 1.New York UniversityNew York CityUSA

Personalised recommendations