Abstract
The goal of anti-phishing techniques is to reduce the delivery rate of phishemails, and anti-phishing training aims to decrease the phishing click-through rates. This paper presents the X-Platform Phishing Attack, a deceptive phishing attack with an alarmingly high delivery and click-through rates, and highlights a subclass of phishing attacks that existing anti-phishing methods do not seem to be able to address. The main characteristic of this attack is that an attacker is able to embed a malicious link within a legitimate message generated by service providers (e.g., Github, Google, Amazon) and sends it using their infrastructure to his targets. This technique results in the bypassing of existing anti-phishing filters because it utilizes reputable service providers to generate seemingly legitimate emails. This also makes it highly likely for the targets of the attack to click on the phishing link as the email id of a legitimate provider is being used. An X-Platform Phishing attack can use email-based messaging and notification mechanisms such as friend requests, membership invitations, status updates, and customizable gift cards to embed and deliver phishing links to their targets. We have tested the delivery and click-through rates of this attack experimentally, based on a customized phishing email tunneled through GitHub’s pull-request mechanism. We observed that 100% of X-Platform Phishing emails passed the anti-phishing systems and were delivered to the inbox of the target subjects. All of the participants clicked on phishing messages, and in some cases, forwarded the message to other project collaborators who also clicked on the phishing links.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
It is pronounced Cross-Platform Phishing.
- 2.
A user identifier of users inside Github starting with @.
References
RFC 6376: DomainKeys Identified Mail (DKIM) Signatures. https://tools.ietf.org/html/rfc6376. Accessed 20 Dec 2016
Domain-based message authentication, reporting, and conformance (DMARC) (2015). https://tools.ietf.org/html/rfc7489. Accessed 17 Apr 2016
Bisson, D.: Sony Hackers Used Phishing Emails to Breach Company Networks. https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/. Accessed 20 Dec 2016
Krebs, B.: FBI: $1.2B Lost to Business Email Scams. https://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/. Accessed 20 Dec 2016
CBS: The phishing email that hacked the account of John Podesta. http://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/. Accessed 20 Dec 2016
CISCO: Email Attacks: This Time Its Personal. http://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/targeted_attacks.pdf. Accessed 20 Dec 2016
Geek.com: Major Open Source code repository hacked for months, says FSF. https://www.geek.com/news/major-open-source-code-repository-hacked-for-months-says-fsf-551344/. Accessed 20 Dec 2016
Github: Mastering Markdown. https://guides.github.com/features/mastering-markdown/. Accessed 20 Dec 2016
Jung, J., Sit, E.: An empirical study of spam traffic and the use of DNS black lists. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, pp. 370–375. ACM (2004)
Kitterman, S.: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. https://tools.ietf.org/html/rfc7208. Accessed 20 Dec 2016
Metsis, V., Androutsopoulos, I., Paliouras, G.: Spam filtering with naive bayes-which naive bayes? In: CEAS, pp. 27–28 (2006)
Motherboard: The hack we can’t see: All Signs Point to Russia Being Behind the DNC Hack. https://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack. Accessed 20 Dec 2016
Palka, S., McCoy, D.: Fuzzing e-mail filters with generative grammars and n-gram analysis. In: 9th USENIX Workshop on Offensive Technologies (WOOT 2015) (2015)
Jakobsson, M.: Traditional countermeasures to unwanted email. In: Jakobsson, M. (ed.) Understanding Social Engineering Based Scams, pp. 51–62. Springer, New York (2016). https://doi.org/10.1007/978-1-4939-6457-4_5
Symantec: Internet security threat report (ISTR) (2016). https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf. Accessed 20 Dec 2016
Torres-Arias, S., Ammula, A.K., Curtmola, R., Cappos, J.: On omitting commits and committing omissions: preventing git metadata tampering that (re) introduces software vulnerabilities. In: 25th USENIX Security Symposium, USENIX Security, vol. 16, pp. 10–12 (2016)
Verizon: 2016 Data Breach Investigations Report. http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pd. Accessed 20 Dec 2016
Wikipedia: Github. https://en.wikipedia.org/wiki/Github. Accessed 20 Dec 2016
Wikipedia: Half a million widely trusted websites vulnerable to Heartbleed bug. https://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html. Accessed 20 Dec 2016
ZDNet: Anatomy of the Target data breach. http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/. Accessed 20 Dec 2016
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Siadati, H., Nguyen, T., Memon, N. (2017). X-Platform Phishing: Abusing Trust for Targeted Attacks Short Paper. In: Brenner, M., et al. Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science(), vol 10323. Springer, Cham. https://doi.org/10.1007/978-3-319-70278-0_37
Download citation
DOI: https://doi.org/10.1007/978-3-319-70278-0_37
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70277-3
Online ISBN: 978-3-319-70278-0
eBook Packages: Computer ScienceComputer Science (R0)