TY - GEN
T1 - Characterizing and Mitigating Phishing Attacks at ccTLD Scale
AU - Moura, Giovane C.M.
AU - Daniels, Thomas
AU - Bosteels, Maarten
AU - Castro, Sebastian
AU - Müller, Moritz
AU - Wabeke, Thymen
AU - van den Hout, Thijs
AU - Korczynski, Maciej
AU - Smaragdakis, Georgios
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s).
PY - 2024/12/9
Y1 - 2024/12/9
N2 - Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identify and mitigate phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains – namely the Netherlands’ .nl, Ireland’s .ie, and Belgium’s .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country’s own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using any domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. Although most research works focus on detecting new domain names, we show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLDs’ registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures.
AB - Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identify and mitigate phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains – namely the Netherlands’ .nl, Ireland’s .ie, and Belgium’s .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country’s own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using any domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. Although most research works focus on detecting new domain names, we show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLDs’ registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures.
KW - ccTLD
KW - DNS
KW - Mitigation
KW - Phishing
KW - Policy
KW - Registry
UR - https://www.scopus.com/pages/publications/85215520646
U2 - 10.1145/3658644.3690192
DO - 10.1145/3658644.3690192
M3 - Conference contribution
AN - SCOPUS:85215520646
T3 - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
SP - 2147
EP - 2161
BT - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024
Y2 - 14 October 2024 through 18 October 2024
ER -