26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

Characterizing and Mitigating Phishing Attacks at ccTLD Scale

27 Oct 2024, 14:10
15m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)

Freyova 33 Praha 9 ⁠-⁠ Vysočany 190 00 Česká republika
In-Person Standard Presentation Session 3

Speaker

Mr Sebastian Castro (.IE)

Description

Phishing on the web is a form of social engineering and an attack vector for gaining access to the sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal of effectively identifying and combating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that together manage more than 8 million active domains, namely the Netherlands' .nl, Ireland's .ie, and Belgium's .be. The analysis spans up to 10 years and is based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using maliciously registered domains under their country's own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains can be compromised, reducing overall mimicry but bearing no registration or financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names, whereas most research works focus on detecting newly registered domain names instead. We find banks, financial institutions, and high-tech giants at the top of the most impersonated targets. We also show the impact of the ccTLDs' registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and is performed at both the web and DNS levels by different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their own policies and their impacts, with the goal of improving their own mitigation procedures.
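The distinction the abstract draws between maliciously registered and compromised domains, as an added worked example in Python that is not code from the paper or from any of the three registries. It assumes one common heuristic for the split, the age of the domain's registration at the time of the phishing report; the 90-day threshold, the PhishingReport fields, the brand-mimicry check and the sample reports are all assumptions constructed here, not data or methods taken from the paper. It computes the per-target-type breakdown (national versus international brands) and the overall share of compromised domains over the constructed sample:

```python
"""Split phishing domains into malicious registrations vs compromised sites.

Added example, not code from the paper or the .ie/.nl/.be registries.
Heuristic (an assumption, not necessarily the paper's own method): a domain
registered no more than MAX_AGE_DAYS before the phishing report is treated as
registered for the attack; an older domain is treated as a compromised
legitimate site.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from fractions import Fraction

MAX_AGE_DAYS = 90  # assumed threshold, tune against registry ground truth


@dataclass(frozen=True)
class PhishingReport:
    domain: str            # registered domain hosting the phishing page
    target: str            # impersonated brand
    target_national: bool  # brand is a national company of the ccTLD's country
    registered: date       # registration date from the registry's own data
    reported: date         # date the phishing URL was reported


def classify(report: PhishingReport, max_age_days: int = MAX_AGE_DAYS) -> str:
    """Return 'malicious_registration' or 'compromised' for one report."""
    age_days = (report.reported - report.registered).days
    if age_days < 0:
        # Registry data and the report disagree; do not silently mislabel.
        raise ValueError(f"{report.domain}: reported before it was registered")
    return "malicious_registration" if age_days <= max_age_days else "compromised"


def mimics_brand(domain: str, brand: str) -> bool:
    """True if the brand name is embedded in the domain's second-level label.

    Only a lower bound on mimicry: homoglyphs and abbreviations are not caught.
    """
    label = domain.lower().split(".")[0].replace("-", "")
    token = re.sub(r"[^a-z0-9]", "", brand.lower())
    return bool(token) and token in label


def summarize(reports: list[PhishingReport]) -> dict[str, dict[str, int]]:
    """Per target type: count of each strategy, brand-mimicking domains, total."""
    out: dict[str, dict[str, int]] = defaultdict(
        lambda: {"malicious_registration": 0, "compromised": 0, "mimics": 0, "total": 0}
    )
    for r in reports:
        key = "national" if r.target_national else "international"
        out[key][classify(r)] += 1
        out[key]["mimics"] += int(mimics_brand(r.domain, r.target))
        out[key]["total"] += 1
    return dict(out)


def compromised_share(reports: list[PhishingReport]) -> Fraction:
    """Exact fraction of reports that used a compromised domain."""
    compromised = sum(1 for r in reports if classify(r) == "compromised")
    return Fraction(compromised, len(reports))


# Constructed sample: hypothetical .ie domains and dates, not real phishing data.
SAMPLE_REPORTS = [
    PhishingReport("aib-secure-login.ie", "AIB", True, date(2024, 3, 2), date(2024, 3, 5)),
    PhishingReport("bankofireland-verify.ie", "Bank of Ireland", True, date(2024, 4, 10), date(2024, 4, 12)),
    PhishingReport("anpost-parcel-fee.ie", "An Post", True, date(2024, 5, 1), date(2024, 5, 3)),
    PhishingReport("greenfieldbakery.ie", "AIB", True, date(2015, 6, 12), date(2024, 6, 20)),
    PhishingReport("dublincarhire.ie", "Microsoft", False, date(2012, 1, 20), date(2024, 2, 11)),
    PhishingReport("corkknittingclub.ie", "Netflix", False, date(2016, 9, 9), date(2024, 3, 30)),
    PhishingReport("shannonplumbing.ie", "Apple", False, date(2010, 4, 4), date(2024, 4, 18)),
    PhishingReport("galwaygardens.ie", "DHL", False, date(2018, 11, 23), date(2024, 5, 15)),
    PhishingReport("wicklowhillwalks.ie", "PayPal", False, date(2019, 2, 14), date(2024, 7, 1)),
    PhishingReport("microsoft-account-check.ie", "Microsoft", False, date(2024, 8, 2), date(2024, 8, 3)),
]


if __name__ == "__main__":
    for target_type, counts in summarize(SAMPLE_REPORTS).items():
        print(target_type, counts)
    print("compromised share:", compromised_share(SAMPLE_REPORTS))
```

On the constructed sample the national brands are mostly hit through fresh, brand-mimicking registrations and the international brands through old, unrelated domains, which is the pattern the abstract reports; the registration-age threshold is the lever a registry would calibrate against its own abuse records before using such a split for mitigation.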

Summary

This is based on an accepted paper for a tier 1 security conference.
Our paper has been conditionally accepted, and cleared for acceptance by our shepherd.

We are just waiting for the final confirmation.

We compare phishing seen in .nl, .be, and .ie.

Talk duration 10 Minutes (+5 for Q&A)

Primary authors

Mr Giovane Moura (SIDN Labs)
Maciej Korczynski (Grenoble Institute of Technology)
Moritz Müller (SIDN)
Mr Sebastian Castro (.IE)
