Researchers Demonstrate New Way to Detect MitM Phishing Kits in the Wild
2021-11-17 23:23

The technique comes from a new study by researchers from Stony Brook University and Palo Alto Networks, who demonstrate a fingerprinting method that identifies man-in-the-middle (MitM) phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of such phishing websites. MitM phishing kits sit as reverse proxies between the victim and the legitimate site, relaying the real pages while capturing the credentials and session tokens that pass through them.

Dubbed "PHOCA", after the Latin word for seals, the tool not only facilitates the discovery of previously unseen MitM phishing toolkits but can also be used to detect and isolate malicious requests coming from such servers.

The method devised by the researchers involves a machine learning classifier that utilizes network-level features such as TLS fingerprints and network timing discrepancies to classify phishing websites hosted by MitM phishing toolkits on reverse proxy servers.

The core idea is to measure the extra round-trip time a MitM phishing kit introduces: because the reverse proxy mediates the communication session, the interval between the victim's browser sending a request and receiving the response that originates from the target server is longer than it would be over a direct connection, and that discrepancy is measurable from the client side.
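To make the timing signal from the two paragraphs above concrete, here is an added illustration in Python. It is not PHOCA's code, and the three-phase measurement, the `http_over_tcp` feature and the threshold of 3.0 are assumptions of this example rather than figures from the study. The intuition it encodes: a reverse-proxy kit terminates TCP and TLS itself, so the handshake round trips reflect the distance to the proxy, while every HTTP request must be relayed to the real site and back, so the application-layer round trip is inflated relative to the handshakes. The sample timings are constructed, so the classification part runs offline; `measure_once` is a live probe using only the standard library.

```python
"""Timing heuristic for reverse-proxy (MitM) phishing kits. Added example, not PHOCA's code."""
import socket
import ssl
import statistics
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class TimingSample:
    """One probe of a host, in seconds per phase."""
    tcp_rtt: float   # connect(): SYN -> SYN/ACK, answered by whoever terminates TCP
    tls_rtt: float   # TLS handshake after connect, answered by whoever holds the certificate
    http_rtt: float  # GET sent -> first response byte; a proxy must relay this to the real site


def measure_once(host: str, port: int = 443, path: str = "/", timeout: float = 5.0) -> TimingSample:
    """Live probe (not exercised by the offline test); times the three phases separately."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    # wrap_socket() on an already-connected socket performs the handshake immediately.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    t2 = time.perf_counter()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: timing-probe\r\nConnection: close\r\n\r\n").encode()
    tls.sendall(request)
    tls.recv(1)  # block until the first byte of the response arrives
    t3 = time.perf_counter()
    tls.close()
    return TimingSample(tcp_rtt=t1 - t0, tls_rtt=t2 - t1, http_rtt=t3 - t2)


def timing_features(samples: Iterable[TimingSample]) -> Dict[str, float]:
    """Median per phase (robust to jitter) plus the ratios a classifier would consume."""
    samples = list(samples)
    if not samples:
        raise ValueError("need at least one sample")
    tcp = statistics.median(s.tcp_rtt for s in samples)
    tls = statistics.median(s.tls_rtt for s in samples)
    http = statistics.median(s.http_rtt for s in samples)
    floor = 1e-4  # 0.1 ms floor so a loopback or CDN edge cannot divide by ~zero
    return {
        "tcp_rtt": tcp,
        "tls_rtt": tls,
        "http_rtt": http,
        # Direct origin: HTTP RTT is about one network RTT plus server think time.
        # Reverse proxy: HTTP RTT additionally carries a proxy<->origin round trip.
        "http_over_tcp": http / max(tcp, floor),
        "http_over_tls": http / max(tls, floor),
    }


def looks_like_reverse_proxy(samples: Iterable[TimingSample], ratio_threshold: float = 3.0) -> bool:
    """Single-feature stand-in for a trained classifier; the threshold is an assumption."""
    return timing_features(samples)["http_over_tcp"] >= ratio_threshold


# Constructed samples (not measurements from the study) showing the two regimes.
DIRECT_ORIGIN: List[TimingSample] = [
    TimingSample(0.020, 0.024, 0.031),
    TimingSample(0.021, 0.025, 0.029),
    TimingSample(0.019, 0.023, 0.033),
]
# Kit hosted near the probe but relaying to an origin ~70 ms away: handshakes stay fast,
# the HTTP phase absorbs the extra hop.
PROXIED_KIT: List[TimingSample] = [
    TimingSample(0.010, 0.013, 0.095),
    TimingSample(0.011, 0.012, 0.091),
    TimingSample(0.009, 0.014, 0.099),
]

if __name__ == "__main__":
    for label, samples in (("direct", DIRECT_ORIGIN), ("proxied", PROXIED_KIT)):
        feats = timing_features(samples)
        print(f"{label:8s} http/tcp={feats['http_over_tcp']:.1f} "
              f"proxy={looks_like_reverse_proxy(samples)}")
```

Two caveats a practitioner should keep in mind. First, a single timing ratio also fires on legitimate reverse proxies such as CDN edges and load balancers, which is why the study pairs timing with TLS fingerprint features: the proxy terminates TLS with its own library, so the TLS stack it presents belongs to the kit, not to the brand it impersonates. Second, take several samples per host and use the median, as above; a single probe is dominated by jitter and the kit operator can add artificial delay to handshakes to flatten the ratio.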

In an experimental evaluation spanning 365 days, from March 25, 2020 to March 25, 2021, the study identified 1,220 sites operated with MitM phishing kits. They were concentrated in the U.S. and Europe and relied on hosting from Amazon, DigitalOcean, Microsoft, and Google.

"PHOCA can be directly integrated into current web infrastructure such as phishing blocklist services to expand their coverage on MitM phishing toolkits, as well as popular websites to detect malicious requests originating from MitM phishing toolkits," the researchers said, adding that uniquely identifying MitM phishing toolkits can "enhance the ability of web-service providers to pinpoint malicious login requests and flag them before authentication is completed."


News URL

https://thehackernews.com/2021/11/researchers-demonstrate-new-way-to.html