Phishing in the Free Waters: A Study of Phishing Attacks Created using Free Website Building Services
View/ Open
Date
2023-10Author
Saha Roy, Sayak
Unique, Karanjit
Nilizadeh, Shirin
Metadata
Show full item recordAbstract
Free Website Building services (FWBs) provide individuals with
a cost-effective and convenient way to create a website without
requiring advanced technical knowledge or coding skills. However, malicious actors often abuse these services to host phishing
websites. In this work, we propose FreePhish, a scalable framework to continuously identify phishing websites that are created
using FWBs. Using FreePhish, we were able to detect and characterize more than 31.4K phishing URLs that were created using
17 unique free website builder services and shared on Twitter and
Facebook over a period of six months. We find that FWBs provide
attackers with several features that make it easier to create and
maintain phishing websites at scale while simultaneously evading anti-phishing countermeasures. Our study indicates that antiphishing blocklists and browser protection tools have significantly
lower coverage and high detection time against FWB phishing attacks when compared to regular (self-hosted) phishing websites.
While our prompt disclosure of these attacks helped some FWBs to
remove these attacks, we found several others who were slow at
removal or did not remove them outright, with the same also being
true for Twitter and Facebook. Finally, we also provide FreePhish
as a free Chromium web extension that can be utilized to prevent
end-users from accessing potential FWB-based phishing attacks