Google's anti-phishing system, which is supposed to protect mobile browsers, was ineffective at identifying phishing sites from mid-2017 to the end of 2018, according to the research project "PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists".
The Laboratory of Security Engineering for Future Computing (SEFCOM) carried out the study, with support from the Anti-Phishing Working Group and PayPal.
Browser vendors add recognized phishing sites to a blocklist, and the browser then refuses to take you to those sites. Google Safe Browsing (GSB) is an example of a blocklist of this kind, and it works not only with Google Chrome but also with Firefox and Safari. SmartScreen, in turn, is Microsoft’s blocklist, responsible for keeping the Internet Explorer and Edge browsers safe.
Scammers use a technique called cloaking, in which a site is hidden from some of its visitors, to avoid these blocklists. According to the academic study, cloaking is quite effective, and the study disclosed a flaw in GSB’s mobile browser protection that had been there for almost a year.
The researchers created 2,380 phishing sites on .com domains. Each site either used one of five cloaking techniques taken from phishing kits or belonged to a control group with no cloaking.
Each filter blocked all visitors except the group it names:
A - Control Group
B - Devices with Android or iOS operating systems
C - GSB-protected browsers used by US citizens on Windows, Linux or Mac
D - Other users with GSB-protected browsers outside the US
E - Non-secure entities
F - JavaScript-based browsers
Ten anti-phishing mechanisms from prominent companies were tested against these techniques. On average, a single browser was able to block 23% of the phishing URLs, the research says.
The test sites protected with filters E and F were not detected by the mobile browsers Chrome, Firefox, and Safari. They were not identified even when the sites were uncloaked.
The mobile API in GSB was meant to optimize data usage, but it instead weakened the mobile browsers’ protection.
In the PhishFarm tests, SmartScreen, Microsoft's mobile browser protection for Edge, proved to be the most effective against phishing sites. This anti-phishing blocklist assessed new URLs with heuristics, looking for telltale signs such as deceptive domain names.
The researchers suggested that protection could be improved if every browser blocklist shared its information with the other browser blocklists. Third-party clearinghouses like the Anti-Phishing Working Group (APWG) and PhishTank give better protection on all browsers, but their timing and accuracy cannot match the protection provided directly by browser vendors.
The researchers then assisted Google in improving its mobile browser protection. Still, to ensure that you are fully secure, use different vendors and, most importantly, your common sense. Do not click any link; preferably use bookmarks or type links manually.
Photo: CalypsoArt / Getty Images