Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Large-Scale Analysis of Phishing Websites Hosted on Free Web Hosting Domains

Sayak Saha Roy, Unique Karanjit, Shirin Nilizadeh

TL;DR

FreePhish tackles the growing problem of phishing websites hosted on Free Website Builders by introducing a scalable detection-and-reporting framework. It combines a streaming data collector, feature-based ML classifier, and automated reporting to FWBs and social platforms, plus longitudinal analysis of anti-phishing responses. The study identifies over 31,000 zero-day FWB phishing URLs across 17 FWBs within six months and reveals low coverage and slow response from blocklists and browser protections, underscoring gaps in current defenses. It also provides a Chromium extension to warn users about potential FWB phishing and releases an open dataset to support future research.

Abstract

Free Website Building services (FWBs) provide individuals with a cost-effective and convenient way to create a website without requiring advanced technical knowledge or coding skills. However, malicious actors often abuse these services to host phishing websites. In this work, we propose FreePhish, a scalable framework to continuously identify phishing websites that are created using FWBs. Using FreePhish, we were able to detect and characterize more than 31.4K phishing URLs that were created using 17 unique free website builder services and shared on Twitter and Facebook over a period of six months. We find that FWBs provide attackers with several features that make it easier to create and maintain phishing websites at scale while simultaneously evading anti-phishing countermeasures. Our study indicates that anti-phishing blocklists and browser protection tools have significantly lower coverage and high detection time against FWB phishing attacks when compared to regular (self-hosted) phishing websites. While our prompt disclosure of these attacks helped some FWBs to remove these attacks, we found several others who were slow at removal or did not remove them outright, with the same also being true for Twitter and Facebook. Finally, we also provide FreePhish as a free Chromium web extension that can be utilized to prevent end-users from accessing potential FWB-based phishing attacks.

A Large-Scale Analysis of Phishing Websites Hosted on Free Web Hosting Domains

TL;DR

FreePhish tackles the growing problem of phishing websites hosted on Free Website Builders by introducing a scalable detection-and-reporting framework. It combines a streaming data collector, feature-based ML classifier, and automated reporting to FWBs and social platforms, plus longitudinal analysis of anti-phishing responses. The study identifies over 31,000 zero-day FWB phishing URLs across 17 FWBs within six months and reveals low coverage and slow response from blocklists and browser protections, underscoring gaps in current defenses. It also provides a Chromium extension to warn users about potential FWB phishing and releases an open dataset to support future research.

Abstract

Free Website Building services (FWBs) provide individuals with a cost-effective and convenient way to create a website without requiring advanced technical knowledge or coding skills. However, malicious actors often abuse these services to host phishing websites. In this work, we propose FreePhish, a scalable framework to continuously identify phishing websites that are created using FWBs. Using FreePhish, we were able to detect and characterize more than 31.4K phishing URLs that were created using 17 unique free website builder services and shared on Twitter and Facebook over a period of six months. We find that FWBs provide attackers with several features that make it easier to create and maintain phishing websites at scale while simultaneously evading anti-phishing countermeasures. Our study indicates that anti-phishing blocklists and browser protection tools have significantly lower coverage and high detection time against FWB phishing attacks when compared to regular (self-hosted) phishing websites. While our prompt disclosure of these attacks helped some FWBs to remove these attacks, we found several others who were slow at removal or did not remove them outright, with the same also being true for Twitter and Facebook. Finally, we also provide FreePhish as a free Chromium web extension that can be utilized to prevent end-users from accessing potential FWB-based phishing attacks.
Paper Structure (18 sections, 4 equations, 13 figures, 4 tables)

This paper contains 18 sections, 4 equations, 13 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Historical Pervasiveness of FWB Phishing Attacks
  3. Characterizing FWB Phishing Attacks
  4. FreePhish Framework
  5. Streaming and Pre-processing Module
  6. Classification Module
  7. Reporting Module
  8. Analysis Module
  9. Measurement Results
  10. Blocklist Performance
  11. Browser Protection Tool Coverage
  12. Coverage and Response of FWB Services
  13. Platform Effectiveness
  14. Qualitative Analysis of Evasive Attacks
  15. Related Work
  16. ...and 3 more sections

Figures (13)

  • Figure 1: Distribution of FWB phishing attacks shared on Twitter and Facebook from Jan. 2020 to Aug. 2022.
  • Figure 2: Example of a phishing website created on Weebly, a FWB service, and shared on Facebook. Note - This website has already been taken down, and thus the full URL string is not obfuscated from the image.
  • Figure 3: Example shows FWB websites created using Google Sites share the same certification as YouTube. Note - The phishing website has already been taken down, and thus the full URL string is not obfuscated from the image.
  • Figure 4: High-level overview of the FreePhish framework
  • Figure 5: Targetted Organizations
  • ...and 8 more figures