Hunting Spear Phishers Across the Internet

Existing server-based anti-phishing tools are designed around blacklisting, which has inherent drawbacks in terms of correctness, timeliness and completeness. In contrast, machine-learning methods have achieved success in detecting phishing sites by extracting dynamic features from domain names, such as their up-times and co-location with other malicious sites.

One of the major indicators of a spear-phishing campaign is the use of certificates that are self-signed, stolen or bought from a cheap certificate authority. In this paper, we present a machine-learning approach to detect spear-phishing sites and server infrastructure by extracting features from SSL certificates collected by daily Internet scans. Our model is trained on the characteristics of the certificate, its acquisition, and its ownership. We illustrate that our certificate-based detection approach greatly increases the difficulty for spear-phishers to masquerade.
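As an added illustration, not the paper's code and not its actual feature set, the following Go program derives three of the certificate-level signals the abstract names (self-signed, issuing organisation, lifetime) from a parsed X.509 certificate; the feature names, the sample host and the constructed self-signed certificate are assumptions so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFeatures is a hypothetical feature vector; the paper's actual feature set is not given.
type CertFeatures struct {
	SelfSigned   bool   // issuer == subject and the signature verifies under the cert's own key
	IssuerOrg    string // organisation of the issuing CA; "" when absent, as on self-signed certs
	ValidityDays int    // certificate lifetime in days (short lifetimes are cheap to churn)
}

// ExtractFeatures derives classifier inputs from one parsed certificate.
func ExtractFeatures(c *x509.Certificate) CertFeatures {
	f := CertFeatures{ValidityDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)}
	if len(c.Issuer.Organization) > 0 {
		f.IssuerOrg = c.Issuer.Organization[0]
	}
	// Verify the signature directly: CheckSignatureFrom would reject a leaf that lacks CA=true.
	f.SelfSigned = c.Subject.String() == c.Issuer.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	return f
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// SampleSelfSigned builds a constructed 90-day self-signed leaf for a hypothetical host; it is not a scanned certificate.
func SampleSelfSigned(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(90 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() { fmt.Printf("%+v\n", ExtractFeatures(SampleSelfSigned("login.example.test"))) }
```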

Our proposed model has several advantages over existing static, rule-based detection techniques. It does not require frequent updates from central servers and is adaptable to the dynamic features of malicious sites and server infrastructure. In addition, it can provide ample contextual data around a detection. Our model gives security professionals unprecedented visibility of spear-phishing threats even before they show up on blacklists.

Our model will be provided to the community as part of a self-hosted SSL certificate classifier service. The tool can be embedded into existing detection models and in turn can help foster data-driven security decisions on spear-phishing campaigns across the Internet.
