
UAB Phishing Operations

Updated on Thu, 02/10/2011 - 11:30am

Since 2007, UAB researchers have gathered information about active phishing sites, archiving this information and sharing it with our law enforcement and corporate partners.  Jui Sonwalkar, a Computer & Information Sciences Master's student, supervises the Phishing Operations team.  She and her team receive potential phishing sites from several sources, including the UAB Spam Data Mine.  Their task is to determine whether each reported site is a real and active phishing site and, if so, which financial institution or online business it imitates.

So far in 2009, the team has identified more than 34,000 phishing sites for more than 240 financial institutions.  In addition, they review the websites to determine if they can find a "phishing kit" or a "shell" placed on the server by the hacker.  Many times these kits or shells can reveal the email address to which the criminal sends the stolen personal information gathered by his phishing site.  This information is shared each day on the UAB PhishIntel™ Tool, where it is available to hundreds of FBI Agents, Law Enforcement Officers, and Banking Security and Anti-phishing personnel.  The information is also shared with corporate partners who support our research.

UAB Phishing Operations works in a "Supervised Learning" mode.  The root of our operation is the "Deep MD5 Matching" algorithm created by Gary Warner and PhD candidate Brad Wardman.  This patent-pending algorithm fetches the webpage of each reported URL and determines whether it is a "known phishing site", not by comparing it to a list of "bad URLs", but by categorizing it based on comparison with our existing database of known phishing sites.  Matthew Grant, an alumnus of our Computer Forensics Certificate, now working for NASA's Office of the Inspector General, wrote the prototype of our Phishing Operations web interface.  This system queries the "PhishURLs" database to find "unlabeled" URLs, and reports these URLs to Jui's team for categorization.  As Jui and her team label the unknown pages, the system becomes able to recognize similar pages in the future.
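
A simplified sketch of the match-then-label loop described above, added here as an example; it is not UAB's patent-pending algorithm or code. It assumes a page is represented by the MD5 digests of its fetched files, that overlap is scored with the Kulczynski 2 coefficient, and a 0.5 threshold; the class, function and sample names are hypothetical.

```python
import hashlib

def fingerprint(files):
    """Set of MD5 digests, one per fetched file (HTML, images, CSS, scripts)."""
    return frozenset(hashlib.md5(body).hexdigest() for body in files.values())

def kulczynski2(a, b):
    """Assumed overlap score: mean of the shared fraction of each set."""
    if not a or not b:
        return 0.0
    shared = len(a & b)
    return 0.5 * (shared / len(a) + shared / len(b))

class PhishMatcher:
    """Hypothetical stand-in for the labeled database plus the analyst queue."""
    def __init__(self, threshold=0.5):      # threshold is an assumption
        self.threshold = threshold
        self.known = []                      # (brand, fingerprint) labeled by analysts
        self.unlabeled = {}                  # url -> fingerprint awaiting a label

    def classify(self, url, files):
        """Return (brand, score); brand is None when the page goes to the queue."""
        fp = fingerprint(files)
        brand, score = max(((b, kulczynski2(fp, k)) for b, k in self.known),
                           key=lambda m: m[1], default=(None, 0.0))
        if score >= self.threshold:
            return brand, score
        self.unlabeled[url] = fp             # no close match: ask a human
        return None, score

    def label(self, url, brand):
        """Analyst decision: move a queued page into the known set."""
        self.known.append((brand, self.unlabeled.pop(url)))

# Constructed sample pages (file name -> bytes); not real phishing data.
KIT = {"index.html": b"<form action='post.php'>v1</form>",
       "logo.gif": b"GIF89a-logo", "style.css": b"body{margin:0}"}
KIT_EDITED = {**KIT, "index.html": b"<form action='post.php'>v2</form>"}
UNRELATED = {"index.html": b"<h1>hello</h1>", "site.css": b"p{color:red}"}

def demo():
    m = PhishMatcher()
    first = m.classify("http://a.example/login", KIT)        # nothing known yet
    m.label("http://a.example/login", "ExampleBank")         # analyst labels it
    second = m.classify("http://b.example/login", KIT_EDITED)
    third = m.classify("http://c.example/", UNRELATED)
    return first, second, third, sorted(m.unlabeled)

if __name__ == "__main__":
    print(demo())
```

The edited copy of the kit is recognized on a new URL because two of its three files are byte-identical to the labeled page, which a list of "bad URLs" would miss.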

The ability to automatically detect phish continues to advance through collaboration among the Computer Forensics research group, the Knowledge Discovery & Data Mining research area, and the Natural Language Processing Laboratory.

Research Team:
   Brad Wardman, PhD Candidate, developer of phish matching algorithms
   Gaurang Shukla, Masters student, researching how websites are attacked to create phishing sites
   Jui Sonwalker, Masters student, leads phishing operations team
   Kenneth Paschal, CIS major, author of Weekly Phishing Intelligence report (available to law enforcement)
  
   Gary Warner, Director of Research in Computer Forensics


Related Papers:


Identifying Vulnerable Websites by Analysis of Common Strings in Phishing URLs.  Brad Wardman, Gaurang Shukla, Gary Warner.  Anti-Phishing Working Group eCrime Researchers Summit, October 19-21, 2009, Tacoma, Washington, USA.

An Empirical Analysis of Phishing Blacklists. Steve Sheng, Brad Wardman, Gary Warner, Lorrie Faith Cranor, Jason Hong, Chengshan Zhang. CEAS 2009 - Sixth Conference on Email and Anti-Spam, July 16-17, 2009, Mountain View, California, USA.

Automating Phishing Website Identification Through Deep MD5 Matching.  Brad Wardman, Gary Warner.  APWG eCrime Researchers Summit, October 14-16, 2008, Atlanta, Georgia, USA.
