Vincent Drury and Ulrike Meyer, Department of Computer Science, RWTH Aachen University
The share of phishing websites using HTTPS has been constantly increasing over the last years. As a consequence, the simple user advice to check whether a website is HTTPS-protected is no longer effective against phishing. At the same time, the use of certificates in the context of phishing raises the question if the information contained in them could be used to detect phishing websites. In this paper we take a first step towards answering this question. To this end, we analyze almost 10000 valid certificates queried from phishing websites and compare them to almost 40000 certificates collected from benign sites. Our analysis shows that it is generally impossible to differentiate between benign sites and phishing sites based on the content of their certificates alone. However, we present empirical evidence that current phishing websites for popular targets do typically not replicate the issuer and subject information.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Vincent Drury and Ulrike Meyer},
title = {Certified Phishing: Taking a Look at Public Key Certificates of Phishing Websites},
booktitle = {Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)},
year = {2019},
isbn = {978-1-939133-05-2},
address = {Santa Clara, CA},
pages = {211--223},
url = {https://www.usenix.org/conference/soups2019/presentation/drury},
publisher = {USENIX Association},
month = aug
}