Inside the Phishing Reel: Leveraging Browser Instrumentation to Analyse Evasive Phishing

  • João Pedro Favoretti, ITA
  • Fernando Dantas, Microsoft Security Research
  • Lourenço Alves Pereira Jr, ITA

Abstract


Phishing websites remain a persistent threat, compromising millions of user credentials each year. While advanced classifiers have improved detection accuracy, they rely on crawlers that are easily redirected by cloaking techniques, limiting their effectiveness in real-world deployments. In this work, we propose a novel data collection approach using a modified Chromium browser capable of collecting information from phishing samples despite client-server cloaking tactics. Using this approach, we collected 432,237 unique phishing samples over eight months and introduced a clustering algorithm that groups samples based on shared deployment characteristics, achieving a Normalized Mutual Information (NMI) score of 0.846.

Published
2025-09-01
FAVORETTI, João Pedro; DANTAS, Fernando; PEREIRA JR, Lourenço Alves. Inside the Phishing Reel: Leveraging Browser Instrumentation to Analyse Evasive Phishing. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 530-546. DOI: https://doi.org/10.5753/sbseg.2025.11391.