Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale

Marzieh Bitaab; Haehyun Cho; Adam Oest; Zhuoer Lyu; Wei Wang; Jorij Abraham; Ruoyu Wang; Tiffany Bao; Yan Shoshitaishvili; Adam Doupé

doi:10.1109/SP46215.2023.10179461

Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale

Marzieh Bitaab, Haehyun Cho, Adam Oest, Zhuoer Lyu, Wei Wang, Jorij Abraham, Ruoyu Wang, Tiffany Bao, Yan Shoshitaishvili, Adam Doupé

Engineering, Ira A. Fulton Schools of (IAFSE)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Despite recent advancements in malicious website detection and phishing mitigation, the security ecosystem has paid little attention to Fraudulent e-Commerce Websites (FCWs), such as fraudulent shopping websites, fake charities, and cryptocurrency scam websites. Even worse, there are no active large-scale mitigation systems or publicly available datasets for FCWs.In this paper, we first propose an efficient and automated approach to gather FCWs through crowdsourcing. We identify eight different types of non-phishing FCWs and derive key defining characteristics. Then, we find that anti-phishing mitigation systems, such as Google Safe Browsing, have a detection rate of just 0.46% on our dataset. We create a classifier, BEYOND PHISH, to identify FCWs using manually defined features based on our analysis. Validating BEYOND PHISH on never-before-seen (untrained and untested data) through a user study indicates that our system has a high detection rate and a low false positive rate of 98.34% and 1.34%, respectively. Lastly, we collaborated with a major Internet security company, Palo Alto Networks, as well as a major financial services provider, to evaluate our classifier on manually labeled real-world data. The model achieves a false positive rate of 2.46% and a 94.88% detection rate, showing potential for real-world defense against FCWs.

Original language	English (US)
Title of host publication	Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	2566-2583
Number of pages	18
ISBN (Electronic)	9781665493369
DOIs	https://doi.org/10.1109/SP46215.2023.10179461
State	Published - 2023
Event	44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, United States Duration: May 22 2023 → May 25 2023

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2023-May
ISSN (Print)	1081-6011

Conference

Conference	44th IEEE Symposium on Security and Privacy, SP 2023
Country/Territory	United States
City	Hybrid, San Francisco
Period	5/22/23 → 5/25/23

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Access to Document

10.1109/SP46215.2023.10179461

Cite this

Bitaab, M., Cho, H., Oest, A., Lyu, Z., Wang, W., Abraham, J., Wang, R., Bao, T., Shoshitaishvili, Y., & Doupé, A. (2023). Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale. In Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023 (pp. 2566-2583). (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP46215.2023.10179461

Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale. / Bitaab, Marzieh; Cho, Haehyun; Oest, Adam et al.
Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023. Institute of Electrical and Electronics Engineers Inc., 2023. p. 2566-2583 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bitaab, M, Cho, H, Oest, A, Lyu, Z, Wang, W, Abraham, J, Wang, R , Bao, T , Shoshitaishvili, Y & Doupé, A 2023, Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale. in Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023. Proceedings - IEEE Symposium on Security and Privacy, vol. 2023-May, Institute of Electrical and Electronics Engineers Inc., pp. 2566-2583, 44th IEEE Symposium on Security and Privacy, SP 2023, Hybrid, San Francisco, United States, 5/22/23. https://doi.org/10.1109/SP46215.2023.10179461

@inproceedings{9ee29c567f5b4f4590932aac4de69ab9,

title = "Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale",

abstract = "Despite recent advancements in malicious website detection and phishing mitigation, the security ecosystem has paid little attention to Fraudulent e-Commerce Websites (FCWs), such as fraudulent shopping websites, fake charities, and cryptocurrency scam websites. Even worse, there are no active large-scale mitigation systems or publicly available datasets for FCWs.In this paper, we first propose an efficient and automated approach to gather FCWs through crowdsourcing. We identify eight different types of non-phishing FCWs and derive key defining characteristics. Then, we find that anti-phishing mitigation systems, such as Google Safe Browsing, have a detection rate of just 0.46% on our dataset. We create a classifier, BEYOND PHISH, to identify FCWs using manually defined features based on our analysis. Validating BEYOND PHISH on never-before-seen (untrained and untested data) through a user study indicates that our system has a high detection rate and a low false positive rate of 98.34% and 1.34%, respectively. Lastly, we collaborated with a major Internet security company, Palo Alto Networks, as well as a major financial services provider, to evaluate our classifier on manually labeled real-world data. The model achieves a false positive rate of 2.46% and a 94.88% detection rate, showing potential for real-world defense against FCWs.",

author = "Marzieh Bitaab and Haehyun Cho and Adam Oest and Zhuoer Lyu and Wei Wang and Jorij Abraham and Ruoyu Wang and Tiffany Bao and Yan Shoshitaishvili and Adam Doup{\'e}",

note = "Funding Information: We thank the anonymous reviewers for their valuable feedback. Our appreciation also extends to the two industry organizations for their insightful contributions and collaboration. This work was supported in part by the Defense Advanced Research Projects Agency (DARPA) CHESS (No. FA8750-19C-0003), the NSF grant 2000792, the Korea Internet & Security Agency (KISA) grant funded by the Personal Information Protection Commission (PIPC) (No. 1781000003), and the Department of Defense. We gratefully acknowledge their support. Publisher Copyright: {\textcopyright} 2023 IEEE.; 44th IEEE Symposium on Security and Privacy, SP 2023 ; Conference date: 22-05-2023 Through 25-05-2023",

year = "2023",

doi = "10.1109/SP46215.2023.10179461",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "2566--2583",

booktitle = "Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023",

}

TY - GEN

T1 - Beyond Phish

T2 - 44th IEEE Symposium on Security and Privacy, SP 2023

AU - Bitaab, Marzieh

AU - Cho, Haehyun

AU - Oest, Adam

AU - Lyu, Zhuoer

AU - Wang, Wei

AU - Abraham, Jorij

AU - Wang, Ruoyu

AU - Bao, Tiffany

AU - Shoshitaishvili, Yan

AU - Doupé, Adam

N1 - Funding Information: We thank the anonymous reviewers for their valuable feedback. Our appreciation also extends to the two industry organizations for their insightful contributions and collaboration. This work was supported in part by the Defense Advanced Research Projects Agency (DARPA) CHESS (No. FA8750-19C-0003), the NSF grant 2000792, the Korea Internet & Security Agency (KISA) grant funded by the Personal Information Protection Commission (PIPC) (No. 1781000003), and the Department of Defense. We gratefully acknowledge their support. Publisher Copyright: © 2023 IEEE.

PY - 2023

Y1 - 2023

N2 - Despite recent advancements in malicious website detection and phishing mitigation, the security ecosystem has paid little attention to Fraudulent e-Commerce Websites (FCWs), such as fraudulent shopping websites, fake charities, and cryptocurrency scam websites. Even worse, there are no active large-scale mitigation systems or publicly available datasets for FCWs.In this paper, we first propose an efficient and automated approach to gather FCWs through crowdsourcing. We identify eight different types of non-phishing FCWs and derive key defining characteristics. Then, we find that anti-phishing mitigation systems, such as Google Safe Browsing, have a detection rate of just 0.46% on our dataset. We create a classifier, BEYOND PHISH, to identify FCWs using manually defined features based on our analysis. Validating BEYOND PHISH on never-before-seen (untrained and untested data) through a user study indicates that our system has a high detection rate and a low false positive rate of 98.34% and 1.34%, respectively. Lastly, we collaborated with a major Internet security company, Palo Alto Networks, as well as a major financial services provider, to evaluate our classifier on manually labeled real-world data. The model achieves a false positive rate of 2.46% and a 94.88% detection rate, showing potential for real-world defense against FCWs.

AB - Despite recent advancements in malicious website detection and phishing mitigation, the security ecosystem has paid little attention to Fraudulent e-Commerce Websites (FCWs), such as fraudulent shopping websites, fake charities, and cryptocurrency scam websites. Even worse, there are no active large-scale mitigation systems or publicly available datasets for FCWs.In this paper, we first propose an efficient and automated approach to gather FCWs through crowdsourcing. We identify eight different types of non-phishing FCWs and derive key defining characteristics. Then, we find that anti-phishing mitigation systems, such as Google Safe Browsing, have a detection rate of just 0.46% on our dataset. We create a classifier, BEYOND PHISH, to identify FCWs using manually defined features based on our analysis. Validating BEYOND PHISH on never-before-seen (untrained and untested data) through a user study indicates that our system has a high detection rate and a low false positive rate of 98.34% and 1.34%, respectively. Lastly, we collaborated with a major Internet security company, Palo Alto Networks, as well as a major financial services provider, to evaluate our classifier on manually labeled real-world data. The model achieves a false positive rate of 2.46% and a 94.88% detection rate, showing potential for real-world defense against FCWs.

UR - http://www.scopus.com/inward/record.url?scp=85164407562&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85164407562&partnerID=8YFLogxK

U2 - 10.1109/SP46215.2023.10179461

DO - 10.1109/SP46215.2023.10179461

M3 - Conference contribution

AN - SCOPUS:85164407562

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 2566

EP - 2583

BT - Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 May 2023 through 25 May 2023

ER -

Beyond Phish: Toward Detecting Fraudulent e-Commerce Websites at Scale

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this