Evaluating the effectiveness of Phishing Reports on Twitter

TL;DR

This study analyzes Twitter phishing reports, revealing their potential in identifying threats despite low engagement, and compares their effectiveness to existing phishing feeds, highlighting their unique contributions and limitations.

Contribution

First comprehensive analysis of Twitter-based phishing reports, demonstrating their richness and potential for threat detection compared to traditional open-source feeds.

Findings

Twitter reports contain more detailed phishing information than open feeds.

Reported phishing URLs often remain active longer and are less overlapping with existing feeds.

Low user interaction limits the immediate impact of these reports.

Abstract

Phishing attacks are an increasingly potent web-based threat, with nearly 1.5 million websites created on a monthly basis. In this work, we present the first study towards identifying such attacks through phishing reports shared by users on Twitter. We evaluated over 16.4k such reports posted by 701 Twitter accounts between June to August 2021, which contained 11.1k unique URLs, and analyzed their effectiveness using various quantitative and qualitative measures. Our findings indicate that not only do these users share a high volume of legitimate phishing URLs, but these reports contain more information regarding the phishing websites (which can expedite the process of identifying and removing these threats), when compared to two popular open-source phishing feeds: PhishTank and OpenPhish. We also notice that the reported websites had very little overlap with the URLs existing in the other feeds, and also remained active for longer periods of time. But despite having these attributes, we found that these reports have very low interaction from other Twitter users, especially from the domains and organizations targeted by the reported URLs. Moreover, nearly 31% of these URLs were still active even after a week of them being reported, with 27% of them being detected by very few anti-phishing tools, suggesting that a large majority of these reports remain undiscovered, despite the majority of the follower base of these accounts being security focused users. Thus, this work highlights the effectiveness of the reports, and the benefits of using them as an open source knowledge base for identifying new phishing websites.