A Large-Scale Analysis of Phishing Websites Hosted on Free Web Hosting Domains

TL;DR

This study introduces FreePhish, a scalable framework for detecting phishing websites hosted on free web hosting domains, revealing their prevalence, evasion tactics, and the challenges faced by existing defenses.

Contribution

We developed FreePhish, a novel framework to identify and analyze phishing sites on free web hosting services, providing insights into their characteristics and detection challenges.

Findings

Over 31,400 phishing URLs detected on 17 free hosting services

FWB phishing sites evade traditional anti-phishing tools more effectively

Some FWBs and social platforms are slow to remove phishing content

Abstract

Free Website Building services (FWBs) provide individuals with a cost-effective and convenient way to create a website without requiring advanced technical knowledge or coding skills. However, malicious actors often abuse these services to host phishing websites. In this work, we propose FreePhish, a scalable framework to continuously identify phishing websites that are created using FWBs. Using FreePhish, we were able to detect and characterize more than 31.4K phishing URLs that were created using 17 unique free website builder services and shared on Twitter and Facebook over a period of six months. We find that FWBs provide attackers with several features that make it easier to create and maintain phishing websites at scale while simultaneously evading anti-phishing countermeasures. Our study indicates that anti-phishing blocklists and browser protection tools have significantly lower coverage and high detection time against FWB phishing attacks when compared to regular (self-hosted) phishing websites. While our prompt disclosure of these attacks helped some FWBs to remove these attacks, we found several others who were slow at removal or did not remove them outright, with the same also being true for Twitter and Facebook. Finally, we also provide FreePhish as a free Chromium web extension that can be utilized to prevent end-users from accessing potential FWB-based phishing attacks.