PhishAri : automatic realtime phishing detection on Twitter

Abstract

With the advent of online social media, phishers have started using social networks like Twitter, Facebook, and Foursquare to spread phishing scams. Twitter is an immensely popular micro- blogging network where people post short messages of 140 characters called tweets. It has over 100 million active users who post about 200 million tweets everyday. Phishers have started using Twitter as a medium to spread phishing because of this vast information dissemination. Due to constraints of limited text space in social systems like Twitter, phishers have begun to use URL shortener services. In this study, we rst provide an overview of phishing attacks for this new scenario. One of our main conclusions was that phishers use URL shorteners not only for reducing space but also to hide their identity. We also observed that social media websites like Facebook, Habbo, Orkut are competing with e-commerce services like PayPal, eBay in terms of tra c and focus of phishers. 1 Further, it is di cult to detect phishing on Twitter unlike emails because of the quick spread of phishing links in the network, short size of the content, and use of URL obfuscation to shorten the URL. We developed a technique, PhishAri, 2 which detects phishing on Twitter in realtime. We use Twitter speci c features along with URL features to detect whether a tweet posted with a URL is phishing or not. Some of the Twitter speci c features we used are tweet content and its characteristics like length, hashtags, and mentions. Other Twitter features used are the characteristics of the Twitter user posting the tweet such as age of the account, number of tweets, and the follower-followee ratio. These TTwitterwitter speci c features coupled with URL based features proved to be a strong mechanism to detect phishing tweets. We used machine learning classi cation techniques and detected phishing tweets with an accuracy of 92.52%. We deployed our system for end-users by providing an easy to use Chrome browser extension. The extension works in realtime and classi es a tweet as phishing or safe. In this research, we showed that we were able to detect phishing tweets at zero hour with high accuracy which is much faster than public blacklists and as well as Twitter's own defense mechanism to detect malicious content. We also performed a quick user evaluation of PhishAri in a laboratory study to evaluate the usability and e ectiveness of PhishAri and showed that users like and nd it convenient to use PhishAri in real-world. Currently, there are 74 active users of PhishAri chrome extension. To the best of our knowledge, this is the rst realtime, comprehensive and usable system to detect phishing on Twitter.