• DocumentCode
    1809600
  • Title

    Discovering phishing dropboxes using email metadata

  • Author

    Moore, Tyler ; Clayton, Richard

  • Author_Institution
    Dept. of Comput. Sci. & Eng., Southern Methodist Univ., Dallas, TX, USA
  • fYear
    2012
  • fDate
    23-24 Oct. 2012
  • Firstpage
    1
  • Lastpage
    9
  • Abstract
    The criminals who operate phishing scams often deliver harvested credentials to email accounts under their control - but it is difficult, in the general case, to identify these so-called 'dropboxes'. We devise three techniques to identify dropboxes and associated phishing websites by leveraging lists of known phishing websites and metadata maintained by email providers. We demonstrate the techniques' effectiveness using data held by anti-phishing organizations and an email provider. To directly identify dropboxes, we posted fake but distinctive credentials into 170 PayPal phishing pages and inspected an email provider's anti-spam metadata. This metadata recorded the presence of our credentials matching 28 of the phishing pages sending credentials to 17 distinct dropboxes at this particular email provider. We indirectly identified 24 additional dropboxes by searching for email subjects similar to previously-uncovered dropboxes. Based on these findings, we estimate an upper bound of 120-160 criminals ran phishing attacks against PayPal in July 2012, a smaller figure than might be expected from the 26 900 PayPal distinct phishing URLs they are known to have employed, spread across 13 018 different hostnames. Finally, in some cases we could extend our metadata processing by running an 'intersection attack'. Whenever victims receive the same URLs as other victims, it is likely that the common URL is for a phishing page. Preliminary evidence suggests that the false positive rate for intersection attacks is low. Furthermore, it can be used to notify impersonated brands immediately after victims disclose their credentials and identify more phishing sites faster than traditional methods currently achieve.
  • Keywords
    Web sites; computer crime; meta data; unsolicited e-mail; PayPal phishing pages; antiphishing organizations; antispam metadata; credential matching; dropbox identification; email accounts; email metadata; email providers; intersection attack; phishing URL; phishing Web sites; phishing attack; phishing dropbox discovery; phishing scams; upper bound;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    eCrime Researchers Summit (eCrime), 2012
  • Conference_Location
    Las Croabas
  • ISSN
    2159-1237
  • Print_ISBN
    978-1-4673-2544-8
  • Type

    conf

  • DOI
    10.1109/eCrime.2012.6489515
  • Filename
    6489515