Cyberspace of Shujun LI


Title Page

A Novel Anti-Phishing Framework Based on Honeypots

Shujun Li1 and Roland Schmitz2

1 University of Konstanz, Germany
2 Stuttgart Media University, Germany

In Proceedings of 4th Annual APWG eCrime Researchers Summit 2009 (APWG eCrime/eCRS 2009, Tacoma, WA, USA, October 20 & 21, 2009), IEEE.

Copyright 2009 IEEE. Published in Proceedings of 4th Annual APWG eCrime Researchers Summit 2009 (APWG eCrime/eCRS 2009, Tacoma, WA, USA, October 20 & 21, 2009), 2009, DOI: 10.1109/ECRIME.2009.5342609. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE. Contact: Manager, Copyrights and Permissions / IEEE Service Center / 445 Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA. Telephone: + Intl. 908-562-3966.


As a powerful anti-phishing tool, honeypots have been widely used by security service providers and financial institutes to collect phishing mails, so that new phishing sites can be earlier detected and quickly shut down. Another popular use of honeypots is to collect useful information about phishers’ activities, which is used to make various kinds of statistics for the purposes of research and forensics. Recently, it has also been proposed to actively feed phishers with honeytokens. In the present paper, we discuss some problems of existing antiphishing solutions based on honeypots. We propose to overcome these problems by transforming the real e-banking system itself into a honeypot equipped with honeytokens and supported by some other kinds of honeypots. A phishing detector is used to automatically detect suspicious phishers’ attempts of stealing money from victims’ accounts, and then ask for the potential victims’ reconfirmation. This leads to a novel anti-phishing framework based on honeypots. As an indispensable part of the framework, we also propose to use phoneybots, i.e., active honeypots running in virtual machines and mimicking real users’ behavior to access the real ebanking system automatically, in order to submit honeytokens to pharmers and phishing malware. The involvement of phoneybots is crucial to fight gainst advanced phishing attacks such as pharming and malware-based phishing attacks.


Phishing Information Flow vs. Anti-Phishing Measures

Phishing Information Flow
  • Step 1: blocking the information flow from phishers to potential victims
    • phishing email detection and filtering, email authentication, anti-malware software, cousin domain rejection, and so on.
  • Step 2-4: avoiding credential leakage
    • user education, phishing site warning, inconsistent DNS information detection, cross-site/injected script rejection, mutual authentication, trusted path between user and web browser, delayed password disclosure, and so on.
  • Step 5: preventing phishers from getting stolen credentials
    • early detection and quick takedown of phishing sites, fake credential submission, password rescue, and so on.
  • Step 6: making stolen credentials useless
    • two-factor user authentication, password hashing, transaction monitoring and reconfirmation, and so on.
  • Step 7: preventing phishers from getting the stolen money, or catching phishers
    • transaction authentication, intentional transaction delay, law enforcement, and so on.
Key problems with existing anti-phishing measures:
  1. A 100% automatic detection of any statistical feature of phishing is theoretically impossible.
  2. Any countermeasures depending on end users’ judgement and action may fail to some extent.
  3. Many countermeasures require additional hardware or software at the user side.

Existing Anti-Phishing Honeypots: Problems and Solutions

Why Honeypots?

Existing Anti-Phishing Honeypots

Problems & Solutions

Our Anti-Phishing Framework

Phishing Information Flow

Appendix: Two Enhanced TAN Schemes

In the appendix of this paper, we also proposed two enhanced TAN schemes that can resist phishing attacks more effectively than the still widely-used iTAN scheme in German banking sector.

Advanced iTAN



[1]  M. Jakobsson and S. Myers, Eds., Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, John Wiley & Sons, Inc., 2007.
[2]  M. Chandrasekaran, R. Chinchani and S. Upadhyaya, "PHONEY: Mimicking user response to detect phishing attacks," in Proc. WoWMoM 2006, pp. 668-672, IEEE Computer Society, 2006.
[3]  C. M. McRae and R. B. Vaughn, "Phighting the phisher: Using web bugs and honeytokens to investigate the source of phishing attacks," in Proc. HICSS 2007, Article 270c, IEEE Computer Society, 2007.
[4]  D. Birk, S. Gajek, F. Grobert and A.-R. Sadeghi, "Phishing phishers—observing and tracing organized cybercrime," in Proc. ICIMP 2007, IEEE Computer Society, 2007.

Valid XHTML 1.0 Transitional


Germany (CET)