A Large-Scale Analysis of Phishing Websites Hosted on Free Web Hosting Domains

While phishing attacks have evolved to utilize several obfuscation tactics to evade prevalent detection measures, implementing said measures often requires significant technical competence and logistical overhead from the attacker's perspective. In this work, we identify a family of phishing attacks hosted over Free web-Hosting Domains (FHDs), which can be created and maintained at scale with very little effort while also effectively evading prevalent anti-phishing detection and resisting website takedown. We observed over 8.8k such phishing URLs shared on Twitter and Facebook from February to August 2022 using 24 unique FHDs. Our large-scale analysis of these attacks shows that phishing websites hosted on FHDs remain active on Twitter and Facebook for at least 1.5 times longer than regular phishing URLs. In addition, on average, they have 1.7 times lower coverage from anti-phishing blocklists than regular phishing attacks, with a coverage time also being 3.8 times slower while only having half the number of detections from anti-phishing tools. Moreover, only 23.6% of FHD URLs were removed by the hosting domain a week after their first appearance, with a median removal time of 12.2 hours. We also identified several gaps in the prevalent anti-phishing ecosystem in detecting these threats. Based on our findings, we developed FreePhish, an ML-aided framework that acts as an effective countermeasure to detect and mitigate these URLs automatically and more effectively. By regularly reporting phishing URLs found by FreePhish to FHDs and hosting registrars over a period of two weeks, we note a significant decrease in the time taken to remove these websites. Finally, we also provide FreePhish as a free Chromium web extension that can be utilized to prevent end-users from accessing potential FHD-based phishing attacks.