Crowdsourced phishing blacklists such as PhishTank, CryptoScamDB and APWG are quite useful in practice to defend against phishing attacks. Out of these services, PhishTank, has been the longest serving and most widely used crowd-sourced phishing blacklist. While it has been instrumental in maintaining a ledger of phishing URLs, it suffers from several limitations: (1) centralized architecture with a single point of failure, (2) lack of transparency, (3) lack of incentive to participate and (4) prone to manipulations. In fact, these are common issues for all existing centralized blacklisting systems. Focusing on PhishTank and for example, Figure 1 shows inconsistent assignment of final labels to URLs in PhishTank. The figure on the left shows a URL marked as phishing even though all 5 crowd sourced verifiers ascertain it is phishing. The figure on the right, on the other hand, shows that a URL is marked as not phishing even though no one has verified it. It is not clear how PhishTank arrived at the final decision and raises concerns on the transparency.
We propose PhishChain, a transparent and decentralized system to blacklist phishing URLs in a crowd-sourced manner while addressing the limitations mentioned above. We envision a blacklisting system where a consortium of mostly targeted organizations such as Paypal, Apple, Microsoft and Facebook form an alliance to put our proposal to use. Our key design goals are as follows: (1) System should be decentralized where anyone can participate and no single authority should be controlling it, (2) All operations should be immutable and recorded, (3) URLs should be assigned a final phish score based on the participants’ assessment, (4) Participants should be incentivized by assigning skill points instead of a cryptocurrency in order to encourage voluntary participation 111Phishtank and APWG work through voluntary participation, but we observe that only a handful of participants contribute to the lists maintained., and (5) The system and data should be publicly available for anyone to consume.
There are a few notable efforts to build blockchain based decentralized solutions for phishing blacklisting or crowd sourcing in general. However, they suffer from one or two drawbacks. PhishLedger (Liu et al., 2019) is a private blockchain solution for blacklisting phishing URLs, and they do not support crowd sourcing. Further, the system is not available for public consumption and is managed in a closed environment. Hence, the verifications performed in this system are questionable. CrowdBC (Li et al., 2019) and ZebraLancer (Lu et al., 2018) are blockchain based crowd sourcing systems, but they rely on a cryptocurrency to maintain the functionality.
Demonstration Scenarios: PhishChain is designed as the next generation decentralized phishing blacklisting system. We show the following three use cases. (1) URL verification, (2) URL detailed dashobard and transaction, and (3) URL verification graph and timeline along with the phish score and verifier skill points.
2. System Architecture
2.1. Overall System Design
Figure 2 shows the overall system architecture. The key components in the system are blockchain network, smart contracts, truth discovery algorithm, and API services modules. The system supports three main functions in addition to user and system management functionality: (1) URL submission, (2) URL verification and (3) URL lookup.
Blockchain Network Module: Blockchain network is the backbone of the decentralized infrastructure. Each node in our blockchain network is either a validator or a normal node. A validator node validates each and every transaction whereas a normal node is a read-only participant. Note that the validation node only participate in the blockchain block verification process similar to committing data to the blockchain ledger, whereas the verifier participates in the URL verification process itself. Istanbul Byzantine Fault Tolerance is utilized as the consensus algorithm since our threat model assumes that there can be malicious participants. In order to meet our system goals, a consortium type blockchain system called, Quorum (ConsenSys, 2021a), is employed as the blockchain network. Tessera (ConsenSys, 2021b) is used to manage transactions of the Quorum network.
Smart Contract Module: The crowd source functionality is implemented using smart contracts (Solidity version 0.5.0). We categorize the smart contracts into three main groups: (1) user management, (2) URL management and (3) URL verification.
Truth Discovery Module: In our crowd sourcing environment, URL verifiers are the workers and the task is to assess if a URL is phishing or non phishing. Due to the varying degree of expertise and experience of verifiers, one cannot simply take, for example, the majority answer as the final phish score of a URL. Instead, a truth discovery algorithm which takes potentially conflicting status for a URL and verifier information, and arrives at the final phish score, should be employed. We observe that existing truth discovery algorithms developed by the database community (Li et al., 2016) are performing poorly on our problem as these algorithms assume that the majority of the verifiers respond to each URL verification task, which is not true for verifying URLs. Our retrospective analysis of PhishTank URLs show that only a handful of verifiers verify a given URL even though there are thousands of them altogether. Hence, we design a new truth discovery algorithm by leveraging page ranking (PR) algorithm on verifier-verifier graph. We construct the verifier-verifier graph by using the “follower” relationship. We define verifier follows for a given URL if verifies the URL before . A directed edge from to is created in this case. The generated graph represent real world relationships among users which captures how users are following others and how they are being followed. Applying the page rank algorithm on top of this graph computes a rank, a real value number between 0 and 1, for each node (i.e. user), indicating how important it is with respect to the whole user population. It follows the intuition that, the more the number of followers are, the more recognition a user receive from its peers. We utilize the computed ranks to calculate the weighted voting score for each URL and assess if it is phishing or not.
Table 1 shows how our algorithm outperforms in comparison to popular truth discovery algorithms on a real-world dataset obtained from PhishTank. We collect URLs submitted and verified in PhishTank from January 1 2020 to December 23 2020. The cleaned dataset contains 17,000 phishing URLs and 6,000 non phishing URLs. We scrape the additional information of each of these URLs to identify the verifiers and their order of verification. We use a balanced dataset of 6,000 URLs from each class for the evaluation.
We use our PR based algorithm to assign skill points to verifiers as well as final phish score to URLs. The skill points of verifiers are computed based on the verifier reputation score returned by the truth discovery algorithm and the proportion of correctly labeled URLs. The phish score of a URL is computed with the weighted score of phishing and non phishing verifiers.
Note that in PhishChain system, we enforce transparency and consistency on the data by following the consensus algorithm. In other words, all the data related to URLs (URLs themselves, votes, status) on the blockchain is consistent and hardened from unauthorized modifications. While our system has a separate truth discovery server for URL verification due to the practical limitations in the Solidity framework utilized, as the algorithm and the data are publicly available and verifiable, any user can verify the the results produced by the URL verification proces is indeed correct.
API Services Module: This module facilitates the communication with the blockchain network. The demo web application we build is a consumer of this API.
In this section, we describe the main use cases of our system. As shown in Figure 3, we setup a consortium blockchain consisting of 7 validation nodes each possessing a copy of the blockchain ledger and participating in validating each transaction. In a real-world setup, these validation nodes are to be hosted by organizations mostly targeted by phishers (e.g. Paypal, Facebook, Microsoft) as such a system is in their best interest to defend against phishing attacks and a collective effort is likely to yield a significantly better blocklist compared to having individual systems.
3.1. URL Verification
Any user can sign up and participate in the process of submission and verification of URLs. Figure 4 shows the UI for the verification of a given URL as phishing or not phishing. Once user submits their verdict, the validation nodes validate the transaction adhering to the consensus algorithm resulting the transaction shown in Figure 5. Once verified, if there are at least 3 votes for the URL, truth discovery model is invoked and assigns the ULR’s calculated score where a positive score indicates that the URL is a phishing URL. Note that the users in here are real-world users with varying degree of domain expertise who may either submit URLs or verify whether the URL is phishing or not. Further, in order to limit the abuse of the system, PhishChain enforces that each URL submitted to the system should be accompanied with a valid email referring to the the URL 222Similar to existing blocklists, the goal of PhishChain to assess suspicious URLs found in likely phishing emails..
3.2. URL Detailed Dashboard
Figure 6 shows the details of the URL submitted by user 1, and it is verified by users 3 and 4 as phishing and users 2 and 5 as non phishing. The system assigns an overall final phishing score of 0.3452 based on PR based truth discovery algorithm. Since it is a positive value, the system concludes that the URL is a phishing URL at that point in time.
3.3. URL Verification Graph and Timeline
Figure 7 and Figure 8 show the verification graph and the timeline of verification respectively. Based on the participation in the system and the proportion of accurately labeled URLs, each user is assigned skill points. For example, user 1 has the highest skill points of 153. Notice that after the 3 vote, the URL is marked as phishing with a score of 0.64, but after the 4 vote, URL is still marked as phishing but with a lower phishing score of 0.35. The phishing score changes with every additional vote as truth discovery algorithm is invoked on affected URLs. Such a detailed timeline easily allows an analyst to not only assess the latest status but also understand how our system arrived at the decision.
The motivation for introducing skill points is inspired from the question answering systems such as StackOverflow and StackExchange. Such systems show that even though participants do not receive any monetary benefits by contributing, these participants attain various “expertise” levels that have far more significance in their respective domains. We believe a similar system for malicious URL verification could assist solve the problem of the limited participation in the volunteer based blacklisting systems currently available.
In this work, we assume that users do not maliciously try to manipulate the truth discovery based system. However, one may extend PhishChain to defend against such manipulations by introducing additional mechanisms that the reputation/recommender system community has already made available (Friedman et al., 2007).
We propose, PhishChain, a truly transparent and decentralized phishing URL blacklisting system that is managed by a consortium instead of a centralized entity. Based on the proposed page rank based truth discovery algorithm, we compute a phish score for each URL as well as verifier skill points. Smart contracts are employed to implement the proposed functionality over the Quorum blockchain. We demonstrate three use cases: (1) URL verification, (2) URL dashboard and its transaction, and (3) URL verification graph and timeline. We believe our approach is generally applicable to any crowd sourced blacklisting system.
- ConsenSys (2021a) ConsenSys. 2021a. Quorum. Available at https://consensys.net/quorum.
- ConsenSys (2021b) ConsenSys. 2021b. Tessera. Available at https://github.com/ConsenSys/tessera.
et al. (2007)
Eric Friedman, Paul
Resnick, and Rahul Sami.
Manipulation-resistant reputation systems.
Algorithmic Game Theory677 (2007).
- Li et al. (2019) M. Li, J. Weng, A. Yang, W. Lu, Y. Zhang, L. Hou, J. Liu, Y. Xiang, and R. Deng. 2019. CrowdBC: A blockchain-based decentralized framework for crowdsourcing. IEEE Trans. on Para. and Dist. Sys. 30, 6 (2019), 1251–1266.
- Li et al. (2016) Yaliang Li, Jing Gao, Chuishi Meng, Qi Li, Lu Su, Bo Zhao, Wei Fan, and Jiawei Han. 2016. A Survey on Truth Discovery. ACM SIGKDD Explorations Newsletter 17, 2 (2016), 1–16. https://doi.org/10.1145/2897350.2897352 arXiv:1505.02463
- Liu et al. (2019) D. Liu, W. Wang, Y. Wang, and Y. Tan. 2019. PhishLedger: A decentralized phishing data sharing mechanism. ACM International Conference Proceeding Series (2019), 84–89.
- Lu et al. (2018) Y. Lu, Q. Tang, and G. Wang. 2018. ZebraLancer: Crowdsource Knowledge atop Open Blockchain, Privately and Anonymously. July (2018), 1–17. arXiv:1803.01256 http://arxiv.org/abs/1803.01256