The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first step in combating the ever-increasing number of phishing attacks is to collect and characterize more of the phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach that uses Twitter as a new observation point to immediately collect and characterize phishing cases delivered via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing posted by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports; 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine. We analyzed users who shared phishing threats by categorizing them into two groups: experts and non-experts. As a result, we discovered that CrowdCanary extracts information specific to non-expert reports, such as company brand names in tweets, phishing attack details from tweet images, and pre-redirect landing page information.