INSTITUTE OF ENGINEERING
PULCHOWK CAMPUS
By
Rajendra Bahadur Thapa
A THESIS
SUBMITTED TO DEPARTMENT OF MECHANICAL ENGINEERING
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE
DEGREE OF MASTER OF SCIENCE IN
TECHNOLOGY AND INNOVATION MANAGEMENT
February, 2014
COPYRIGHT
The author has agreed that the library, Department of Mechanical Engineering,
Pulchowk Campus, Institute of Engineering may make this thesis freely available
for inspection. Moreover, the author has agreed that permission for extensive
copying of this thesis for scholarly purpose may be granted by the professor(s)
who supervised the work recorded herein or, in their absence, by the Head of the
Department wherein the thesis was done. It is understood that the recognition will
be given to the author of this thesis and to the Department of Mechanical
Engineering, Pulchowk Campus, Institute of Engineering in any use of the
material of this thesis. Copying or publication or other use of this thesis for
financial gain without approval of the Department of Mechanical Engineering,
Pulchowk Campus, Institute of Engineering and the author's written permission is
prohibited. Requests for permission to copy or to make any other use of the
material in this thesis in whole or in part should be addressed to:
Head
Department of Mechanical Engineering
Pulchowk Campus, Institute of Engineering
Lalitpur, Kathmandu
Nepal
TRIBHUVAN UNIVERSITY
INSTITUTE OF ENGINEERING
PULCHOWK CAMPUS
DEPARTMENT OF MECHANICAL ENGINEERING
The undersigned certify that they have read, and recommended to the Institute of
Engineering for acceptance, a thesis entitled "Problems in Web Browsers' Inbuilt
Anti-Phishing Techniques and their Solutions" submitted by Rajendra Bahadur
Thapa in partial fulfillment of the requirements for the degree of Master of Science in
Technology and Innovation Management.
______________________________
Supervisor, Dr. Jyoti Tandukar
Associate Professor,
IOE, Pulchowk Campus
_______________________________
External Examiner,
..
Committee Chairperson,
Name.
Title
Department of Mechanical
Engineering
Date .....................................................
ABSTRACT
Phishing is a form of crime in which identity theft is accomplished by use of deceptive electronic mail and a fake site on the World Wide Web. Phishing threatens financial institutions, retail companies, and consumers daily, and phishers remain successful by researching anti-phishing countermeasures and adapting their attack methods to the countermeasures, either to exploit them or to completely circumvent them.
This study attempts to identify solutions to phishing. It consists of an experiment on browsers' inbuilt phishing detection systems, using walk-through inspection and batch scripting code to analyse problems in them; a meta-analysis of phishing anomalies across various research works; an experimental quiz on users for phishing detection, run through a purpose-built web application; the development of a model for phishing prevention; and verification of the proposed model in an extension built for Google Chrome.
The experiment used 96 samples of phishing websites from phishtank.com in the 5 most used browsers (Internet Explorer, Google Chrome, Mozilla Firefox, Safari and Opera). The results show that, on average, they can detect 85% of the phishing websites with their inbuilt anti-phishing systems. Browsers don't provide solutions after detecting the phishing websites, which is the main problem in the existing anti-phishing systems in browsers.
The experiment done through the web application quiz showed that users find it most difficult to detect misspelled/derived names in the URL, URLs using http in place of https, and URLs using multiple Top Level Domains (TLDs). An anti-phishing solution model combining a white list and a heuristic approach has been developed in which the aforementioned anomalies in the URL are taken into consideration. An extension plug-in for Google's Chrome browser was developed and tested with different test cases covering the problems in browsers' anti-phishing systems and the most severe anomalies in the URL. The proposed model was tested with 96 phishing sites from PhishTank showing the lack-of-SSL anomaly, 66 with lengthy URLs, 39 with multiple TLDs, etc., and could detect all of the phishing websites, whereas Google Chrome detected 86 of them. The lack of SSL was seen in all the phishing websites, and awareness regarding SSL could definitely prevent users from being phished.
ACKNOWLEDGEMENT
For the completion of this thesis, different people from different sectors, professionals and non-professionals, have helped to their limit. I would like to thank them all for devoting their valuable time to this study. I would like to express my hearty gratitude to my supervisor Dr. Jyoti Tandukar for his guidance and encouragement throughout my graduate study. His expert knowledge and advice guided me through this thesis, without which I would not have been able to get to this point.
I would like to express my very special thanks to our Program Coordinator of Masters of Science in Technology and Innovation Management, Prof. Amrit Man Nakarmi, for his valuable time and for coordinating us for the completion of this thesis. I would like to thank Dr. Rajendra Shrestha, Head of Department of Mechanical Engineering, Pulchowk Campus, for his regular inspiration and motivation for the project. I would also like to thank the core member groups of the Technology and Innovation Management Program, without whom I would not have had the courage to complete the thesis.
I am grateful to DIGP Mahesh Singh Kathayat, Ins. Pashupati Ray, Mr. Shreeniwas Sharma, Mr. Ashish Bhandari, Mr. Sunil Chaudary and others who were involved and helped directly or indirectly in the completion of the thesis. I am thankful to Upveda Technology Pvt. Ltd, Jwagal for providing web app hosting support for the thesis.
Finally, I would like to express a bouquet full of thanks to all my colleagues of Technology and Innovation Management and all the friends of Pulchowk Engineering Campus, IOE. And I cannot forget my family members for their full support in completing my thesis.
TABLE OF CONTENTS
COPYRIGHT ........................................ 2
ABSTRACT ......................................... 4
ACKNOWLEDGEMENT .................................. 5
LIST OF FIGURES .................................. 10
LIST OF TABLES ................................... 12
LIST OF ABBREVIATION ............................. 13
CHAPTER ONE ...................................... 15
INTRODUCTION ..................................... 15
1.1 Background ................................... 15
1.5.1 Scope ...................................... 18
1.5.2 Limitation ................................. 19
2.1 Phishing ..................................... 21
2.7.2 Mozilla Firefox ............................ 43
2.7.4 Opera ...................................... 47
2.7.5 Safari ..................................... 48
2.9.2 PhishTank .................................. 53
METHODOLOGY ...................................... 57
Solutions ........................................ 83
Conclusion ....................................... 85
5.2 Recommendation ............................... 86
REFERENCES ....................................... 89
LIST OF FIGURES
Figure 1 Cyber crime statistics in Nepal ...................................................................... 16
Figure 2 Internet users in Nepal ................................................................................... 17
Figure 3 Social media network users ........................................................................... 23
Figure 4 Fake PayPal for mobile (left) vs legitimate site (right) ................................. 25
Figure 5 Phishing attacks per year ............................................................................... 26
Figure 6 Daily submitted phishes ................................................................ 27
Figure 7 Daily verified phishes .................................................................................... 27
Figure 8 Phishing email for the customers of Nepal SBI bank.................................... 30
Figure 9 Classification of phishing prevention system ................................................ 31
Figure 10 World map according to the use of browsers. ............................................. 39
Figure 11 Global statistics of browsers users. ............................................................. 40
Figure 12 Statistics of percentage of browser user in Nepal ....................................... 40
Figure 13 Phishing detection in Google Chrome ......................................................... 43
Figure 14 Anti phishing setting in Mozilla Firefox ..................................................... 44
Figure 15 Enabling SmartScreen filter (IE 8) .............................................................. 46
Figure 16 Phishing detection in IE 8 after using SmartScreen filter ........................... 46
Figure 17 Phishing detection in Opera browser. .......................................................... 48
Figure 18 Checking enable or disable of anti-phishing in safari browsers .................. 50
Figure 19 Phishing detection in Safari ......................................................................... 50
Figure 20 SSL lock icon in Gmail. .............................................................................. 52
Figure 21 Model of research process ........................................................................... 57
LIST OF TABLES
Table 1 Anomalies found in the URL .......................................................................... 38
Table 2 Messages seen after malware detection in chrome ......................................... 42
Table 3 Technologies used by anti phishing system in browsers. ............................... 51
Table 4 Sampling Methodology................................................................................... 60
Table 5 Environmental variables for experimental test for detection of phishing ....... 61
Table 6 Anomalies in the URL and target brands and organizations .......................... 64
Table 7 List of Messages disseminated to alert users about their mistakes ................. 66
Table 8 Tools and Technologies used .......................................................................... 71
Table 9 Result of Detection of phishing sites by browsers .......................................... 74
Table 10 Rank of Anomalies in the URL based on mistakes from the test users ........ 77
Table 11 Solutions provided by the tools developed. .................................................. 84
Table 12 The Chi-Square Test for detection of phishing website ............................. 108
Table 13 T-Test calculation for detection of phishing websites by browsers............ 110
LIST OF ABBREVIATION
API
Apps: Applications
APWG
ATM
CCPM
CERT
CMU
CSIRT
DIGP
FINRA
FIRST
HTML
ICANN
ICT
IE: Internet Explorer
IP: Internet Protocol
IS: Information System
ISP
IT: Information Technology
JSON
MPCD
MS: Microsoft
MTPD
NG: Not Good
NIBL
NST
PIN
SEI
SMS
TIM
TLD
URL
W3C
WOT: Web of Trust
CHAPTER ONE
INTRODUCTION
1.1
Background
Figure 1 Cyber crime statistics in Nepal (bar chart of registered cases by fiscal year 2067/68, 2068/69 and 2069/70; chart not reproduced)
Problem Statement
daily. Phishers remain successful by researching anti-phishing countermeasures and adapting their attack methods to exploit the aforementioned organizations and completely circumvent them. As people increasingly rely on the Internet to do business, Internet fraud becomes an apparent threat to people's Internet life. Internet fraud uses misleading messages online to deceive human users into forming a wrong belief and then to force them to take dangerous actions that compromise their own or other people's welfare.
The number of internet users in Nepal is increasing rapidly, in a double exponential manner (Annex 2). It is forecast that 18% of the population will be internet users by 2015 and 25% by 2018. With this rapid growth of internet users, internet-related crime will also increase.
Figure 2 Internet users in Nepal (percentage of population, 1980 to 2030; chart not reproduced)
In fact, all the popular web browsers come with inbuilt anti-phishing solutions. There is no complete measure to stop or prevent Internet users from falling prey to phishing attacks (Dhamija, Tygar, & Hearst, 2006). Every year Internet users lose hundreds of millions of dollars to phishing attacks (APWG, 2013). In the case of Nepal, where computer literacy is very low, getting internet users to install anti-phishing solutions can be cumbersome due to limited knowledge and utility of these tools. Therefore, such internet users should be provided with effective inbuilt anti-phishing solutions in browsers.
1.3
Research Questions
For satisfying the objective of the study, the following research questions are prepared.
1) What are the problems in web browsers' anti-phishing systems?
2) How can technology intervene to increase user awareness so that users are not misled by phishing sites?
1.5
1.5.1
Scope
3) Protect internet users from falling to phishing attacks and save money as well
as resources.
1.5.2
Limitation
The study was done in fulfilment of the MSTIM program. There are some limitations to the study. The limiting factors are as follows:
1) The phishing websites taken from phishtank.com are from only one day, which lacks variety in the phishing websites.
2) It is valid for a login page or other page which asks for confidential information, e.g., PIN code, banking information, social security, etc.
1.6
Organization of Thesis
The report is organized in six chapters that are linked to the issues in relation to the study. It also includes information from various sources related to the study.
Chapter One gives the background of the study, its rationale, objectives and research questions.
Chapter Two includes a literature review on phishing, methods of phishing, phishing types, phishing detection tools and techniques, browsers' anti-phishing tools, etc.
Chapter Three reviews the research methodology used in the study. It elaborates the expert survey method and the experimental methods used, the ways of collecting data, the development of the anti-phishing model, and the experimental set-up with test case development for the verification of the model.
Chapter Four analyzes the different browsers' anti-phishing systems and their detection of phishing websites. It also presents the results from users accessing the web application based on the anomalies in the URLs. With these experimental results, and based on the meta-analysis of phishing detection, a solution model for Nepal is proposed. This model is verified by developing an extension plug-in in Google Chrome. The results are analyzed in this part.
CHAPTER TWO
LITERATURE REVIEW
2.1
Phishing
2.2
Singh mentions four main techniques of phishing. These techniques are briefly
described below: (Singh, 2007)
Dragnet: This method involves the use of spammed e-mails bearing falsified corporate identification (e.g., corporate names, logos and trademarks), which are addressed to a large group of people (e.g., customers of a particular financial institution or members of a particular auction site) and lead to websites or pop-up windows with similarly falsified identification. Dragnet phishers do not identify specific prospective victims in advance. Instead, they rely on false information included in an e-mail to trigger an immediate response by victims, typically clicking on links in the body of the e-mail that take the victims to the websites or pop-up windows where they are requested to enter bank or credit card account data or other personal data.
Rod-and-Reel: This method targets prospective victims with whom initial contact has already been made. Specific prospective victims so defined are targeted with false information to prompt their disclosure of personal and financial data.
Lobsterpot: This consists of the creation of websites similar to legitimate corporate websites, aimed at a narrowly defined class of victims. A smaller class of prospective victims is identified in advance, but there is no triggering of a victim response. It is enough that the victims mistake the spoofed website for a legitimate and trustworthy site and provide personal data.
Gillnet: In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in users' systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record users' keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users' financial accounts.
In all these techniques, the phishing schemes typically rely on three basic elements. First, phishing solicitations often use familiar corporate trademarks and trade names, as well as recognized government agency names and logos. Second, the solicitations routinely contain warnings intended to cause the recipient immediate concern or worry about access to an existing financial account. Third, the solicitations rely on two facts pertaining to authentication of the e-mails: (1) online consumers often lack the tools and technical knowledge to authenticate messages from financial institutions and e-commerce companies; and (2) the available tools and techniques are inadequate for robust authentication or can be spoofed.
2.3
Phishing Medium
The Internet is a playground for phishers. The Internet is mainly accessed through web browsers. The history of phishing dates back to 1985 in AOL mail, where a phisher posed as an AOL staff member and sent an instant message to a victim, asking the victim to reveal his/her password (Wordspy.com). With the use of the internet for social networking, mobile and apps, these have also become a medium for phishers to find prey.
2.3.1
The number of social network users worldwide will rise from 1.47 billion in 2012 to 1.73 billion in 2013, an 18% increase year on year (YoY), and by 2017 the number of users globally will total 2.55 billion. (Sigsworth, 2013)
Data collected from Fortune's Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users. (EMC Corporation, Jan, 2013)
With the world turning into a smaller and more social village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience to the virtual hot-spots. According to a Microsoft research study, phishing via social networks in early 2010 was used in only 8.3% of the attacks; by the end of 2011 that number stood at 84.5% of the total. Phishing via social media increased through 2012, jumping as much as 13.5% in one month considering Facebook alone. Another factor affecting the success of phishing via social media is the vast popularity of social gaming, an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice. (EMC Corporation, Jan, 2013)
2.3.2
apps), as well as classic email spam that users will receive and open on their mobile devices. (EMC Corporation, Jan, 2013)
Cybercriminals launch mobile phishing attacks because they can take advantage of certain limitations of the mobile platform. A mobile device's small screen size, for example, inhibits the mobile browser's ability to fully display any anti-phishing security elements a website has. This leaves users no way to verify whether the website they're logging in to is legitimate or not. (Trend-Micro, Feb, 2013)
Figure 4 Fake PayPal for mobile (left) vs legitimate site (right) Source: (Trend-Micro, Feb, 2013)
2.3.3
Apps are the central resource for smartphone users, and the overall popularity of apps will make them just as trendy with cybercriminals.
Nowadays, users download apps designed for just about every day-to-day activity, the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 35 billion app downloads each from their respective stores. According to research firm Gartner, this number will grow to over 185 billion by 2015. (EMC Corporation, Jan, 2013) In Nepal also, there are familiar day-to-day apps for the Nepali calendar (Hamro Patro), the load shedding schedule (Batti Gayo), iMusic, news of Nepal, etc., which are becoming part of day-to-day activities. (Techsansar.com, 2013)
In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for web browsing and developing native apps that supply mobile functionality and brand-based services to enable customers' anywhere-anytime access.
Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices and steal data and money from users of different mobile platforms. (EMC Corporation, Jan, 2013)
Google's Android Market has a developer-friendly reputation, with open source code and no strict Apple-like approval process before developers can sell their software. Sometimes that openness is used for nefarious purposes, though, and malware creeps in. Just recently, the Android Market was hit with its first phishing attack, via some apps that used fairly standard tactics of mimicking bank websites to deceive users into entering their passwords. (Hathaway, 2010)
2.4
The total number of phishing attacks in 2012 was 59% higher than in 2011. It appears that phishing has been able to set another record year in attack volumes, with global losses from phishing estimated at 1.5 billion in 2012. This represents a 22% increase from 2011. (EMC Corporation, Jan, 2013)
Figure 5 Phishing attacks per year Source: (EMC Corporation, Jan, 2013)
PhishTank lists the links of phishing websites. According to statistics on phishtank.com, there are 1,206,474 valid phishes, out of which 12,745 are online. (PhishTank.com, 2013)
2.5
Phishing in Nepal
It is forecast that there will be 18% internet users by 2015 and 25% by 2018. Phishing incidents are being registered in the Nepal Police Crime Division (Figure 1). Some of the cases which came to the media are highlighted below.
2.5.1
2.5.3
(Shrestha, 2013) A customer having an e-banking account with the Bank of Asia (BoA) received an email telling him to change the security code of his account. The customer, who is also an employee of NMB Bank, asked the BoA why they had sent such an email. After finding out that a fake email had been sent to its customer, the BoA lodged a complaint at the cyber crime cell of Metropolitan Police Range, Hanuman Dhoka.
Shrestha states that not all incidents of phishing have been reported so far, so there might be many other cases of phishing, and many losses, which are not lodged or are unknown yet.
2.5.4
Online Internet Banking is a rather new topic among Nepali internet users. Currently lots of Nepali users are getting phishing emails which claim to be from reputed banks like Nepal Investment Bank, SBI Bank, Nabil Bank, etc. (Pritush, 2012)
The email gives you the warning that your account has been suspended and that to reactivate it you have to go to the web address listed in the email and enter your password. Below we have attached some pictures of phishing emails you might receive. Before logging in, check whether the address is the bank's and the connection is secure (https).
Figure 8 Phishing email for the customers of Nepal SBI bank Source: (Pritush, 2012)
2.6
Figure 9 Classification of phishing prevention system (diagram labels: Technical; Non-Technical; List Based Methods: Black List, White List; Heuristic Methods: Anomalies on URL, Anomalies on Source code; Education & Awareness; Search Engines; visual similarities)
order to protect against phishing by considering both the client and the server. However, user awareness about phishing is the most effective way of phishing prevention. It is important that users get familiar with the widely used techniques and tricks of social engineering, the psychology of manipulating people into divulging confidential information and performing unwitting actions.
The client-based solutions include techniques like: e-mail analysis (using a Bayesian filter and content analysis), blacklist filtering (queried URLs identified as malicious), information flow (keeping track of the sensitive information that the user enters into web forms and raising an alert if something is considered unsafe, like URL obfuscation or a fake domain name), similarity of layouts (comparing visible similarity), etc. Similarly, the server-based solutions include techniques like: brand monitoring (crawling on-line to identify clones and adding suspected sites to a centralized blacklist), behavior detection (detecting anomalies in the behavior of users), security event monitoring (identifying anomalous activity, or post-mortem analysis to detect attack or fraud), strong authentication (use of more than one identification factor), new authentication techniques (use of the latest authentication techniques), etc.
Lastly, education and awareness are related to developing users' ability to identify phishing attack mechanisms and to know the precautionary actions needed to safeguard their personal and confidential data or information. This is also the most difficult method, since users need to guard their data or information from the vulnerabilities generated by their own activities.
The technical phishing prevention methods are explained in detail below.
2.6.1
List-based methods are reactive techniques for phishing prevention. They maintain a lookup of either trusted websites (white list) or malicious websites (blacklist). These lists may be hosted either locally or at a central server.
a) White-list Method
A white list is the list of trusted websites that an Internet user visits on a regular basis. When the white list is exclusive, it allows access only to those websites which are considered trusted and thus is highly effective against zero-hour phishing. It also does not produce any false positive results unless there is a wrong entry in the white list. However, it is very difficult to determine beforehand all the websites which users may want to browse and to update the list accordingly on time (Chaudhary, 2012).
b) Blacklist Method
A blacklist is a list of IP addresses, domain names or URLs of treacherous websites. IP addresses and domain names used by the scammer can be blocked; however, phishers many times use hacked domain names (DN) and servers, so blocking whole DNs or IP addresses can unintentionally block many legitimate websites which share the same IP addresses and DNs. Therefore, blacklisting URLs is comparatively more appropriate (Chaudhary, 2012).
Compiling and distributing a blacklist is a multi-step process. First, a blacklist vendor enters into contracts with various data sources for suspicious phishing emails and URLs to be reviewed. These data sources may include emails that are gathered from spam traps or detected by spam filters, user reports (e.g. PhishTank or APWG), or verified phish compiled by other parties such as takedown vendors or financial institutions. Depending on the quality of these sources, additional verification steps may be needed. Verification often relies on human reviewers. The reviewers can be a dedicated team of experts or volunteers, as in the case of PhishTank. To further reduce false positives, multiple reviewers may need to agree on a phish before it is added to the blacklist. For example, PhishTank requires votes from four users in order to classify a URL in question as a phish (Cranor, Wardman, Warner, & Zhang, 2009).
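The following is an added example, not code from the thesis or from any browser vendor, written to make the distinction drawn in this section concrete: an exclusive white list, a host/IP blacklist and a URL blacklist give different verdicts for the same URL, and in particular a host/IP blacklist blocks an innocent site that shares a hacked server's IP address while a URL blacklist does not. Every domain name, URL, IP address and DNS entry below is constructed for illustration.

```javascript
// Added example (not from the thesis): list-based phishing checks as described in
// Section 2.6.1. All domains, URLs, the IP address and the DNS table below are
// constructed for illustration. Uses the WHATWG URL class that Node.js provides.

// Constructed exclusive white list: registrable domains the user is known to trust.
const WHITE_LIST = new Set(["examplebank.com", "mail.example.org"]);

// Constructed blacklist of exact URLs (stored in normalized form).
const URL_BLACKLIST = new Set(
  ["http://shared-host.example/~phisher/login.php"].map((u) => new URL(u).href)
);

// Constructed blacklist of hosts and IP addresses.
const HOST_BLACKLIST = new Set(["shared-host.example", "203.0.113.10"]);

// Constructed DNS table: a hacked shared host and an innocent site share one IP.
const DNS = {
  "shared-host.example": "203.0.113.10",
  "charity.example": "203.0.113.10",
  "examplebank.com": "198.51.100.5",
};

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Exclusive white list: allow only a trusted domain or one of its subdomains.
// Anything unknown, including a zero-hour phish, is blocked.
function whiteListVerdict(url) {
  const host = hostOf(url);
  for (const trusted of WHITE_LIST) {
    if (host === trusted || host.endsWith("." + trusted)) return "allow";
  }
  return "block";
}

// Host/IP blacklist: blocks by domain name or resolved IP, so a legitimate site
// co-hosted on a blacklisted IP is blocked as collateral damage.
function hostBlacklistVerdict(url) {
  const host = hostOf(url);
  const ip = DNS[host];
  return HOST_BLACKLIST.has(host) || HOST_BLACKLIST.has(ip) ? "block" : "allow";
}

// URL blacklist: exact match on the normalized URL, so only the phishing path
// on the shared host is blocked and the co-hosted site stays reachable.
function urlBlacklistVerdict(url) {
  return URL_BLACKLIST.has(new URL(url).href) ? "block" : "allow";
}

// Summary over the three list types for one URL.
function listVerdicts(url) {
  return {
    whiteList: whiteListVerdict(url),
    hostBlacklist: hostBlacklistVerdict(url),
    urlBlacklist: urlBlacklistVerdict(url),
  };
}

console.log(listVerdicts("http://charity.example/donate"));
// The innocent co-hosted site: blocked by the white list (unknown) and by the
// host/IP blacklist (shared IP), allowed by the URL blacklist.
```

Note that the white list check compares the whole hostname against the trusted domain and its subdomains, so a host such as examplebank.com.evil.example is not accepted merely because it contains the trusted name; the "derived name" anomaly the abstract mentions is exactly this kind of host.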
2.6.2
Heuristic Method
Table 1 Anomalies found in the URL
1) Use of an IP address in URLs.
2) Abnormal SSL certificate.
3) URLs containing a misspelled or derived domain name.
4) Use of the // character in the URL path.
5) Unrelated domain name.
6) Example URL given in the table: http://paypal.com.bin.webscr.skin.a5s4d6a5sdas56d6554y65564y65564y4a56s4d56as4d65sad4.shoppingcarblumenau.com.br/
7) Port number.
8) DNS record.
9) Life of domain.
10) Hosting; URLs hosted by geographical location.
11) Use of special character "@".
12) Use of sensitive words: tokens. For example the words login and signin are very often found in a phishing URL. (Garera, Provos, Chew, & Rubin,
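To show how the URL anomalies from Table 1 can be checked mechanically, here is an added example that is not the thesis's own code or its Chrome extension. It flags the anomalies that can be judged from the URL string alone (IP address host, missing SSL, lengthy URL, explicit port, "@" character, "//" in the path, multiple TLDs, derived or misspelled brand name, sensitive words) and is run against the multi-TLD example URL quoted in the table. The TLD subset, the brand tokens, the extra token "webscr", the 75-character length threshold and the edit-distance bound of 2 are all constructed assumptions, not values from the thesis.

```javascript
// Added example (not from the thesis): heuristic checks for the URL anomalies in
// Table 1. The TLD list, brand tokens, the extra token "webscr", the length
// threshold and the edit-distance bound are constructed assumptions.
const KNOWN_TLDS = new Set(["com", "net", "org", "br", "np", "uk", "info"]); // constructed subset
const BRANDS = ["paypal", "examplebank"];        // constructed brand tokens to protect
const SENSITIVE = ["login", "signin", "webscr"]; // login/signin from the table; webscr assumed
const MAX_URL_LENGTH = 75;                        // constructed "lengthy URL" threshold
const MAX_TYPO_DISTANCE = 2;                      // constructed bound for "misspelled"

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Returns the list of anomaly names found in one URL, in a fixed order.
function urlAnomalies(raw) {
  const found = [];
  const u = new URL(raw);
  const host = u.hostname.toLowerCase();
  const labels = host.split(".");

  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) found.push("ip_address_host");
  if (u.protocol !== "https:") found.push("no_ssl");
  if (raw.length > MAX_URL_LENGTH) found.push("lengthy_url");
  if (u.port !== "") found.push("explicit_port");
  if (raw.includes("@")) found.push("at_character"); // userinfo trick, checked on the raw string
  if (u.pathname.includes("//")) found.push("double_slash_in_path");

  // A TLD token appearing before the final label ("paypal.com.x.com.br") signals
  // a multi-TLD host built to look like a brand domain.
  if (labels.slice(0, -1).some((l) => KNOWN_TLDS.has(l))) found.push("multiple_tlds");

  // Derived name: brand token present, but the registrable domain is not the brand.
  const registrable = labels.slice(-2).join(".");
  if (BRANDS.some((b) => host.includes(b) && !registrable.startsWith(b + "."))) {
    found.push("derived_brand_name");
  }

  // Misspelled name: some host label is a near miss of a brand token.
  const nearMiss = (l) => BRANDS.some((b) => {
    const d = editDistance(l, b);
    return d > 0 && d <= MAX_TYPO_DISTANCE;
  });
  if (labels.some(nearMiss)) found.push("misspelled_brand_name");

  const lower = raw.toLowerCase();
  if (SENSITIVE.some((w) => lower.includes(w))) found.push("sensitive_words");
  return found;
}

// The multi-TLD example URL quoted in Table 1 above.
const TABLE_EXAMPLE_URL =
  "http://paypal.com.bin.webscr.skin.a5s4d6a5sdas56d6554y65564y65564y4a56s4d56as4d65sad4.shoppingcarblumenau.com.br/";

console.log(urlAnomalies(TABLE_EXAMPLE_URL));
```

The sensitive-word check is deliberately crude: a genuine sign-in page such as https://www.paypal.com/signin also triggers it, which is why the solution model described in the abstract consults a white list before applying heuristics rather than relying on heuristics alone.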
Genuine websites use anchors in their links to provide navigational guidance. The URLs used in the anchors are usually from their own domain and sometimes from a different domain. However, in phishing sites such anchor URLs are mostly from a different domain. It has also been found that sometimes an anchor in a phishing website does not link to any page; for example, the anchor URL can be file:///E/ or #.
Security is one of the prime concerns for organizations that do online transactions. Such organizations require credentials for login, which are generally a username and password. Thus, their websites include a server form handler (SFH). Legitimate websites always take action upon the submission of a form; however, phishing websites can contain either about:blank or # as the form handler. Moreover, legitimate sites' SFHs are handled by a server of the same domain, so whenever the form is handled by a foreign domain's server, it makes the website suspicious.
Similarly, many other anomalies, like abnormal request URLs, abnormal cookies, mismatched hyperlinks, use of authentic logos, illegal use of pop-ups, etc., are found in the source code of phishing websites.
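The two source-code anomalies described above (anchor URLs that lead nowhere or mostly off-domain, and server form handlers that are empty or point to a foreign domain) can be checked with a small scanner over the page's HTML. The block below is an added example, not the thesis's own code; the HTML fragments, the page URLs, the two-label approximation of the registrable domain and the "more than half" threshold for foreign anchors are constructed for illustration.

```javascript
// Added example (not from the thesis): checks for the source-code anomalies
// described above, anchor URLs that lead nowhere or off-domain and server form
// handlers (SFH) that are empty or on a foreign domain. The HTML fragments,
// the page URLs and the 50% threshold are constructed for illustration.
const FOREIGN_ANCHOR_RATIO = 0.5; // constructed: "mostly foreign" means more than half

// Last two host labels as a rough registrable domain (constructed simplification).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Pull one attribute's values from every <tag> in a page (regex, no DOM needed).
function extractAttrs(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']*)["']`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].trim());
  return out;
}

function sourceAnomalies(html, pageUrl) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const found = [];

  // Anchor checks: empty, "#", file: or other non-http targets count as dead links.
  const hrefs = extractAttrs(html, "a", "href");
  let dead = 0;
  let foreign = 0;
  for (const h of hrefs) {
    if (h === "" || h === "#") { dead++; continue; }
    const target = new URL(h, pageUrl); // resolves relative links against the page
    if (!/^https?:$/.test(target.protocol)) { dead++; continue; }
    if (registrableDomain(target.hostname) !== pageDomain) foreign++;
  }
  if (dead > 0) found.push("anchor_without_target");
  const live = hrefs.length - dead;
  if (live > 0 && foreign / live > FOREIGN_ANCHOR_RATIO) found.push("anchors_mostly_foreign");

  // SFH checks: a form that submits nowhere, or to another domain's server.
  for (const action of extractAttrs(html, "form", "action")) {
    if (action === "" || action === "#" || action === "about:blank") {
      found.push("sfh_no_action");
      continue;
    }
    const target = new URL(action, pageUrl);
    if (/^https?:$/.test(target.protocol) && registrableDomain(target.hostname) !== pageDomain) {
      found.push("sfh_foreign_domain");
    }
  }
  return found;
}

// Constructed phishing page: brand links go back to the real bank, dead anchors,
// a form with no handler and a form posting credentials to a collector host.
const PHISH_URL = "http://examplebank-secure.example/login";
const PHISH_HTML = `
<html><body>
<a href="https://www.examplebank.com/help">Help</a>
<a href="https://www.examplebank.com/about">About</a>
<a href="#">Terms</a>
<a href="file:///E/">Privacy</a>
<form method="post" action="about:blank">
  <input name="user"><input name="pin" type="password">
</form>
<form method="post" action="http://collector.example/collect.php"></form>
</body></html>`;

// Constructed legitimate page: same-domain links and a same-domain form handler.
const LEGIT_URL = "https://www.examplebank.com/login";
const LEGIT_HTML = `
<a href="/help">Help</a>
<a href="https://www.examplebank.com/about">About</a>
<form method="post" action="/session/login"><input name="user"></form>`;

console.log(sourceAnomalies(PHISH_HTML, PHISH_URL));
console.log(sourceAnomalies(LEGIT_HTML, LEGIT_URL));
```

Relative links are resolved against the page URL before comparison, so a legitimate site's "/help" counts as same-domain; the regex extraction is enough for static HTML but would miss handlers set from script, which a browser extension with DOM access could read directly.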
2.7
preventions.
2.7.1
Google Chrome
shop, pay bills, and run large applications in our browsers. (www.w3schools.com, 2013)
Google discovers suspicious websites during constant crawling and re-crawling of the web. Suspicious websites are websites that may look like phishing websites designed to steal personal information, or that may contain signs of potentially malicious activity that would install malware onto users' PCs without consent. Any website that looks like a phishing page gets added to a list of suspected phishing websites. If a website is found that contains signs of potentially malicious activity, a virtual machine is started, the website is browsed in it, and its activity is watched. If malicious activities occur, the website is added to a list of suspected malware-infected websites. These black lists maintained by Google are used by Google Chrome. (Provos, McNamee,
2) Select Settings.
3) Click Show advanced settings and find the "Privacy" section.
4) Deselect the "Enable phishing and malware protection" checkbox.
Here are the messages users may see when phishing and malware detection is enabled:
Message / What it means
"The Website Ahead Contains Malware!" / This message appears if Google Chrome detects that the
"Reported Phishing Website Ahead!" / This message appears if Google Chrome detects that the
2.7.2
Mozilla Firefox
Firefox contains built-in Phishing and Malware Protection to help keep users safe online. These features warn the user when a page being visited has been reported as a Web Forgery of a legitimate site (sometimes called a phishing page) or as an Attack Site designed to harm the user's computer (otherwise known as malware). (Firefox, 2013)
Mozilla Firefox's phishing feature provides two modes of operation, local and third-party mode. In local mode it uses the inbuilt Phishing and Malware Protection lists to warn users when a visited page has been reported as a web forgery of a legitimate site or as an attack site designed to harm users' computers. These lists are automatically downloaded and updated every 30 minutes or so while the Phishing and Malware Protection features are enabled.
There are two occasions on which Firefox communicates with Mozilla's partners that manage the lists while Phishing and Malware Protection is in use. The first is during regular updates to the lists of reported phishing and malware sites; no information about the user or the sites visited is communicated during list updates. The second is when a reported phishing or malware site is encountered: before blocking the site, Firefox requests a double check to ensure that the reported site has not been removed from the lists since the last update. If a visited URL matches a URL in the list of known phishing sites, the browser blocks the website and displays a warning message to the user. (Mozilla iSEC Partner, 2006)
In this way the local mode protects the user from phishing websites while preserving the integrity of the user's browsing experience and the privacy of their browsing activity. The third-party mode uses an online third-party service (the default service used by the browser is Google) and lets the user check a URL immediately, in real time. Users can test whether Phishing Protection is active by trying to visit the Firefox phishing test site. (Firefox, 2013)
Like Google Chrome, Mozilla Firefox also has many options for phishing prevention.
1) Block pop-up windows (accessible from Main Menu => Options => Content).
2) Enable JavaScript.
3) Protocols (use SSL 3.0, use TLS 1.0).
4) When a server requests my personal certificate (Select one automatically, Ask me every time): the setting "Ask me every time" is safer against phishing.
5) Warn me when sites try to install add-ons, Block reported attack sites, and Block reported web forgeries are three options made for phishing prevention.
2.7.3
Internet Explorer
Internet Explorer has a built-in anti-phishing feature, the phishing filter. The phishing filter in Internet Explorer, also called the SmartScreen filter, helps detect phishing websites.
The phishing filter uses three methods to help protect users from phishing scams. First, it compares the addresses of websites the user visits against a list of sites reported to Microsoft as legitimate; this list is stored on the user's computer. Second, it analyzes the sites the user visits to see whether they have characteristics common to phishing websites. Third, with the user's consent, the phishing filter sends some website addresses to Microsoft to be checked against a frequently updated list of reported phishing websites.
If the site the user is visiting is on the list of reported phishing websites, Internet Explorer displays a warning webpage and a notification in the address bar. From the warning webpage, the user can continue or close the page. If the website has characteristics common to phishing sites but is not on the list, Internet Explorer only notifies the user in the address bar that it might be a phishing website.
When users install and run Internet Explorer for the first time, it prompts them to enable the phishing filter. However, if users choose not to turn it on, they can enable the phishing filter as follows:
Similar to the above two browsers, Internet Explorer too contains options for phishing prevention:
1) Trusted sites and restricted sites: these two options provide lists of trusted and restricted websites respectively. Any website suspected of phishing can be added as a restricted website.
2) Turn on pop-up blocker: has a feature to list the websites on which pop-ups are allowed.
3) Active scripting: enables and disables JavaScript.
The options primarily for phishing prevention, or forming part of the phishing prevention system of IE, are below:
1) Report unsafe website: this option can be used to determine whether a website is unsafe. It sends a request to Microsoft's server, which checks its list to verify whether the website is phishing or legitimate.
2) Check this website and Turn on SmartScreen filter:
2.7.4
Opera
With Opera, every webpage a user requests is subjected to phishing and malware filters. The security status of the page is displayed in a security badge in the address field. If a website is found on lists of known suspicious sites, a warning page may be displayed before the page is shown. Users decide whether to visit the questionable website, to return safely to the browser home page, or to read additional information about the status of the page. If users open a phishing or malware page, it is marked with a red warning badge. (Opera, 2013)
Opera offers more selectable options in particular sections of its preferences. These are explained below:
1) Pop-ups: users can handle pop-ups according to their own preference:
a) Open all pop-ups
b) Open pop-ups in background
c) Block unwanted pop-ups
d) Block all pop-ups
2) The "Enable JavaScript" check box has a "JavaScript options" button that opens the following JavaScript options:
a) Allow resizing of windows
b) Allow moving of windows
c) Allow raising of windows
d) Allow lowering of windows
e) Allow changing of status field
f) Allow scripts to detect context menu events
g) Allow scripts to hide address bar
h) Open console for errors
i) User JavaScript folder path text box
3) Enable plug-ins has an inner check box to enable plug-ins only on demand.
4) Manage site preferences: this option lets users add, edit and delete websites to be allowed. The added websites can be customized for pop-ups, cookies, content, JavaScript, etc. This is like maintaining a white list on the user's side.
5) Blocked content: this option lets users add, edit and delete websites to be blocked.
The options primarily for phishing prevention are as follows:
6) Enable "Fraud and Malware Protection".
7) Manage certificates: provides options to import, export, view and delete personal certificates (client certificates) and authority certificates (from authorities such as VeriSign, Go Daddy, Entrust, etc.). These certificates can be kept in intermediate, approved and rejected groups.
8) Security protocols: options for enabling security protocols such as Enable SSL3, Enable TLS1, etc.
9) Trusted websites: provision to add, delete and edit the trusted websites.
2.7.5
Safari
Safari employs sandboxing techniques to isolate web content and applications from other information on the system, and also includes malicious code blocking capabilities. As with the other browsers, Safari relies on current reports about malicious and fraudulent websites to warn and protect its users. If a website contains malicious code intended to capture personal data or tamper with the user's computer, sandboxing provides a built-in blocker that restricts the code from doing harm. (Tittel, 2011)
Users' personal data is safer on Safari because Safari protects users from cross-site scripting, phishing and malware attacks that try to obtain their personal data. If users visit a site that might contain phishing or malware content, Safari alerts them and will not open the page. Safari also makes it easy to see when the connection to a website is encrypted. (Safari, 2013)
When users first launch Safari 3.2, it connects to safebrowsing.clients.google.com and requests information on the two main blacklists that Google maintains: a list of known phishing sites and a list of known malware sites. Google returns the list of hashed URLs to the computer in chunks, starting with the freshest information and gradually filling in older information. Once users find that folder, they will see two files within it: "cache.db" and "SafeBrowsing.db". The former is Safari's cache. The latter contains the blacklists from Google's Safe Browsing initiative; users will notice that the file was most likely created right about the time Safari 3.2 was first launched, and if the browser is open, the file should have been modified within the past 30 minutes. (Macworld.com, 2008)
Safari contains the following options for phishing prevention:
1) Enable plug-ins: check box to enable plug-ins.
2) Enable Java: enables Java.
3) Enable JavaScript.
4) Block pop-up windows.
The options primarily for phishing prevention, or forming part of the phishing prevention system of Safari, are as follows:
1) Warn when visiting a fraudulent website (uses the Google Safe Browsing service).
2) Ask before sending a non-secure form to a secure website.
By default the anti-phishing system is on in Safari. It can be checked by going to Settings => Preferences => Security.
Browsers and remarks (detection methods; only the rows recovered from the table)
Google Chrome: white list; blacklist (Google Safe Browsing API); heuristic.
Opera: blacklist (PhishTank; Netcraft).
security standards, and do not host personal pages. (Dhamija, Tygar, & Hearst, 2006; Odaro & Sanders, 2010)
5) Secure Sockets Layer (SSL) is a protocol commonly used to validate the identity of a website and to enable the transmission of private information over the Internet. It uses cryptographic keys to encrypt the data being transmitted and to provide a signature used for identification. Browser SSL certificates are electronic documents that enable encryption on secure websites and also contain information about the certificate holder. The use of these certificates (and the related, well-known SSL lock icon) has traditionally been one way of providing identity information to the user, but studies have shown that many users have difficulty interpreting certificates or may not even be aware that they exist. There are many other options in the browser which users rarely use because they have little or no knowledge of them.
Finally, the biggest problem is getting users to alter their behaviour. Studies have shown that users tend either to ignore security warnings or to fail to act on them. This is the greatest threat to several anti-phishing solutions. (Odaro & Sanders, 2010)
There are many organizations working against phishing. These organizations are the
resources for studying and tackling against phishing. Some of the main organizations
are as follow:
2.9.1
PhishTank
code of the target sites and rank these characteristics to calculate a security weight. There is no justification for the categorization of the different characteristics. Alkhozae and Batarfi's proposed model does not provide a possible solution after detecting a phishing website.
Gowtham and Krishnamurthi's model adopts a suitable combination of all techniques: maintaining blacklists and white-lists and employing heuristics-based approaches. Before applying heuristics to the webpages, they apply two preliminary screening modules. The first is the pre-approved site identifier, based on a user-maintained white-list; the second is the login form finder, which classifies a page as legitimate when no login form is present. (Gowtham & Krishnamurthi, 2013)
This research considers the login form as the only kind of webpage from which phishers can profit from users, which is an important consideration. But the system does not provide any suggestion of the possible real website after detecting the phishing website.
He et al. (2011) proposed a phishing webpage detection model to determine whether a webpage is legitimate or phishing. It does not use list-based methods. First a webpage is converted into 12 features, carefully selected on the basis of existing normal and phishing pages. A training set of web pages, including normal and phishing pages, is then input to a support vector machine for training. According to the authors, the experimental results showed that the proposed phishing detector achieves a high accuracy rate with relatively low false positive and false negative rates. (He, et al., 2011)
The research keeps the suspicious page address as feature one, followed by the id page address, nil anchors, foreign anchors, id foreign requests, SSL certificate, number of dots in all URLs, etc., with the search engine as the 12th feature. Moreover, they highlighted other features such as the server form handler, domain age, WHOIS record, etc., which were not used in the system.
Odaro and Sanders propose that users cannot completely rely on the inbuilt anti-phishing system of browsers because of its inadequacy in combating the problems of phishing. The limitations are both technical and non-technical. From an evaluation of the technical and non-technical issues of browsers' inbuilt phishing prevention systems and other related tools, suggestions are stated considering both technical and non-technical problems. (Odaro & Sanders, 2010)
Islam and Abawajy propose a multi-tier classification model for phishing email filtering. Priority ranking was set up for extracting the features of phishing email based on weighting of message content and message header.
The impact of
CHAPTER THREE
METHODOLOGY
In this chapter efforts have been made to present and explain the specific research design adopted for the sake of attaining the research objectives. It explains
3.1
Research Design
I have used experimental research and design-and-creation research strategies to answer the research questions. The model of the research process is shown below (Oates, 2006):
Figure: research process model (Oates, 2006). Experiences and motivation and the literature review lead to the research questions; strategies: experiment and design and creation; data generation methods: observation and documents; data analysis: quantitative and qualitative.
3.2
Sources of Data
Data were mainly collected through primary experimental observation. The online users who use the web application to recognize phishing or real websites are the source of primary data for selecting the anomalies in the URLs of phishing websites. The list of phishing URLs was obtained from PhishTank.com (secondary source), and the facts and cases of phishing were obtained from online reports and publications.
3.3
Methodology Insight
The methodology can be seen through the block diagram of the methodology. Its components are explained below.
The literature review consists of the methods, tools and techniques used for phishing. It covers the details of the browsers' inbuilt phishing prevention systems and the existing tools and technologies for phishing prevention.
The browsers' inbuilt anti-phishing systems are studied through different literature along with walk-through experiments. This consists of the procedures for the various options and features of the phishing prevention systems of the selected browsers.
Phishing prevention models consist of existing models for phishing prevention systems, which are accessed through the review of journals.
The browsers' phishing detection rate is determined through experimental research. The procedures for data collection, sampling and statistical analysis of the results are explained under separate headings of this chapter.
Problems in the browsers' inbuilt phishing detection systems are identified through a meta-analysis of the literature reviewed and walk-through experiments on the browsers.
The anti-phishing model is proposed through a meta-analysis of the various techniques and models of phishing prevention systems.
Selection of phishing anomalies in the URLs is done through a purpose-built online web application. The procedure is explained under a separate heading.
Verification of the model is done by making different case studies based on the phishing anomalies in the URL.
The conclusion and recommendations are drawn on the basis of all the above procedures.
Experimental research is a blueprint of the procedure that enables the researcher to test a hypothesis by reaching valid conclusions about relationships between independent and dependent variables. It refers to the conceptual framework within which the experiment is conducted (Key, 1997). The following procedures were applied in conducting this experiment.
3.4.1
There are various formulas for calculating the required sample size, depending on whether the data collected is categorical or quantitative in nature (i.e., whether a proportion or a mean is to be estimated). These formulas require knowledge of the variance or proportion in the population and a determination of the maximum desirable error, as well as the acceptable Type I error risk (i.e., the confidence level). Since there is an inverse relationship between sample size and margin of error, smaller sample sizes yield larger margins of error.
The formula used for these calculations was the sample-size formula for a proportion with finite-population correction:

$$ n = \frac{\dfrac{Z^2\,p\,(1-p)}{e^2}}{1 + \dfrac{Z^2\,p\,(1-p)}{e^2\,N}} $$

where N is the population size, Z the standard score for the chosen confidence level, p the expected proportion and e the degree of accuracy (margin of error). The values used were:
Population size (N): 1,206,474
Confidence level: 95.0 % (Z = 1.96)
Degree of accuracy (e): 0.1
Expected proportion (p): 0.5 (worst case)
Sample size (n): 96
With these values, Z^2 p(1-p)/e^2 = 1.96^2 × 0.25 / 0.01 = 96.04, and the finite-population correction for N = 1,206,474 changes this only negligibly, giving n = 96.
For the experiment I have taken 5 different browsers: Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Safari. The phishing sites are 96 phishing websites from different sectors such as PayPal, banks, government organizations, reputed brands like Amazon, eBay, Adidas, etc., and miscellaneous local phishing sites targeting the community of Nepal.
The environment for the setup is as follows:
Hardware environment used
Operating system: Windows 7 Ultimate
Browsers used: Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Safari
One of the major problems in analyzing anomalies in source code is that the web pages have to be loaded, which exposes Internet users to vulnerabilities from malicious code, key loggers and bot-nets. Although the risk from malicious code, key loggers and bot-nets can be reduced by using a sandboxed browser to load the webpage for analysis, this cannot guarantee complete protection from malware and malicious code (Sabanal & Yason, 2012).
The analysis of anomalies in URLs, by contrast, does not need to load the web pages, which means Internet users can be kept safe from phishing conducted using malicious software.
The proposed model consists of a heuristic method and a list-based method. In the heuristic component, phishing detection is done using anomalies in the URL. A web application was developed to select the list of anomalies to be used in the model. The white list method is used to exempt known legitimate websites from being checked by the model.
3.5.1
It is not possible to study all the anomalies. A web app was developed for the selection of the anomalies in the URL to be used in the heuristic method of the model. Phishing websites with the following anomalies are considered in the study. These anomalies were selected on the basis of the availability of resources, in conformance with Nepali users, and using a maximum of 20 questions in the quiz, as in Sheng's "Anti-Phishing Phil" (Sheng, et al., 2007), because more questions would bore the users; for randomization, anomalies in email and anomalies of visual similarity in logo and theme were mixed in.
1) URLs misspelled or derived from domain name.
Users were given 20 questions to recognize whether each is a real website or a phishing website. Questions 2, 4, 5, 10, 11, 13 and 15 are real websites while the others are phishing websites. The phishing websites carry the following anomalies in the URL.
Target brands in the quiz (the S. No., anomaly and question-number columns of this table were scrambled in extraction): Citizen Bank International; Gmail; eBay; Hotmail; Twitter, Nepal Police and PayPal (Q. 9, 12, 16); Amazon.com; Yahoo Mail; eBay, Facebook and YouTube (Q. 17, 18, 19); Facebook and Nepal SBI Bank (Q. 14, 20). Other question numbers appearing in the table: 3, 8, 10, 11, 17.
a single page. Besides the selection of anomalies in the URL, this web application disseminates knowledge to users about recognizing phishing websites. The web application is accessed online from the link http://upvedatech.com/quiz/. The messages disseminated when users make a mistake are tabulated as follows (Q. No: target site: message; entries whose message was not recovered are left blank):
1: Citizen Bank International
2: Nepal Investment Bank (real site)
3: Gmail: (Phishing Site) The Gmail login page domain does not use SSL (https with green colour) and the domain does not belong to Google. Its domain is .org.
4: Dropbox (real site)
5: (real site; target not recovered)
6: hotmail.com: (Phishing Site) The Hotmail website does not use SSL (https with green colour) and does not belong to Microsoft. The domain is .tw (Taiwan) whereas Microsoft is in the USA.
7: amazon.com: (Phishing Site) The Amazon website does not use SSL (https with green colour) and uses an IP address URL, which is not what a genuine website would do.
8: yahoo mail: (Phishing Site) The URL contains https (but it is not shown in green by the browser, which means it is a fraudulent use of https); moreover, the domain says Google while the mail is for Yahoo.
9: Twitter: (Phishing Site) Twitter does not use SSL and the domain is not Twitter's.
10: amazon.com (real site)
11: Nepal government (real site)
12: Nepal Police
13: Facebook email (real site)
14: Facebook
15: Facebook email (real site)
16: PayPal: (Phishing Site) PayPal does not use https. At the end of the URL there is another "www.". The domain name contains cedij.com.mx (belonging to Mexico) whereas PayPal is from the USA. The word "cedij" makes it suspicious, and the page asks for much sensitive information.
17: eBay: (Phishing Site) eBay does not use https. The URL does not belong to eBay ("admitr").
18: Facebook: (Phishing Site) Facebook does not use https, and the domain does not belong to Facebook.
19: YouTube
20: Nepal SBI Bank
3.5.2
Development of model
Figure: proposed anti-phishing model. A requested URL is first looked up in the white list: if present, it is a legitimate URL; if absent, it goes to the heuristic method. A URL that passes the heuristic test updates the white list and is treated as legitimate; a URL that fails updates the blacklist and is treated as phish. For a phish, the model educates the user, obtains the keyword of the website, searches for it in Google, suggests the top results, and advises the legitimate URL.
While studying the methods and techniques of phishing detection, I found that search engine results are a strong weapon to use in the fight against phishing. None of the phishing systems developed so far has a component that offers a solution after detecting a phishing website. Using a search engine component to provide the solution for possible phishing websites is the innovative phishing prevention system proposed in this research.
The white list check is used as a filter to reduce the load on the system. Similarly, the anomalies selected from the "web application quiz for anomalies in the URL" are applied as the heuristic method for detecting phishing. Many more heuristic features could be added to make the result more prominent. URLs which are not in the white list and cannot pass the heuristic test are regarded as possible or suspicious phishing websites. These possible phishing websites are passed to the search engine (here Google) to find the solution, and the search engine result is displayed as the possible solution for the phishing website.
The following things were considered before development of the model:
1) The detection rate of the existing phishing prevention systems in browsers.
2) The anti-phishing solution model focuses on providing the solution of the real website after detecting the phishing website.
3) Multiple methods, list-based and heuristic, are applied together.
4) A small domain of heuristic parameters (anomalies in the URLs of phishing websites) is considered, selected from the results of the above web app and the availability of resources. For example, "URLs misspelled or derived from domain name" has no limit on the domain name features and the ways of being derived or misspelled.
5) Prioritization of the heuristic parameters is done through the experiment on real users.
6) The updating component and the use of the blacklist are kept for future enhancement.
Because the study is limited to anomalies in URLs as the heuristic method and a user-maintained white list as the list-based method, the phishing detection method is implemented as below:
Figure: implemented model. A URL request is checked against the white list: if present, the URL is legitimate; if absent, the heuristic method is applied using the list of anomalies (from the web app and the availability of resources). Test pass: legitimate URL. Test fail: phish; the user is educated, the keyword of the website is obtained, it is searched in Google, the top results are suggested and the legitimate URL advised.
1) When phishing is detected, users must be provided with solutions rather than warnings. [Warnings and pop-up messages are another problem, which can be irritating to the user.]
The study considers anomalies in the URL for the detection of phishing. The test cases on the basis of anomalies are as follows:
2) URLs misspelled or derived from domain name.
3) URLs using http in place of https, i.e., abnormal SSL certificate.
Heuristic rule: check for https.
4) URLs using TLDs within the domain name or sub-domains.
Heuristic rule: check for more than 4 dots (.) in the domain name. (Zhang, Hong, & Cranor, 2007)
5) URLs using a different port number.
Heuristic rule: 80 is the port number for the HTTP protocol, so a port number other than 80 is abnormal.
6) Use of an IP address, which is abnormal.
Heuristic rule: a URL with an IP address as host is abnormal. (Zhang, Hong, & Cranor, 2007)
7) URLs using a long host name. (Though there is no hard rule for the length of a phishing URL, McGrath and Gupta found URL length peaking at 67 characters in the PhishTank list (McGrath & Gupta, 2008).)
8) URLs with the special character "@".
9) URLs with the special character "//".
10) URLs with sensitive words ("webscr", "ebayisapi", "secure", "account", "login", "signin", "banking" and "confirm").
These words are drawn by splitting the URL on the delimiters ("/", "?", ".", "=", "-", "_"), the so-called "bag of words" approach. (Ma, Saul, Savage, & Voelker, 2009)
11) URLs containing a brand, domain or host name. (Not implementable in detection)
12) Use of similar logos and themes of popular brands, or URLs using unrelated domain names. (Not implementable in detection)
13) The domain name of a commercial business is not .org. (Not implementable in detection)
14) Email senders with catchy domain names but a host name different from the domain. (Not implementable in detection)
Other problems in the browsers' inbuilt phishing prevention systems could not be solved, as this model also uses list-based and heuristic methods for detecting phishing websites. So they are excluded from the study.
3.6
Description
Programming languages
Database
Report making
Forecasting tools
The web application (anti-phishing quiz) for the selection among the anomalies in the URL was hosted online at http://upvedatech.com/quiz/. Users were able to open the link and register their names or even register anonymously.
3.7.2
The code of the software is uploaded to GitHub at https://github.com/rajendra061/AntiPhishSolution.
The extension downloaded from GitHub can be installed in Google Chrome by the following steps, as shown in the figures:
Step 1: Click the "Customize and control Google Chrome" menu icon as shown in the figure below, and click "Settings" in the menu that appears.
Step 2: Select "Extensions" in the left part of the list displayed after clicking "Settings".
Step 3: Click "Load unpacked extension" and give the path of the downloaded source code.
Step 4: The extension will be seen in the extensions list as shown in the figure above.
Step 5: The "refresh" link automatically rebuilds the extension from the source code after any changes are made to it.
CHAPTER FOUR
DATA ANALYSIS / RESULTS
4.1
From the experiment, 95% of the phishing websites listed on phishtank.com were detected by the browsers. From the sampling theory used to sample the phishing websites, with a confidence level of 95.0 % and the worst-case percentage of 50%, the confidence interval is 10, so the population detection rate lies within 10% of the observed result, i.e. between 85% and 100% (105% being impossible). Taking the lower bound, the detection rate of phishing sites by browsers is found to be 85%.
Table: detection of the sample phishing sites by each browser
Browser: sample phishing sites / detected / detection %
Chrome: 96 / 93 / 97%
Mozilla Firefox: 96 / 93 / 97%
Internet Explorer: 96 / 92 / 96%
Opera: 96 / 91 / 95%
Safari: 96 / 88 / 92%
Average: 95%
4.2
Experimental Analysis
The web app stores the results of users' responses to the phishing and real websites. It makes users aware by providing reasons, in non-technical language, for their mistakes in recognizing a real or phishing website. In the figure below, the educative message is prompted to make the user aware. The output can be seen below.
The results of the web application for users recognizing a "Real site" or "Phish site" are shown below.
Figure 28 Result from web app for recognizing phish site and real site
As the study concerns users' behaviour against phishing websites, the results for the real websites are discarded and the top mistakes on the phishing websites are taken into the study.
On the phishing websites, about 60% of the users failed to recognize the phishing website of Citizen Bank International, Nepal, i.e. a URL misspelled or derived from the domain name.
The second most commonly missed phishing website was the phishing website of the Yahoo mail service. It falls in the category of using abnormal https and using a free hosting domain for a popular brand.
The third most commonly missed phishing website was the website of Nepal Police, which was hosted inside upvedatech.com. It falls in the category of URLs using multiple TLDs within the domain name or sub-domains.
So, on the basis of the users' mistakes in detecting the phishing websites, the severity of the categories of anomalies in the URL can be ranked as below.
Table: severity ranking of URL anomaly categories by users' mistakes (only the question-number column was recovered): 1; 3, 8; 8; 9, 12, 16; 7; 7; 6; 17; 17, 18, 19; 3; 4, 20.
4.2.2
The white list used in the test is a list of domains, i.e.
["google.com","nibl.com.np","facebook.com","esewa.com.np","gmail.com", "nepalpolice.gov.np", "hotmail.com"];
When a URL is entered in the address bar of the Google Chrome browser, the white list check and the heuristic method check are done. When the URL fails the test, the address bar shows a phishing alert and an educating message (the error in the heuristic check, e.g. the https check), as in the figure below. The host name used for the search is searched automatically in a new tab.
respectively. The results from the Google search within the top 5 are proposed as the possible solution.
For testing, phishing websites were downloaded from PhishTank.com on 7th February 2014 at 11:00 pm (NST). From the list, the first 96 websites were taken for the experiment, as the latest phishing websites are kept at the top of the list. First the websites were tested with Google Chrome's inbuilt phishing detection system. Then, after disabling the "Enable phishing and malware protection" feature of Google Chrome, the test with the model was done.
From the test, it was found that all the websites were detected by the phishing anomalies considered in the study. None of the phishing websites used SSL (the https protocol in the URL). There were 39 sites with the multiple-TLD anomaly, 66 websites with the long URL anomaly, 3 with the IP address anomaly and 40 with anomalies based on sensitive words. There was no website with an abnormal port, "//" or the special character "@".
Figure: number of the 96 phishing websites showing each anomaly (no https 96; long URL 66; sensitive words 40; multiple TLDs 39; IP address 3; abnormal port, "//" and "@" 0).
Test URL: http://www.reginagrogers.com/dev/4q0x/secure.bankofamerica.com/login/signin/signOnscreen.go/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin
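The white-list-then-heuristics flow described above, applied to the test URL, as an added example (this is not code from the thesis's Chrome extension). It uses Node's global URL class for parsing. The white list is the one quoted in the thesis; the long-URL threshold, the TLD list and the sensitive-word list are assumed values, because the thesis does not publish its own, and the Google search step is replaced by returning the host name that would be searched.

```javascript
// Added example, not the thesis's extension code: white-list check first,
// then one heuristic per URL anomaly category named in the thesis.
const WHITE_LIST = ["google.com", "nibl.com.np", "facebook.com", "esewa.com.np",
  "gmail.com", "nepalpolice.gov.np", "hotmail.com"]; // list quoted in the thesis

// Assumed values; the thesis does not publish its thresholds or word lists.
const LONG_URL_THRESHOLD = 75;
const KNOWN_TLDS = new Set(["com", "net", "org", "gov", "edu", "np", "uk", "fr",
  "de", "br", "cn", "in", "au", "ro", "lv", "cl"]);
const SENSITIVE_WORDS = ["login", "signin", "signon", "secure", "account",
  "update", "verify", "confirm", "webscr", "bank", "password"];

// Exact match or sub-domain of a white-listed domain. The match is anchored on
// a label boundary: a bare endsWith("google.com") would also accept "evilgoogle.com".
function isWhiteListed(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return WHITE_LIST.some((d) => h === d || h.endsWith("." + d));
}

// Drop the host's own public suffix (trailing labels that are TLDs, e.g. "com.np")
// so that a legitimate "nibl.com.np" is not counted as "multiple TLDs".
function hostLabelsWithoutSuffix(host) {
  const labels = host.split(".");
  while (labels.length > 1 && KNOWN_TLDS.has(labels[labels.length - 1])) labels.pop();
  return labels;
}

// Returns one entry per anomaly category found in the URL.
function findAnomalies(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase();
  const found = [];

  if (url.protocol !== "https:") found.push("no https");
  if (rawUrl.length > LONG_URL_THRESHOLD) found.push("long URL length");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) found.push("IP address as host");

  // A TLD-looking label anywhere outside the host's real suffix, whether in a
  // sub-domain (www.paypal.com.xxx.com) or in the path (/secure.bankofamerica.com/),
  // is the "multiple TLDs" anomaly.
  const extraLabels = hostLabelsWithoutSuffix(host).concat(url.pathname.split(/[./]/));
  if (extraLabels.some((l) => KNOWN_TLDS.has(l))) found.push("multiple TLDs");

  // URL.port is empty for the scheme's default port, so anything else is abnormal.
  if (url.port !== "") found.push("abnormal port");
  if (url.pathname.includes("//")) found.push('"//" in path');
  // user:pass@host puts the part before "@" into username/password.
  if (url.username !== "" || url.password !== "") found.push('"@" in URL');

  const lower = rawUrl.toLowerCase();
  const hits = SENSITIVE_WORDS.filter((w) => lower.includes(w));
  if (hits.length > 0) found.push("sensitive words: " + hits.join(", "));
  return found;
}

// Whole flow: a white-listed host is trusted without further checks; any other
// host goes through the heuristics. searchTerm is the host name the extension
// would look up in a new tab to suggest the legitimate website.
function classify(rawUrl) {
  const host = new URL(rawUrl).hostname;
  if (isWhiteListed(host)) return { verdict: "trusted", anomalies: [], searchTerm: host };
  const anomalies = findAnomalies(rawUrl);
  return { verdict: anomalies.length > 0 ? "phishing" : "unknown", anomalies, searchTerm: host };
}

// The thesis's own test URL.
const TEST_URL = "http://www.reginagrogers.com/dev/4q0x/secure.bankofamerica.com/login/signin/signOnscreen.go/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin";
console.log(JSON.stringify(classify(TEST_URL), null, 2));
```

On the test URL this reports no https, long URL length, multiple TLDs and several sensitive words, which is what the thesis's model found for it; the IP-address, port, "//" and "@" checks stay silent, as the test results above say. Note that the TLD heuristic scans the path as well as the host, since the brand's domain is in the path here, and that the public suffix of the host is stripped first, otherwise every legitimate .com.np site would be flagged.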
Solutions
The tools developed during this thesis include the awareness part for phishing prevention and a model for a phishing detection system. Correcting the demerits of the blacklist method, white-list methods and learning-based systems is out of the scope of this study. The two problems addressed by the study are 1) problems with the warnings and 2) problems with SSL awareness.
This thesis focuses on phishing detection on the basis of anomalies in the URL. Most phishing websites fail to comply with SSL certification. So, this model works to provide solutions for the anomalies that are not otherwise detected. The tools developed during the study address most of the detected anomalies in the URL, except URLs using an IP address as the host name. These are shown below.
Test cases | Direct Detection | Awareness | Solution | Remarks
Problems with warnings | | | advise legitimate websites |
URL derived or misspelled | | | advise legitimate websites |
URLs using multiple top domains | | | advise legitimate websites |
URLs using different port number | | | advise legitimate websites |
URLs using IP address | | | |
URLs with sensitive words | | | |
Domain names of commercial enterprise as org | | | |
(The marks in the Direct Detection and Awareness columns did not survive extraction.)
CHAPTER FIVE
CONCLUSION AND RECOMMENDATION
5.1 Conclusion
Computer and internet technologies have induced different types of crimes, known as computer or cyber crimes. These crimes can be broadly categorized as social networking crimes, hacking, phishing, identity theft, data fraud, email threats, lottery scams, bots and botnets. This research particularly focuses on phishing as a cyber crime and studies various anti-phishing tools. In Nepal, awareness of phishing is confined to those with technical know-how, and most internet users are not aware of the problems that this form of cyber-crime can bring. Phishing is a form of crime in which identity theft is accomplished by the use of deceptive electronic mail and a fake site on the World Wide Web (WWW).
It is imperative to curb cyber crimes. The Government of Nepal has enforced the Electronic Transaction Act 2063 to prevent and mitigate cyber crimes in the country. This research is particularly focused on phishing and has extensively collected literature and case studies to analyze phishing in Nepal. The research is oriented, firstly, to studying the problems with phishing and its practical implications and, secondly, to proposing and verifying an anti-phishing system.
The number of international phishing attacks in 2012 was 445,004, which is 59% higher than in 2011. Internet users in Nepal comprise 11.15% of the total population. This is forecast to increase to 18% by 2015 and 25% by 2018. The internet browser is the point of access to the internet. The 5 most used browsers in Nepal from June, 2013 to August, 2013 were Chrome (53.9%), Firefox (32%), Internet Explorer (7.48%), Safari (2.81%) and Opera (2.05%). These browsers have inbuilt anti-phishing systems, which on average detect 85% of existing phishing sites. So, the detection of phishing websites is not a problem in these browsers. But these browsers are not able to provide a probable solution or to stop users from accessing phishing websites.
Phishing websites can be detected through anomalies in the URL. URLs using http in place of https, the use of free web hosting to host a popular brand's site, URLs using multiple TLDs, misspelled URLs, etc. are some types of phishing anomaly. Among the aforementioned anomalies, Nepalese users find it most difficult to detect misspelled URLs or URLs derived from a domain name.
The proposed anti-phishing solution model is composed of phishing detection components (a white-list based approach and a heuristic approach in which anomalies in the URL are taken into account) and is designed to show the possible real websites. The results of the solution were tested by developing an extension plug-in for the Google Chrome browser. The experiment tested the model against anomalies in the URLs. It provides solutions to the users by discouraging them from using phishing URLs. However, it is difficult to detect phishing originating from an IP address, in which case Google could not translate the IP address. If Google converted IP addresses to their host names, or alternatively a third-party host name resolver were used to detect phishing IPs, then phishing URLs could be detected more efficiently. The legitimate websites advised by the model provide information about the domain name that users are going to enter. This system prevents users from being deluded. The proposed model was tested with 96 phishing sites from PhishTank and could detect all of the phishing websites, where Google Chrome detected 86 of them. The lack of SSL was seen in all the phishing websites, and awareness regarding SSL could definitely prevent users from being phished.
Thus, this model provides a solution for suspicious phishing websites which are not yet found by any other anti-phishing tools in the web browsers.
5.2 Recommendation
It can be learnt from this study that computer crime management is a very important area of study, and there are many areas which are very new to study in the case of Nepal. The types of computer crimes have many areas for improvement that are waiting for researchers from Nepal to study the problem and propose probable solutions.
In the process of the fight against phishing, the most fundamental parts are: to ensure that the internet browser is up to date and security patches are applied; since phishing probably finds most of its victims among the less technically savvy, the user needs to understand what phishing is and how it works; and the phishing problem differs from many other security problems in that we wish to protect users from themselves, so all design must consider the assumption that users do not change their behaviour and systems have to handle the negligence resulting from that behaviour.
Some of the fundamental precautionary actions that a user needs to adopt are:
1) Do not rely on the links contained in email, even if the web address appears to be correct or looks similar to a legitimate one in appearance.
2) Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
3) Always use a secure website for submitting confidential or sensitive information via web browsers, i.e. https:// rather than http://.
4) The phishing check can be done just before the password is typed. This will protect against phishing attacks that use a delay in page load to delude anti-phishing systems.
5) A numeric IP address check, or a check for web pages that have many outbound links (phishing websites may have many links to the legitimate website), can be used for detecting phishing websites.
6) Phishers are least bothered about the design, spelling errors and copyright information in their websites. This can be used for detecting phishing.
7) The concept of providing a solution on top of the phishing detection system is recommended for phishing prevention systems, as it will help in correcting users' mistakes.
8) Educating people about the different kinds of phishing and about the effective use of anti-phishing tools.
9) IT technical manpower must be provided with training against computer crimes and with research and development activities.
This model has a component to advise legitimate websites after the detection of phishing websites. So, it is recommended to use this system while doing monetary and confidential transactions on the internet.
5.3
The future research work will further refine the model for the anti-phishing system. It can be listed as below:
1) The implementation of the login filter system proposed by Gowtham and Krishnamurthi will remove the limitation (Gowtham & Krishnamurthi, 2013).
2) The implementation of a blacklist check can be done using standard blacklists maintained by Google, PhishTank, etc., which is kept for future work.
3) Self-updating of the blacklist and white list in this model can be done as a further enhancement.
4) Further studies can be made in the area of anti-phishing systems in browsers, such as usability, user behaviour, etc.
REFERENCES
Alkhozae, M. G., & Batarfi, O. A. (2011). Phishing Websites Detection based on Phishing Characteristics in the Webpage Source Code. International Journal of Information and Communication Technology Research, 1(6), 283-291.
American Bankers Association. (2005). ABA Works on Fraud - Phishing Prevention & Resolution. Retrieved 25, 2013, from http://www.angelinabank.com/phishing063005.pdf
APWG. (2013). About APWG. Retrieved 09 01, 2013, from http://www.antiphishing.org/about-APWG/
APWG. (2012). Global Phishing Survey: Trends and Domain Name Use in 1H2012. Lexington.
Bequai, A. (1978). Computer Crime. Canada and United States: Lexington Books.
Chaudhary, S. (2012). Recognition of phishing attacks utilizing anomalies in websites. University of Tampere.
Computer Crime Law. (n.d.). Retrieved 09 10, 2013, from www.hg.org: http://www.hg.org/computer-crime.html
Cranor, L., Egelman, S., Hong, J., & Zhang, Y. (2006). Phinding Phish: An Evaluation of Anti-Phishing Toolbars. Pittsburgh: CyLab, Carnegie Mellon University.
Cranor, L., Wardman, B., Warner, G., & Zhang, C. (2009). Case Study of Browser-based Anti-phishing Solutions. CEAS.
Crypto Group Stanford. (n.d.). Spoofguard. Retrieved 09 1, 2013, from http://crypto.stanford.edu/SpoofGuard/
Dan Tynan, PCWorld. (2004, 4 13). EarthLink Readies Anti-Phishing Tool. Retrieved 09 01, 2013, from http://www.pcworld.com/article/115652/article.html
Daryanani, M. (2011). Desensitizing the User - A Study of the Efficacy of Warning Messages. Kellogg College, University of Oxford.
Dhamija, R., Tygar, J. D., & Hearst, M. (2006). Why Phishing Works. ACM 1-59593-178-3/06/0004.
Egelman, S., Cranor, L. F., & Hong, J. (2008). You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Proc. of CHI 2008. Florence, Italy.
EMC Corporation. (Jan, 2013). The Year in Phishing. RSA, EMC.
Firefox. (2013). Phishing and Malware protection. Retrieved 09 20, 2013, from http://www.mozilla.org/en-US/firefox/phishing-protection/
Florencio, D., & Herley, C. (2006). Analysis and Improvement of Anti-Phishing Schemes. Retrieved 10 12, 2012, from http://research.microsoft.com/pubs/69369/mainsec2006.pdf
Frost & Sullivan. (2009). Key Challenges in fighting Phishing and Pharming. Retrieved April 6, 2013, from http://www.easysol.net/newweb/images/stories/downloads/Frost_SullivanPhishing_wp_dec09.pdf
Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007). A Framework for Detection and Measurement of Phishing Attacks.
Gastellier-Prevost, S., Granadillo, G. G., & Laurent, M. (2011). Decisive heuristics to differentiate legitimate from phishing sites. Network and Information System Security (SAR-SSI).
Google. (2013). Facts about Google and Competition - About Search. Retrieved 10 25, 2013, from https://www.google.com/competition/howgooglesearchworks.html
Government of Nepal. (2008). The Electronic Transactions Act, 2063 (2008). Nepal: Government of Nepal.
Gowtham, R., & Krishnamurthi, I. (2013). A comprehensive and efficacious architecture for detecting phishing webpages. Computers & Security, 40, 23-37.
apps! Retrieved 09 24, 2013, from http://downloadsquad.switched.com/2010/01/12/phishing-attack-hits-android-marketbe-careful-about-banking/
He, M., Horng, S.-J., Fan, P., Khan, M. K., Run, R.-S., Lai, J.-L., et al. (2011). An efficient phishing webpage detector. Expert Systems with Applications, 12018-12027.
Islam, R., & Abawajy, J. (2013). A multi-tier phishing detection and filtering approach. Network and Computer Applications, 36, 324-335.
Jamieson, R., Land, L. P., Winchester, D., Stephens, G., Steel, A., Maurushat, A., et al. (2012). Addressing identity crime in crime management information systems: Definitions, classification, and empirics. Computer Law & Security Review, 28, 381-395.
Kay, R. (2004, 1 19). QuickStudy: Phishing. Retrieved 09 09, 2013, from http://www.computerworld.com/: http://www.computerworld.com/s/article/89096/Phishing
Key, J. P. (1997). Experimental. Retrieved 09 16, 2013, from Oklahoma State University: http://www.okstate.edu/ag/agedcm4h/academic/aged5980a/5980/newpage2.htm
Killcrece, G. (2004). Steps for Creating National CSIRTs. Pittsburgh: Carnegie Mellon Software Engineering Institute.
Krejcie, R. V., & Morgan, D. W. (1970). Determining Sample Size for Research Activities. Educational and Psychological Measurement, 30, 607-610.
Kuo, C., Parno, B., & Perrig, A. Browser Enhancements for Preventing Phishing Attacks. Pittsburgh: Carnegie Mellon University.
Content. Retrieved 25, 2013, from http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=B4022C6699BC-4A30-9ECC-8BDEFCF0501D&displaylang=en
Moore, R. (2005). Cyber crime: Investigating High-Technology Computer Crime. Cleveland, Mississippi: Anderson Publishing.
Mozilla iSEC Partner. (2006). Mozilla Phishing Protection: Testing Methodology Analysis. Retrieved 08 20, 2013, from http://www.mozilla.org/security/iSECPartners_Phishing.pdf
Nepal Government. (2008). The Electronic Transactions Act, 2063 (2008). Nepal: Nepal Government.
Netcraft. (2013). Anti-Phishing Services. Retrieved 09 01, 2013, from http://www.netcraft.com/anti-phishing/
Netcraft. (2013). Netcraft toolbar. Retrieved 09 01, 2013, from http://toolbar.netcraft.com/
NW3C. (2013, 9 8). Criminal Use of Social Media. (NW3C, Ed.) Retrieved 9 8, 2013, from http://www.nw3c.org/docs/whitepapers/: http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
Oates, B. J. (2006). Researching Information Systems and Computing. London: SAGE Publications.
Odaro, U. S., & Sanders, G. B. (2010). Social Engineering: Phishing for a Solution. Retrieved 7 12, 2013, from http://www.kaspersky.com/view.html?id=81
Opera. (2013). Opera's Fraud and Malware Protection. Retrieved 09 20, 2013, from http://www.opera.com/help/tutorials/security/fraud/
Pan, Y., & Ding, X. (2006). Anomaly Based Web Phishing Page Detection. 22nd Annual Computer Security Applications Conference (ACSAC06). Computer Society.
Parker, D. B. (1989). Computer Crime: Criminal Justice Resource Manual. Washington D. C.: National Institute of Justice.
Perry, R. L. (1986). Computer Crime. New York: Franklin Watts.
PhishTank. (2013, 09 08). What is Phishing? Retrieved 09 08, 2013, from PhishTank.com: http://www.phishtank.com/what_is_phishing.php?view=website
PhishTank.com. (2013, 09 24). phishtank: stats. Retrieved 09 24, 2013, from phishtank: stats: https://www.phishtank.com/stats.php
Pritush. (2012, 11 13). Beware of Phishing email Targeted to Nepali internet banking users. Retrieved 09 09, 2013, from Nepallica.com: http://nepallica.com/beware-of-phishing-email-targeted-to-nepali-internet-bankingusers/
Provos, N., McNamee, D., Mavrommatis, P., Wang, K., & Modadugu, N. (2007). Google discovers suspicious websites during. Retrieved 8 9, 2013, from http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf
Sabanal, P., & Yason, M. V. (2012). Digging deep into the Flash Sandboxes. (IBM Corporation) Retrieved 08 09, 2013, from http://media.blackhat.com/bh-us12/Briefings/Sabanal/BH_US_12_Sabanal_Digging_Deep_WP.pdf
Safari. (2013). What is Safari? Retrieved 09 24, 2013, from http://www.apple.com/safari/what-is.html
Sen, O. N., & S, B. (2001). Criminal Justice Responses to Emerging Computer Crime Problems. Texas: University of North Texas.
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., et al. (2007). Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. Symposium on Usable Privacy and Security (SOUPS). Pittsburgh, PA, USA.
Shrestha, P. M. (2013, 4 16). Phishing incidents wake up Nepali banks to security threats. Retrieved 09 09, 2013, from ekantipur.com: http://www.ekantipur.com/2013/04/16/business/phishing-incidents-wake-up-nepalibanks-to-security-threats/370064.html
Sigsworth, W. (2013, 6 24). Report: Almost 1 In 4 People Worldwide Are Using Social Media. Retrieved 09 24, 2013, from SocialMediaFrontiers.com: http://www.socialmediafrontiers.com/2013/06/report-almost-1-in-4-peopleworldwide.html
Singh, N. P. (2007). Online Frauds in Banks with Phishing. Journal of Internet Banking and Commerce, 12(2).
South Asia Partnership. (2007). Cyber Cafes of Nepal - Passage to cyber crime? Kathmandu: SAP International and Bellanet Asia.
statcounter.com. (2013). Statcounter Global top 5 browser. Retrieved 09 8, 2013, from statcounter.com: http://gs.statcounter.com/#browser-ww-monthly-201306-201308-bar
State of Alaska State Security Office. (July 2009). Monthly Cyber Security Tips Newsletter. Alaska: State of Alaska State Security Office.
Techsansar.com. (2013, 2 14). List of Nepali Apps in Google Play Store. Retrieved 09 24, 2013, from http://techsansar.com/application/nepali-android-apps-google-playstore/
Tenhunen, M. (1994). Updating Computer Crime and Information Security Strategies. Paper presented to Kriminalistik and Forensische Wissenschaften.
The World Bank. (2013). Internet users (per 100 people). Retrieved 09 24, 2013, from World Bank: http://data.worldbank.org/indicator/IT.NET.USER.P2
Tittel, E. (2011, 6 11). A Review of Browser Anti-Phishing Protection. Retrieved 09 20, 2013, from readwrite.com: http://readwrite.com/2011/07/30/a-review-of-browseranti-phish
Trend-Micro. (Feb, 2013). Mobile Phishing: A Problem on the Horizon. Trend-Micro.
Wikipedia. (2013, 07 16). PhishTank. Retrieved 09 01, 2013, from http://en.wikipedia.org/wiki/Phishtank
Wordspy.com. (n.d.). phishing. Retrieved 10 12, 2013, from http://www.wordspy.com/words/phishing.asp
Wu, M., Miller, R. C., & Garfinkel, S. (2006). Do security toolbars actually prevent phishing attacks?
www.w3schools.com. (2013). What is Google Chrome? Retrieved 09 8, 2013, from http://www.w3schools.com: http://www.w3schools.com/browsers/browsers_chrome.asp
Zhang, Y., Hong, J., & Cranor, L. (2007). CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. WWW 2007 / Track: Security, Privacy, Reliability, and Ethics (pp. 639-648). Alberta: International World Wide Web Conference Committee (IW3C2).
ANNEXES
Annex 1 Important terminology and Definition .......................................................... 98
Annex 2 Best forecasting method for the internet users using crystal ball .................. 99
Annex 3 Internet users in Nepal using crystal Ball predictor .................................... 100
Annex 4 List of valid phishing website from PhishTank.com................................... 102
Annex 5 Phishing websites not detected by browsers ............................................... 106
Annex 6 Question for WebApp with answers http://upvedatech.com/quiz/.............. 106
Annex 7 Chi Square Test ........................................................................................... 108
Annex 8 T- Test ......................................................................................................... 109
Annex 9 Entering inside of the web app .................................................................... 111
Annex 10 URL derived from host name .................................................................... 111
Annex 11 Real website with SSL .............................................................................. 112
Annex 12 Message alerted on mistake....................................................................... 112
Annex 13 Phishing website of Gmail ........................................................................ 113
Annex 14 Educative message to the user ................................................................... 113
Annex 15 Real website of Dropbox ........................................................................... 114
Annex 16 Real website of nepalnews.com with page ranking, risk rate, etc. ............ 114
Annex 17 Phishing website of Hotmail ..................................................................... 115
Annex 18 Phishing website of Amazon, use of IP address/port no ........................... 115
Annex 19 Phishing website of Yahoo Mail ............................................................... 116
Annex 20 Phishing website of twitter.com ................................................................ 116
Annex 1 Important terminology and Definition
[Table residue: terms Cyber Crime, Identity crimes, Social Network, Social Engineering, Bots and Botnet, Hacking, Trojan Horse; the definitions did not survive extraction except for one fragment: "More typical are those forms of online fraud that play upon our ... computer." (Merritt, 2009)]
Annex 2 Best forecasting method for the internet users using crystal ball
[Table residue: forecasting methods ranked by Crystal Ball, with the columns Methods, Rank, RMSE, MAD, MAPE, Durbin-Watson, Theil's U, Periods, Alpha and Beta. Surviving cells: Double Exponential Smoothing (rank 1), Double Moving Average, Single Exponential Smoothing (rank 3), Single Moving Average; the values 0.946, 0.908, 0.733, 0.999 and 0.516 could not be assigned to cells.]
Annex 3 Internet users in Nepal using crystal Ball predictor
Year | Internet users (per 100 people) | Year | Internet users (per 100 people)
1989 | | 2009 | 1.97
1990 | | 2010 | 7.93
1991 | | 2011 |
1992 | | 2012 | 11.1493
1993 | | 2013 | 13.60106
1994 | | 2014 | 15.97461
1995 | 0.000925 | 2015 | 18.34817
1996 | 0.00451 | 2016 | 20.72172
1997 | 0.021999 | 2017 | 23.09527
1998 | 0.064394 | 2018 | 25.46882
1999 | 0.146669 | 2019 | 27.84237
2000 | 0.204652 | 2020 | 30.21592
2001 | 0.240015 | 2021 | 32.58948
2002 | 0.312956 | 2022 | 34.96303
2003 | 0.382811 | 2023 | 37.33658
2004 | 0.449844 | 2024 | 39.71013
2005 | 0.826551 | 2025 | 42.08368
2006 | 1.141389 | 2026 | 44.45723
2007 | 1.41 | 2027 | 46.83079
2008 | 1.73 | 2028 | 49.20434
Annex 4 List of valid phishing website from PhishTank.com
S.No | URL
1 | http://jigsawesl.co.uk/wpcontent/plugins/5501654516/349325931520424/index2.php
2 | http://www.paypal.com.sgiqfczjhk6nrcn6h6.kaiu888ue4zz6zpp9qhpsu6drdx.com/us/cgi-bin/webscr/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
3 | http://theclassicbicycleshop.com.au/demo/BigPond/https:|www.bigpond.com/
4 | http://evies.com/www.citibank.com/online.citibank.com/US/JSO/signon/uname/Nexte665.html
5 | http://www.paypal.com.c80sl1t35ypx6frhq3es.kaiu88895u3junkrrdxctxb3pj3.com/us/cgi-bin/webscr/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
6 | http://www.paypal.com.8r7d0pvxfvrjgn.kaiu8882x52s57khxevuzhcfmni.com/us/cgi-bin/webscr/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
7 | http://mine-returns.mtxserv.fr/templates/pay/www.paypal.fr.login.cgibin.webscr.cmd.login.submit.dispatch.btoc70bbe415271cd0fd42c2b071efa252ac2bbd1fddf0fdac1a/update/TlRJeE9ERXhORFkxTWpjPQ==/
8 | http://www.gjimnazi-gjilan.com/CitiBankTTcopy.htm
9 | http://mine-returns.mtxserv.fr/templates/pay/www.paypal.fr.login.cgibin.webscr.cmd.login.submit.dispatch.btoc70bbe415271cd0fd42c2b071efa252ac2bbd1fddf0fdac1a/update/TmpVeE16UTNOVGcyTkRJPQ==/erreur.htm
10 | http://mine-returns.mtxserv.fr/templates/pay/www.paypal.fr.login.cgibin.webscr.cmd.login.submit.dispatch.btoc70bbe415271cd0fd42c2b071efa252ac2bbd1fddf0fdac1a/update/T0RZek1qQTFOVE01TURjPQ==/Informations.php
11 | http://p2pradio.cl/pp/Paypal/websc/update.php
12 | http://paypal.com.us.cgi-bin.webscr.cmd.loginsubmit.dispatch.5.885d80a13c0db1f8.e263663d3faee8d9.6fc0752e9614158.f04872d2f2ae25dc.f185a366458bf11c.70bbe4d1f65.40254698653274.pay1234pal2020.doc7kfb45cfi.manf997854.hoztech.ro/f1e62fc62abaf990b7b291c6282ff715/info.php
13 | http://update-info-login.tigleacoperis.ro/014/?cmd=_home&dispatch=5885d80a13c0db1f8e&ee=54ca199af5213c6df2c52d15ce22231e
14 | http://tigle-acoperis.ro/update-infologin/014/?cmd=_home&dispatch=5885d80a13c0db1f8e&ee=eff48506ac52dfa4d3a7425208b4734d
15 | http://tigle-acoperis.ro/update-info-login/014/websc/update.php
16 | http://www.bumsroth.de/modules/mod_related_items/tmpl/pudateinfo/webscr.php
17 | http://www.paypal.clienti.altervista.org/
18 | http://paypalpaypamentbonus.altervista.org/
19 | http://www.paypal.com.ah0ta7sy6c4019hcah.728bq3ebrcwgggb.com/cgibin/webscr/greenerror.php
20 | http://www.paypal.com.n71h1rx7cysrg5nwy41n.kaiu888dsxv5xece84sxu4ffjym.com/us/cgi-bin/webscr/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
21 | http://www.paypal.com.wzyqx65oerk4804taj.yxtkzrqyyxxb4nq.com/cgibin/webscr/update_ok.php
22 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/SFP6o2/index.php
23 | http://209.105.244.10/~restaurw/cgibin/0dd62148849ee637d8555c5613f8923e/
24 | http://webmailaccessadmin.jimdo.com/
25 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/mU6vrg/index.php
26 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/mCqlGm/login.html?cmd=run=916610&verifyID=7117
27 | http://genpats.info/84byhTn7jcm1pq31380569614/mbr=whspe8var1ul4gc/profile=18153083/bridger.php?nxINCL=d2Vic2NycHJpbWEucGhw
28 | http://osmanzolan.com/login.paypal.com.home.account.security.verification.apps.web/
29 | http://wscvfrtgbnhyujmkilok.fii.me/
30 | http://tobiiiiii.bugs3.com/yahoo/
31 | http://www.fultonindoh.com//includes/js/dtree/img/home59,136,176,1,1,1,1.bb/
32 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/GXDFIU/x.php
33 | http://login.paypal.com.home.account.security.verification.apps.web.osmanzolan.com/
34 | http://pbreload.com/~tv9/txzt2tzxt2/4ut4rw4ert4/59c2ffb1b9cee57d1cc125a546a0a725/
35 | http://pbreload.com/~tv9/txzt2tzxt2/4ut4rw4ert4/
36 | http://recibo-troca.zz.mu/dotz-premiado/id/
37 | http://webmail.mailupdate.important.validation.verification.team.teamoo.com
38 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/REirF9/index.php
39 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/mBt9mB/x.php
40 | http://www.alpi.lv/images/resized/images/category/dics/mail.html
41 | http://convitesmiles-2013.sytes.net/
42 | http://www.alpi.lv//images/resized/images/category/dics/mail.html
43 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/S1yzeJ/x.php
44 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/JS83MN/x.php
45 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/84qeTo/index.php
46 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/wF8jKS/index.php
47 | http://www.alpi.lv//images/resized/images/category/clear/mail.html
48 | http://nvnmvnmvnmvnvmn.x90x.net/
49 | http://jhfdjhjhhfbf.hostingsiteforfree.com/
50 | http://hgdjdfh.hostingsiteforfree.com
51 | http://gfdiyfi7yfyo.zz.mu
52 | http://resetacthonee.bugs3.com/
53 | http://ljkkhjhjghgjhkjjl.yzi.me/
54 | http://gooddybaggggggggggggg.x90x.net/
55 | http://hcccjcfj.clan.su/account-reactivation.user.htm
56 | http://stampaclic.it/images/stories/home/?cmd=_home&dispatch=5885d80a13c0db1f8e&ee=c47b428f40996531827aee6f0c2be628
57 | http://kellerduerr.ch/webEdition/apps/toolfactory/lang/fr/5292602585/105328892193242/index2.php
58 | http://adlerapothekehalle.de/uk/1nmtjmow69dpg4vkb0ok2ietp18lr1bifo4o4jc0jfgqa33crhmjpr68i5k2tlb135gvfjlopr8pl1r697foocny70prcqj6mpqr/
59 | http://staufferkassen.ch/webEdition/lib/Zend/Log/7470114079/105328892193242/index2.php
60 | http://www.stylespygirl.com/Ihrem.konto/
61 | http://50.31.147.177/~tv9/txzt2tzxt2/4ut4rw4ert4/168cc93b112ce970d6e566f1e09d1f40/CardConfirm.php?Userid=mpu4cx5y53b&Session=n1xto6frcqcpga3z8ow9szuy213su7la8s13mowb8pjy8oohwr7whte90fijr5o
62 | http://50.31.147.177/~tv9/txzt2tzxt2/4ut4rw4ert4/29bc9da375f26a786048f897eed721ca/Address.php
63 | http://update.paypal.com.redeessencial.com.br/
64 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/8DNBly/login.html?cmd=run=80399&verifyID=131514
65 | http://50.31.147.177/~tv9/txzt2tzxt2/4ut4rw4ert4/43a0d7dcec333eaf9c5292895e10d2e9/AccountLogin.php?Userid=ybvj05f0wc69t&Session=ci55lfps9jg6dn3cop0f0phz4dxncvm4nejvgugllbenmxsr4mpp9zo4
66 | http://50.31.147.177/~tv9/txzt2tzxt2/4ut4rw4ert4/3e99bed4d7e5616276b253a8d759f934/Address.php
67 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/QZQYX9/index.php
68 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/QZQYX9/x.php
69 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/lE0xjq/index.php
70 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/w4Uv4O/x.php
71 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/D2pyAt/index.php
72 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/D2pyAt/x.php
73 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/3g6CgV/index.php
74 | http://paypal.com.account.us.login.webapps.verified.infromation.d80a13c0db1f8e263663d3faee8d0038486cd0d9a2f30f3a21df7b0d.adefaevwzcr6n6ppreqtpiq5nc2cysu2j5-gujc1ds3ukcpy.center.helps.foreverpottery.com/reawdbrokns.php
75 | http://www.serivcesconfirmation.com/pls/confirmation/?cmd=_home&dispatch=0fee7132162be90c765d06c52b7319f70fee7132162be90c765d06c52b7319f7
76 | http://www.elegantanna.com.cn/images/?us.battle.net/lhttp://www.elegantanna.com.cn/images/?us.battle.net/login/en/?ref=http:http://www.eliteconnectionsindia.in/form/use/feedback/form1.html
77 | http://tr.im/4czdp
78 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/6tnOTm/index.php
79 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/qGldBs/index.php
80 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/6tnOTm/x.php
81 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/ZEq7k1/index.php
82 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/Zv8a8Q/index.php
83 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/ra7Lav/index.php
84 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/Lfbuu2/x.php
85 | http://askcomunicaciones.com/wpcontent/plugins/cmdrun/d/h7TOZF/index.php
86 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/FbhhA6/x.php
87 | http://www.paypal.com.17zj8a0q3l6f.kaiu888n4qmd6kkmfhxp4taieyq.com/webapps/mpp/home?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
88 | http://www.paypal.com.9c5motw5ajluuyqsa8.kaiu888m9kes9rf6qz2t3kymtf7.com/webapps/mpp/home/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
89 | http://www.paypal.com.ine14l2fyazeoj.kaiu888m9kes9rf6qz2t3kymtf7.com/webapps/mpp/home/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
90 | http://www.paypal.com.mv778wq06jqvzl.kaiu888xyvssfgr2jzd2web7i97.com/webapps/mpp/home/?cmd=_login-submit
91 | http://www.paypal.com.ine14l2fyazeoj.kaiu888m9kes9rf6qz2t3kymtf7.com/us/cgi-bin/webscr/?cmd=_loginsubmit&dispatch=d8abfd443683c2cc0402854ef2be0e68
92 | http://www.paypal.com.fza2t03jlhuhjq16l.gj347cgz8249bdd.com/cgibin/webscr/greenquestions1.php
93 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/HC1dM2/x.php
94 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/SUgwna/x.php
95 | http://askcomunicaciones.com/wp-content/plugins/cmdrun/d/GIH3CU/x.php
96 | http://mbstec.com/0o1.php
Annex 5 Phishing websites not detected by browsers
Browser | Phishing websites not detected (S.No in the list above)
Chrome | 8, 45, 77
Mozilla Firefox | 8, 44, 77
Internet Explorer | 8, 11, 33, 77
Opera |
Safari |
Annex 6 Question for WebApp with answers http://upvedatech.com/quiz/
S.No | Name | Ans IsPhish (1 = phish; 0 = not) | Remarks
1 | Citizen Bank International | 1 | similar url name
2 | Nepal Investment Bank | 0 | ebanking with SSL
3 | gmail | 1 | it is of org domain
4 | dropbox | 0 | Login form, with SSL
5 | nepalnews.com | 0 | simple http, with netcraft anti-phishing system showing address is Nepal.
6 | hotmail.com | 1 | long url names
7 | amazon.com | |
8 | yahoo mail | |
9 | twitter | |
10 | amazon.com | |
11 | Nepal government | |
12 | Nepal Police | |
13 | facebook email | |
14 | Facebook email | |
15 | ebay | |
16 | paypal | |
17 | ebay | 1 |
18 | facebook | 1 |
19 | youtube | 1 |
20 | Nepal SBI Bank | 1 |
(Remark cells for rows 7 to 20 that could not be assigned to a row: "signature."; "Use of long url and same url name back of host url"; "Use of long url and same url at back"; "Use of secure icon"; "Use of similar logo"; "Use of name and hyphen".)
Annex 7 Chi Square Test
Browser | Observed (O) | Expected (E) | (O-E)^2/E
Chrome | 93 | 91.2 | 0.035526
Mozilla Firefox | 93 | 91.2 | 0.035526
Internet Explorer | 92 | 91.2 | 0.007018
Opera | 90 | 91.2 | 0.015789
Safari | 88 | 91.2 | 0.112281
Total | 456 | | Calculated chi-square = 0.20614
D.F. = 4
Annex 8 T-Test
Browsers | x_i | Mean (x̄) | x_i - x̄ | (x_i - x̄)^2
Chrome | 93 | 91.2 | 1.8 | 3.24
Mozilla Firefox | 93 | 91.2 | 1.8 | 3.24
Internet Explorer | 92 | 91.2 | 0.8 | 0.64
Opera | 90 | 91.2 | -1.2 | 1.44
Safari | 88 | 91.2 | -3.2 | 10.24
Total | 456 | | | 18.8
D.F. (N-1) = 4; s = 2.1679; t = -4.950822
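The two statistics printed at the end of the T-test table (2.1679 and -4.950822) are the sample standard deviation and the t statistic, and the chi-square value above them is the sum of the last column. The following worked derivation is added here and is not part of the original thesis. The thesis does not print the hypothesised mean μ; taking μ = 96, the number of phishing sites in the test, reproduces the printed t value, so that value is assumed below.

$$E = \frac{456}{5} = 91.2,\qquad \chi^2 = \sum_{i=1}^{5}\frac{(O_i - E)^2}{E} = 0.035526 + 0.035526 + 0.007018 + 0.015789 + 0.112281 = 0.20614,\qquad \text{D.F.} = 5 - 1 = 4$$

$$\bar{x} = \frac{456}{5} = 91.2,\qquad s = \sqrt{\frac{\sum_{i=1}^{5}(x_i - \bar{x})^2}{N-1}} = \sqrt{\frac{18.8}{4}} = 2.1679$$

$$t = \frac{\bar{x} - \mu}{s/\sqrt{N}} = \frac{91.2 - 96}{2.1679/\sqrt{5}} = \frac{-4.8}{0.9695} = -4.9508,\qquad \text{D.F.} = N - 1 = 4$$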
Annex 16 Real website of nepalnews.com with page ranking, risk rate, etc.
List of URLs, with the "Detected by Chrome" and "Detected by model and Anomalies found" columns

1. http://bjxxhg.com/l0ginpaypaI/PayPal.co.uk/Pool%3D100/
   Yes | no https;
2. http://50.87.131.118/%7Evoice/https.verified.paylap.com.webapps.security.verifictionfaqid.856249782198732165798731657cmd/jss/9e2bf35a3b204e198eae52795928ef0f/
   Yes | no https; long URL length; Uses IP address
3. http://paypal.com.cgi.bin.webscr.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.baranorganizasyon.com/pp/tt/99aed546f8523260c183d20d8d9f1cf8
   Yes | no https; multiple TLDs; long URL length;
4. http://paypal.com.cgi.bin.webscr.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.baranorganizasyon.com/pp/tt/795a5f7b424111d75ce81cd4e4aa26b6
   Yes | no https; multiple TLDs; long URL length;
5. http://paypal.com.cgi.bin.webscr.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.baranorganizasyon.com/pp/tt/5b73d1a91914aea6e33beb9dd02af9dd
   Yes | no https; multiple TLDs; long URL length;
6. http://https.www.paypal.co.uk.cgi.bin.websecure.intercoboxe.fr/bd89eba603c238953d00725d785ac251
7. http://my1stphotography.com/images/Update=NewefilingOtpValid/update=newefiling.int00.0//pages/investec/index.php
8. http://mandl.edu/wpcontent/uploads/2014/02/halas/new_test
9. http://conradseoul.co.kr/wpcontent/uploads/Auto_Atendimento_Bradesco/login.do.php
10. http://www.gesundenhaus.de/libraries/joomla/client/xxxxxxxxxxxx/sss/index.htm
11. http://www.reginagrogers.com/dev/4q0x/secure.bankofamerica.com/login/signin/signOnscreen.go/signon.php?section=signinpage&update=&cookiecheck=yes&amp;destination=nba/signin
12. http://www.reginagrogers.com/dev/4q0x/secure.bankofamerica.com/login/signin/signOnscreen.go/
13. http://www.miromoreira.com.br/index.file/www/wellsfargo.com/securitycenter/onlineWellsFargo/Passcode/done.html
14. http://www.sgibin.paypal.fr.mise.a.jours.validupdate.com/service/mptt/activation/webscr_fichiers/lang/fr/ffc0a177829a5db30feed8944f85b539/login.php
15. http://www.supersizefashion.nl/js/lib/googledocss/sss/index.htm
16. http://www.visualmente.cl/plugins/editors/tinymce/jscripts/tiny_mce/plugins/insertdatetime/images/pulign/6c9ab2d536659407e8e77ee8dd1d3415/Confirm.php?cmd=_error_loginrun&dispatch=5885d80a13c0db1fb6947b0aeae66fdbfb2119927117e3a6f876e0fd34af436580c63a156eb
17. http://servosdasnacoes.com/mon/gogle/index.php.htm
18. http://paypal.com.cgi-bin.webscr.cmd.loginsubmit.dispatch.5885d80a13c0db1rje263663d3faee8defu93hhuhy7hhfp.keptsimple.com.au/ppl/
19. http://paypal.com.cgi.bin.webscr.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.cmd.login.submit.15.baranorganizasyon.com/pp/tt/1dac12d1f4e61bba0ca0b28b1ee4cb37/
20. http://paypal.com.cgi.bin.scoutshpen.com/4d2f9621b038043735a0b6a3798a98b3/

Column values for rows 6 to 20, in the order they appear on the page:

Detected by Chrome: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes, Yes

Detected by model and anomalies found:
- no https; multiple TLDs; long URL length;
- no https
- no https
- no https; long URL length
- no https; multiple TLDs; long URL length
- no https; long URL length
- no https; multiple TLDs; long URL length
- no https; multiple TLDs; long URL length
- no https; multiple TLDs;
- no https; long URL length;
- no https;
- no https; long URL length
- no https; multiple TLDs; long URL length
- no https; multiple TLDs; long URL length
- no https; multiple TLDs; long URL length
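The four anomaly classes recorded in the table above (no https, long URL length, multiple TLDs, uses IP address) can be checked mechanically from the URL string alone. The following is an added example and is not the thesis's web app or Chrome extension code. The 60-character length threshold and the short list of TLD tokens are assumptions, and the legitimate HTTPS control URL in the sample set is constructed; the four other sample URLs are copied from the table.

```javascript
// Added example: a URL-heuristic checker for the four anomaly classes recorded
// in the annex table (no https; long URL length; multiple TLDs; uses IP address).
// Not the thesis's own web app or extension code. Assumed, not from the thesis:
// the 60-character length threshold and the TLD token list below.

const LONG_URL_THRESHOLD = 60;                                   // assumption
const TLD_TOKENS = new Set(["com", "net", "org", "edu", "gov",   // assumption
  "co", "uk", "fr", "de", "au", "br", "kr", "nl", "cl"]);
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Returns the anomalies found in one URL, in a fixed order, or
// ["unparseable URL"] if the string cannot be parsed as a URL at all.
function urlAnomalies(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return ["unparseable URL"];
  }
  const found = [];
  if (url.protocol !== "https:") found.push("no https");
  if (raw.length > LONG_URL_THRESHOLD) found.push("long URL length");
  if (IPV4_RE.test(url.hostname)) {
    found.push("uses IP address");
  } else {
    // Drop the last two labels (the registrable suffix, e.g. "co.uk"); a TLD
    // token surviving in the remaining labels means a brand domain such as
    // "paypal.com" was spliced into the attacker's subdomain.
    const inner = url.hostname.split(".").slice(0, -2);
    if (inner.some((label) => TLD_TOKENS.has(label))) found.push("multiple TLDs");
  }
  return found;
}

// Counts how many of the given URLs show each anomaly.
function anomalyCounts(urls) {
  const counts = {};
  for (const u of urls) {
    for (const a of urlAnomalies(u)) counts[a] = (counts[a] || 0) + 1;
  }
  return counts;
}

// Constructed sample set: four URLs taken from the annex table plus one
// legitimate HTTPS control (the control is an assumption, not from the thesis).
const SAMPLE_URLS = [
  "http://bjxxhg.com/l0ginpaypaI/PayPal.co.uk/Pool%3D100/",
  "http://50.87.131.118/%7Evoice/https.verified.paylap.com.webapps.security.verifictionfaqid.856249782198732165798731657cmd/jss/9e2bf35a3b204e198eae52795928ef0f/",
  "http://mandl.edu/wpcontent/uploads/2014/02/halas/new_test",
  "http://paypal.com.cgi.bin.scoutshpen.com/4d2f9621b038043735a0b6a3798a98b3/",
  "https://www.paypal.co.uk/signin",
];

for (const u of SAMPLE_URLS) {
  console.log(u.slice(0, 60), "=>", urlAnomalies(u).join("; ") || "none");
}
console.log(anomalyCounts(SAMPLE_URLS));
```

Only the hostname is inspected for the multiple-TLD check, so the first sample (brand name "PayPal.co.uk" in the path, plain two-label host) is flagged only for missing HTTPS, which matches the table; the control "www.paypal.co.uk" is not flagged because "co" and "uk" are its genuine suffix and are dropped before the token scan.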
The CD-ROM includes the source code for the web app and for the Google Chrome extension developed in this work.