Abstract

Phishing attacks lure website users into visiting fake web pages and providing their personal information. Testing phishing websites, however, is challenging. Unlike traditional web-based program testing, we do not know the response to a form submission in advance. Little effort has been made to help anti-phishing professionals who manually verify a reported phishing site and take further action. Moreover, current tools cannot detect phishing attacks that leverage vulnerabilities in trusted websites, such as cross-site scripting: an attacker might generate input forms by injecting script code and steal credentials. To address these challenges, we propose testing suspected phishing websites based on a trustworthiness testing approach. (A preliminary version of this paper has been published in Shahriar and Zulkernine (2010) [44].) In trustworthiness testing, a website is not tested against a set of known inputs whose expected outputs are compared with the actual ones. Rather, we check whether the behavior (response) of the website matches our knowledge of phishing or legitimate website behavior to decide whether the website is phishing or legitimate. We consider a suspected website as a web-based program and test the program against a behavior model. The model is described using the notion of a Finite State Machine (FSM) that captures the submission of forms with random inputs and the corresponding responses. We then identify a number of heuristics, followed by a set of heuristic combinations, to assist a tester in deciding whether a website is phishing or legitimate based on its up-to-date behavior. We implement a tool named PhishTester to automate the testing process. We evaluate the proposed approach with both phishing and legitimate websites. The results show that the approach incurs zero false negatives and zero false positives in detecting phishing and legitimate websites, respectively.
Moreover, our approach can detect advanced XSS-based attacks that many contemporary tools currently fail to detect.
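The following is an added illustration of the trustworthiness-testing idea described above; it is not PhishTester's code and the paper's actual heuristics are not on this page. It drives a suspected site's forms with random inputs, records the observed responses as an FSM trace, and applies assumed heuristics to that trace. The response labels, the sensitive-field list, the three heuristics and the three site models (which stand in for live HTTP interaction) are all this example's own constructions.

```python
"""Trustworthiness-testing sketch: submit random inputs to a suspected site's
forms, record the responses as an FSM trace, and judge the trace against
assumed models of phishing and legitimate behaviour.  Illustrative example,
not the PhishTester implementation."""
import random
from dataclasses import dataclass

# Observable response classes (this example's own labels, not the paper's).
FORM, ERROR, REDIRECT_OTHER, ACCEPTED = "form", "error", "redirect_other_domain", "accepted"

# Field names this example treats as sensitive when a follow-up form asks for them.
SENSITIVE_FIELDS = {"card_number", "cvv", "ssn", "pin"}


@dataclass(frozen=True)
class Response:
    kind: str              # one of the labels above
    fields: tuple = ()     # input names when the response presents (another) form


def random_value(rng, length=10):
    """The tester knows no valid input, so every submitted value is random text."""
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(length))


def explore(site, rng, max_steps=4):
    """Walk the site's FSM: submit random inputs to whatever form the previous
    response presented, until a terminal response or the step limit is reached."""
    trace = []
    fields = ("username", "password")          # assumed initial login form
    for _ in range(max_steps):
        resp = site({f: random_value(rng) for f in fields})
        trace.append(resp)
        if resp.fields:                         # another form to exercise
            fields = resp.fields
        else:
            break                               # terminal state
    return trace


def phishing_indicators(trace):
    """Assumed heuristics: a site that never rejects random credentials, sends the
    user to another domain, or escalates to requesting sensitive fields."""
    kinds = [r.kind for r in trace]
    initial_fields = {"username", "password"}
    hits = []
    if ERROR not in kinds and (ACCEPTED in kinds or REDIRECT_OTHER in kinds):
        hits.append("random credentials accepted without rejection")
    if REDIRECT_OTHER in kinds:
        hits.append("redirected to another domain after submission")
    for r in trace:
        extra = SENSITIVE_FIELDS & (set(r.fields) - initial_fields)
        if r.kind == FORM and extra:
            hits.append("follow-up form requests sensitive fields: %s" % sorted(extra))
            break
    return hits


def classify(site, seed=1):
    """Combine the heuristics into a verdict; the seed only makes runs repeatable."""
    trace = explore(site, random.Random(seed))
    hits = phishing_indicators(trace)
    kinds = [r.kind for r in trace]
    if hits:
        verdict = "phishing"
    elif ERROR in kinds:
        verdict = "legitimate"     # unknown credentials rejected, as a real login does
    else:
        verdict = "undecided"      # nothing observed that matches either model
    return verdict, hits, kinds


# --- Constructed site models standing in for live HTTP interaction ----------

def legitimate_site(inputs):
    """A real login: unknown credentials are rejected and the form is shown again."""
    return Response(ERROR, fields=("username", "password"))


def phishing_site(inputs):
    """A credential-harvesting page: accepts anything, then asks for card data,
    then sends the victim on to the site it imitates."""
    if "card_number" in inputs:
        return Response(REDIRECT_OTHER)
    return Response(FORM, fields=("card_number", "cvv"))


def injected_form_site(inputs):
    """A form injected into a trusted page via script: accepts anything and
    redirects at once, so the tester never observes a rejection."""
    return Response(REDIRECT_OTHER)


if __name__ == "__main__":
    for name, site in [("legitimate", legitimate_site), ("phishing", phishing_site),
                       ("injected form", injected_form_site)]:
        verdict, hits, kinds = classify(site)
        print(f"{name}: {verdict} trace={kinds} indicators={hits}")
```

The point the sketch makes is the one the abstract draws: because a phishing page has no credential database, it cannot distinguish random input from a real victim's input, so its observable behavior after a random submission (acceptance, escalation, redirection) differs from a legitimate login's rejection. The injected-form model shows why the same test still applies when the form sits on a trusted domain: the verdict depends on the form's response, not on the hosting site's reputation.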
