Abstract
Phishing attacks rise in quantity and quality. With short online lifetimes of those attacks, classical blacklist based approaches are not sufficient to protect online users. While attackers manage to achieve high similarity between original and fraudulent websites, this fact can also be used for attack detection. In many cases attackers try to make the Internet address (URL) from a website look similar to the original. In this work, we present a way of using the URL itself for automated detection of phishing websites by extracting and verifying different terms of a URL using search engine spelling recommendation.
We evaluate our concept against a large test set of 8730 real phishing URLs. In addition, we collected scores for the visual quality of a subset of those attacks to be able to compare the performance of our tests for different attack qualities. Results suggest that our heuristics are able to mark 54.3% of the malicious URLs as suspicious. With increasing visual quality of the phishing websites, the number of URL characteristics that allow a detection increases, as well.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
PhishTank: Statistics about phishing activity and PhishTank usage, http://www.phishtank.com/stats.php (last accessed April 28, 2012)
Goodin, D.: Google bots detect 9,500 new malicious websites every day, http://arstechnica.com/security/2012/06/google-detects-9500-new-malicious-websites-daily/ (last visited July 12, 2012)
Google Inc.: Safe browsing API — google developers, https://developers.google.com/safe-browsing/ (last accessed April 28, 2012)
Hong, J.: The state of phishing attacks. Communications of the ACM (2012)
Zhang, Y., Egelman, S., Cranor, L., Hong, J.: Phinding phish: Evaluating anti-phishing tools. In: NDSS (2007)
Moscaritolo, A.: Number of phishing URLs at alltime high, http://www.scmagazine.com/number-of-phishing-urls-at-all-time-high/article/150010/ (last visited July 12, 2012)
Riden, J.: How fast-flux server networks work (2008), http://www.honeynet.org/node/132 (last visited July 12, 2012)
Whitten, A., Tygar, J.D.: Why johnny can’t encrypt: A usability evaluation of PGP 5.0. In: 8th USENIX Security Symposium (1999)
Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: CHI (2006)
Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: CHI (2006)
Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.C.: Client-side defense against web-based identity theft. In: NDSS (2004)
Zhang, Y., Hong, J.I., Cranor, L.F.: Cantina: a content-based approach to detecting phishing web sites. In: WWW (2007)
Phelps, T.A., Wilensky, R.: Robust hyperlinks cost just five words each. Technical Report (2000)
Xiang, G., Hong, J., Rose, C.P., Cranor, L.: CANTINA+: a feature-rich machine learning framework for detecting phishing web sites. ACM Transactions on Information and System Security (2011)
Krammer, V.: Phishing defense against IDN address spoofing attacks. In: PST (2006)
Gabrilovich, E., Gontmakher, A.: The homograph attack. Communications of the ACM (2002)
Gusfield, D.: Algorithms on strings, trees, and sequences: computer science and computational biology. Cambridge University Press (1997)
Lin, E., Greenberg, S., Trotter, E., Ma, D., Aycock, J.: Does domain highlighting help people identify phishing sites? In: CHI (2011)
Postel, J.: Domain Name System Structure and Delegation. RFC 1591, Informational (1994)
Mozilla Foundation: Public suffix list, http://publicsuffix.org/list/ (last accessed April 29, 2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Maurer, ME., Höfer, L. (2012). Sophisticated Phishers Make More Spelling Mistakes: Using URL Similarity against Phishing. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_31
Download citation
DOI: https://doi.org/10.1007/978-3-642-35362-8_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35361-1
Online ISBN: 978-3-642-35362-8
eBook Packages: Computer ScienceComputer Science (R0)