Detection of phishing pages based on interaction
Shani Mor Yossef, Reut Zeevi, Sivan Bachrach
What is phishing? Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by impersonating a benign website.
The problem Phishing attacks have grown drastically in recent years, and the need to detect phishing sites automatically has become critical. In this project we wish to implement a number of methods that interact with a site suspected of phishing and decide the probability of it being a phishing site, based on how the site behaves.
Our Goals • Examine the differences between the responses of benign and phishing sites. • Define the interactions we wish to test. • Execute the interactions.
Algorithm Flow • Look for an absolute identification of phishing • Fill inputs with suitable credentials and submit • Check website behavior
The distribution of results covers 120 URLs and is shown in the diagram. [Bar chart. Categories: No inputs to fill in first test, Phishing, No Decision. Bar values shown: 83, 25, 12.]
Phishing: request for private inputs at first url
Phishing: HTTP error after submit
Phishing: “login success” due to no input to fill
Phishing: “login success” due to private input request
Phishing: “login success” due to domain has been changed and got no error messages
Phishing: “login success” got existed user messages
Classified Phishing Decisions [Bar chart. Categories: “login success” due to domain has been changed and got no error messages; “login success” got existed user messages; “login success” due to private input request; “login success” due to no input to fill; HTTP error after submit; request for private inputs at first url. Bar values shown: 35, 15, 6, 7, 12, 8.]
Flowchart (decision boxes and outcomes shown on the slide):
• First check for HTTP error
• Is there any request for private inputs?
• Is there any input to fill?
• Fill inputs & submit
• Was data sent to the server? (analyzing HTML page elements) Yes if at least one of the following: URL has been changed; HTML elements have been changed; got POST request
• Was an HTTP error received?
• Is there an indication for “existed user”?
• “Login” success? Yes if at least one of the following: no inputs && no incorrect details msg; got request for private inputs; got indication for “existed user”; no incorrect details msg && domain has been changed
• Need to continue interaction with website?
• Outcomes: Phishing, No Decision
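The flowchart's rules for a single interaction round, written out as an added Python example (not the authors' code). The field names and the order of the checks are assumptions, and the "continue interaction" loop is left out.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """Signals from one interaction round; all field names are hypothetical."""
    private_inputs_first_url: bool = False  # first page asks for private inputs
    has_inputs: bool = True                 # first page has inputs to fill
    http_error: bool = False                # HTTP error after submit
    url_changed: bool = False
    html_changed: bool = False
    post_request: bool = False
    incorrect_details_msg: bool = False     # site rejected the credentials
    existing_user_msg: bool = False         # indication of "existed user"
    private_inputs_next: bool = False       # next page asks for private inputs
    inputs_next: bool = True                # next page still has inputs
    domain_changed: bool = False

def classify(o: Observation) -> str:
    # Assumed order of checks; the slide's flowchart edges are not all recoverable.
    if o.private_inputs_first_url:
        return "Phishing: request for private inputs at first url"
    if not o.has_inputs:
        return "No inputs to fill in first test"
    if o.http_error:
        return "Phishing: HTTP error after submit"
    # "Data was sent" if at least one of the three slide criteria holds.
    if not (o.url_changed or o.html_changed or o.post_request):
        return "No Decision"
    # "Login success" criteria, each mapped to its label from the slides.
    if o.existing_user_msg:
        return 'Phishing: "login success" got existed user messages'
    if o.private_inputs_next:
        return 'Phishing: "login success" due to private input request'
    if not o.incorrect_details_msg and not o.inputs_next:
        return 'Phishing: "login success" due to no input to fill'
    if not o.incorrect_details_msg and o.domain_changed:
        return ('Phishing: "login success" due to domain has been changed '
                'and got no error messages')
    return "No Decision"

# Constructed observations, not measurements from the project.
SAMPLES = {
    "rejects credentials": Observation(post_request=True, incorrect_details_msg=True),
    "redirects off-domain": Observation(url_changed=True, domain_changed=True),
    "error on submit": Observation(http_error=True),
}
if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(f"{name}: {classify(obs)}")
```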
The distribution of the benign pages results covers 50 URLs and is shown in the diagram. [Bar chart. Categories: False positive, No Decision. Bar values shown: 46, 4.]
Thank you “And may the odds be ever in your favor...”