16-04-2012, 04:30 PM
PhishTester: Automatic Testing of Phishing Attacks
Abstract
Phishing is a web-based attack in which users are lured to visit fake websites and provide their personal information. Traditional anti-phishing tools mitigate the attack only partially. Most of the tools focus on protecting users; however, little effort has gone into helping anti-phishing professionals who manually verify a reported phishing site and take further action. Moreover, current tools cannot detect phishing attacks that leverage vulnerabilities in trusted web applications, such as cross site scripting: an attacker might generate input forms by injecting script code and steal credentials. This paper attempts to address these issues by leveraging traditional web application testing methods, which can be seen as a complementary effort to current anti-phishing techniques. We consider a suspected website as a web application and test the application against a behavior model. The model is described using the notion of a Finite State Machine (FSM) that captures the submission of forms with fake inputs and the corresponding responses. We then identify several heuristic coverage criteria to detect inconsistencies that lead to the conclusion that a website is phishing or real. We implement a tool named PhishTester to automate the testing process. We evaluate the proposed approach with both phishing and real applications. The initial results show that the approach incurs negligible false negatives (less than 3%) and zero false positives for detecting phishing and real websites, respectively. The approach can complement current anti-phishing tools to discover advanced phishing attacks.
Keywords: Phishing, finite state machine, application behavior model, heuristic coverage, cross site scripting.
I. INTRODUCTION
Phishing is a web-based attack which lures end users to visit fraudulent websites and give away personal information (e.g., user id, password). The information is then used to perform illegitimate activities, such as unauthorized online banking [12]. Phishing attacks cost business organizations and end users billions of dollars in losses [28]. The attack jeopardizes the prospects of e-commerce industries. Therefore, addressing phishing attacks is important.
Phishers perform two main activities to make an attack successful: (i) developing fraudulent websites, and (ii) motivating (or urging) users to visit those sites. The fake websites mimic the look and feel of legitimate websites owned by organizations such as banks, credit unions, and governments. Phishers download pages of legitimate websites and modify some parts of these pages; in particular, they modify the pages that contain forms to be filled out by end users. The modification results in user-provided information being sent to repositories accessible by attackers. The mechanism that invites users to visit fraudulent sites is based on email messages. These emails urge or prompt users to take immediate action to avoid consequences such as bank account suspension.
Many approaches and tools have been developed in recent years to combat phishing attacks. These include detecting suspicious websites with heuristics (e.g., [1, 3, 5, 7]), educating and training users to avoid phishing attacks [30], compiling white lists [21, 22] and blacklists [23], filtering emails that contain suspected URLs [11, 17], and customizing visual cues to distinguish real websites from fake ones [24]. Most popular browsers (e.g., Firefox, Internet Explorer) have built-in phishing detection based on white- and blacklisted web sites. However, phishers may exploit cross site scripting (XSS) vulnerabilities to inject script code that generates HTML forms [16] or frames containing input forms [31, 38]. Unfortunately, traditional anti-phishing solutions cannot detect these sophisticated attacks. Moreover, there exists no approach for anti-phishing professionals, who manually verify suspected websites and inform administrators to take down the fake sites. The time gap between uploading a fake site and taking it down is currently long enough (around 4-5 days) to lure a number of victims into giving away information [7]. This situation motivates us to devise a passive testing approach for phishing website detection. We believe that an approach focused on testing phishing sites can reduce the number of victims and prevent real web sites from being taken down unnecessarily.
In this paper, we propose a testing approach to detect phishing websites. We are motivated by a number of observations. First, phishing websites can be considered web applications. Given a URL, one can consider the site to be a collection of web pages; we denote this set of pages as a web application. We assume that a phishing application implements functionalities just like a real web application. As the intention of phishers is to grab personal information, phishers modify real web application pages, for example by replacing a form's target URL with one of their choosing. While doing so, phishers introduce inconsistencies in terms of application behavior (i.e., acceptance of arbitrary inputs) and page navigation (e.g., a form submission might result in a page that provides no links to traverse to any other page). We consider such inconsistencies as faults. Thus, our aim is to test a suspected web application for phishing by revealing these inconsistencies.
2010 Fourth IEEE International Conference on Secure Software Integration and Reliability Improvement
978-0-7695-4086-3/10 $26.00 © 2010 IEEE
DOI 10.1109/SSIRI.2010.18
Web application testing consists of two main phases: (i) develop a behavior model of an application under test based on available artifacts (e.g., source code, specification), and
(ii) define appropriate test coverage criteria to generate test cases that expose implementation faults with high probability. Unfortunately, traditional web application models (e.g., [19, 35]) cannot be directly applied to model the behavior of phishing web applications, as we do not have program artifacts available (e.g., the dynamic script code employed by a phishing site). Moreover, the test coverage criteria defined in these works are not suitable for detecting phishing web applications, as we do not know what kind of suspected forms are present unless we visit the suspected pages. To address these challenges, we first model the behavior of suspected phishing web applications through a Finite State Machine (FSM) based on known phishing behaviors. We then propose five test coverage criteria (denoted as heuristic coverage criteria) based on the FSM model. While an application is being tested with random inputs, it is marked as phishing or real if a particular heuristic is satisfied. If no criterion is satisfied, manual checking is required for the final decision. Our approach does not depend on any updated black or white lists. Moreover, it is independent of the language and textual contents of websites, whereas many traditional phishing detection tools can only analyze web page contents or search results that are presented in English [7]. We implement and evaluate a prototype tool, named PhishTester, to automate the testing of a website for phishing.
The paper is organized as follows. Section II gives an overview of phishing attack methods. Section III describes related work on detecting phishing web pages and testing web applications. Section IV describes the proposed behavior model along with the heuristic coverage criteria. Section V discusses the implementation and evaluation results of PhishTester. Finally, Section VI draws conclusions and discusses future work.