TRIBHUVAN UNIVERSITY

INSTITUTE OF ENGINEERING
PULCHOWK CAMPUS

Problems in Web Browser's Inbuilt Anti-Phishing Techniques and their Solutions

By
Rajendra Bahadur Thapa

A THESIS
SUBMITTED TO DEPARTMENT OF MECHANICAL ENGINEERING
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE
DEGREE OF MASTER OF SCIENCE IN
TECHNOLOGY AND INNOVATION MANAGEMENT

DEPARTMENT OF MECHANICAL ENGINEERING


LALITPUR, NEPAL

February, 2014

COPYRIGHT
The author has agreed that the library, Department of Mechanical Engineering,
Pulchowk Campus, Institute of Engineering may make this thesis freely available
for inspection. Moreover, the author has agreed that permission for extensive
copying of this thesis for scholarly purpose may be granted by the professor(s)
who supervised the work recorded herein or, in their absence, by the Head of the
Department wherein the thesis was done. It is understood that the recognition will
be given to the author of this thesis and to the Department of Mechanical
Engineering, Pulchowk Campus, Institute of Engineering in any use of the
material of this thesis. Copying or publication or other use of this thesis for
financial gain without approval of the Department of Mechanical Engineering,
Pulchowk Campus, Institute of Engineering and the author's written permission is
prohibited. Requests for permission to copy or to make any other use of the
material in this thesis in whole or in part should be addressed to:

Head
Department of Mechanical Engineering
Pulchowk Campus, Institute of Engineering
Lalitpur, Kathmandu
Nepal

TRIBHUVAN UNIVERSITY
INSTITUTE OF ENGINEERING
PULCHOWK CAMPUS
DEPARTMENT OF MECHANICAL ENGINEERING
The undersigned certify that they have read, and recommended to the Institute of
Engineering for acceptance, a thesis entitled "Problems in Web Browsers' Inbuilt
Anti-Phishing Techniques and their Solutions" submitted by Rajendra Bahadur
Thapa in partial fulfillment of the requirements for the degree of Master of Science in
Technology and Innovation Management.
______________________________
Supervisor, Dr. Jyoti Tandukar
Associate Professor,
IOE, Pulchowk Campus
_______________________________
External Examiner,
..

Committee Chairperson,
Name.
Title
Department of Mechanical
Engineering
Date .....................................................

ABSTRACT
Phishing is a form of crime in which identity theft is accomplished by use of
deceptive electronic mail and a fake site on the World Wide Web. Phishing threatens
financial institutions, retail companies, and consumers daily, and phishers remain
successful by researching anti-phishing countermeasures and adapting their attack
methods to the countermeasures, either to exploit them or to circumvent them
completely.
This study attempts to identify solutions to phishing. It consists of an experiment on
browsers' inbuilt phishing detection systems, using walk-through inspection and batch
scripts to analyse problems in them; a meta-analysis of phishing anomalies in
various research works; an experimental quiz on phishing detection, given to users
through a web application developed for the purpose; the development of a model for
phishing prevention; and verification of the proposed model with an extension made
for use in Google Chrome.
The experiment used 96 samples of phishing websites from phishtank.com in the 5 most
used browsers (Internet Explorer, Google Chrome, Mozilla Firefox, Safari and Opera).
The results show that they can detect 85% of the phish websites with their inbuilt
anti-phishing system on average. Browsers don't provide solutions after detecting
phishing websites, which is the main problem in the existing anti-phishing systems in
the browsers.
The experiment done through the web application quiz showed that users find it most
difficult to detect misspelled/derived names in URLs, URLs using http in place of
https, and URLs using multiple Top Level Domains (TLD). An anti-phishing solution
model consisting of a white list and a heuristic approach has been developed, in which
the aforementioned anomalies in the URL are taken into consideration. An extension
plug-in for Google's Chrome browser was developed and tested with different test cases
covering the problems in browsers' anti-phishing systems and the most severe anomalies
in the URL. The proposed model was tested with phishing sites from PhishTank (96 with
the lack-of-SSL anomaly, 66 with lengthy URLs, 39 with multiple TLDs, etc.) and
detected all the phishing websites, whereas Google Chrome detected 86 of them. The
lack of SSL was seen in all the phishing websites, and awareness regarding SSL could
definitely prevent users from phishing.

ACKNOWLEDGEMENT
For the completion of this thesis, different people from different sectors, professionals
and non-professionals, helped to their limit. I would like to thank them all for
devoting their valuable time to this study. I would like to express my heartfelt
gratitude to my supervisor, Dr. Jyoti Tandukar, for his guidance and encouragement
throughout my graduate study. His expert knowledge and advice guided me through
this thesis, without which I would not have been able to get to this point.
I would like to express my very special thanks to our Program Coordinator of
Masters of Science in Technology and Innovation Management, Prof. Amrit Man
Nakarmi, for his valuable time and for coordinating us for the completion of this thesis. I
would like to thank Dr. Rajendra Shrestha, Head of Department of Mechanical
Engineering, Pulchowk Campus, for his regular inspiration and motivation for the
project. I would also like to thank the core member groups of the Technology and
Innovation Management Program; without them I would not have got the courage for the
completion of the thesis.
I would like to express my gratitude to DIGP Mahesh Singh Kathayat, Ins. Pashupati Ray, Mr.
Shreeniwas Sharma, Mr. Ashish Bhandari, Mr. Sunil Chaudary and others who were
involved and helped directly or indirectly in the completion of the thesis. I am thankful to
Upveda Technology Pvt. Ltd, Jwagal for providing web app hosting support for the
thesis.
Finally, I would like to express a bouquet full of thanks to all my colleagues of
Technology and Innovation Management and all the friends of Pulchowk Engineering
Campus, IOE. And I cannot forget my family members for their full support to
complete my thesis.

TABLE OF CONTENTS

COPYRIGHT
ABSTRACT
ACKNOWLEDGEMENT
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATION

CHAPTER ONE: INTRODUCTION
1.1 Background
1.2 Problem Statement
1.3 Objective of the Study
1.4 Research Questions
1.5 Scope and Limitation of the study
    1.5.1 Scope
    1.5.2 Limitation
1.6 Organization of Thesis

CHAPTER TWO: LITERATURE REVIEW
2.1 Phishing
2.2 Methods of Phishing Attacks
2.3 Phishing Medium
    2.3.1 Phishing via Social Media
    2.3.2 Phishing via Mobile
    2.3.3 Phishing via Apps
2.4 Phishing: International Scenario
2.5 Phishing in Nepal
    2.5.1 Incident 1: Nabil Bank
    2.5.2 Incident 2: Nepal Investment Bank
    2.5.3 Incident 3: Bank of Asia
    2.5.4 Incident 4: Nepal SBI Bank
2.6 Phishing Prevention System
    2.6.1 List Based Methods
    2.6.2 Heuristic Method
2.7 Anti Phishing Techniques in Web Browsers
    2.7.1 Google Chrome
    2.7.2 Mozilla Firefox
    2.7.3 Internet Explorer
    2.7.4 Opera
    2.7.5 Safari
    2.7.6 Summary of technology used by anti phishing systems in browsers
2.8 Problems in Browsers Inbuilt Phishing Prevention Systems
2.9 Organization Working against Phishing
    2.9.1 APWG (Anti phishing Working Group)
    2.9.2 PhishTank
2.10 Phishing prevention as a social aspect
2.11 Past research on phishing detection model

CHAPTER THREE: METHODOLOGY
3.1 Research Design
3.2 Sources of Data
3.3 Methodology Insight
3.4 Experimental Research for phishing detection in browser
    3.4.1 Size of the sample of phishing websites
    3.4.2 Pre-validation of the setup
3.5 Development of model and its validation
    3.5.1 Selection of anomalies through web app
    3.5.2 Development of model
    3.5.3 Validation of the anti phishing solution model
3.6 Tools and Technologies Used
3.7 Accessing the Web Application and chrome extension/plug-in
    3.7.1 Accessing the Web Application
    3.7.2 Assessing the Extension/Plug-in for Google chrome

CHAPTER FOUR: DATA ANALYSIS / RESULTS
4.1 Detection of phishing websites
4.2 Experimental Analysis
    4.2.1 Results of Phishing Anomalies in the URL
    4.2.2 Development of Anti Phishing Model
    4.2.3 Test Results and Analysis
4.3 Solutions

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.1 Conclusion
5.2 Recommendation
5.3 Future Research Work

REFERENCES

LIST OF FIGURES
Figure 1 Cyber crime statistics in Nepal
Figure 2 Internet users in Nepal
Figure 3 Social media network users
Figure 4 Fake PayPal for mobile (left) vs legitimate site (right)
Figure 5 Phishing attacks per year
Figure 6 Daily submitted phishes
Figure 7 Daily verified phishes
Figure 8 Phishing email for the customers of Nepal SBI bank
Figure 9 Classification of phishing prevention system
Figure 10 World map according to the use of browsers
Figure 11 Global statistics of browsers users
Figure 12 Statistics of percentage of browser user in Nepal
Figure 13 Phishing detection in Google Chrome
Figure 14 Anti phishing setting in Mozilla Firefox
Figure 15 Enabling SmartScreen filter (IE 8)
Figure 16 Phishing detection in IE 8 after using SmartScreen filter
Figure 17 Phishing detection in Opera browser
Figure 18 Checking enable or disable of anti-phishing in Safari browsers
Figure 19 Phishing detection in Safari
Figure 20 SSL lock icon in Gmail
Figure 21 Model of research process
Figure 22 Research Methodologies in block diagram
Figure 23 Existing phishing prevention systems
Figure 24 Proposed phishing prevention system
Figure 25 Implementation of the model
Figure 26 Installation of plugin/extension in Google Chrome
Figure 27 Output of Web App
Figure 28 Result from web app for recognizing phish site and real site
Figure 29 Detail diagram of proposed phishing prevention system
Figure 30 Educative message provided by the model
Figure 31 Solutions advised by the model
Figure 32 Test Result (n = 96 websites) of the Model
Figure 33 Information revealed from advice legitimate solution by the model
Figure 34 Analysis of solution on IP addresses

LIST OF TABLES
Table 1 Anomalies found in the URL
Table 2 Messages seen after malware detection in chrome
Table 3 Technologies used by anti phishing system in browsers
Table 4 Sampling Methodology
Table 5 Environmental variables for experimental test for detection of phishing
Table 6 Anomalies in the URL and target brands and organizations
Table 7 List of Messages disseminated to alert users about their mistakes
Table 8 Tools and Technologies used
Table 9 Result of Detection of phishing sites by browsers
Table 10 Rank of Anomalies in the URL based on mistakes from the test users
Table 11 Solutions provided by the tools developed
Table 12 The Chi-Square Test for detection of phishing website
Table 13 T-Test calculation for detection of phishing websites by browsers

LIST OF ABBREVIATION
API      Application Programming Interface
Apps     Applications
APWG     Anti Phishing Working Group
ATM      Automatic Teller Machine
CCPM     Computer Crime Prevention Model
CERT     Computer Emergency Response Team
CMU      Carnegie Mellon University
CSIRT    Computer Security Incident Response Team
DIGP     Deputy Inspector General of Police
FINRA    Financial Industry Regulatory Authority
FIRST    Forum of Incident Response and Security Team
HTML     Hypertext Markup Language
ICANN    Internet Corporation for Assigned Names and Numbers
ICT      Information and Communication Technology
IE       Internet Explorer
IP       Internet Protocol
IS       Information System
ISP      Internet Service Provider
IT       Information Technology
JSON     JavaScript Object Notation
MPCD     Metropolitan Police Crime Division
MS       Microsoft
MTPD     Metropolitan Traffic Police Division
NG       Not Good
NIBL     Nepal Investment Bank Limited
NST      Nepal Standard Time
PIN      Personal Information Number
SEI      Software Engineering Institute
SMS      Short Messaging Service
TIM      Technology and Innovation Management
TLD      Top Level Domain
URL      Uniform Resource Locator
W3C      World Wide Web Consortium
WOT      Web of Trust

CHAPTER ONE
INTRODUCTION
1.1 Background

With the enormous advancement in Information and Communication Technologies,
computers and related technologies are now being used in almost all walks of life.
Computers today touch every aspect of society including the financial industry,
manufacturing industry, universities, insurance companies, law enforcement, and
governmental agencies. There are numerous benefits of these technologies in every
sector. Along with the benefits, there are several issues, complications and crimes
associated with these technologies.
Wide popularity in the usage of Information and Communication Technologies (ICT)
has enabled criminals to use them in illegitimate ways (Sen & S, 2001). While
technologies including the Internet open doors to numerous opportunities for
enterprises, they also have a dark side, which involves not only hacking and cracking,
fraud and theft, pervasive pornography, pedophile rings etc. but also includes
extortion, money laundering, pirating, corporate espionage, drug trafficking and
criminal organizations (South Asia Partnership, 2007).
Cybercrime is rapidly taking root even in developing countries like Nepal. Figure 1
shows the statistics of cybercrime in Nepal (Cybercrime Division Nepal Police).
Nepal police handled 15 cases of cyber crime in fiscal year 2067/68, 46 cases in
2068/69 and 78 in the current fiscal year (2069/70). Cybercrimes dealing with insults
on social networking sites, abuse of photographs, etc. do not seem to be a big issue
in Nepal, where political instability and other criminal activities regularly challenge
the law enforcing agencies.

[Figure 1: bar chart titled "Cyber Crime In Nepal", comparing fiscal years 2067/68,
2068/69 and 2069/70. Source: Nepal Police Crime Division, Hanumandhoka]

Figure 1 Cyber crime statistics in Nepal


Technical human resources in the law enforcing agencies have to be developed to
tackle the accelerating computer crimes in Nepal. Rationally, as most of the
processes in organizations are automated through computers, the crime associated
with them will also scale. There has to be systematized monitoring of crimes borne
from the social networking sites, ATM frauds, etc.
The development of a Computer Crime Prevention Model (CCPM) is imperative. This
research particularly deals with the prevention model for a category of computer
crime called phishing. Phishing involves various readily available tools and techniques,
which are studied extensively through literature and case studies. The research
also analyzes problems of the existing system and proposes a validated Anti-Phishing
Model.
1.2 Problem Statement

Phishing threatens financial institutions, retail companies, and consumers' cyber
activities daily. Phishers remain successful by researching anti-phishing
countermeasures and adapting their attack methods to exploit the aforementioned
organizations and completely circumvent them. As people increasingly rely on the
Internet to do business, Internet fraud becomes an apparent threat to people's Internet life.
Internet fraud uses misleading messages online to deceive human users into forming a
wrong belief and then to force them to take dangerous actions that compromise their own
or other people's welfare.
The number of internet users in Nepal is increasing rapidly, in a double exponential
manner (Annex 2). It is forecast that there will be 18% internet users by 2015 and 25%
by 2018. With this rapid growth of internet users, the crimes related to the internet
will also increase.

[Figure 2: chart titled "Internet users population of Nepal"; vertical axis:
Percentage of Population; horizontal axis: year, 1980 to 2030]

Figure 2 Internet users in Nepal. Source: (The World Bank, 2013)


In addition, financial institutions are flourishing in Nepal. The banking and business
scenarios in Nepal are gradually changing with the enormous application of ICT in
their businesses. These institutions are using ICT in different forms to serve their
customers. More people are adopting internet and mobile to perform
their transactions in these institutions. On the other hand, these technologies are
susceptible to phishers. These changing scenarios have also attracted
many cybercriminals (Pritush, 2012; Shrestha, 2013).
Some incidents and phish scams are already seen in the police record. The prevention
of phishing is very important, and localization of the solution will provide better
assurance to the Nepalese people. There are several anti-phishing solutions available;
in fact, all the popular web browsers come with inbuilt anti-phishing solutions. There
is no complete measure to stop or prevent Internet users falling prey to phishing
attacks (Dhamija, Tygar, & Hearst, 2006). Every year Internet users lose hundreds of
millions of dollars to phishing attacks (APWG, 2013). In the case of Nepal, where
computer literacy is very low, getting internet users to install an anti-phishing
solution can be cumbersome due to limited knowledge and utility of these tools.
Therefore, such internet users should be provided with effective inbuilt
anti-phishing solutions in browsers.
1.3 Objective of the Study

The main objective of the study is:
1) To propose a phishing prevention model that increases user awareness
The specific objectives of the study are:
1) To study phishing detection in web browsers.
2) To explore problems in web browsers' inbuilt anti-phishing techniques.
3) To identify URL anomalies that are likely to confuse users in phishing
websites.
4) To ensure a higher level of protection against phishing through user awareness

Research Questions

For satisfying the objective of the study, the following research questions are prepared.
1) What are the problems in web browsers anti phishing system?
2) How can technology intervene to increase user awareness so that users are not
misled by phishing sites?
1.5 Scope and Limitation of the study

1.5.1 Scope

The scope of this study is stated below:
1) It makes internet users aware of phishing.
2) It improves phishing detection.
3) It protects internet users from falling to phishing attacks and saves money as well
as resources.
1.5.2 Limitation

The study is done for the fulfilment of the MSTIM program. There are some limitations
of the study. The limiting factors are as follows:
1) The phishing websites taken from phishtank.com are from only one day, so the
sample lacks variety in phishing websites.
2) It is valid for login pages or other pages which ask for confidential information,
e.g., PIN code, banking information, social security, etc.
1.6 Organization of Thesis

The report is organized in six chapters that are linked to the issues in relation to the
study. It also includes information from various sources related to the study.
Chapter One gives the background of the study, its rationale, objectives and research
questions.
Chapter Two includes a literature review on phishing, methods of phishing,
phishing types, phishing detection tools and techniques, browsers' anti-phishing tools,
etc.
Chapter Three reviews the research methodology used in the study. It elaborates the
expert survey method and experimental methods used, ways of collecting data,
development of the anti-phishing model and the experimental setup with test case
development for the verification of the model.
Chapter Four analyzes the different browsers' anti-phishing systems and their detection
of phishing websites. It presents the results from the users accessing the web
application, based on the anomalies in the URLs. With these experimental results and
based on the meta-analysis of phishing detection, a solution model for Nepal is
proposed. This model is verified by developing an extension plug-in in Google Chrome.
The results are analyzed in this part.
Chapter Five contains Conclusion and Recommendation.

CHAPTER TWO
LITERATURE REVIEW
2.1 Phishing

Phishing is a criminal, fraudulent mechanism which uses the Internet to acquire
susceptible personal information, such as usernames, passwords or credit card details,
by masquerading as a reliable business website or electronic communication (Frost &
Sullivan, 2009). It is derived from "fishing". Phishing (also called brand spoofing) is
a term used for a sort of fraud where phishers send out spoof email to a random
database to fool the recipient into divulging personal information like credit card
details, usernames and passwords, that can be used for identity theft. Phishing is one
of the most well known and fastest growing scams on the Internet today (Singh,
2007). According to Kay, phishing is a technique used to gain personal information
for purposes of identity theft, using fraudulent e-mail messages that appear to come
from legitimate businesses. These authentic-looking messages are designed to fool
recipients into divulging personal data such as account numbers and passwords, credit
card numbers and Social Security numbers (Kay, 2004).
PhishTank explains phishing as a fraudulent attempt, usually made through email, to
steal personal information. The best way to protect users from phishing is to learn
how to recognize a phish. Phishing emails usually appear to come from a well-known
organization and ask for personal information such as credit card numbers, social
security numbers (USA), account numbers or passwords. Often phishing attempts
appear to come from sites, services and companies with which users do not even have
an account. In order for Internet criminals to successfully "phish" personal
information, they must lure the users from an email to a website. Phishing
emails will almost always tell the users to click a link that takes them to a site where
users' personal information is requested. Legitimate organizations would never
request this information via email (PhishTank, 2013).

2.2

Methods of Phishing Attacks

Singh mentions four main techniques of phishing. These techniques are briefly
described below (Singh, 2007):

Dragnet: This method involves the use of spammed e-mails, bearing falsified
corporate identification (e.g., corporate names, logos and trademarks), which are
addressed to a large group of people (e.g., customers of a particular financial
institution or members of a particular auction site) and lead to websites or pop-up
windows with similarly falsified identification. Dragnet phishers do not identify
specific prospective victims in advance. Instead, they rely on false information
included in an e-mail to trigger an immediate response by victims, typically clicking
on links in the body of the e-mail that take the victims to the websites or pop-up
windows where they are requested to enter bank or credit card account data or other
personal data.

Rod-and-Reel: This method targets prospective victims with whom initial contact has
already been made. The specific prospective victims so defined are targeted with false
information intended to prompt their disclosure of personal and financial data.

Lobsterpot: This method consists of the creation of websites similar to legitimate
corporate websites, aimed by phishers at a narrowly defined class of victims. A smaller
class of prospective victims is identified in advance, but there is no triggering of
victim response. It is enough that the victims mistake the spoofed website for a
legitimate and trustworthy site and provide personal data.

Gillnet: In gillnet phishing, phishers introduce malicious code into emails and
websites. They can, for example, misuse browser functionality by injecting hostile
content into another site's pop-up window. Merely by opening a particular email, or
browsing a particular website, Internet users may have a Trojan horse introduced into
their systems. In some cases, the malicious code will change settings in users'
systems, so that users who want to visit legitimate banking websites will be redirected
to a lookalike phishing site. In other cases, the malicious code will record users'
keystrokes and passwords when they visit legitimate banking sites, then transmit those
data to phishers for later illegal access to users' financial accounts.

In all these techniques, the phishing schemes typically rely on three basic
elements. First, phishing solicitations often use familiar corporate trademarks and
trade names, as well as recognized government agency names and logos. Second, the
solicitations routinely contain warnings intended to cause the recipients immediate
concern or worry about access to an existing financial account. Third, the solicitations
rely on two facts pertaining to authentication of the e-mails: (1) online consumers
often lack the tools and technical knowledge to authenticate messages from financial
institutions and e-commerce companies; and (2) the available tools and techniques are
inadequate for robust authentication or can be spoofed.

2.3 Phishing Medium

The Internet is a playground for phishers. It is mainly accessed through web
browsers. The history of phishing dates back to 1985 in AOL mail, where a phisher
posed as an AOL staff member and sent an instant message to a victim, asking the
victim to reveal his/her password (Wordspy.com). With the use of the Internet for social
networking, mobile and apps, these are also becoming a medium for phishers to find prey.

2.3.1 Phishing via Social Media

The number of social network users worldwide will rise from 1.47 billion in 2012 to
1.73 billion in 2013, an 18% increase year on year (YoY), and by 2017 the
number of users globally will total 2.55 billion (Sigsworth, 2013).

Figure 3 Social media network users Source: (Sigsworth, 2013)


Data collected from Fortune's Global 100 revealed that more than 50% of companies
said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for
example, has increased nearly 10 times since 2008, with over 7 billion unique visitors
per month worldwide. Twitter shows that the number of members increased by a
factor of five over the same period, boasting over 555 million regular users. (EMC
Corporation, Jan, 2013)
With the world turning into a smaller and more social village than ever,
cybercriminals are by no means staying behind. They follow the money, and so as user
behavior changes, RSA expects cybercriminals to continue following their target
audience to the virtual hot-spots. According to a Microsoft research study, phishing
via social networks in early 2010 was only used in 8.3% of the attacks; by the end of
2011 that number stood at 84.5% of the total. Phishing via social media increased
through 2012, jumping as much as 13.5% in one month considering Facebook alone.
Another factor affecting the success of phishing via social media is the vast popularity
of social gaming, an activity that brought payments into the social platform. Users
who pay for gaming will not find it suspicious when they are asked for credit card
details and personal information on the social network of their choice. (EMC
Corporation, Jan, 2013)

2.3.2 Phishing via Mobile

Mobile phishing is an emerging threat targeting the customers of popular financial
entities. By the end of 2012, we already saw 4,000 mobile phishing URLs,
representing less than 1% of all our phishing URL detections. Of the total combined
URLs used in phishing attacks against the top targeted entities, 7% were mobile
URLs. (Trend-Micro, Feb, 2013)
The most prominent market trends relevant to the mobile channel have to do with the
growth in mobile device usage in both our personal and work life and the pivotal role
of mobile apps. RSA expects to see more phishing directed at mobile device users,
particularly smart phones, as we move into 2013. Varying social engineering schemes
will target users by voice (vishing), SMS (smishing), app-based phishing (rogue
apps), as well as classic email spam that users will receive and open on their mobile
devices. (EMC Corporation, Jan, 2013)
Cybercriminals launch mobile phishing attacks because they can take advantage of
certain limitations of the mobile platform. A mobile device's small screen size, for
example, inhibits the mobile browser's ability to fully display any anti-phishing
security elements a website has. This leaves users no way to verify if the website
they're logging in to is legitimate or not. (Trend-Micro, Feb, 2013)

Figure 4 Fake PayPal for mobile (left) vs legitimate site (right) Source: (Trend-Micro,
Feb, 2013)

2.3.3 Phishing via Apps

Apps are the central resources for smartphone users, and the overall popularity of
apps will make them just as trendy with cybercriminals.
Nowadays, users download apps designed for just about any day-to-day activity, with the
most prominent of those being gaming, social networking and shopping apps. To date,
both Apple and Google have surpassed 35 billion app downloads each from their
respective stores. According to research firm Gartner, this number will grow to over
185 billion by 2015 (EMC Corporation, Jan, 2013). In Nepal also, there are familiar
day-to-day apps for the Nepali calendar (Hamro Patro), load shedding schedule (Batti
Gayo), iMusic, news of Nepal, etc., which are becoming part of day-to-day
activities. (Techsansar.com, 2013)
In 2013 organizations will continue to aggressively tap into this growing market and
respond by further moving products and services to this channel, delivering
specialized small-screen adaptations for web browsing and developing native apps
that supply mobile functionality and brand-based services to enable customers'
anywhere-anytime access.
Cybercriminals will focus on apps in order to deliver phishing, conceal malware,
infect devices and steal data and money from users of different mobile
platforms. (EMC Corporation, Jan, 2013)
Google's Android market has a developer-friendly reputation, with open source code
and no strict Apple-like approval process before developers can sell their software.
Sometimes that openness is used for nefarious purposes, though, and malware creeps
in. Just recently, the Android Market was hit with its first phishing attack, via some
apps that used fairly standard tactics of mimicking bank websites to deceive users into
entering their passwords. (Hathaway, 2010)

2.4 Phishing: International Scenario

The total number of phishing attacks in 2012 was 59% higher than 2011. It appears
that phishing has been able to set another record year in attack volumes, with global
losses from phishing estimated at 1,5 billion in 2012. This represents a 22% increase
from 2011. (EMC Corporation, Jan, 2013)

Figure 5 Phishing attacks per year Source: (EMC Corporation, Jan, 2013)
PhishTank lists links to phishing websites. According to the statistics of phishtank.com,
there are 1,206,474 valid phishes, out of which 12,745 are online (PhishTank.com,
2013).

Figure 6 Daily submitted phishes Source: (PhishTank.com, 2013)

Figure 7 Daily verified phishes Source: (PhishTank.com, 2013)


One creative phishing attack offered Australian tax payers a special printable form to
access their refund payments. After the victim entered their sensitive financial
information into the form and clicked print, their private data was sent to the
cybercriminals. Fortunately, the Australian tax authorities discovered the fraud and
worked diligently to shut down the servers hosting the attack. (Merritt, 2009)

2.5 Phishing in Nepal

The number of internet users in Nepal is increasing in a double exponential manner. It is
forecast that there will be 18% internet users by 2015 and 25% by 2018. Phishing
incidents are being registered in the Nepal Police Crime Division (Figure 1). Some of
the cases which came up in the media are highlighted below.

2.5.1 Incident 1: Nabil Bank

The incident was posted on ekantipur.com (Shrestha, 2013). Naresh Lamgade of
Anarmani, Jhapa allegedly hacked into the accounts of Nabil Bank's customers by
creating a fake website of the bank. The phisher sent email messages to Nabil's
e-banking customers asking them to change their security codes and providing links to
do so. The link led to the fake e-banking website of Nabil Bank. Upon entering
their identity and password, the customers unsuspectingly revealed their private login
details to the phisher.
Using the details obtained by phishing, Lamgade withdrew money from the accounts
of Nabil's clients. According to the police, Lamgade has admitted that he obtained
Rs 32,000 from the accounts of Nabil's clients, while the bank has claimed that he has
taken Rs 50,000.

2.5.2 Incident 2: Nepal Investment Bank

According to Shrestha (2013), the customers of Nepal Investment Bank Limited
(NIBL) got emails stating that their e-banking accounts had been disabled and telling
them to go to a given link to enable them to ask for a new identity and password. As
its customers clicked on the link, they were informed that the account was being enabled.
But it was just an attempt to dupe these customers and collect their e-banking account
details. As a result, Rs 1.2 million of active depositors of NIBL was stolen, as the one
who sent the email got access to the password of the bank's client (Shrestha, 2013).
The Central Investigation Bureau (CIB) of the Nepal Police was investigating the
incident. The police said that the IP address of the email is from outside the country.
However, the issue has got less priority as the bank has not yet lodged a formal complaint
on the issue, said a CIB official.
2.5.3 Incident 3: Bank of Asia

A customer having an e-banking account with the Bank of Asia (BoA) received an email
telling him to change the security code of his account (Shrestha, 2013). The
customer, who is also an employee of NMB Bank, asked the BoA why they had sent
such an email. After finding out that a fake email had been sent to its customer, the
BoA lodged a complaint at the cyber crime cell of Metropolitan Police Range,
Hanuman Dhoka.
Shrestha states that not all the incidents of phishing have been reported so far. So
there might be many other cases of phishing and many losses which have not been lodged
or are not yet known.

2.5.4 Incident 4: Nepal SBI Bank

Online Internet banking is a fairly new topic among Nepali internet users.
Currently lots of Nepali users are getting phishing emails which claim to be from
reputed banks like Nepal Investment Bank, SBI Bank, Nabil Bank etc. (Pritush, 2012).
The email warns you that your account has been suspended and that to
reactivate it you have to go to the web address listed in the email and enter your
password. Below we have attached some pictures of phishing emails you might
receive. Before logging in, check that the address is the bank's and that the connection
is secure (https).

Figure 8 Phishing email for the customers of Nepal SBI bank Source: (Pritush, 2012)

2.6 Phishing Prevention System

Phishing prevention systems build awareness of potential phishing attempts and
develop and promote innovative technology solutions that help protect users
against phishing. They implement prevention and detection measures. The prevention
measures focus on practices and technical solutions that either reduce the frequency
of phishing attempts users receive or educate users so that they are less likely to
respond to phishing attempts (American Bankers Association, 2005). There are a
number of techniques that can be used in prevention systems; however, the most
reliable is educating the users. The other is detection measures, which include the
techniques and tools used to detect phishing. There is no standard solution to
address and manage phishing attacks; however, any solution that attempts to
approach phishing in a holistic way needs to focus on both consumer and business
audiences to help create a trustworthy e-commerce system in which all parties are
protected and aware of potential hazards (Microsoft, 2005).
Phishing prevention systems can broadly be classified into Technical and
Non-Technical types. The technical type can be further sub-classified into list based
methods and heuristic methods (Chaudhary, 2012). The non-technical type comprises
Education and Awareness, which is placed in this classification based on the
description of non-technical methods.

Phishing Prevention Systems
  Technical
    List Based Methods
      Black List
      White List
    Heuristic Methods
      Anomalies on URL
      Anomalies on Source code
      Search Engines
      Visual similarities
  Non-Technical
    Education & Awareness

Figure 9 Classification of phishing prevention system


Many anti-phishing applications are developed on the client side. These are automated
techniques such as browser toolbars and plug-ins. Meanwhile, more and more
researchers on the topic of security realize the need for improving server security, in
order to protect against phishing by considering both the client and the server.
However, awareness about phishing among users is the most effective way of phishing
prevention. It is important that users get familiar with widely used techniques and
tricks of social engineering, the psychology of manipulating people into divulging
confidential information and performing unwitting actions.
The client based solutions include techniques like: e-mail analysis (use of Bayesian
filters and content analysis), blacklist filter (queried URLs identified as malicious),
information flow (keep track of the sensitive information that the user enters into web
forms and raise an alert if something is considered unsafe, like URL obfuscation or a
fake domain name), similarity of layouts (compare visible similarity), etc. Similarly,
the server based solutions include techniques like: brand monitoring (crawling on-line
to identify clones and add suspects to a centralized blacklist), behavior detection
(detect anomalies in the behavior of users), security event monitoring (identify
anomalous activity or perform post mortem analysis to detect an attack or fraud), strong
authentication (use of more than one identification factor), new authentication
techniques (use of the latest authentication techniques), etc.
Lastly, education and awareness relate to developing users' ability to identify
phishing attack mechanisms and to take the precautionary actions needed to safeguard
their personal and confidential data or information. This is also the most difficult
method, since users need to guard their data or information from the vulnerabilities
generated by their own activities.
The technical phishing prevention methods are explained in detail below.

2.6.1 List Based Methods

List based methods are reactive techniques for phishing prevention. They maintain a
lookup of either trusted websites (white list) or malicious websites (blacklist). These
lists may be hosted either locally or at a central server.
a) White-list Method
A white list is the list of trusted websites that an Internet user visits on a regular
basis. When the white list is exclusive, it allows access to only those websites which are
considered trusted and thus is highly effective against zero hour phishing. It also does
not produce any false positive results unless there is a wrong entry in the white-list.
However, it is very difficult to determine beforehand all the websites which users may
want to browse and accordingly update the list on time (Chaudhary, 2012).
b) Blacklist Method
A blacklist is the list of IP addresses, domain names or URLs of treacherous websites.
IP addresses and domain names used by the scammer can be blocked.
However, phishers often use hacked Domain Names (DN) and servers, so
blocking whole DNs or IP addresses can unintentionally block many legitimate
websites which share the same IP addresses and DNs. Therefore, blacklisting URLs
is comparatively more appropriate for a blacklist (Chaudhary, 2012).
Compiling and distributing a blacklist is a multi-step process. First, a blacklist vendor
enters into contracts with various data sources for suspicious phishing emails and
URLs to be reviewed. These data sources may include emails that are gathered from
spam traps or detected by spam filters, user reports (e.g. PhishTank or APWG), or
verified phish compiled by other parties such as takedown vendors or financial
institutions. Depending on the quality of these sources, additional verification steps
may be needed. Verification often relies on human reviewers. The reviewers can be a
dedicated team of experts or volunteers, as in the case of PhishTank. To further reduce
false positives, multiple reviewers may need to agree on a phish before it is added to
the blacklist. For example, PhishTank requires votes from four users in order to
classify a URL in question as a phish. (Cranor, Wardman, Warner, & Zhang, 2009)
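
The two points made above (a URL is listed only after enough reviewers agree, and URL-level entries avoid blocking innocent pages on a shared host) can be seen in a small model. This is an added example, not code from the thesis, PhishTank or any browser; the class, the reviewer ids and the sharedhost.example URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

VOTES_REQUIRED = 4   # PhishTank's threshold as quoted in the text above


def canonical(url):
    """Normalise case, default port and fragment so variants of one URL match."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{netloc}{p.path or '/'}{query}"


class Blacklist:
    def __init__(self, votes_required=VOTES_REQUIRED):
        self.votes_required = votes_required
        self.pending = {}     # canonical URL -> reviewers who voted "phish"
        self.listed = set()   # canonical URLs confirmed as phish

    def vote(self, url, reviewer):
        """Record one reviewer's "phish" vote; return True once the URL is listed."""
        key = canonical(url)
        voters = self.pending.setdefault(key, set())
        voters.add(reviewer)              # a reviewer counts once per URL
        if len(voters) >= self.votes_required:
            self.listed.add(key)
        return key in self.listed

    def blocks_url(self, url):
        """URL-level match: only the reported page is blocked."""
        return canonical(url) in self.listed

    def blocks_domain(self, url):
        """Domain-level match: every page on a listed host is blocked."""
        host = urlsplit(canonical(url)).hostname
        return any(urlsplit(entry).hostname == host for entry in self.listed)


def demo():
    """Constructed scenario: a phish placed in one account of a shared host."""
    phish = "http://sharedhost.example/~victim/bank/login.php"
    florist = "http://sharedhost.example/~florist/index.html"
    bl = Blacklist()
    # r2 votes twice; the duplicate must not bring the URL closer to listing.
    listed = [bl.vote(phish, r) for r in ("r1", "r2", "r2", "r3", "r4")]
    variant = "HTTP://SharedHost.example:80/~victim/bank/login.php#top"
    return {
        "listed_after_each_vote": listed,
        "variant_blocked": bl.blocks_url(variant),
        "florist_url_level": bl.blocks_url(florist),
        "florist_domain_level": bl.blocks_domain(florist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The florist page is a false positive only under domain-level matching, which is the collateral blocking the paragraph above describes.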

2.6.2 Heuristic Method

Heuristic-based approaches check one or more characteristics of a website to detect
phishing rather than look in a list. Those characteristics can be the Uniform Resource
Locator (URL), the Hypertext Markup Language (HTML) code, or the page content
itself (Alkhozae & Batarfi, 2011). These characteristics are anomalies in the
components of phishing websites. In fact, even the automatic verification of phishing
websites used to maintain blacklists employs heuristic methods. Some of the heuristic
methods are analyzed next.
a) Visual similarity measures
Phishing websites often imitate the look and feel of official websites with the same
layouts, styles, key regions, rendering, blocks, and most of the contents. They use
various non-text elements, such as images and flash objects, to display contents. Such
mimicry of an authentic website with only minimal required changes is often difficult
for Internet users to distinguish. Moreover, the use of non-text elements to display
web contents makes it even harder for general content based anti-phishing techniques
(Chaudhary, 2012).
b) Use of search engines
There are several search engines (e.g., Google, Bing, Yahoo!, Baidu) that maintain
a crawl database and perform page ranking to display search results. The PageRank
algorithm that was formulated by Google founders Larry Page and Sergey Brin uses
factors such as the number of inbound links, the number of outbound links, and
damping factors. Moreover, there is a set of recommended guidelines from Google
webmaster to prevent removal of websites from the Google search engine index
(Source: Google webmaster guidelines). Phishing websites have a short duration and
a low page rank in the search engines (Chaudhary, 2012).
Google will display results for the search. Google Search will not rank phishing
websites due to the following characteristics of phishing websites.
1) Their life span is very short. (The average uptime of phishing attacks dropped to a
record low of 23 hours and 10 minutes in the first half of 2012 (APWG, 2012).)
2) A top ranking on Google requires a site to have been accessed over a long time and
to be genuine. (Google, 2013)
3) Phishing websites are either absent in the search results or possess a very low
page rank. (Chaudhary, 2012, p. 46)
c) Anomalies in URL
The anomalies found in the URL are as follows.

Anomalies in URL
    Short Description

Use IP address in URLs.
    APWG reported that 1.19%, 1.4%, and 2.09% of the phishing websites had used
    URLs containing an IP address during the first quarter of 2012. An example of
    such a URL is: http://184.173.179.200/~agarwal/rbc/. However, some genuine web
    applications, usually used in intranets, can also contain an IP address in the
    URL. (APWG, 2012)

URLs contain brand, or domain, or host name.
    In this form of phishing websites' URLs, the target company's brand or domain
    or host name is included in the path segment of the URL. McGrath and Gupta found
    that 50%-75% of phishing websites' URLs contained the targeted brand or domain or
    host name (McGrath & Gupta, 2008). The report of APWG (APWG, 2012) found that
    49.53%, 45.39%, and 55.42% of the phishing websites used URLs containing the
    targeted company's brand, or domain, or host name.
    An example of such a URL is: http://abc.com/paypal.html.

URLs use http in place of https, i.e., abnormal SSL certificate.
    For SSL-enabled phishing sites, public key certificates are employed. In many
    phishing attacks, the Distinguished Names (DN) in their certificates are
    inconsistent with the claimed identities. (Pan & Ding, 2006)

URLs contain misspelled or derived domain name.
    There are various tricks used by phishers to derive a domain name that looks
    similar to the genuine domain name but disobeys the URL naming conventions. Some
    of the techniques used to generate a derived domain name for phishing websites
    are: replacing the characters of the real domain name with similar looking
    elements (can be Hexadecimal, Integer), as in http://paypa1.com, where the
    character l is replaced by the number one; introducing a hyphen (-) in the
    domain name; etc. (Chaudhary, 2012)

URLs using long host name.
    There is no exact URL length limitation for both phishing and legitimate
    websites. But phishing websites' URLs are usually longer than normal URLs. An
    example of such a URL is:
    http://m.cgiebay.asmodeiproductions.com/6872289d0ce2ae531422edfcc5b1fdc0/8dfe2e5502027428ec505c6f138b9db7/?pagein=http://www.ebay.com/itm/200942010334?ru=http://www.ebay.com/sch/i.html?_from=R40&_sacat=0&_nkw=261164572330&_rdc=1
    According to McGrath and Gupta, URL lengths peak at 67 for PhishTank and at 107
    for MarkMonitor. (McGrath & Gupta, 2008)

Use short URLs.
    Some phishing websites use URL shortening services, such as TinyURL, to
    shorten their URLs, which ultimately redirect to long URLs. An example of such a
    URL is: http://prophor.com.ar/prophor/wells/alerts.php that redirected to URL
    http://specialneedssvg.org/wp/wpadmin/import/wellsfargo/wellsfargo/wellsfargo2011/indx.php
    (McGrath & Gupta, 2008)

Use // character in URL's path.
    When a URL's path contains the // character, it is suspicious and there is a
    greater chance that it will redirect. An example of such a URL is:
    http://bganketa.com/libraries/eBaiISAPI.dll.htm?https://signin.ebay.co.uk/ws/eBayISAPI.dll?SignIn
    (Gastellier-Prevost, Granadillo, & Laurent, 2011).

URLs use unknown or unrelated domain name.
    Sometimes phishers use a domain name that is either completely unknown or
    unrelated. An example of such a URL targeted at Facebook is:
    http://www.ckku.com/includes/In.htm

URLs use multiple Top Level Domains (TLD) within domain name.
    Some phishing websites' URLs use multiple TLDs within the domain name. Such
    URLs can be detected from the number of dots (.) used in the URL. (Zhang, Hong,
    & Cranor, 2007)
    http://paypal.com.bin.webscr.skin.a5s4d6a5sdas56d6554y65564y65564y4a56s4d56as4d65sad4.shoppingcarblumenau.com.br/

URLs use different port number.
    Some phishing websites use a port other than port 80 (Gastellier-Prevost,
    Granadillo, & Laurent, 2011). Example: http://27.251.96.35:8888.

URLs with abnormal DNS record.
    Legitimate websites usually have a record in DNS; however, phishing websites
    usually do not have a record. If they do have one, most of the information
    remains empty. Example: http://27.251.96.35:8888, used for PayPal. (Zhang, Hong,
    & Cranor, 2007)

Life of Domain.
    In general, the life of phishing sites is not long. Even when they have a
    registered domain, it is usually a recently registered one. However, every day
    many recently registered legitimate websites are added to the Internet.
    (APWG, 2012)

Use of free web hosting.
    Free web hosting services are widely misused by phishers to host their phishing
    websites. (McGrath & Gupta, 2008)
    An example of such a URL is:
    http://arnodits.net/ysCntrlde/webscr_prim.php?YXJub2RpdHMubmV0NTAxNmNmYTVjMzY4NQ==MTM0MzY3MjIyOQ.

URLs hosted by geographical location.
    The majority of phishing websites are hosted in the USA (APWG, 2012). This might
    be because the USA hosts the highest number of other websites as well.

Use of special character "@".
    The special character "@" is used to redirect the user to a website different
    from the one that appears within the address bar. An example of such a URL is:
    http://www.amazon.com:fvthsgblijhfcs83infoupdate@69.10.142.34 (Zhang, Hong, &
    Cranor, 2007). Here the website is redirected to 69.10.142.34.

Use of sensitive words.
    Phishing URLs are found to contain several suggestive word tokens. For example,
    the words login and signin are very often found in a phishing URL (Garera,
    Provos, Chew, & Rubin, 2007). They stated 8 words: "secure", "account",
    "webscr", "login", "ebayisapi", "signin", "banking" and "confirm".

Table 1 Anomalies found in the URL
However, these anomalies can also be seen in real websites, so they are not a
sure sign of phishing.
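
The rows of Table 1 that depend only on the text of the URL can be checked offline, as in the following added example (not code from the thesis or from any browser). The brand list, the digit-substitution map and the two thresholds are assumptions chosen for illustration; the sample URLs are those quoted in Table 1 plus two constructed legitimate ones, which show why a flag is a hint and not a verdict.

```python
import ipaddress
from urllib.parse import urlsplit

# Word tokens from the "Use of sensitive words" row (Garera et al., 2007).
SENSITIVE_WORDS = ("secure", "account", "webscr", "login",
                   "ebayisapi", "signin", "banking", "confirm")

# Assumptions made for this example, not values fixed by the thesis.
BRANDS = ("paypal", "ebay", "amazon")      # brands the checker looks for
LOOKALIKE = str.maketrans("0135", "oles")  # digit -> letter it imitates
MAX_DOTS = 4        # more dots in the host suggests stacked TLDs
MAX_LENGTH = 67     # PhishTank URL length peak quoted in Table 1


def is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_anomalies(url):
    """Return the sorted Table 1 anomalies that are visible in the URL text."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    flags = set()

    if is_ip(host):
        flags.add("ip_host")
    if parts.username is not None:
        # Text before "@" is only userinfo; the connection goes to `host`.
        flags.add("at_sign")
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = -1
    if port not in (None, 80, 443):
        flags.add("odd_port")
    if host.count(".") > MAX_DOTS:
        flags.add("many_dots")
    if len(url) > MAX_LENGTH:
        flags.add("long_url")
    if "//" in rest:
        flags.add("double_slash")
    if any(brand in rest for brand in BRANDS):
        flags.add("brand_in_path")
    if any(word in rest for word in SENSITIVE_WORDS):
        flags.add("sensitive_word")
    for label in host.split("."):
        # Undo digit-for-letter swaps and hyphens, then compare with brands.
        plain = label.replace("-", "").translate(LOOKALIKE)
        if label not in BRANDS and plain in BRANDS:
            flags.add("lookalike_domain")
    return sorted(flags)


SAMPLES = [
    # URLs quoted in Table 1
    "http://184.173.179.200/~agarwal/rbc/",
    "http://abc.com/paypal.html",
    "http://paypa1.com",
    "http://27.251.96.35:8888",
    "http://www.amazon.com:fvthsgblijhfcs83infoupdate@69.10.142.34",
    "http://bganketa.com/libraries/eBaiISAPI.dll.htm?"
    "https://signin.ebay.co.uk/ws/eBayISAPI.dll?SignIn",
    "http://paypal.com.bin.webscr.skin."
    "a5s4d6a5sdas56d6554y65564y65564y4a56s4d56as4d65sad4."
    "shoppingcarblumenau.com.br/",
    # Constructed legitimate URLs that still raise a flag
    "http://192.168.1.10/wiki/",
    "https://www.paypal.com/signin",
]


def report():
    """Map every sample URL to the anomalies found in it."""
    return {url: url_anomalies(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, flags in report().items():
        print(f"{', '.join(flags) or 'none':45} {url[:60]}")
```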
d) Anomalies found in the source codes of phishing websites
According to Chaudhary, phishing websites are built in a hurry and in a cheap manner, so
their contents may have flaws and anomalies in the source code too (Chaudhary, 2012).
These are listed below:

Abnormal anchor URLs.

Genuine websites use anchors to provide navigational guidance. The URLs
used in the anchors are usually from their own domain and sometimes from a different
domain. However, in phishing sites such anchor URLs are mostly from a different
domain. It has also been found that sometimes the anchor in phishing websites does
not link to any page; for example, the anchor URL (AURL) can be file:///E/ or #.

Abnormal Server Form Handler (SFH).

Security is one of the prime concerns for organizations that do online transactions.
Such organizations require credentials for login, which are generally a username and
password. Thus, their websites include an SFH. Legitimate websites always take action
upon the submission of a form; however, the SFH of phishing websites can contain either
about:blank or #. Moreover, legal sites' SFHs are handled by the server of the
same domain. So whenever the form is handled by a foreign domain server, it
makes the website suspicious.
Similarly, there are many other anomalies, like abnormal request URLs, abnormal
cookies, mismatched hyperlinks, use of authentic logos, illegal use of pop-ups, etc., that
are found in the source code of phishing websites.
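
The two source-code checks described above, abnormal anchor URLs and an abnormal SFH, are sketched below as an added example (not code from the thesis or from any browser). The two HTML pages and their .example hosts are constructed; the 0.5 anchor ratio and the "last two host labels" definition of a site are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Targets that go nowhere: the "#" and about:blank cases named above, plus
# the empty string (an assumption of this example).
NULL_TARGETS = ("", "#", "about:blank")
# Assumed cut-off: flag a page when most anchors leave the site or go nowhere.
ANCHOR_RATIO = 0.5


def site(host):
    """Last two host labels. A real checker would use the Public Suffix List."""
    return ".".join((host or "").lower().split(".")[-2:])


class SourceScan(HTMLParser):
    """Collects a verdict for every <a href> and <form action> on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site(urlsplit(page_url).hostname)
        self.anchors = []
        self.forms = []

    def classify(self, target):
        """Return "null", "foreign" or "own" for one link or form target."""
        target = (target or "").strip()
        low = target.lower()
        if low in NULL_TARGETS or low.startswith(("file:", "javascript:")):
            return "null"
        absolute = urljoin(self.page_url, target)   # resolves relative links
        if site(urlsplit(absolute).hostname) != self.page_site:
            return "foreign"
        return "own"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.anchors.append(self.classify(attrs.get("href")))
        elif tag == "form":
            self.forms.append(self.classify(attrs.get("action")))


def source_anomalies(html, page_url):
    """Scan one page and report the anchor and SFH anomalies found in it."""
    scan = SourceScan(page_url)
    scan.feed(html)
    scan.close()
    flags = []
    odd = [v for v in scan.anchors if v != "own"]
    if scan.anchors and len(odd) / len(scan.anchors) > ANCHOR_RATIO:
        flags.append("abnormal_anchor_urls")
    if any(v != "own" for v in scan.forms):
        flags.append("abnormal_sfh")
    return {"anchors": scan.anchors, "forms": scan.forms, "flags": flags}


# Constructed sample pages (hosts under the reserved .example TLD).
SUSPECT_URL = "http://login-update.example/secure/index.htm"
SUSPECT_HTML = """
<a href="https://www.bank.example/help">Help</a>
<a href="#">Privacy</a>
<a href="file:///E/">Terms</a>
<a href="#">Contact</a>
<form action="http://collector.example/post.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
"""

GENUINE_URL = "https://www.bank.example/login"
GENUINE_HTML = """
<a href="/help">Help</a>
<a href="https://www.bank.example/contact">Contact</a>
<a href="https://partner.example/offers">Offers</a>
<form action="/session" method="post">
  <input name="user"><input name="pass" type="password">
</form>
"""

if __name__ == "__main__":
    print(source_anomalies(SUSPECT_HTML, SUSPECT_URL))
    print(source_anomalies(GENUINE_HTML, GENUINE_URL))
```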

2.7 Anti Phishing Techniques in Web Browsers

According to Statcounter.com, the statistics of browser users are shown in the figure
below. In the figure, the map of the world is segmented according to the number of
users using browsers in that country or region. The users of Google Chrome are
shown in green, Internet Explorer (IE) in blue, Mozilla Firefox in orange,
Safari in light grey and Opera in red.

Figure 10 World map according to the use of browsers. Source: (statcounter.com, 2013)

Figure 11 Global statistics of browsers users. Source: (statcounter.com, 2013)


Thus, the top five browsers with respect to the number of users are Google Chrome,
Internet Explorer, Mozilla Firefox, Safari and Opera. (statcounter.com, 2013)
Similarly, the statistics of browser users in Nepal are shown below:

Figure 12 Statistics of percentage of browser users in Nepal. Source: (statcounter.com, 2013)

From Figure 12, the 5 most used browsers in Nepal from June, 2013 to August, 2013 are
Chrome (53.9%), Firefox (32%), Internet Explorer (7.48%), Safari (2.81%) and Opera
(2.05%). So, these 5 browsers are selected for the study.
Browsers have various options for protection against phishing. Some of the options
are directly related to phishing while others can also be used against phishing. These
options are briefly described:
a) Block pop-up windows: Online thieves use a pop-up window on a legitimate
website and direct the user to perform an activity through which the phishers can
fulfill their motives. Pop-up windows can be blocked when they are not required.
(Hacker Factor Solutions, 2005)
b) Enable JavaScript: JavaScript is being used for phishing purposes. There are
several flaws in JavaScript which would enable malicious web sites to install
something bad on the user's computer or even probe the details of other computers
on the user's private network. Many phishing attacks claim to be security
warnings, alerting users to suspicious activity in their account or offering
new security mechanisms using JavaScript. In addition to that, a traceable
JavaScript function is being used that allows phishers to check if a user is
logged into certain websites (hence the in-session name given to this attack),
and the code would generate a web-based pop-up claiming to be from the website.
Disabling JavaScript when not required can be helpful against phishing.
c) Protocols (Use SSL 3.0, Use TLS 1.0): Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) are cryptographic protocols and are helpful in the war
against phishing. TLS and SSL encrypt the segments of network connections
above the Transport Layer, using symmetric cryptography for privacy and a
keyed message authentication code for message reliability. For example,
Gmail and Hotmail use 128-bit encryption and TLS 1.0 while Yahoo mail uses
256-bit encryption and TLS 1.0.
d) When a server requests my personal certificate (Select one automatically, Ask
me every time): Setting "Ask me every time" can be safer against phishing.
e) Warn me when sites try to install add-ons, Block reported attack sites, and
Block reported web forgeries are three options made for phishing prevention.

2.7.1 Google Chrome

Google Chrome is a free, open-source web browser developed by Google. It was
released in 2008, and has grown to be one of the most popular browsers today.
When Google decided to make a browser, they wanted to completely rethink the
browser, as browsing now is very different from browsing simple text pages. Now we
email, shop, pay bills, and run large applications in our browsers
(www.w3schools.com, 2013).
Google discovers suspicious websites during its constant crawl and re-crawl of the web.
A suspicious website is one that may look like a phishing website designed to
steal personal information, or that may contain signs of potentially malicious activity
that would install malware onto a user's PC without consent. Any website that looks like
a phishing page gets added to a list of suspected phishing websites. If a website is
found that contains signs of potentially malicious activity, a virtual machine is
started, the website is browsed, and its activity is watched. If malicious activities occur,
the website is added to a list of suspected malware infected websites. These black lists
maintained by Google are used by Google Chrome (Provos, McNamee,
Mavrommatis, Wang, & Modadugu, 2007).


All the above options are also available in Google Chrome. These options have the same
benefits as mentioned:
1) Check for server certificate revocation
2) Use SSL 3.0, Use TLS 1.0
3) Allow all sites to run JavaScript
4) Do not allow any sites to show pop-ups
5) Enable phishing and malware protection (precisely for phishing).
Steps to disable phishing and malware protection:

1) Click the Chrome menu on the browser toolbar.
2) Select Settings.
3) Click Show advanced settings and find the "Privacy" section.
4) Deselect the "Enable phishing and malware protection" checkbox.
Here are the messages users may see when phishing and malware detection is
enabled:

Message
    What it means

The Website Ahead Contains Malware!
    This message appears if Google Chrome detects that the site you're trying to
    visit may have malware.

Danger: Malware Ahead!
    This message appears if Google Chrome detects that the web page you're trying
    to visit may have malware.

Reported Phishing Website Ahead!
    This message appears if Google Chrome detects that the site you're trying to
    visit is suspected of being a phishing site.

Table 2 Messages seen after malware detection in chrome


42

Figure 13 Phishing detection in Google Chrome


2.7.2 Mozilla Firefox

Firefox contains built-in Phishing and Malware Protection to help keep you safe
online. These features warn the user when a visited page has been reported as a
Web Forgery of a legitimate site (sometimes called a phishing page) or as an Attack
Site designed to harm the user's computer (otherwise known as malware) (Firefox, 2013).
Mozilla Firefox's phishing feature provides two modes of operation: local mode and
third-party mode. In local mode, it uses the inbuilt Phishing and Malware Protection,
which warns users when a visited page has been reported as a web forgery of a legitimate
site or as an attack site designed to harm users' computers. These lists are automatically
downloaded and updated every 30 minutes or so when the Phishing and Malware
Protection features are enabled.
There are two occasions on which Firefox communicates with Mozilla's partners that
manage the lists while Phishing and Malware Protection is in use. The first is during
regular updates to the lists of reported phishing and malware sites. No information about
the user or the sites visited is communicated during list updates. The second is when a
reported phishing or malware site is encountered. Before blocking the site, Firefox
requests a double check to ensure that the reported site has not been removed from the
lists since the last update. If a visited URL matches a URL in the list of known phishing
sites, the browser blocks the website and displays a warning message to the user
(Mozilla iSEC Partner, 2006).
In this way the local mode protects the user from phishing websites and is able to
ensure the integrity of a user's browsing experience as well as the privacy of their
browsing activity. The third-party mode uses an online third-party service (the
default third-party service used by the browser is Google) and allows the user to have
a URL checked immediately, in real time. Users can test whether Phishing Protection is
active by trying to visit the Firefox phishing test site (Firefox, 2013).
Like Google Chrome, Mozilla Firefox also has many options for phishing prevention.
1) Block pop-up windows (can be accessed by going to Main Menu => Options => Content)
2) Enable JavaScript
3) Protocols (use SSL 3.0, use TLS 1.0)
4) When a server requests my personal certificate (Select one automatically,
Ask me every time): Setting "Ask me every time" can be safer against phishing.
5) "Warn me when sites try to install add-ons", "Block reported attack sites", and
"Block reported web forgeries" are three options made for phishing prevention.

Figure 14 Anti phishing setting in Mozilla Firefox


2.7.3 Internet Explorer

Internet Explorer has a built-in anti-phishing feature that uses a phishing filter. The
phishing filter in Internet Explorer, also called the SmartScreen filter, helps detect
phishing websites.
The phishing filter uses three methods to help protect you from phishing scams. First, it
compares the addresses of websites the user visits against a list of sites reported to
Microsoft as legitimate. This list is stored on the user's computer. Second, it helps
analyze the sites the user visits to see if they have the characteristics common to a
phishing website. Third, with the user's consent, the phishing filter sends some website
addresses to Microsoft to be further checked against a frequently updated list of reported
phishing websites.
If the site the user is visiting is on the list of reported phishing websites, Internet
Explorer will display a warning webpage and a notification on the address bar. From
the warning webpage, the user can continue or close the page. If the website contains
characteristics common to a phishing site but isn't on the list, Internet Explorer will
only notify the user in the address bar that it might possibly be a phishing website.
When users install and run Internet Explorer for the first time, it prompts them to
enable the phishing filter. However, if a user chooses not to turn it on, s/he can enable
the phishing filter as follows:
Similar to the above two browsers, MS IE also contains options for phishing prevention:
1) Trusted sites and restricted sites: These two options provide the facility to list
trusted and restricted websites respectively. Any website suspected of phishing can be
made a restricted website.
2) Turn on pop-up blocker: Has a feature to list the websites on which pop-ups
can be allowed.
3) Active scripting: This is to enable and disable JavaScript.
The options that are primarily for phishing, or are part of the phishing prevention
system of IE, are below:
1) Report unsafe website: This option can be used to determine whether the website
is unsafe or not. It sends a request to a Microsoft server, which checks its
list to verify whether the website is phishing or legitimate.
2) Check this website and Turn on SmartScreen filter:

Figure 15 Enabling SmartScreen filter (IE 8)

Figure 16 Phishing detection in IE 8 after using SmartScreen filter

2.7.4 Opera

With Opera, every webpage a user requests is subjected to phishing and malware filters.
The security status of the page is displayed in a security badge in the address field. If
a website is found on lists of known, suspicious sites, a warning page may be displayed
before the page is shown. Users decide whether to visit the questionable website, to
return safely to the browser home page, or to read additional information about the
status of the page. If users open a phishing or malware page, it will be marked with a
red warning badge (Opera, 2013).
Opera gives more selectable options in particular sections of its options. These
are explained below:
1) Pop-ups: Users can handle pop-ups according to their own preference as below.
a) Open all pop-ups
b) Open pop-ups in background
c) Block unwanted pop-ups.
d) Block all pop-ups.
2) The check box for "Enable JavaScript" also has a JavaScript options button, which pops up the JavaScript options below:
a) Allow resizing of windows
b) Allow moving of windows
c) Allow raising of windows
d) Allow lowering of windows
e) Allow changing of status field
f) Allow scripts to detect context menu events.
g) Allow scripts to hide address bar
h) Open console for error.
i) User JavaScript folder path text box.
3) Enable plug-ins has an inner check box to enable plug-ins only on demand.
4) Manage site preferences: This option lets users add, edit and delete the
websites to be allowed. The added websites can be customized for pop-ups,
cookies, content, JavaScript, etc. This is like maintaining a white list from the
user's side.
5) Blocked content: This option lets users add, edit and delete the websites
to be blocked.
The options primarily for phishing prevention systems are as follows:
6) Enable "Fraud and Malware Protection"
7) Manage Certificates: It provides options to import, export, view and delete
personal certificates (client certificates) and authority certificates (from
authorities like VeriSign, Go Daddy, Entrust, etc.). These certificates can be kept in
intermediate, approved and rejected groups.
8) Security Protocols: The options for enabling security protocols like Enable SSL3,
Enable TLS1, etc.
9) Trusted Websites: There is provision to add, delete and edit the trusted websites.

Figure 17 Phishing detection in Opera browser.


2.7.5 Safari

Safari employs sandboxing techniques to isolate Web content and applications from
other information on systems, and also includes malicious code blocking capabilities.
As with the other browsers, Safari also relies on current reports about malicious and
fraudulent websites to warn and protect its users. If a website contains malicious code
intended to capture personal data or tamper with users' computers, sandboxing
provides a built-in blocker that restricts the code from doing harm (Tittel, 2011).
User personal data is safer on Safari. That's because Safari protects users from
cross-site scripting, phishing, and malware attacks that try to obtain the user's
personal data. So if users visit a site that might contain phishing or malware content,
Safari alerts them and won't open the page. Safari makes it easy to see when the user's
connection to a website is encrypted. (Safari, 2013)
When users first launch Safari 3.2, it connects to safebrowsing.clients.google.com and
requests information on the two main blacklists that Google maintains: a list of known
phishing sites, and a list of known malware sites. Google returns the list of hashed
URLs to your computer in chunks, starting with the freshest information first and
gradually filling in older information. Once users find that folder, they will see two
files within it: "cache.db" and "SafeBrowsing.db". The former is indeed Safari's
cache. The latter file contains the blacklists from Google's Safe Browsing initiative.
Users will notice that the file was most likely created right about the time they first
launched Safari 3.2, and if they have the browser open, the file should have been
modified within the past 30 minutes. (Macworld.com, 2008)
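The list-based checks described above for Firefox's local mode (periodic list download, then a double check before blocking) and for Safari (a locally stored list of hashed URLs) can be modelled as follows. This is an added Python sketch, not code from the thesis or from any browser; the 4-byte SHA-256 prefixes, the in-memory ListServer class and the example.* URLs are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4             # bytes of each digest kept locally (assumption)
UPDATE_INTERVAL = 30 * 60  # seconds; "every 30 minutes or so" in the text


def expressions(url):
    """Host-suffix + path-prefix combinations looked up for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Full host, then parent domains down to two labels.
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    path = parts.path or "/"
    paths = [path]
    while "/" in path.rstrip("/"):          # walk up to the root directory
        path = path.rstrip("/").rsplit("/", 1)[0] + "/"
        paths.append(path)
    return [h + p for h in hosts for p in paths]


def digest(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class ListServer:
    """Hypothetical in-memory stand-in for the list provider."""

    def __init__(self, listed):
        self.listed = set(listed)
        self.confirm_requests = 0           # how often a client contacted us

    def prefixes(self):
        return {digest(e)[:PREFIX_LEN] for e in self.listed}

    def full_hashes(self, prefix):
        self.confirm_requests += 1
        return {d for d in map(digest, self.listed) if d.startswith(prefix)}


class ListClient:
    """Browser side: local prefix list plus confirmation on a local hit."""

    def __init__(self, server, now=0):
        self.server = server
        self.update(now)

    def update(self, now):
        self.local = self.server.prefixes()
        self.updated_at = now

    def check(self, url, now):
        if now - self.updated_at >= UPDATE_INTERVAL:
            self.update(now)
        for expr in expressions(url):
            d = digest(expr)
            # Only a local hit causes any traffic about the visited URL.
            if d[:PREFIX_LEN] in self.local:
                # Double check: is the entry still listed right now?
                if d in self.server.full_hashes(d[:PREFIX_LEN]):
                    return "block"
        return "allow"


def demo():
    """Constructed scenario covering hit, miss, stale entry and update lag."""
    server = ListServer({"secure-login.example.net/paypal/", "bad.example.org/"})
    client = ListClient(server, now=0)
    out = {}
    out["listed"] = client.check(
        "http://secure-login.example.net/paypal/signin.php", now=60)
    out["clean"] = client.check("https://www.example.com/index.html", now=120)
    out["requests_after_clean"] = server.confirm_requests
    server.listed.discard("bad.example.org/")      # delisted after last update
    out["delisted"] = client.check("http://bad.example.org/", now=180)
    server.listed.add("new-phish.example.org/")    # listed after last update
    out["new_before_update"] = client.check("http://new-phish.example.org/a", now=240)
    out["new_after_update"] = client.check(
        "http://new-phish.example.org/a", now=UPDATE_INTERVAL)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The "delisted" case shows why the double check avoids a false positive from a stale local list, and "new_before_update" shows the false-negative window that lasts until the next list update.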
Safari contains the following options for phishing prevention.
1) Enable plug-ins: Check box to enable plug-ins.
2) Enable Java: This is for enabling Java.
3) Enable JavaScript
4) Block pop-up windows
The options that are primarily for phishing, or are part of the phishing prevention
system of Safari, are as follows:
1) Warn when visiting a fraudulent website. (Uses Google Safe Browsing
Service)
2) Ask before sending a non-secure form to secure website.
By default the anti-phishing system is on in Safari. It can be checked by going to
Setting=>Preference=> Security

Figure 18 Checking enable or disable of anti-phishing in safari browsers

Figure 19 Phishing detection in Safari


2.7.6 Summary of technology used by anti phishing systems in browsers

Browsers | Detection Technology Used | Remarks
Google Chrome | Blacklist and heuristic on web crawl data | Safe browsing API
Internet Explorer | white list, blacklist and heuristic | smart screen filters
Mozilla Firefox | local mode: black list; third party mode: Google | Safe browsing API
Safari | blacklist: Google; heuristic | Safe browsing API; Third party cookie blocking
Opera | blacklist: PhishTank | PhishTank; Netcraft

Table 3 Technologies used by anti phishing system in browsers.


2.8 Problems in Browsers' Inbuilt Phishing Prevention Systems

The technical and non-technical issues are mentioned below:

1) Warning and pop-up messages are another problem, as they can be irritating to the user.
A further difficulty is that of warning the user (or taking other action when
phishing is detected or suspected). Halting the browser connection (i.e. refusing to
connect to the site) is usually unacceptable unless it is absolutely certain that the
site is phishing. (Dhamija, Tygar, & Hearst, 2006; Wu, Miller, & Garfinkel, 2006;
Li & Helenius, 2007; Egelman, Cranor, & Hong, 2008)
2) The above-mentioned browsers use blacklist approaches in their default anti-phishing
systems. The problems of the blacklist approach are false positives, false
negatives, and list updates. Anti-phishing systems have to struggle to keep both the
false positive and false negative error rates low. False positives
erode trust in the system and cause inconvenience and possible loss to websites that
are erroneously classified as phishing. Similarly, false negatives can render the
effort to protect against phishing futile. Furthermore, halting the browser connection
to a website unless it is confirmed to be phishing is unacceptable.
Moreover, the blacklist approach attempts to inform clients of phishing sites either
by pushing an updated list to the client or by having the client check with the server
to request information on a URL it is visiting (Florencio & Herley, 2006; Cranor,
Wardman, Warner, & Zhang, 2009). Both of these approaches are inconvenient
because they can cause definite latency and server overload respectively.
3) There are many rules or heuristics that can appear promising when run on training
data. They can even perform well enough to protect a small fraction of the overall
population. However, their efficiency is inversely related to their scale of
deployment: the more people use them, the less effective they are. (Islam &
Abawajy, 2013)
4) There is a white-list approach that is maintained by the user. This is used to reduce
the traffic to the server and can only be used in conjunction with sites that have high
security standards and do not host personal pages. (Dhamija, Tygar, & Hearst,
2006; Odaro & Sanders, 2010)
5) Secure Sockets Layer (SSL) is a protocol commonly used in validating the
identity of a website and enabling the transmission of private information over the
Internet. It makes use of cryptographic keys to encrypt the data being transmitted
and to provide a signature used in identification. Browser SSL certificates are
electronic documents that enable encryption on secure websites, and also contain
information about the certificate holder. The use of these certificates (and the
related well known SSL lock icon) has traditionally been one way of providing
identity information to the user, but studies have shown that many users have
difficulty interpreting certificates or may not even be aware that they exist. There
are many other options in the browser which users rarely use because they have little
or no knowledge about them.
Finally, the biggest problem is getting users to alter their behavior. Studies even
showed that users tend either to ignore or to fail to act on security warnings. This is
the highest threat for several anti-phishing solutions. (Odaro & Sanders, 2010)

Figure 20 SSL lock icon in Gmail.


2.9 Organization Working against Phishing

There are many organizations working against phishing. These organizations are
resources for studying and tackling phishing. Some of the main organizations
are as follows:
2.9.1 APWG (Anti phishing Working Group)

The APWG is a worldwide coalition unifying the global response to cybercrime
across industry, government and law-enforcement sectors. APWG's membership of
more than 2000 institutions worldwide is as global as its outlook, with its directors,
managers and research fellows advising: national governments; global governance
bodies like ICANN; hemispheric and global trade groups; and multilateral treaty
organizations such as the European Commission, Council of Europe's Convention on
Cybercrime, United Nations Office of Drugs and Crime, Organization for Security
and Cooperation in Europe and the Organization of American States. (APWG, 2013)
Websites of APWG public-service enterprises include its public website,
<http://www.antiphishing.org>; the website of its public awareness program, the "STOP.
THINK. CONNECT." messaging convention <http://www.stopthinkconnect.org>; and
the APWG's research website <http://www.ecrimeresearch.org>. These serve as
resources about the problem of phishing and electronic frauds perpetrated against
personal computers and their users and resources for countering these threats.
(APWG, 2013)
The APWG collects, analyzes, and exchanges lists of verified credential collection
sites, like those used in phishing. (APWG, 2013)
2.9.2 PhishTank

PhishTank is an anti-phishing website. PhishTank was launched in October 2006 by
entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a
community-based phish verification system where users submit suspected phishes and
other users "vote" on whether each is a phish or not. PhishTank is used by Opera, WOT
(Web of Trust), Yahoo! Mail, McAfee, APWG, CMU, Mozilla, Kaspersky, Firetrust, Officer
Blue, FINRA, Message Level, SURBL <http://www.surbl.org/>, Site Truth, Avira,
CSIRT and by PhishTank SiteChecker. (Wikipedia, 2013)
PhishTank data is provided gratis for download or for access via an API call but only
under an extremely limited, restrictive license. PhishTank SiteChecker is a tool
available for the Mozilla Firefox browser to check the user's site against phishing.
2.10 Phishing prevention as a social aspect
The social aspects that are vital for phishing prevention, as mentioned in the American
Bankers Association report, are:

1) Public Education on Phishing: Since phishing is a form of identity theft that
differs substantially from other physically based identity theft techniques, it is
the responsibility of government and the private sector to keep the public updated
about the latest phishing techniques and methods to recognize them.
2) Authentication: No doubt education on phishing is helpful in the fight against
phishing and other forms of identity theft that involve social engineering;
however, it is not sufficient to provide adequate protection, especially when
phishers continue to refine their attacks. This calls for improvement of
authentication technologies, and multifactor authentication measures as
appropriate. Standardizing the way enterprises communicate with their clients
can play a pivotal role in addressing this issue.
3) Legislative framework: A strong legislative framework is also fundamental to
combating identity theft, along with specific mechanisms that can end such phishing.
4) Enforcement: An effective and comprehensive response to identity theft
requires the investigation and prosecution of appropriate cases involving
phishing schemes.
5) International and national level coordination: Phishing attacks can originate
from any part of the globe. International coordination is highly important to tackle
them.
2.11 Past research on phishing detection model
Alkhozae and Batarfi have proposed a phishing detection approach based on checking
the webpage source code. They extracted some phishing characteristics out of W3C
standards to evaluate the security of the websites and check each character in the
webpage source code. On finding a phishing character, they decrease the initial
secure weight. The security percentage is calculated based on the final secure weight.
A high percentage indicates a secure website, while other websites are
most likely to be phishing websites. This approach was tested with two legitimate
and phishing websites, and the security percentages were compared between them.
(Alkhozae & Batarfi, 2011)
The research considered 8 different characteristics, which are Https, images,
suspicious URLs, domain, email, iframe, script and popup windows in the source
code of the target sites, and ranked these characteristics to calculate the secure weight.
There is no justification for categorizing different characteristics. Alkhozae and
Batarfi's proposed model doesn't provide a possible solution after detecting phishing
websites.
Gowtham and Krishnamurthi's model adopts a suitable combination of all techniques,
like maintaining blacklists and white-lists and employing heuristics-based approaches.
Before applying heuristics to the webpages, they applied two preliminary screening
modules in this system. The first module is the preapproved site identifier, which uses
a user-maintained white-list, and the second is the login form finder, which classifies
a webpage as legitimate when there are no login forms present. (Gowtham & Krishnamurthi, 2013).
The research considers the login form to be the only webpage from which phishers could
benefit from users, which is very important for consideration. But the system
does not provide any solution for the possible real website after detecting the phishing
websites.
He, et al. (2011) have proposed a phishing webpage detection model to determine
whether a webpage is a legitimate or a phishing webpage. It does not use list-based
methods. At first a webpage is converted into 12 features, which are selected
based on existing normal and phishing pages. A training set of web pages including
normal and phishing pages is then input to a support vector machine for training.
According to them, the experimental results showed that the proposed phishing detector
can achieve a high accuracy rate with relatively low false positive and low false
negative rates. (He, et al., 2011)
The research keeps suspicious page address as feature one, which is followed by id
page address, nil anchors, foreign anchors, id foreign request, SSL certificate, number
of dots in all URLs, etc., and search engine as the 12th feature. Moreover, they have
highlighted other features like server form handler, domain age, WHOIS record, etc., which
were not used in the system.
Odaro and Sanders propose that users cannot completely rely on the inbuilt
anti-phishing systems of browsers because they are inadequate to combat the problems of
phishing. The limitations are both technical and non-technical. From the evaluation of
technical and non-technical issues of browsers' inbuilt phishing prevention systems and
other related tools, suggestions are stated considering both technical and non-technical
problems. (Odaro & Sanders, 2010).
Islam and Abawajy propose a multi-tier classification model for phishing email
filtering. Priority ranking was set up for extracting the features of phishing email
based on weighting of message content and message header. The impact of
rescheduling the classifier algorithms in a multi-tier classification process is evaluated
to find the optimum scheduling. A detailed empirical performance analysis of
the proposed algorithm is presented. The results of the experiments show that the
proposed algorithm reduces the false positive problems substantially with lower
complexity. (Islam & Abawajy, 2013).
There are many papers on phishing detection models that use classification
through neural networks and artificial intelligence.
There is no silver bullet to eliminate the problem of phishing. It depends partially on
well designed technology and equally on the browsing habits of Internet users. Well
designed technology includes techniques able to efficiently tackle successful phishing
techniques and a usable design that takes into consideration what humans can and
cannot do well (Dhamija, Tygar, & Hearst, 2006).
On review of the literature, no significant research has been done on phishing
prevention models that focus on what happens after a phishing website is detected. Most
of the tools have concentrated on GUI display of warning messages. But more than a warning
message, users have to be provided with some solution if the website they requested
is a phishing website. This study will focus on developing a model which can give a
solution after phishing is detected.


CHAPTER THREE
METHODOLOGY
In this chapter efforts have been made to present and explain the specific research
design for the sake of attaining the research objectives. It explains
procedures/methods after the development of research questions or it excludes the
chapter one contents. It includes research design, nature of data, population and
sample and data analysis procedures.
3.1 Research Design

I have used experimental research and design-and-creation research strategies to
answer the research questions. The model process of research is shown below (Oates,
2006):

[Figure 21: flow diagram. Boxes: Experiences and motivation; Literature review; Research Questions ("What are the problems in web browsers' anti-phishing system?", "How can technology intervene to increase user awareness so that users are not misled by phishing sites?"); Strategies (Experiment; Design and creation); Data generation methods (Observation; Documents); Data Analysis (Quantitative; Qualitative).]

Figure 21 Model of research process


3.2 Sources of Data

Data were mainly collected through primary experimental observation. The online
users who use the web application for recognizing phishing or real websites are the
sources of primary data used to select the anomalies in the URLs of phishing websites. The
list of phishing URLs is obtained from PhishTank.com (secondary source), and
the facts and cases of phishing are obtained from online reports and publications.

3.3 Methodology Insight

The methodology insight can be seen through the block diagram of the methodology.
The components of the methodology are explained below.
Literature Review consists of methods, tools and techniques used for phishing. It
covers the details of the browsers' inbuilt phishing prevention systems and the existing
tools and technologies for phishing prevention.
Browsers' inbuilt anti-phishing system is studied through different literature along
with walk-through experiments. It consists of procedures for the various options and
features of the phishing prevention system of the selected browsers.
Phishing prevention models consist of existing models for phishing prevention
systems, which are accessed through the review of journals.
Browsers' phishing detection rate is determined through experimental research.
The procedures of data collection, sampling and statistical analysis of the results are
explained under a separate heading of this chapter.
Problems in browsers' inbuilt phishing detection system are identified through the
meta-analysis of literature reviews and walk-through experiments on the browsers.
Anti-phishing model is proposed through the meta-analysis of the various
techniques and models of phishing prevention systems.
Selection of phishing anomalies in the URLs is done through the developed online web
application. The procedures are explained under a separate heading.
Verification of the model is done by making different case studies based on the
phishing anomalies in the URL.
Conclusion and Recommendation are made on the basis of all the above
procedures.


Figure 22 Research Methodologies in block diagram


3.4 Experimental Research for phishing detection in browser

Experimental research is a blueprint of the procedure that enables the researcher to test
his hypothesis by reaching valid conclusions about relationships between independent
and dependent variables. It refers to the conceptual framework within which the
experiment is conducted. (Key, 1997). The following procedures are applied for
conducting this experiment.
3.4.1 Size of the sample of phishing websites

There are various formulas for calculating the required sample size based upon
whether the data collected is to be of a categorical or quantitative nature (e.g. is to
estimate a proportion or a mean). These formulas require knowledge of the variance
or proportion in the population and a determination as to the maximum desirable
error, as well as the acceptable Type I error risk (e.g., confidence level). Since there is
an inverse relationship between sample size and the Margin of Error, smaller sample
sizes will yield larger Margins of Error.
The formula used for these calculations was:
$$ n = \frac{\chi^2 \, N \, P \, (1-P)}{ME^2 \, (N-1) + \chi^2 \, P \, (1-P)} $$

Source: (Krejcie & Morgan, 1970)

Where
n = required sample size
N = Population size
ME = Desired Marginal error (expressed as a proportion)


Confidence interval | 95.0 %
Degree of accuracy | 0.1
No of valid phish websites | 1,206,474
Sample size | 96

Table 4 Sampling Methodology


3.4.2 Pre-validation of the setup:

For the experiment, I have taken 5 different browsers. These are Internet Explorer,
Google Chrome, Mozilla Firefox, Opera and Safari. The phishing sites will
be 96 phish websites from different sectors like PayPal, banks, government organizations,
reputed brands like Amazon, eBay, Adidas, etc., and miscellaneous local phishing sites
targeting the community of Nepal.
The environment for the setup will be as follows:
Hardware environment used | Processor: Intel Core i5 M 430; Memory (RAM): 4 GB; System: 32-bit Operating System
Operating System | Windows 7 Ultimate
Browsers used | Google Chrome Version 29.0.1547.66 m; Internet Explorer Version 8.0.7600.16385; Mozilla Firefox Version 24.0; Opera Version 11.60; Safari v 5.1.7 Windows version
Sample size of phishing websites | 96

Table 5 Environmental variables for experimental test for detection of phishing


At first these sites are tested for their existence. The average lifetime of phishing
websites is reducing gradually. According to the APWG's Global Phishing Survey:
Trends and Domain Name Use in 1H2012, the average uptime of phishing attacks
dropped to a record low of 23 hours and 10 minutes in the first half of 2012. This
number, the APWG says, is about half of what it was in late 2011, and by far the
lowest since the report first started back in January 2008. (APWG, 2012)
Date of Selection of Website from phishtank.com: 2013-10-1 at 1:12 pm
An automated batch script file is developed for checking the website URLs in the different
browsers. The reaction of the browsers is reconfirmed by manual walk-through inspection.
Batch Script example: start chrome website1 website2
The following validation takes place each time before starting the experiment.
1) Availability of computers having an operating system in good condition.
2) Confirmation that 5 freshly downloaded browsers are available and that each of them
incorporates the in-built anti-phishing system.
3) Selection of phishing websites from phishtank.com for the test.
4) Availability of the resources to write the results.
5) Writing of test script code for the different browsers.
6) Identifying and controlling non-experimental factors.
7) Selecting or constructing and validating instruments to measure outcomes.
8) Conducting a pilot study.
9) Determining the place, time, and duration of the experiment.
10) Conducting the experiment.
11) Compiling raw data and reducing it to a usable form.
12) Identifying and defining the problem.
13) Formulating hypotheses and deducing their consequences.
3.5 Development of model and its validation

One of the major problems in analyzing anomalies in source code is that the web pages
need to be loaded, which exposes Internet users to malicious code,
key loggers, and botnets. Although the risk from malicious code, key loggers, and
botnets can be reduced by using a sandboxed browser to load the webpage for analysis, this
cannot guarantee complete protection from malware and malicious code (Sabanal
& Yason, 2012).
In contrast, the analysis of anomalies in URLs does not need to load the web pages,
which means Internet users can be safe from phishing conducted using
malicious software.
The proposed model consists of a heuristic method and a list-based method. In the
heuristic component, phishing detection is done using anomalies in the URL.
A web application is developed to select the list of anomalies to use
in the model. The white-list method is used to exempt known legitimate
websites from being checked by the model.
3.5.1 Selection of anomalies through web app

It is not possible to take all the anomalies into the study. A web app is developed for
the selection of anomalies in the URL to use in the heuristic method in the model. The
phishing websites with the following anomalies are considered in the study. These
anomalies were selected on the basis of the availability of resources in conformance to
Nepali users and the use of a maximum of 20 questions in the quizzes, as in Sheng's
"Anti-Phishing Phil" (Sheng, et al., 2007), because more questions would bore the users.
For randomization, anomalies in the email and anomalies of visual similarity in
logos and themes are mixed in.
1) URLs misspelled or derived from domain name.
2) The domain name of commercial businesses is not .org
3) URLs using http in place of https, i.e., abnormal SSL certificate.
4) URLs contain brand, or domain, or host name.
5) URLs using long host name.
6) URLs use multiple TLDs within domain name or sub-domains.
7) URLs use different port number.
8) URLs with abnormal DNS record.
9) Use of free web hosting.
10) Use of similar logo and themes of popular brands.
11) Email sender with catchy domain names but with a different host name from
the domain.
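An added Python sketch (not the thesis's model or web application) of how those anomalies that can be judged from the URL string alone (items 1, 3, 4, 5, 6, 7 and 9) might be checked after a white-list lookup, without loading the page. The brand list, white list, length threshold, free-hosting domain and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data: assumptions for this sketch, not the thesis's lists.
WHITELIST = {"paypal.com", "ebay.com", "amazon.com"}   # registered domains
BRANDS = {"paypal", "ebay", "amazon"}
TLD_TOKENS = {"com", "net", "org", "gov", "edu"}
FREE_HOSTS = {"freehost.example"}                      # placeholder provider
LONG_HOST = 30                                         # characters (arbitrary)
DEFAULT_PORTS = {"http": 80, "https": 443}


def registered_domain(host):
    """Last two labels only; production code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_anomalies(url):
    """Return the names of the anomalies found in a URL, without fetching it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    # White list: match the whole registered domain, never a substring,
    # so "paypal.com.account-verify.example.net" is NOT treated as paypal.com.
    if domain in WHITELIST:
        return []
    name = domain.split(".")[0]
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    path = parts.path.lower()
    try:
        port = parts.port
    except ValueError:                 # malformed port string
        port = -1
    found = []
    if any(b != name and (b in name or edit_distance(name, b) == 1) for b in BRANDS):
        found.append("misspelled_or_derived_domain")       # item 1
    if any(b in subdomain or b in path for b in BRANDS):
        found.append("brand_outside_registered_domain")    # item 4
    if parts.scheme == "http":
        found.append("http_instead_of_https")              # item 3
    if len(host) > LONG_HOST:
        found.append("long_host_name")                     # item 5
    if any(label in TLD_TOKENS for label in host.split(".")[:-1]):
        found.append("multiple_tlds")                      # item 6
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        found.append("non_default_port")                   # item 7
    if domain in FREE_HOSTS:
        found.append("free_web_hosting")                   # item 9
    return found


# Constructed sample URLs (reserved example domains where possible).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypa1.com/signin",
    "http://paypal.com.account-verify.example.net:8080/ebay/login",
    "https://victim-bank.freehost.example/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, url_anomalies(sample))
```

Items 2, 8, 10 and 11 are left out because they need DNS data, page content or the email itself rather than the URL string.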
Screenshots of websites representing the above anomalies of phishing websites are
collected. Using these screenshots, a web app is developed to test users'
performance on anomalies in the URL.
The experiment is done online with the online web application. The application is
hosted on a server and is made available to all Internet users. The application
has the following features.
1) The web application stores both real and phish sites in a random manner.
2) The phish sites are from different ranges of organizations: banks, email
providers like hotmail, Gmail, yahoo, etc., governmental organizations, social
networking sites, popular brands and payment gateways, etc.
3) There are options for users to click one of two buttons, either the "Real Site"
button or the "Phishing Site" button.
4) The users are alerted with a proper message when they are mistaken in choosing
the right answer ("Phish site" or "Real site").
5) The result of the test is shown at the end, with all the questions and the answers
with the proper messages in a summary form.
Nepalese users use websites mainly for email services, social media networking,
getting news and information, online banking, etc. The websites of these categories
were collected and made to address different types of anomalies in the URL. The
users were given 20 questions to recognize whether each is a real website or a phish
website. Question numbers 2, 4, 5, 10, 11, 13 and 15 are real websites while the others
are phishing websites. The phishing websites have the following anomalies
in the URL.
S. No | Anomalies in the URL | Target Brands | Q. No
1 | URLs misspelled or derived from domain name. | Citizen bank International | 1
2 | The domain name of commercial businesses is not .org | Gmail | 3
3 | URLs using http in place of https, i.e., abnormal SSL certificate. | Gmail, Yahoo mail | 3,8
4 | URLs contain brand, or domain, or host name. | eBay | 17
5 | URLs using long host name. | hotmail | 6
6 | URLs using multiple TLDs within domain name or sub domains. | twitter, Nepal Police, PayPal | 9, 12, 16
7 | URLs use different port number. | Amazon.com | 7
8 | URLs with abnormal DNS record. | Amazon.com | 7
9 | Use of free web hosting. | yahoo mail | 8
10 | Use of similar logo and themes of popular brands or URL use unrelated domain names | eBay, Facebook, YouTube | 17, 18, 19
11 | Emails sender with catchy domain names but with different host name from the domain. | Facebook, Nepal SBI Bank | 14, 20

Table 6 Anomalies in the URL and target brands and organizations


When the user makes a mistake on either a real website or a phishing website, a message
about recognizing real and phishing websites is shown to the user
through the alerting system. After the quiz is completed, a summary of the quiz
and the score obtained is displayed on a single page. In the summary, the user can
see screenshots of all the questions along with the reason each phishing website is a
phishing website. Besides selecting anomalies in the URL, this web application
disseminates knowledge to help users recognize phishing websites. The web
application is accessed online at http://upvedatech.com/quiz/. The
messages shown when users make a mistake are tabulated as follows:
Q.No | Target Site | Message alert when users makes mistake.
1 | Citizen Bank International | (Phishing Site) Citizen Bank legitimate website is http://www.citizensbank.com.np/, where the .com.np which is a registered domain for Nepal. But the snapshot does .com which is not domain for Nepal.
2 | Nepal Investment Bank | (Real Site) Website for Nepal Investment Bank uses SSL (https with green color)
3 | Gmail | (Phishing Site) Gmail login page domain does not use SSL (https with green color) and domain does belong to Google. It's domain is .org
4 | Dropbox | (Real Site) Dropbox website belongs to Dropbox (leftmost side contains "dropbox.com" )
5 | | (Real Site) It is site hosted by Mercantile Communication, Nepal which owns nepalnews.com; Also the Netcraft shows nepalnews.com that it is hosted in Nepal.
6 | hotmail.com | (Phishing Site) Hotmail website does not use SSL (https with green color) and does not belong to Microsoft. Domain is .tw (Taiwan) when Microsoft is in USA.
7 | amazon.com | (Phishing Site) Amazon website does not use SSL (https with green color) and use IP address URL which is not recommended for a genuine website
8 | yahoo mail | (Phishing Site) URL contains https (but not green color by the browser which means it is fraudulent use of https), moreover, domain says Google while mail is for yahoo
9 | twitter | (Phishing Site) Twitter does not use SSL and domain is not of twitter
10 | amazon.com | (Real Site) Amazon uses https
11 | Nepal government | (Real Site) Domain is nepalgov.com.np (authorized registered domain name) .gov.np
12 | Nepal Police | (Phishing Site) Nepal website main domain is .com (nepalpolice.com.np is just a string)
13 | Facebook email | (Real Site) Though, this email in Facebook look suspicious since it ask user to click a link to change the password, there is no generic salutation. Instead the receiver name is used. Then, it also mentions your Gmail account. Moreover, the sender email id is Facebook email service. Then, the there is activation code mention.
14 | Facebook email | (Phishing Site) Even though the email tells it is from Facebook but sender email address is not of Facebook. Salutation is generic "Hello" no receiver name. Ask to click a link which is suspicious. Then, redirect hyperlink contains Facebook. montadalitihad ( montadalitihad makes it suspicious)
15 | eBay | (Real Site) Use https
16 | PayPal | (Phishing Site) PayPal does not use https. At the end of the URL there is another "www." . Domain name contains cedij.com.mx (belongs to mx) when PayPal is from USA. Word "cedij" makes it suspicious. Ask for many sensitive information.
17 | eBay | (Phishing Site) eBay does not use https. URL does not belong to eBay ("admitr")
18 | Facebook | (Phishing Site) Facebook does not use https, and domain does not belong to facebook
19 | YouTube | (Phishing Site) Domain does not belong to YouTube. Suspicious message "There is nothing called free lunch".
20 | Nepal SBI Bank | (Phishing Site) Bank never asks for information through email. Salutation is generic "Dear Valued Customer" no customer name. All the URLs at the end of the message are not from SBI.

Table 7 List of Messages disseminated to alert users about their mistakes

3.5.2 Development of model

Figure 23 Existing phishing prevention systems


[Figure 24 flowchart. Box labels: URL Request; Look for URL in Whitelist; Look for URL in Blacklist; Heuristic Method; Update the whitelist; Update the blacklist; Legitimate URL; Phish; Educate Users; Obtain the keyword of the website; Search in Google; Suggest top results; Advice legitimate URL. Branch labels: URL Present; URL absent; Test Pass; Test Fail.]

Figure 24 Proposed phishing prevention system


The existing phishing prevention system provides warnings after detection of phishing
websites. However relevant or correct the result the phishing prevention system provides,
it is of no use as users ignore the warnings.
While studying the methods and techniques of phishing detection, I have found that the
result of a search engine is a strong sword to use in phishing wars. None of the phishing
systems developed till now has a component that gives a solution after detecting a
phishing website. Using a search engine component to provide a solution for
possible phishing websites is the innovative phishing prevention system proposed in
this research.
The white list check is used as a filter to reduce the burden on the system.
Similarly, the anomalies are selected from the "web application quiz for anomalies in
the URL" to apply the heuristic method for detection of phishing. Many more heuristic
features could be added to make the result more prominent. URLs which
are not in the white list and cannot pass the heuristic test are regarded as possible or
suspicious phishing websites. These possible phishing websites are passed to the
search engine (here we use Google) to find the solution. The search engine result
is displayed as the possible solution for the phishing website.
The following things are considered before development of the model:
1) The detection rate of the existing phishing prevention systems in browsers.
2) The anti-phishing solution model is focused on providing the real
website as a solution after detecting a phishing website.
3) Multiple methods, list based and heuristic, are applied.
4) A small domain of heuristic parameters (anomalies in the URL
of phishing websites) is considered, selected from the result of the above web app
and the availability of resources. For example, "URLs misspelled or derived
from domain name." has no limitation on the domain name features and the
way of being derived or misspelled.
5) Prioritization of heuristic parameters is done through experiment on real
users.
6) The updating component and use of a blacklist are kept for future
enhancement.

Because the study is limited to anomalies in URLs as the heuristic
method and a user-maintained white list, the phishing detection is
implemented as below:

[Figure 25 flowchart. Box labels: URL Request; Look for URL in Whitelist; List of anomalies (From web App & Availability of resources); Heuristic Method; Legitimate URL; Phish; Educate Users; Obtain the keyword of the website; Search in Google; Suggest top results; Advice legitimate URL. Branch labels: URL Present; URL absent; Test Pass; Test Fail.]

Figure 25 Implementation of the model


3.5.3 Validation of the anti phishing solution model

The validation consists of detecting phishing websites, providing information
about the phishing anomalies, and providing a possible solution (legitimate URLs) after
the phishing detection. It is tested with valid phishing websites downloaded from
PhishTank.com just a few minutes before the test.
The test cases developed from the list of problems in the inbuilt phishing prevention
system are as follows:

1) When phishing is detected, users must be provided with solutions rather than
   warnings. [Warning and pop-up messages are another problem, which can be
   irritating to users.]
The study considers anomalies in the URL for the detection of phishing. The test
cases on the basis of anomalies are as follows:
2) URLs misspelled or derived from domain name.
3) URLs using http in place of https, i.e., abnormal SSL certificate.
   Heuristic Rule: Check of https.
4) URLs using TLDs within domain name or sub domains.
   Heuristic Rule: Check of more than 4 dots (.) in domain name. (Zhang,
   Hong, & Cranor, 2007)
5) URLs use different port number.
   Eighty is the port number for the HTTP protocol. So, a port number other than 80 is
   abnormal.
6) Use of IP address.
   A URL with an IP address is abnormal to use. (Zhang, Hong, & Cranor, 2007)
7) URLs using long host name. (Though there is no hard rule for the length of a phishing
   website, McGrath and Gupta found URL length peaking at 67 characters in the
   PhishTank list (McGrath & Gupta, 2008).)
8) URLs with special character "@".
9) URLs with special character "//".
10) URLs with sensitive words ("webscr", "ebayisapi", "secure", "account", "login",
   "signin", "banking" and "confirm").
   These words are drawn by using the delimiters ("/", "?", ".", "=", "-", "_"),
   also known as "bag of words". (Ma, Saul, Savage, & Voelker, 2009)
11) URLs contain brand, or domain, or host name. (Not implementable in detection)
12) Use of similar logo and themes of popular brands or URL use unrelated domain
   names. (Not implementable in detection)
13) The domain name of commercial businesses is not .org. (Not implementable in
   detection)
14) Email senders with catchy domain names but with a different host name from the
   domain. (Not implementable in detection)
Other problems in the browsers' inbuilt phishing prevention system could not be
solved, as this model also uses the list-based and heuristic methods for
detecting phishing websites. So, they are excluded from the study.
3.6 Tools and Technologies Used

Name of Tools/languages/Technologies | Description
Programming Languages | PHP: For development of web application quiz to select anomalies in the URL. JSON: JSON is used to develop extension/plug-in for implementing the proposed phishing prevention system in Google Chrome browser.
Database | MySQL: MySQL is used as database for the web application quiz.
Source code management and collaboration | GitHub: GitHub is used for source sharing and collaborate with stakeholders (Supervisor, Thesis Committee, etc.).
Report making | Microsoft Excel and Word 2007 are used for report making.
Forecasting Tools | Crystal Ball Predictor for Microsoft Excel

Table 8 Tools and Technologies used


3.7 Accessing the Web Application and chrome extension/plug-in
3.7.1 Accessing the Web Application

The web application (anti-phishing quiz) for selection among the anomalies in the URL
was hosted online at http://upvedatech.com/quiz/. Users were able to open the
link (http://upvedatech.com/quiz/) and register their names or even register
anonymously.

3.7.2 Accessing the Extension/Plug-in for Google Chrome

The code or software is uploaded to GitHub and the URL is
https://github.com/rajendra061/AntiPhishSolution.
The steps for using the above code in Google Chrome are as follows:
Step 1: Click on the "customize and control Google Chrome" menu icon as shown in
the figure below. Click "Settings" in the window that appears.
Step 2: Select "Extensions" in the left part of the list displayed after clicking
"Settings".
Step 3: Click "load unpacked extension", and give the path of the downloaded
source code.
Step 4: The extension will be seen in the extensions list as shown above in the
figure.
Step 5: The "refresh" link will automatically rebuild the source code on
any changes made to it.
The extension downloaded from GitHub can be installed in Google Chrome with the
following steps as shown in the figure.

Figure 26 Installation of plugin/extension in Google Chrome.

CHAPTER FOUR
DATA ANALYSIS / RESULTS
4.1 Detection of phishing websites

From the experiment, 95% of the phishing websites in phishtank.com are
detected by the browsers. From the sampling theory used to sample the phishing
websites, we have a confidence level of 95.0% and, using the worst-case percentage of 50%,
the confidence interval is 10. So the true value lies within 10% of the result, i.e., 85%, as
105% is impossible. Hence the detection rate of phishing sites by browsers is found to
be 85%.
Browsers | Sample phishing sites | No. of sites detected | Detection %
Chrome | 96 | 93 | 97%
Mozilla Firefox | 96 | 93 | 97%
Internet Explorer | 96 | 92 | 96%
Opera | 96 | 91 | 95%
Safari | 96 | 88 | 92%
Average detection %: 95%

Table 9 Result of Detection of phishing sites by browsers


This result shows that the techniques used in the phishing detection systems in
browsers are very commendable. The focus must be on the process of guiding users
after the phishing detection.

4.2 Experimental Analysis

The web app stores the results of users' responses to the phishing and real websites. It makes
users aware by giving reasons, in non-technical language, for the mistakes made in
recognizing real or phishing websites. In the figure below, the educative
message is prompted to make the user aware. The output can be seen as below.

Figure 27 Output of Web App


4.2.1 Results of Phishing Anomalies in the URL

The result of the web application by users on recognizing "Real site" or "Phish site" is
shown below.

Figure 28 Result from web app for recognizing phish site and real site

As the study concerns users' behaviour against phishing websites, the results for the
real websites are discarded and the top mistakes on the phishing websites are taken
into the study.
On the phishing websites, about 60% of the users failed to recognize the phishing
website of Citizen Bank International, Nepal, i.e., URL misspelled or derived from
domain name.
The second most often missed phishing website was that of the Yahoo mail
service. It falls in the category of using abnormal
https and using a free hosting domain for a popular brand.
The third most often missed phishing website was that of Nepal
Police, which was hosted inside upvedatech.com. It falls in the category of URLs using
multiple TLDs within domain name or sub domains.
So, on the basis of the mistakes made by users in detecting the phishing websites, the severity of
the categories of anomalies in the URL can be listed as below.

S.No | Anomalies in the URL | Mistake Points | Q. No
1 | URLs misspelled or derived from domain name. | 41 | 1
2 | URLs using http in place of https, i.e., abnormal SSL certificate. | 23 | 3,8
3 | Use of free web hosting. | 23 | 8
4 | URLs use multiple TLDs within domain name or sub domains. | 20 | 9, 12, 16
5 | URLs use different port number. | 16 | 7
6 | URLs with abnormal DNS record. | 16 | 7
7 | URLs using long host name. | 15 | 6
8 | URLs contain brand, or domain, or host name. | 14 | 17
9 | Use of similar logo and themes of popular brands or URL use unrelated domain names | 14 | 17, 18, 19
10 | The domain name of commercial businesses is not .org | 14 | 3
11 | Emails sender with catchy domain names but with different host name from the domain. | 13 | 4, 20

Table 10 Rank of Anomalies in the URL based on mistakes from the test users

4.2.2 Development of Anti Phishing Model

Figure 29 Detail diagram of proposed phishing prevention system


For the development and implementation of the model, a plug-in/extension for the Google
Chrome browser was made. First, the URL request in Google Chrome is obtained and
checked against the white list. If the URL is in the white list,
the user request is directed to the internet. Otherwise, the requested URL is
sent for the anomalies test. When the URL passes the anomalies test, it is directed to
the internet. But if it fails the anomalies test, a keyword is determined from the
URL (here, the host name is used as the keyword). The websites kept
in the white list are as follows. For this, an array is made storing the values of the white
list, i.e.

["google.com","nibl.com.np","facebook.com","esewa.com.np","gmail.com",
"nepalpolice.gov.np", "hotmail.com"];

When a URL is entered in the address bar of the Google Chrome browser, the white list
and heuristic method checks are done. When the URL fails to pass the test, the address
bar shows a phishing and educating alert message (error in heuristic check (https
check)) as in the figure below. The host name is searched in a new tab
automatically.

Figure 30 Educative message provided by the model


After the educative message, this model finds the keyword in the URL. The keyword
is searched in Google and possible solutions are advised to the users. Here,
"facebook1" was found suspicious of phishing and an educative message regarding
anomalies was displayed to the user. The host name is treated as the keyword for the
Google search. The keyword passed to the Google search shows "facebook.com"
as the first result. This means that the facebook1 domain might be used to deceive users
of Facebook. Thus the users can select the possible solution and stay away from
phishing. In the screenshot below and are the possible first and second solution
respectively. The results within the top 5 of the Google search are proposed as possible
solutions.

Figure 31 Solutions advised by the model
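
The white list check, the URL heuristics of test cases 3 to 10 in section 3.5.3 and the keyword search described above, written out in JavaScript (the language Chrome extensions are written in). This is an added example, not the code of the thesis's extension; the function names, rule identifiers, 67-character threshold, sub-domain white list match, keyword rule and sample URLs are assumptions made for illustration.

```javascript
// Added illustration; not the code of the thesis's Chrome extension.
// White list exactly as listed in section 4.2.2.
const WHITE_LIST = ["google.com", "nibl.com.np", "facebook.com", "esewa.com.np",
  "gmail.com", "nepalpolice.gov.np", "hotmail.com"];
// Sensitive words from test case 10 of section 3.5.3.
const SENSITIVE_WORDS = ["webscr", "ebayisapi", "secure", "account", "login",
  "signin", "banking", "confirm"];
// Assumption: the thesis gives no hard length rule; 67 is the PhishTank peak it cites.
const LONG_URL_LENGTH = 67;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Assumption: sub-domains of a white-listed domain are trusted as well.
function isWhitelisted(host) {
  return WHITE_LIST.some((d) => host === d || host.endsWith("." + d));
}

function isIpHost(host) {
  return IPV4.test(host) || host.startsWith("["); // "[...]" is an IPv6 literal
}

// Assumption: the search keyword is the first host label after a leading "www.".
function keywordFor(host) {
  return isIpHost(host) ? host : host.replace(/^www\./, "").split(".")[0];
}

// Test cases 3 to 9 of section 3.5.3, applied to the raw URL string.
function findAnomalies(raw, url, host) {
  const found = [];
  const afterScheme = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  if (url.protocol !== "https:") found.push("no-https");
  if (host.split(".").length - 1 > 4) found.push("many-dots");
  // URL.port is "" for the scheme default (80 for http). Assumption: 443 is
  // accepted for https, although the thesis names only port 80.
  if (url.port !== "") found.push("odd-port");
  if (isIpHost(host)) found.push("ip-host");
  if (raw.length > LONG_URL_LENGTH) found.push("long-url");
  if (raw.includes("@")) found.push("at-sign");
  if (afterScheme.includes("//")) found.push("double-slash");
  return found;
}

// Test case 10, "bag of words": split on the thesis's delimiters, match whole tokens.
function sensitiveWordsIn(raw) {
  const tokens = new Set(raw.toLowerCase().split(/[\/?.=\-_]/));
  return SENSITIVE_WORDS.filter((w) => tokens.has(w));
}

function checkUrl(rawInput) {
  const raw = String(rawInput).trim();
  const result = { verdict: "legitimate", anomalies: [], sensitiveWords: [],
    keyword: null, searchUrl: null };
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { ...result, verdict: "invalid" }; // not an absolute URL
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (isWhitelisted(host)) return result;       // white list hit: no heuristics
  result.anomalies = findAnomalies(raw, url, host);
  result.sensitiveWords = sensitiveWordsIn(raw);
  if (result.sensitiveWords.length > 0) result.anomalies.push("sensitive-words");
  if (result.anomalies.length === 0) return result; // heuristic test passed
  // Heuristic test failed: report the anomalies and offer a search instead.
  result.verdict = "suspicious";
  result.keyword = keywordFor(host);
  result.searchUrl = "https://www.google.com/search?q=" +
    encodeURIComponent(result.keyword);
  return result;
}

// Constructed sample URLs (reserved .example names and a documentation IP range).
const SAMPLES = [
  "https://www.facebook.com/login",
  "http://www.facebook1.example/",
  "http://www.shop.example/dev/4q0x/secure.bank.example/login/signin/signon.php?section=signinpage",
  "http://192.0.2.10:8080/navi/sign_in.html",
  "http://nepalpolice.gov.np.a.b.host.example/",
];
for (const sample of SAMPLES) {
  const r = checkUrl(sample);
  console.log(r.verdict.padEnd(10), r.anomalies.join(",") || "-", "|", r.keyword || "-");
}
```

The last sample shows why the multiple-TLD rule counts dots in the host name only: the white-listed name appears as a prefix of the host, so the suffix match on the white list rejects it and the dot count flags it.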


4.2.3 Test Results and Analysis

For testing, phishing websites were downloaded from PhishTank.com
on 7th February, 2014 at 11:00 pm (NST). From the list, the first 96 websites
were taken for the experiment, as the latest phishing websites were kept at the top of the
list. First the websites were tested with Google Chrome's inbuilt phishing detection
system. Then, after disabling the "Enable Phishing and Malware Protection" feature of
Google Chrome, the test with the model was done.
From the test, it was found that all the websites were detected with the phishing
anomalies considered in the study. None of the phishing websites
had an SSL layer (https protocol in the URL). There were 39 anomalies with multiple
TLDs, 66 websites had long URL anomalies, 3 phishing cases were IP address
anomalies, and 40 anomalies were based on sensitive words. There was no website with
an abnormal port address, "//" or the special character "@".

Figure 32 Test Result (n = 96 websites) of the Model


The proposed model detected all the phishing sites and provided an awareness message
to users about the type of anomalies in the URL of the phishing websites. Google
Chrome could not detect ten phishing websites. Our system provided a solution for all
the phishing websites.
Analysis 1: Preventing Phishing by Awareness in the model
The tests have revealed more information about the model. The effectiveness of the
Google solution can be judged by the following result as an example. We found a
phishing URL targeting "Bank of America" hosted on reginagrogers.com.
The model detected it as phishing and provided a solution for the keyword
"reginagrogers". The reginagrogers website is about "A to Z Proposals Plus, Inc", which
is not relevant to a user trying to log in to Bank of America. So, any user can apply
common sense on seeing the solution provided by the model.

Test URL:
http://www.reginagrogers.com/dev/4q0x/secure.bankofamerica.com/login/sign
in/signOnscreen.go/signon.php?section=signinpage&amp;update=&amp;cookie
check=yes&amp;destination=nba/signin

Figure 33 Information revealed from advice legitimate solution by the model.


From the above analysis, we can see that phishing websites with anomalies using
names of prominent businesses/organizations are solved by this model. Similarly, for the use
of free hosting, unrelated logos and unrelated top-level domains, the real face is displayed
in the advised legitimate websites.
Analysis 2: IP Address
It is difficult to analyze phishing originating from an IP address, in which case Google
could not translate the IP address. If Google converted IP addresses to host names,
or alternatively if a third-party host name resolver were used to detect phishing IPs, then
phishing URLs could be detected more efficiently. But sometimes blacklisted IP
addresses are listed on some websites which the Google crawler can identify and display.
Test URL: http://82.208.147.239/navi/WebObjects/MyAppleIdwoa/wal/sign_in.html

Figure 34 Analysis of solution on IP addresses


4.3 Solutions

The tools developed during this thesis include the awareness part for phishing
prevention and a model for a phishing detection system. Solutions for correcting
the demerits of the blacklist method, white list method and learning-based systems are out of
the scope of this study. The two problems, 1) problems with the warnings and 2) problems
with SSL awareness, are addressed by the study.
This thesis focuses on phishing detection on the basis of anomalies in the URL.
Most phishing websites fail to comply with SSL certification. So, this model
works to provide solutions even for websites whose particular anomalies are not
detected. The tools developed during the study address most of the detected
anomalies in the URL except the URL using an IP address as the host name. These are
shown below.
Test cases | Direct Detection | Awareness | Solution | Remarks
Problems with warnings | | | | advise legitimate websites
URL derived or misspelled | | | | advise legitimate websites
URL using http instead of https | | | |
URLs using multiple top domains | | | | advise legitimate websites
URLs using different port number | | | | advise legitimate websites
URLs using IP address | | | | But provides solution when it is blacklisted in other sites.
URLs using long host name | | | |
URLs with special character "@" | | | |
URLs with "//" | | | |
URLs with Sensitive words | | | |
URLs using brand names | | | | Aware via web app also
Domain names of commercial enterprise as org | | | | Aware via web app & advise
Use of similar logo and themes of popular brands or URL use unrelated domain names | | | |
Use of free web hosting. | | | | Aware via web app

Table 11 Solutions provided by the tools developed.

As the anomalies using prominent organization names, domain names of commercial
enterprises as ".org", use of similar logos and themes of popular brands, URLs using
unrelated domain names, etc. have at least one anomaly, i.e., not using https, they are
detected as phishing by the system. Users can become aware of fishiness in the website
from the results shown as advised legitimate solutions. Thus this method is an
effective method of phishing prevention.

CHAPTER FIVE
CONCLUSION AND RECOMMENDATION
5.1 Conclusion

Computer and internet technologies have induced different types of crimes known as
computer or cyber crimes. These crimes can be broadly categorized as social
networking crimes, hacking, phishing, identity theft, data fraud, email threats, lottery
scams, bots and botnets. This research particularly focuses on phishing as a cyber
crime and studies various anti-phishing tools. In Nepal, awareness of phishing is
confined to those with technical know-how, and most internet users are not aware of
the problems that this form of cyber crime can bring. Phishing is a form of crime in
which identity theft is accomplished by use of deceptive electronic mail and a fake
site on the World Wide Web (WWW).
It is imperative to curb cyber crimes. The Government of Nepal has enforced the
Electronic Transaction Act 2063 to prevent and mitigate cyber crimes in the country.
This research is particularly focused on phishing and has extensively collected
literature and case studies to analyze phishing in Nepal. The research is oriented firstly
to study the problems with phishing and its practical implications, and secondly an
anti-phishing system is proposed and verified.
The number of international phishing attacks in 2012 was 445,004, which is 59%
higher than in 2011. The internet users of Nepal comprise 11.15% of the total population. This
is forecast to increase to 18% by 2015 and 25% by 2018. The internet browser is the
point of access to the internet. The 5 most used browsers in Nepal from June, 2013 to August,
2013 are Chrome (53.9%), Firefox (32%), Internet Explorer (7.48%), Safari (2.81%)
and Opera (2.05%). The browsers have inbuilt anti-phishing systems. They can detect
85% of the existing phish sites on average. So, the detection of
phishing websites is not a problem in these browsers. But these browsers are not able
to provide a probable solution or stop users from accessing phishing websites.
Phishing websites can be detected through anomalies in the URL. URLs using http in
place of https, use of free web hosting to host a popular brand's site, URLs using multiple
TLDs, misspelled URLs, etc. are some types of phishing anomalies. Nepalese users
find it difficult to detect the misspelled URLs or URLs derived from domain name
among the aforementioned anomalies.
The proposed anti-phishing solution model is composed of phishing detection
components (a white-list based approach and a heuristic approach, where anomalies in the
URL are taken in the study) and is designed to show the possible real websites. The
solution is tested by developing an extension/plug-in for the Google
Chrome browser. The experiment is tested with anomalies in the URLs.
It provides solutions to the users by discouraging them from using phishing URLs.
However, it is difficult to detect phishing originating from an IP address, in which case
Google could not translate the IP address. If Google converts IP addresses to
host names, or alternatively a third-party host name resolver is used to detect
phishing IPs, then phishing URLs can be detected more efficiently. The legitimate
websites advised by the model provide information about the domain name the
users are about to enter. This system prevents users from being deluded. The
proposed model, tested with 96 phishing sites from PhishTank, could detect all the
phishing websites, where Google Chrome detected 86 of them. The lack of SSL was
seen in all the phishing websites, and awareness regarding SSL could definitely
prevent users from phishing.
Thus, this model provides a solution for suspicious phishing websites which are not
yet found by any other anti-phishing tools in the web browsers.
5.2 Recommendation

It can be learnt from this study that computer crime management is very
important to study and there are many areas which are very new to study in the case
of Nepal. The types of computer crimes have many improvement areas waiting for
researchers from Nepal to study the problem and propose probable solutions.
In the fight against phishing, the most fundamental parts are: to ensure that the
internet browser is up to date and security patches are applied; phishing probably targets
most of its victims among the less technically savvy, so users need to understand what
phishing is and how it works; the phishing problem differs from many other security
problems in that we wish to protect users from themselves, so all design must
assume that users do not change their behavior, and systems have to handle the
negligence resulting from that behavior.
Some of the fundamental precautionary actions that users need to adopt are:
1) Do not rely on the links contained in email, even if the web address appears to
be correct or looks similar to the legitimate one.
2) Use anti-virus and anti-spyware, as well as a firewall, and update them all
regularly.
3) Always use a secure website for submitting confidential or sensitive information
via web browsers, i.e., https:// rather than http://.
4) A phishing check can be done just before the password is typed. This will protect
against phishing attacks that use a delay in page load to delude anti-phishing
systems.
5) A numeric IP address check, or a check for web pages that have many outbound links
(phishing websites may have many links to the legitimate website), can be used for
detecting phishing websites.
6) Phishers are least bothered about the design, spelling errors in their web site
and copyright information. This can be used for detecting phishing.
7) The concept of providing a solution in the phishing detection system is
recommended for phishing prevention systems, which will help in correcting
users' mistakes.
8) Educate people about different kinds of phishing and the effective use of anti-phishing
tools.
9) IT technical manpower must be provided with training against
computer crimes and with research and development activities.
This model has a component to advise legitimate websites after detection of phishing
websites. So, it is recommended to use this system while doing monetary and
confidential transactions on the internet.

5.3 Future Research Work

The future research work will be further refining the model for the anti-phishing system.
It can be listed as below:
1) The implementation of a login filter system as proposed by Gowtham and
Krishnamurthi will remove the limitation (Gowtham & Krishnamurthi, 2013).
2) The implementation of a blacklist check can be done using standard blacklists
maintained by Google, PhishTank, etc., which is kept for future work.
3) Self-updating of the blacklist and white list in this model can be done for
further enhancement.
4) Further studies can be made in the area of anti-phishing systems in browsers,
such as usability, user behaviour, etc.

REFERENCES
Alkhozae, M. G., & Batarfi, O. A. (2011). Phishing Websites Detection based on
Phishing Characteristics in the Webpage Source Code. International Journal of
Information and Communication Technology Research , 1 (6), 283-291.
American Bankers Assocation. (2005). ABA Works on Fraud - Phishing Prevention &
Resolution.

Retrieved

25,

2013,

from

http://www.angelinabank.com/phishing063005.pdf
APWG.

(2013).

About

APWG.

Retrieved

09

01,

2013,

from

http://www.antiphishing.org/about-APWG/
APWG. (2012). Global Phishing Survey: Trends and Domain Name Use in 1H2012.
Lexington.
Bequai, A. (1978). Computer Crime. Canada and United States: Lexinton Books.
Chaudhary, S. (2012). Recognition of phishing attacks utilizing anomalies in websites.
University of Tampere.
Computer Crime Law. (n.d.). Retrieved 09 10, 2013, from www.hg.org:
http://www.hg.org/computer-crime.html
Cranor, L., Egelman, S., Hong, J., & Zhang, Y. (2006). Phinding Phish: An
Evaluation of Anti-Phishing Toolbars. Pittsburgh: CyLab Carnegie Mellon
University.
Cranor, L., Wardman, B., Warner, G., & Zhang, C. (2009). Case Study of Browser-based Anti-phishing Solutions. CEAS.
Crypto Group Stanford. (n.d.). Spoofguard. Retrieved 09 1, 2013, from
http://crypto.stanford.edu/SpoofGuard/
Dan Tynan, PCWorld. (2004, 4 13). EarthLink Readies Anti-Phishing Tool. Retrieved
09 01, 2013, from http://www.pcworld.com/article/115652/article.html
Daryanani, M. (2011). Desensitizing the User - A Study of the Efficacy of Warning
Messages. Kellogg College, University of Oxford.
Dhamija, R., Tygar, J. D., & Hearst, M. (2006). Why Phishing Works. ACM 1-59593178-3/06/0004.
Egelman, S., Cranor, L. F., & Hong, J. (2008). You've Been Warned: An Empirical
Study of the Effectiveness of Web Browser Phishing Warnings. Proc. of CHI 2008.
Florence, Italy.
EMC Corporation. (Jan, 2013). The Year in Phishing. RSA, EMC.
Firefox. (2013). Phishing and Malware protection. Retrieved 09 20, 2013, from
http://www.mozilla.org/en-US/firefox/phishing-protection/
Florencio, D., & Herley, C. (2006). Analysis and Improvement of Anti-Phishing
Schemes. Retrieved 10 12, 2012, from
http://research.microsoft.com/pubs/69369/mainsec2006.pdf
Frost & Sullivan. (2009). Key Challenges in fighting Phishing and Pharming.
Retrieved April 6, 2013, from
http://www.easysol.net/newweb/images/stories/downloads/Frost_SullivanPhishing_wp_dec09.pdf
Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007). A Framework for Detection
and Measurement of Phishing Attacks.
Gastellier-Prevost, S., Granadillo, G. G., & Laurent, M. (2011). Decisive heuristics to
differentiate legitimate from phishing sites. Network and Information System Security
(SAR-SSI).
Google. (2013). Facts about Google and Competition-About Search. Retrieved 10 25,
2013, from https://www.google.com/competition/howgooglesearchworks.html
Government of Nepal. (2008). The Electronic Transactions Act, 2063 (2008). Nepal:
Government of Nepal.
Gowtham, R., & Krishnamurthi, I. (2013). A comprehensive and efficacious
architecture for detecting phishing webpages. Computer and Security (40), 23-37.

Hacker Factor Solutions. (2005). Anti-Phishing: Page Encoding. Retrieved 10 9,
2013, from http://www.hackerfactor.com/papers/ap-page_encoding.pdf
Hathaway, J. (2010, 1 12). Phishing attack hits Android Market -- be careful about
banking apps! Retrieved 09 24, 2013, from
http://downloadsquad.switched.com/2010/01/12/phishing-attack-hits-android-marketbe-careful-about-banking/
He, M., Horng, S.-J., Fan, P., Khan, M. K., Run, R.-S., Lai, J.-L., et al. (2011). An
efficient phishing webpage detector. Expert Systems with Applications, 12018-12027.
Islam, R., & Abawajy, J. (2013). A multi-tier phishing detection and filtering
approach. Network and Computer Applications (36), 324-335.
Jamieson, R., Land, L. P., Winchester, D., Stephens, G., Steel, A., Maurushat, A., et al.
(2012). Addressing identity crime in crime management information systems:
Definitions, classification, and empirics. Computer Law & Security Review, 28,
381-395.
Kay, R. (2004, 1 19). QuickStudy: Phishing. Retrieved 09 09, 2013, from
http://www.computerworld.com/:
http://www.computerworld.com/s/article/89096/Phishing
Key, J. P. (1997). Experimental. Retrieved 09 16, 2013, from Oklahoma State
University:
http://www.okstate.edu/ag/agedcm4h/academic/aged5980a/5980/newpage2.htm
Killcrece, G. (2004). Steps for Creating National CSIRTs. Pittsburgh: Carnegie
Mellon Software Engineering Institute.
Krejcie, R. V., & Morgan, D. W. (1970). Determining Sample Size for Research
Activities. Educational and Pyschological Measurement (30), 607-610.
Kuo, C., Parno, B., & Perrig, A. Browser Enhancements for Preventing Phishing
Attacks. Pittsburgh: Carnegie Mellon University.

Leng, T. K. (2000). Computer Crime- UK/ Singapore Unauthorized Access to
Computer Data. Elsevier Science Ltd.
Li, L., & Helenius, M. (2007). Usability evaluation of antiphishing toolbars.
Computer Virology , 3, 163-184.
Ma, J., Saul, L. K., Savage, S., & Voelker, G. M. (2009). Beyond Blacklists: Learning
to Detect Malicious Web Sites from Suspicious URLs. 15th ACM SIGKDD
International Conference on Knowledge Discovery and Data Mining, (pp. 1245-1254).
Macworld.com. (2008, 11 25). Inside Safari 3.2's anti-phishing features. Retrieved 09
17, 2013, from http://www.macworld.com/article/1137094/safari_safe_browsing.html
McGrath, D. K., & Gupta, M. (2008). Behind Phishing: An Examination of Phisher
Modi Operandi. 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats.
San Francisco, California, USA: USENIX Association Berkeley, CA, USA.
Merritt, M. (2009). Cybercrime Exposed. Symantec Cooperation.
Microsoft. (2005). Microsoft Phishing Filter: A New Approach to Building Trust in E-Commerce
Content. Retrieved 25, 2013, from
http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=B4022C6699BC-4A30-9ECC-8BDEFCF0501D&displaylang=en
Moore, R. (2005). Cyber crime: Investigating High-Technology Computer Crime.
Cleveland, Mississippi: Anderson Publishing.
Mozilla iSEC Partner. (2006). Mozilla Phishing Protection: Testing Methodology
Analysis. Retrieved 08 20, 2013, from
http://www.mozilla.org/security/iSECPartners_Phishing.pdf
Nepal Government. (2008). The Electronic Transactions Act, 2063 (2008). The
Electronic Transactions Act, 2063 (2008). Nepal: Nepal Government.
Netcraft. (2013). Anti-Phishing Services. Retrieved 09 01, 2013, from
http://www.netcraft.com/anti-phishing/
Netcraft. (2013). Netcraft toolbar. Retrieved 09 01, 2013, from
http://toolbar.netcraft.com/
NW3C. (2013, 9 8). Criminal Use of Social Media. (NW3C, Ed.) Retrieved 9 8, 2013,
from http://www.nw3c.org/docs/whitepapers/:
http://www.nw3c.org/docs/whitepapers/criminal-use-of-social-media.pdf
Oates, B. J. (2006). Researching Information Systems and Computing. London:
SAGE Publications.
Odaro, U. S., & Sanders, G. B. (2010). Social Engineering: Phishing for a Solution.
Retrieved 7 12, 2013, from http://www.kaspersky.com/view.html?id=81
Opera. (2013). Opera's Fraud and Malware Protection. Retrieved 09 20, 2013, from
http://www.opera.com/help/tutorials/security/fraud/
Pan, Y., & Ding, X. (2006). Anomaly Based Web Phishing Page Detection. 22nd
Annual Computer Security Applications Conference (ACSAC'06). Computer Society.
Parker, D. B. (1989). Computer Crime: Criminal Justice Resource Manual.
Washington D. C: National Institute of Justice.
Perry, R. L. (1986). Computer Crime. New York: Franklin Watts.
PhishTank. (2013, 09 08). What is Phishing? Retrieved 09 08, 2013, from
PhishTank.com: http://www.phishtank.com/what_is_phishing.php?view=website
PhishTank.com. (2013, 09 24). phishtank: stats. Retrieved 09 24, 2013, from
phishtank: stats: https://www.phishtank.com/stats.php
Pritush. (2012, 11 13). Beware of Phishing email Targeted to Nepali internet
banking users. Retrieved 09 09, 2013, from Nepallica.com:
http://nepallica.com/beware-of-phishing-email-targeted-to-nepali-internet-bankingusers/
Provos, N., McNamee, D., Mavrommatis, P., Wang, K., & Modadugu, N. (2007).
Google discovers suspicious websites during. Retrieved 8 9, 2013, from
http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf
Sabanal, P., & Yason, M. V. (2012). Digging deep into the Flash Sandboxes. (IBM
Corporation) Retrieved 08 09, 2013, from http://media.blackhat.com/bh-us12/Briefings/Sabanal/BH_US_12_Sabanal_Digging_Deep_WP.pdf
Safari. (2013). What is Safari? Retrieved 09 24, 2013, from
http://www.apple.com/safari/what-is.html
Sen, O. N., & S, B. (2001). Criminal Justice Responses to Emerging Computer Crime
Problems. Texas: University of North Texas.
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., et al.
(2007). Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches
People Not to Fall for Phish. Symposium on Usable and Security (SOUPS).
Pittsburgh, PA, USA.
Shrestha, P. M. (2013, 4 16). Phishing incidents wake up Nepali banks to security
threats. Retrieved 09 09, 2013, from ekantipur.com:
http://www.ekantipur.com/2013/04/16/business/phishing-incidents-wake-up-nepalibanks-to-security-threats/370064.html
Sigsworth, W. (2013, 6 24). Report: Almost 1 In 4 People Worldwide Are Using
Social Media. Retrieved 09 24, 2013, from SocialMediaFrontiers.com:
http://www.socialmediafrontiers.com/2013/06/report-almost-1-in-4-peopleworldwide.html
Singh, N. P. (2007). Online Frauds in Banks with Phishing. Journal of Internet
Banking and Commerce , 12 (2).
South Asia Partnership. (2007). Cyber Cafes of Nepal - Passage to cyber crime?
Kathmandu: SAP International and Bellanet Asia.
statcounter.com. (2013). Statcounter Global top 5 browser. Retrieved 09 8, 2013,
from statcounter.com: http://gs.statcounter.com/#browser-ww-monthly-201306-201308-bar
State of Alaska State Security Office. (July 2009). Monthly Cyber Security Tips
Newsletter. Alaska: State of Alaska State Security Office.
Techsansar.com. (2013, 2 14). List of Nepali Apps in Google Play Store. Retrieved 09
24, 2013, from http://techsansar.com/application/nepali-android-apps-google-playstore/
Tenhunen, M. (1994). Updating Computer Crime and Information Security Strategies.
Paper presented to Kriminalistik and Forensische Wissenshcaften .
The World Bank. (2013). Internet users (per 100 people). Retrieved 09 24, 2013,
from World Bank: http://data.worldbank.org/indicator/IT.NET.USER.P2
Tittel, E. (2011, 6 11). A Review of Browser Anti-Phishing Protection. Retrieved 09
20, 2013, from readwrite.com: http://readwrite.com/2011/07/30/a-review-of-browseranti-phish
Trend-Micro. (Feb, 2013). Mobile Phishing: A Problem on the Horizon. Trend-Micro.
Wikipedia. (2013, 07 16). PhishTank. Retrieved 09 01, 2013, from
http://en.wikipedia.org/wiki/Phishtank
Wordspy.com. (n.d.). phishing. Retrieved 10 12, 2013, from
http://www.wordspy.com/words/phishing.asp
Wu, M., Miller, R. C., & Garfinkel, S. (2006). Do security toolbars actually prevent
phishing attacks?
www.w3schools.com. (2013). What is Google Chrome? Retrieved 09 8, 2013, from
http://www.w3schools.com:
http://www.w3schools.com/browsers/browsers_chrome.asp
Zhang, Y., Hong, J., & Cranor, L. (2007). CANTINA: A content-Based Approach to
Detecting Phishing Web Sites. WWW 2007 / Track: Security, Privacy, Reliability, and
Ethics (pp. 639-648). Alberta: International World Wide Web Conference Committee
(IW3C2).


ANNEXES
Annex 1 Important terminology and Definition
Annex 2 Best forecasting method for the internet users using crystal ball
Annex 3 Internet users in Nepal using crystal Ball predictor
Annex 4 List of valid phishing website from PhishTank.com
Annex 5 Phishing websites not detected by browsers
Annex 6 Question for WebApp with answers http://upvedatech.com/quiz/
Annex 7 Chi Square Test
Annex 8 T- Test
Annex 9 Entering inside of the web app
Annex 10 URL derived from host name
Annex 11 Real website with SSL
Annex 12 Message alerted on mistake
Annex 13 Phishing website of Gmail
Annex 14 Educative message to the user
Annex 15 Real website of Dropbox
Annex 16 Real website of nepalnews.com with page ranking, risk rate, etc.
Annex 17 Phishing website of Hotmail
Annex 18 Phishing website of Amazon, use of IP address/port no
Annex 19 Phishing website of Yahoo Mail
Annex 20 Phishing website of twitter.com
Annex 21 Real website of Amazon.com (Use of SSL certificate)
Annex 22 Real website of Government of Nepal (use of gov.np)
Annex 23 Phishing website of Nepal Police hosted in other site
Annex 24 Real email from Facebook, no generic salutation, etc.
Annex 25 Phishing email
Annex 26 Real website of esewa.com.np with SSL
Annex 27 Phishing website of PayPal
Annex 28 Phishing website of eBay
Annex 29 Phishing website of Facebook hosted other domain
Annex 30 Phishing website of YouTube.com
Annex 31 Phishing email targeting SBI Nepal Bank
Annex 32 Summary of the web App (part 1)
Annex 33 Summary of the Web App (part 2)
Annex 34 Summary of the web App (part 3)
Annex 35 Summary of the web App (part 4)
Annex 36 Summary of the web App (part 5)
Annex 37 Messages delivered to users on various anomalies
Annex 38 Test Result of the Model (excerpt)

Annex 1 Important terminology and Definition


Computer or Cyber Crime
Nepal's Electronic Transaction Act 2063 defines computer as "a
means an electro-magnetic, optical or other high-speed data
processing device or system, which performs logical, arithmetic
and memory functions by manipulating electro-magnetic or
optical impulses, and also includes all acts of input, output,
processing, storage and computer software or communication
facilities which are connected or related to the computer in any
computer system or computer network". (Government of Nepal,
2008)

Identity crimes
Identity crime involves the illegal use of any part of a biometric,
attributed or biographical identity of an individual and entity.
These three identity components are used by governments and
organizations to identify and authenticate customers in everyday
business transactions. The identity crime label is an overarching
class that encompasses identity fraud. Identity fraud is enabled by
identity crime sub-classes identity theft and identity deception.
(Jamieson, et al., 2012)

Social Network
Social media will be defined as any website or software that
allows you to receive and disseminate information
interactively. (NW3C, 2013)

Social Engineering
More typical are those forms of online fraud that play upon our
interests, emotions, and concerns. Cybercriminals know to use
social engineering to trick us into lowering our defenses. While
we're donating to a charity, our credit card is actually being
charged by a criminal account. Or perhaps, while we're looking at
porn, a salacious video or photographic content - instead of the
juicy details we think we're downloading - we're actually
downloading a keystroke logger or bot onto our own
computer. (Merritt, 2009)

Bots and Botnet
Short for robot, a bot is a small hidden application that is sent by
cybercriminals to unsuspecting computers like yours. It then uses
your computer to perpetrate criminal activities such as sending
spam emails or phishing attacks. Botnets are networks of bots
working together to perpetuate massive attacks in thousands or
even millions of computers. (Merritt, 2009)

Hacking
The term refers to the unauthorized access of another's computer
system. These intrusions are often conducted in order to launch
malicious programs known as viruses, worms, and Trojan Horses
that can shut down or destroy an entire computer network.
Hacking is also carried out as a way to take credit card numbers,
internet passwords, and other personal information. By accessing
commercial databases, hackers are able to steal these types of
items from millions of internet users all at once. (Computer Crime
Law)

CERTs/CSIRTs
CERT stands for Computer Emergency Response Team and
CSIRT stands for Computer Security Incident Response Team.
The need for a community of computer security incident response
teams was recognized in the late 1980s when the Defense
Advanced Research Projects Agency created the Computer
Emergency Response Team Coordination Center at Carnegie
Mellon University's Software Engineering Institute. (Killcrece,
2004).

Trojan Horse
Trojan horse is a program in which malicious or harmful code is
contained inside apparently harmless programming or data in such
a way that it can get control and do its chosen form of damage.

Annex 2 Best forecasting method for the internet users using crystal ball
Table Items

Methods | Rank | RMSE | MAD | MAPE | Durbin-Watson | Theil's U | Periods | Alpha | Beta
Double Exponential Smoothing | 1 | 1.2117 | 0.3185 | 29.668 | 1.958 | 0.946 | | |
Double Moving Average | | 1.3669 | 0.4613 | 29.917 | 1.933 | 0.908 | | |
Single Exponential Smoothing | 3 | 1.3482 | 0.4851 | 39.447 | 1.384 | | | |
Single Moving Average | | 1.3479 | 0.4848 | 39.426 | 1.386 | | | |

Alpha: 0.733, 0.999
Beta: 0.516

Annex 3 Internet users in Nepal using crystal Ball predictor

Year | Internet Users | Year | Internet Users
1989 | | 2009 | 1.97
1990 | | 2010 | 7.93
1991 | | 2011 |
1992 | | 2012 | 11.1493
1993 | | 2013 | 13.60106
1994 | | 2014 | 15.97461
1995 | 0.000925 | 2015 | 18.34817
1996 | 0.00451 | 2016 | 20.72172
1997 | 0.021999 | 2017 | 23.09527
1998 | 0.064394 | 2018 | 25.46882
1999 | 0.146669 | 2019 | 27.84237
2000 | 0.204652 | 2020 | 30.21592
2001 | 0.240015 | 2021 | 32.58948
2002 | 0.312956 | 2022 | 34.96303
2003 | 0.382811 | 2023 | 37.33658
2004 | 0.449844 | 2024 | 39.71013
2005 | 0.826551 | 2025 | 42.08368
2006 | 1.141389 | 2026 | 44.45723
2007 | 1.41 | 2027 | 46.83079
2008 | 1.73 | 2028 | 49.20434

Annex 4 List of valid phishing website from PhishTank.com



Annex 5 Phishing websites not detected by browsers


Browsers | Websites list (S.No.) not detected
Chrome | 8, 45, 77
Mozilla Firefox | 8, 44, 77
Internet Explorer | 8, 11, 33, 77
Opera | 4, 8, 20, 33, 68, 77
Safari | 4, 15, 19, 61, 62, 68, 74, 78

Annex 6 Question for WebApp with answers http://upvedatech.com/quiz/

S.No | Name | Ans IsPhish (1 = phish; 0 = not) | Remarks
1 | Citizen Bank International | 1 | similar url name
2 | Nepal Investment Bank | 0 | ebanking with SSL
3 | gmail | 1 | it is of org domain
4 | dropbox | 0 | Login form, with SSL
5 | nepalnews.com | 0 | simple http, with netcraft antiphishing system showing address is Nepal.
6 | hotmail.com | 1 | long url names
7 | amazon.com | 1 | use of static ip address
8 | yahoo mail | 1 | long url names
9 | twitter | 1 | use of same url in sub domain name
10 | amazon.com | 0 | Using SSL
11 | Nepal government | 0 | Simple http, government of Nepal's domain gov.np
12 | Nepal Police | 1 | Use of multiple TLDs
13 | facebook email | 0 | Real authentic email from facebook with same host sender, with specific salutation and with activation code.
14 | Facebook email | 1 | Use of same name in email
15 | ebay | 0 | ssl with Norton secured signature.
16 | paypal | | Use of long url and same url name back of host url
17 | ebay | 1 | Use of long url and same url at back
18 | facebook | 1 | Use of secure icon
19 | youtube | 1 | Use of similar logo
20 | Nepal SBI Bank | 1 | Use of name and hyphen
Statistical Analysis of browsers phishing detection system


Annex 7 Chi Square Test


Assumption: The detection of phishing websites in different browsers is done by the same
anti-phishing system.
Null Hypothesis
H0: Detection of phishing websites is independent of the browser.
Alternate Hypothesis
H1: H0 is false. Detection of phishing websites by the browsers is dependent.
The observed frequencies were counted from the experiment with the
browsers on a sample of phishing websites (size = 96, level of significance α = 0.05).

Browsers | Observed | Expected | D.F. | (O-E)²/E
Chrome | 93 | 91.2 | | 0.035526
Mozilla Firefox | 93 | 91.2 | | 0.035526
Internet Explorer | 92 | 91.2 | | 0.007018
Opera | 90 | 91.2 | | 0.015789
Safari | 88 | 91.2 | | 0.112281
Total | 456 | | |
Calculated χ² | | | | 0.20614

Table 12 The Chi-Square Test for detection of phishing website

The critical value of χ² with 4 degrees of freedom at the 0.05 alpha level is 9.49,
i.e. χ²critical = 9.49.
From Table 12, the calculated χ² value is 0.20614 for 4 degrees of freedom, whereas the critical χ²
value for 4 degrees of freedom at the 0.05 alpha level is 9.49. Since the calculated χ²
value is less than the critical χ² value, the alternate hypothesis H1 (detection of
phishing websites by the browsers is dependent) is rejected, i.e. the null hypothesis H0 is
accepted. Thus, it indicates that detection of phishing websites by the browsers is
independent.
Annex 8 T- Test
Statement: Detection of all the phishing websites are done by the browsers inbuilt anti
phishing system.
Assumption the distribution of the samples is randomly sampled, normal
distribution and equal variances.
Here we have sample size = 96, level of significance is 95%, i.e. =0.05
Taking the null hypothesis that there is detection of all 96 phishing websites by the
inbuilt anti phishing system of the browsers.
Null Hypothesis:
H0: = H0 = 96 i.e. Detection of all the phishing websites are done by the browsers
inbuilt anti phishing system.
Alternate Hypothesis
H1: H0. i.e. Detection of phishing websites by the browsers is not all the websites.
Observed Observed

D.F.

Browsers

(xi)

Mean(

(N-1)

Chrome

93

x i-

(x i- )2

91.2

1.8

3.24

93

91.2

1.8

3.24

Explorer

92

91.2

0.8

0.64

Opera

90

91.2

-1.2

1.44

Mozilla
Firefox
Internet
4

109

2.1679 -4.950822

Safari

88

Total

456

91.2

-3.2

10.24
18.8

Table 13 T-Test calculation for detection of phishing websites by browsers.


The critical T-value with 4 degrees of freedom at the 0.05 alpha level is 2.132,
i.e. Tcritical = 2.132.
From Table 13, the calculated Tcritical value is 2.132 for 4 degrees of freedom. But the
critical Tcritical value for 4 degrees of freedom at the 0.05 alpha level is 2.132. Since
the calculated |t| value is more than the critical T-value, the null hypothesis H0
(detection of all the phishing websites by the browsers) is rejected, i.e. the alternate
hypothesis H1 is accepted. Thus, it indicates that the browsers detect fewer than all of
the phishing websites.
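
The statistics in Tables 12 and 13 can be recomputed from the five observed counts. The Python below is an added example, not part of the thesis; the function names are hypothetical, and the critical values 9.49 and 2.132 are the ones quoted in the text.

```python
import math
import statistics

# Detections per browser out of 96 phishing sites (Tables 12 and 13).
OBSERVED = {"Chrome": 93, "Mozilla Firefox": 93, "Internet Explorer": 92,
            "Opera": 90, "Safari": 88}
CHI2_CRITICAL = 9.49    # quoted in the text: 4 d.f., alpha = 0.05
T_CRITICAL = 2.132      # quoted in the text: 4 d.f., alpha = 0.05
ALL_SITES = 96          # hypothesised mean under H0 of the t-test


def chi_square(counts):
    """Table 12: sum of (O - E)^2 / E with E taken as the mean of the counts."""
    expected = sum(counts) / len(counts)
    terms = [(o - expected) ** 2 / expected for o in counts]
    return expected, terms, sum(terms)


def one_sample_t(counts, mu0):
    """Table 13: t = (mean - mu0) / (s / sqrt(N)), s = sample std deviation."""
    n = len(counts)
    mean = statistics.mean(counts)
    s = statistics.stdev(counts)            # divides by N - 1
    return mean, s, (mean - mu0) / (s / math.sqrt(n)), n - 1


def decisions(counts):
    """Apply the two decision rules used in the annexes."""
    _, _, chi2 = chi_square(counts)
    _, _, t, _ = one_sample_t(counts, ALL_SITES)
    return {"chi2_rejects_H0": chi2 > CHI2_CRITICAL,
            "t_rejects_H0": abs(t) > T_CRITICAL}


if __name__ == "__main__":
    counts = list(OBSERVED.values())
    expected, terms, chi2 = chi_square(counts)
    for name, term in zip(OBSERVED, terms):
        print(f"{name:18s} (O-E)^2/E = {term:.6f}")
    print(f"E = {expected:.1f}  chi-square = {chi2:.5f}")
    mean, s, t, df = one_sample_t(counts, ALL_SITES)
    print(f"mean = {mean:.1f}  s = {s:.4f}  t = {t:.6f}  d.f. = {df}")
    print(decisions(counts))
```

The sample standard deviation and t statistic it prints are the two values in the last columns of Table 13.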

Outputs of web application quiz:

Annex 9 Entering inside of the web app
Annex 10 URL derived from host name
Annex 11 Real website with SSL
Annex 12 Message alerted on mistake
Annex 13 Phishing website of Gmail
Annex 14 Educative message to the user
Annex 15 Real website of Dropbox
Annex 16 Real website of nepalnews.com with page ranking, risk rate, etc.
Annex 17 Phishing website of Hotmail
Annex 18 Phishing website of Amazon, use of IP address/port no
Annex 19 Phishing website of Yahoo Mail
Annex 20 Phishing website of twitter.com
Annex 21 Real website of Amazon.com (Use of SSL certificate)
Annex 22 Real website of Government of Nepal (use of gov.np)
Annex 23 Phishing website of Nepal Police hosted in other site
Annex 24 Real email from Facebook, no generic salutation, etc.
Annex 25 Phishing email
Annex 26 Real website of esewa.com.np with SSL
Annex 27 Phishing website of PayPal
Annex 28 Phishing website of eBay
Annex 29 Phishing website of Facebook hosted other domain
Annex 30 Phishing website of YouTube.com
Annex 31 Phishing email targeting SBI Nepal Bank

Full page summary is broken into parts for display.

Annex 32 Summary of the web App (part 1)
Annex 33 Summary of the Web App (part 2)
Annex 34 Summary of the web App (part 3)
Annex 35 Summary of the web App (part 4)
Annex 36 Summary of the web App (part 5)

Annex 37 Messages delivered to users on various anomalies

| Anomalies in URL | Messages |
|---|---|
| no https | The website asks for confidential information but it does not use encryption during data transmission. This makes your information unsecure. |
| multiple TLDs | The website uses multiple top level domain (e.g., .com.np). |
| Long URL | The website uses suspiciously lengthy URL. |
| IP Address | The website uses IP address (e.g., 192.183.24.23) which is not recommended for website hosting. |
| Port No | The website uses port other than 80 which is not recommended for website hosting. |
| Use of '//' | The website may suspiciously redirect to other site. |
| Use of '@' | The website will suspiciously redirect to other site. |
| Sensitive words | The website url has sensitive words. |
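
The checks behind these messages can be expressed as a small URL classifier. The Python below is an added example, not the thesis's web app or extension code; `url_anomalies`, the length threshold, the sensitive-word list and the TLD label set are assumptions, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values: the annex names the checks but not these thresholds or lists.
MAX_URL_LENGTH = 60
SENSITIVE_WORDS = ("login", "signin", "secure", "account", "verify", "update")
TLD_LABELS = {"com", "net", "org", "edu", "gov", "co", "uk", "np", "fr", "au"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_anomalies(url):
    """Return the Annex 37 anomaly labels that apply to `url`, in table order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = -1
    # Port 80 per the annex; 443 is accepted for https (assumption).
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    tld_hits = 0 if is_ip(host) else sum(l in TLD_LABELS for l in host.split("."))
    checks = [
        ("no https", parts.scheme != "https"),
        ("multiple TLDs", tld_hits > 1),
        ("long URL", len(url) > MAX_URL_LENGTH),
        ("IP address", is_ip(host)),
        ("port no", port is not None and port != default_port),
        ("use of '//'", "//" in parts.path or "//" in parts.query),
        ("use of '@'", "@" in parts.netloc),
        ("sensitive words", any(w in url.lower() for w in SENSITIVE_WORDS)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample URLs (reserved example names and documentation addresses).
SAMPLES = [
    "https://www.example.com/",
    "http://192.0.2.10:8080/~voice/webapps/account/verify/confirm/index.php",
    "http://bank.example.com.cgi.bin.webscr.example.net/pp/tt/login.php",
    "http://www.example.com@198.51.100.7//redirect",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", "; ".join(url_anomalies(sample)) or "none")
```

Counting TLD-like labels follows the annex's own example (.com.np), so legitimate second-level country domains are flagged as well; matching the host against the Public Suffix List avoids that false positive.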

Annex 38 Test Result of the Model (excerpt)

Columns: List (URL); Detected by Chrome; Detected by model and anomalies found.

The detailed result is kept in an Excel file on the CD-ROM.

The CD-ROM includes the source code for the web app and for the extension developed in
Google Chrome.
