Address Bar based Features 1 Using the IP Address

If an IP address is used as an alternative of the domain name in the URL, such as (http://125.98.3.123/fake.html), users are excused if they doubt that someone is trying to steal their personal information (Aburrous et al., 2010 C). Sometimes the IP address is even converted into hexadecimal code as shown in the following link (http:// 0xCA. 0x62.0xCC.0x58 /3/paypal.uk/index.htm). To extract this feature, we examine whether the domain part of the URL (Figure ‎5.7) contains an IP address or not.

Chapter ‎5 Page 99 EVALUATING THE SSNNALGORITHM

Figure ‎5.7 URL anatomy

2-

Phishers might use long URLs to hide the suspicious part in the address bar. For example:

http://federmacedoadv.com.br/3f/aze/ab51e2e319e51502f416dbe46b773a5e/?cmd=_hom e&dispatch=11004d58f5b74f8dc1e7c2e8dd4105e811004d58f5b74f8dc1e7c2e8dd41 05e8@phishing.website.html

According to (Basnet et al., 2011) the maximum length of genuine URL is 75 characters. However, the authors did not clarify the reasons behind their chosen value. In another study (McGrath & Gupta, 2008), it has been stated that URL lengths peak at 22 characters for legitimate websites in the Directory Mozilla6 _{(DMOZ) (Skrenta & Truel, 2011). However, the same study revealed}

that there are 67 characters for the phishing URLs in PhishTank (PhishTank, 2011) and 107 for the phishing URLs in MarkMonitor (MarkMonitor, 2013). However, phishers are nowadays utilizing smaller URLs in an attempt to add an atmosphere of legality to their hostile links. In general, there is no agreement on a reliable length that separates phishing websites from legitimate ones.

6

Chapter ‎5 Page 100 EVALUATING THE SSNNALGORITHM

3-

URL shortening is a method on the World Wide Web in which a URL may be made considerably smaller in length and still leads to the required webpage. For example, a link such as http://portal.hud.ac.uk/ can be shortened to

bit.ly/19DXSk4. However, it is abnormal to find a legitimate website using shortening service. By looking into our data set, we found 107 TinyURLs and none of them was found in the legitimate websites data set.

4-

One technique commonly used to lure users is by utilizing the @ symbol. The

existence of such a symbol in the URL leads the browser to ignore everything

preceding the symbol, since the real address often follows the @ symbol. After

reviewing our data set, we found 90 URLs having the @ symbol and all of them

were found in the phishing data set.

5-

The Hypertext Access (.htaccess) is a configuration file used to modify the configuration of the Apache Web Server (Starr, 2012). One of these configurations is the redirect functionality. Phishers can use .htaccess to redirect

users to a phishing webpage. The .htaccess looks for any request for a specific

webpage and if it finds that request, it forwards the user to a new webpage. For

example, if a phisher wants to redirect users from legitimate.html to

phishing.html he can use the following syntax:

redirect legitimate.html http://www.fake.ca/phishing.html

Any user visiting legitimate.html will end up on http://www.fake.ca/phishing.html. However, this technique results in adding double slash (//) at the beginning of the redirected webpage as seen in the following example:

Chapter ‎5 Page 101 EVALUATING THE SSNNALGORITHM

http://www.legitimate.html//http://www.phishing.html

We will check the position where the // appears. We have found that if the URL starts with HTTP then the // normally appears in the sixth position. However, if the URL uses HTTPS then the // appears in seventh position. Otherwise, the // will cause the URL to be transferred to another webpage.

6-

The dash symbol is infrequently used in genuine URLs (Aburrous et al., 2010 B). Phishers resort to adding prefixes or suffixes separated by (-) to the domain name so that users feel that they are dealing with a legitimate webpage. For example: http://www.Confirme-paypal.com/.

7-

Another technique used by phishers to scam users is by adding multi sub- domains to the URL (Gastellier-Prevos et al., 2011) (Leyden, 2011)as in the following URL: http://sigin.ehay.it.ws.ebadell.it.vividsong.com/.

8-

HTTPS is a Hyper Text Transfer Protocol (HTTP) plus Secure Sockets Layer (SSL). Usually, legitimate websites utilise secure domains every time sensitive information is transferred. SSL indicates that the clients are connected to the server they presume and not to any other third party. In addition, SSL encrypts the network traffic, therefore nobody other than the client and server can eavesdrop. The presence of HTTPS is an important sign of website validity; nevertheless this is clearly not enough. For instance, in 2005, Netcraft Toolbar Community identified more than 450 phishing URLs utilising fake HTTPS (Miller, 2005). Fake certificates can be utilised to trick users into thinking a

Chapter ‎5 Page 102 EVALUATING THE SSNNALGORITHM

malicious website is legitimate. Therefore, we further need to check the certificate assigned with HTTPS, including the certificate age, and the extent of a trust certificate issuer. Certificate authorities that are frequently listed among the top trustworthy names include (Best SSL Certificates, 2011): GeoTrust, GoDaddy, Network Solutions, Thawte, Comodo, Doster and VeriSign. However, by testing out our data sets, we have found that the minimum age of a reputable certificate is two years. In our phishing data set, we find 2321 URLs that do not support HTTPS, whereas in legitimate data sets we found 115 items. Unlike previous researches that assume that a URL is valid if it is using an HTTPS protocol, we further examine the certificate authority provider as well as the certificate age.

9-

It is abnormal to find a legitimate websites hosted on a free domain-hosting server. Commonly, reputable companies pay for web hosting service providers to maintain their domain name. In a recent report (Aaron & Manning, 2014 B), it has been shown that 25% of phishing websites identified in the first half of 2014 are using free domain-hosting servers. Information about hosting providers can be obtained from WHOIS database (WHOIS, 2005).

10-

A favicon is a graphic image (icon) associated with a specific webpage. Many organisations show favicon as a visual reminder of the website identity in the address bar as per Figure ‎5.8. In our data sets, we have found 139 phishing websites using such feature. None of them loads the favicon from the domain shown in the address bar but from the genuine domain. This could be attributed to the fact that most phishing webpages are simple copies of genuine ones.

Chapter ‎5 Page 103 EVALUATING THE SSNNALGORITHM

Figure ‎5.8 Webpage where favicon appears

11-

Port 80 and port 443 are the default ports for HTTP and HTTPS respectively7_.

This implies that no need for the user to specify the port while he browsing the Internet. However, phishers tend to add a port number to the URL in order to bypass the security detection tools that may monitor a particular port number. In our data set, we have found 28 URLs having a port number other than the default ports, all of them were found in the phishing data set.

12-

Several improvements have been made on Firefox since the seventh version was released. In addition to other improvements, one of the changes made is that Firefox no longer displays the (HTTP://) part of a URL. For instance, when visiting (http://portal.hud.ac.uk/), Firefox will show (portal.hud.ac.uk) in the URL address bar as shown in Figure ‎5.9.

7 _{A full list of the common ports can be achieved from:}

http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

Chapter ‎5 Page 104 EVALUATING THE SSNNALGORITHM

Figure ‎5.9 Firefox Does not Show the http protocol

However, Firefox is still showing (HTTPS://) in the URL address bar when visiting a website that uses the HTTPS protocol. The phishers were aware of such behaviour, thus they might add the HTTPS token to the URL in order to trick users. For example, if we type the following URL in the Firefox address bar (http://https-www-paypal-it-webapps-mpp-home.soft-hair.com/), the shown part of this URL is (https-www-paypal-it-webapps-mpp-home.soft-hair.com), therefore, if HTTPS is used in the domain part of the URL that could be a sign that the URL belongs to phishing attempts.