Phish Tester: Automatic Testing of Phishing Attacks

Abstract:

Phishing is a web-based attack where users are allured to visit fake websites and provide
their personal information. Traditional anti-phishing tools are successful to mitigate the attack
partially. Most of the tools are focused on protecting users.

However, there exists lack of efforts to help anti-phishing professionals who manually
verify a reported phishing site and take further actions. Moreover, current tools cannot detect
phishing attacks that leverage vulnerabilities in trusted web applications such as cross site
scripting. An attacker might generate input forms by injecting script code and steal credentials.

This project attempts to address these issues by leveraging traditional web application
testing method which can be seen as a complementary effort to current anti-phishing techniques.
We consider a suspected website as a web application and test the application based on a
behavior model.

The model is described using the notion of Finite State Machine (FSM) that captures
submission of forms with fake inputs and corresponding responses. We then identify several
heuristic coverage criteria to detect inconsistencies which lead to the conclusion that a website is
phishing or real.

We implement a tool named Phish Tester to automate the testing process. We evaluate the
proposed approach with both phishing and real applications. The initial results show that the
approach incurs negligible false negatives (less than 3%) and zero false positive for detecting
phishing and real websites, respectively. The approach can be complementary to current anti-
phishing tools to discover advanced phishing attacks.
Modules:
1) Online Web Browsing.
2) Modeling of Application Behavior.
3) Applying Finite Set Machine.
4) Applying Heuristic coverage criteria for detecting phishing attacks.
5) Evaluation of Detection.
Modules Description:
1. Online Web Browsing:
A web browser or Internet browser is a software application for retrieving, presenting,
and traversing information resources on the World Wide Web. An information resource is
identified by a Uniform Resource Identifier (URI) and may be a web page, image, video, or other
piece of content. Hyperlinks present in resources enable users to easily navigate their browsers
to related resources. Although browsers are primarily intended to access the World Wide Web,
they can also be used to access information provided by Web servers in private networks or files
in file systems. Some browsers can also be used to save information resources to file systems.
2. Modeling of Application Behavior:
In this module we consider a suspected website as a web application and test the
application based on a behavior model. The model is described using the notion of Finite State
Machine (FSM) that captures submission of forms with fake inputs and corresponding responses.
We apply Finite State Machine (FSM) notion to describe an application behavior. We develop it
based on known symptoms and well known behavior of real web applications with respect to
form submissions.

3.Applying Finite Set Machine:

In these modules we are going to apply Finite State Machine (FSM) notion to describe an
application behavior. A phishing site often contains pages which may have (or have no) forms.
The FSM is denoted by <S, s0, I, , F>, where S is a finite set of states, s0 is the initial state, I is
a finite set of inputs, is the state transition function, and F is a set of final states. FSM model
which has eight states. For the sake of presentational convenience, we denote the states from S1
to S8. s0 is the initial state which belongs to {S1, S2}. F is the final state which belongs to {S3,
S4, S5, S6, S7, S8}. We denote inputs of the FSM as a pair of interesting requests (denoted as x1
to x2) and corresponding responses (denoted as y1 to y7).

4) Applying Heuristic coverage criteria for detecting phishing attacks:

We then identify several heuristic coverage criteria to detect inconsistencies which lead to
the conclusion that a website is phishing or real. We implement a tool named Phish Tester to
automate the testing process. We define four heuristic coverage criteria to detect phishing
applications based on the FSM model. They are multiple states with no loop, multiple states with
single loop, multiple states with multiple loops, and maximum form submission coverage. We
want to identify whether a site is real or not, we define maximum error message coverage as
another heuristic in this direction .The heuristic coverage is intended to discover phishing and
real application. These heuristics can be thought of as test generation techniques to discover
phishing behaviors. It requires mapping abstract requests and responses with real Requests and
responses. We do not map it with phishing attack .we can show that an attack type can satisfy
multiple heuristic coverage criteria considering possible scenarios of state sequences and we
divide phishing attack types into eight categories denoted as a1 to a8.they are Redirecting to real
application, SSL-based attack, Information sent to third party, No form in the beginning, Variable
error message, similar form pattern, isolated page, and Non-existent page.

5) Evaluation of Detection:
The FSM-based approach is an effective for identifying phishing sites .We implement a
tool named Phish Tester to automate the testing process. We evaluate the proposed approach with
both phishing and real applications. The initial results show that the approach incurs negligible
false negatives (less than 3%) and zero false positive for detecting phishing and real websites,
respectively. We further compare Phish Tester with two popular heuristic-based anti-phishing
tools and notice that the proposed approach can warn about potential phishing sites residing in
trusted websites.
System Specification:

Hardware & software requirements

Hardware requirements

Processor : Pentium IV

Speed : Above 500 MHz

RAM capacity : 2 GB

Hard disk drive : 80 GB

Key Board : Samsung 108 keys

Mouse : Logitech Optical Mouse

Printer : DeskJet HP

Motherboard : Intel

Cabinet : ATX

Monitor : 17 Samsung

Software configuration

Operating System : Windows XP and above

Front end used : Java

Back End : SQL Server