2014 International Symposium on Biometrics and Security Technologies (ISBAST)

Survey of Anti-phishing Tools with Detection Capabilities

Hiba Zuhair Zeydan1, Ali Selamat2, Mazleena Salleh3
1,2,3 Faculty of Computing
Universiti Teknologi Malaysia (UTM), Johor, Malaysia
1 zzhiba2@live.utm.my, 2 aselamat@utm.my, 3 mazleena@fsksm.utm.my

978-1-4799-6444-4/14/$31.00 ©2014 IEEE

Abstract— Phishers continually change their tricks and introduce novel variants that cause more security violations and monetary losses in business organizations. No existing anti-phishing solution can be considered optimum, because of detection incapability, specifically against novel phishes. This paper classifies the existing anti-phishing tools, identifies their detection incapability against several kinds of novel phishes and underscores the issues behind this problem. It further suggests the next wave of research to solve it. Targeting academic and industry researchers, this paper provides a valuable source of information for contributing new products to cyberspace and closing the security flaws.

Keywords- Internet phishing; anti-phishing; detection capability; novel phishes.

I. INTRODUCTION
Internet phishing has recently become one of the most profitable cyber-crimes in cyberspace. It exploits web applications' vulnerabilities and social engineering: phishers target users' trusted and sensitive transactions and commit identity theft by impersonating legitimate websites or delivering phishing emails [1-4]. To mitigate it, academic and industry researchers have proposed various anti-phishing tools in the last few years. These have been designed as email filters, anti-virus software, web browser plug-ins, add-ons, extensions and toolbars, or independent web applications. However, these tools are at risk, with future consequences for both cyber-security and the economy, because of the dramatic increase in novel phishes. Novel phishes aim to bypass the existing anti-phishing tools and cause further risks such as password harvesting, malware distribution and, in turn, more substantial monetary losses [5-8]. As reported by the Anti-Phishing Working Group (APWG), an international non-profit organization formed in 2003 to keep track of current and future phishers' activities, Fig. 1(a) and Fig. 1(b) illustrate the rapid growth of phishes in terms of volume and activity year over year from 2010 to 2013 [9]. Consequently, these phishes target many industries around the world, such as online payment services, financial organizations, e-banks, retail and ISP services, social networks and online governmental organizations, and cause dramatically increased financial losses [1, 2, 10-13], as presented in Fig. 1(c).

[Figure 1: three charts covering 2010 to 2013. (a) "Volumes Growth of Phishing Websites by Year"; (b) "Advancement of Phishing Activity Trends" (series: new URLs, embedded objects-based phishes, XSS-based phishes); (c) "Most Targeted Industries By Phishing Attacks" (Government, ISP, Social Networks, Retail, Payment services).]
Fig. 1. (a) Volume growth of phishing attacks, (b) advancement of phishing activities and (c) the most targeted industries by phishing attacks.

For the aforesaid issues, none of the notably known anti-phishing tools provides an optimum solution against novel phishes [4, 14-23]. Targeting academic and industry researchers, this survey aims to highlight the issues behind the problem of novel phishes and the detection incapability of anti-phishing tools against them by characterizing the elements of the problem and presenting the potential areas for further study. The rest of this survey is organized as follows: Section II presents an overview of typical anti-phishing tools in terms of their detection scenarios and application levels. Section III then reviews these tools with respect to their detection capabilities against novel phishes and presents the future development of the research. Finally, the conclusion is drawn in Section IV.

II. ANTI-PHISHING TOOLS
In the literature, most existing anti-phishing tools rely on detection approaches that have been categorized into list-based, heuristic, hybrid and information flow approaches [1, 7, 8, 15, 21, 24-27]. List-based approaches include blacklists and whitelists, which rely on frequently updated lists of well-known phishing URLs and legitimate URLs respectively. Heuristics-based approaches predict a website's phishness according to a set of heuristics in the website's URL and content. Hybrid approaches mainly combine the former approaches with the aid of hybrid feature sets and classifiers to detect phishes. Information flow-based approaches, on the other hand, rely on appending some random credentials before and after the users submit their credentials to a phishing website [1, 2, 7, 10, 15, 18].

Anti-phishing tools have accordingly been implemented at different application levels: client-side, server-side and client-server [1, 28, 29]. Because Internet users interact directly with websites via web browsers, they are potentially at risk from phishes. Thus, almost all anti-phishing tools are integrated with popular web browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, Safari and Opera. These integrated tools can keep track of users' activities during web browsing and warn them about any phishing website in real time. However, web browser-based anti-phishing tools have some limitations related to the design of an intuitive interface, detection accuracy, correct warnings and a suitable help system [20, 30].

Almost all phishing email filtering tools, by contrast, are implemented at the server side. But they are still not effective against web banner advertising, instant chats and messengers, which can be exploited by novel phishes. Also, some of them rely on visual indicators and fail when users rarely notice the absence and presence of these indicators [28-30]. On the other hand, anti-phishing tools in client-server structured applications are widely used by commercial organizations like Google, Microsoft and Netcraft, but they frequently request updates and maintenance from their database servers [5]. Appendix Table I presents typical anti-phishing tools in terms of some relative merits: related work, year, name, type of approach, type of solution, type of contribution, applied platform and application level.

As depicted in Appendix Table I, B-APT was developed as a whitelist-based anti-phishing toolbar for US financial institutions; it identifies phishing websites on the basis of document object model (DOM) tokens and a Bayesian filter [6]. An automated individual whitelist tool, AIWL, was proposed to protect users and their online credentials [7]. Likewise, researchers at Google Inc. [31] proposed upgrading Google's phishing blacklist with a classifier, as Google Toolbar, to identify phishing webpages by some distinctive features. An enhanced blacklist, PhishNet, generates new URLs using heuristics and DNS lookup [32]. PhishCatch relies mainly on weighted rules to classify phishing emails [25]. PhishShark detects phishing websites with the aid of twenty heuristics [34]. CANTINA+ was proposed as an upgraded version of CANTINA that uses one new feature, ten additional features, four features from the original CANTINA and a classifier [33, 35].

In [36], PhishBlock was proposed as a hybrid tool that relies on lookup and a support vector machine classifier to check features derived from the URL, text and linkage of visited websites. Other researchers proposed information flow-based anti-phishing tools, such as PhishGuard [39], which submits bogus credentials during the user's login process and sends the actual credentials to identify phishing websites. Likewise, BogusBiter [37] submits a large number of bogus credentials along with the actual user's credentials to nullify a phishing attack. PhishTester mitigates phishing websites that exploit cross-site scripting vulnerabilities (XSSVs) of web browsers for malware distribution [38].

In addition, many industry researchers have released anti-phishing tools such as Netcraft and McAfee Site Advisor. Netcraft, produced by netcraft.com (2010), assesses a phishing site by trying to determine how old the registered domain of the visited website is, and it relies on a database maintained by a company [10, 15, 26, 27, 29]. McAfee Site Advisor is a database-based anti-phishing tool that includes automated crawlers that browse websites and perform tests for the authenticity rating of the visited websites [20, 40, 41].

III. ISSUES AND FUTURE TRENDS
Based on the literature, most researchers have investigated issues behind the detection accuracy and computational cost of existing anti-phishing tools and conducted further research to improve them towards optimum anti-phishing campaigns. However, they have rarely addressed the issues behind the detection incapability of some notably effective anti-phishing tools against novel phishes, which has become a bottleneck of the existing anti-phishing campaign [3, 5, 11, 17, 18]. Phishers frequently change their behaviours and activities to evade existing anti-phishing campaigns, using novel phishes such as XSS-based phishes, embedded object-based phishes and new phishes hosted on websites in any language that have not yet been identified by existing anti-phishing campaigns. XSS-based phishes deploy XSSVs and obfuscated scripts for malware delivery. Embedded object-based phishes imitate embedded components of web content such as applets, Flash objects, ActiveX objects and advertising banners for advanced deceptions. Newly emerged phishes, on the other hand, can be hosted on non-English language websites that have not yet been analyzed and identified [19, 22, 25, 42]. Based on the literature, Table II in the Appendix reviews the detection capability of some notable anti-phishing tools in terms of language independence, XSS-based phishes and embedded objects-based phishes.

In Table II of the Appendix, the anti-phishing tool of [7] does not address XSS vulnerabilities of web browsers, or images, scripts, Flash and ActiveX objects used in the webpage source code for imitation and obfuscation. Most heuristics-based anti-phishing tools, such as those proposed in [25, 31, 34], rarely address novel phishes. Likewise, hybrid anti-phishing tools such as CANTINA+ [35] scarcely cope with novel phishes and phishes hosted on any language-dependent website. Furthermore, information flow-based anti-phishing tools such as those in [37-39] can detect phishing websites hosted in any language, but they can still be bypassed by XSS-based and embedded objects-based phishes. Fig. 2 illustrates the state-of-the-art comparison of anti-phishing tools.

[Figure 2: bar chart "Detection Capabilities of Anti-phishing Tools due to Detection Approaches"; vertical axis 0% to 90%; series: language independent, embedded objects-based phishes, XSS-based phishes; categories: list-based, heuristic-based, hybrid-based and information-based solutions.]
Fig. 2. Detection capability of anti-phishing tools in terms of detection approaches and novel phishes.

According to Appendix Table II and Fig. 2, almost all surveyed anti-phishing tools fall short in detecting novel phishes. More importantly, they analyze phishing attacks using design features and mechanisms that cannot adequately address those exploited by novel phishes and not yet identified. They work well with language-dependent features such as term frequency-inverse document frequency (tf-idf) features, text categorization and some language processing algorithms, and with ready-made frequency lists of keywords that are best suited to specific languages such as English [18, 19, 21, 22, 25, 42]. In particular, they use data sets consisting of websites hosted in English rather than other languages. Thus, phishers can easily defeat them by exploiting these gaps and delivering new variants of attacks that have not been analyzed before. For example, heuristics-based anti-phishing tools mostly rely on tf-idf features and text categorization, which are language-dependent features and mechanisms. Thus, they can effectively detect only phishing websites that match their own adapted heuristics [18, 22, 42]. Similarly, hybrid anti-phishing tools lack analysis of webpages made up of images, Flash objects, applets, ActiveX objects and external hyperlinks. Furthermore, they rarely address obfuscated client-side scripts that could be injected by phishers for malware delivery [22, 42].

With respect to these issues, the detection capability of existing anti-phishing tools against novel phishes should be considered, along with detection accuracy, a major concern of research progress. We suggest that ongoing research should focus on facets of detection capability such as exploring new variants of features and deploying more sophisticated ones, including embedded components, XSS-based features and client-side scripting such as JavaScript, PHP and ASP, as well as unlimited keyword lists and language-independent features suitable for any natural language other than English, such as eastern languages (Chinese and Arabic). In addition, new detection strategies that use multifaceted computational science algorithms and techniques for content extraction and feature similarity assessment should be developed to address novel phishes hosted in both websites and emails. Finally, the next wave of research must be conducted to improve existing anti-phishing campaigns for wider-scale detection of phishing attacks and provide essential factors to meet these issues.

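
The language-dependence gap discussed in Section III, as an added example that is not code from the paper or from any surveyed tool: an English keyword-list heuristic is run beside a language-independent structural check on the same pages. The keyword list, threshold, structural features, function names and the three sample pages are all constructed assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: a small English keyword list standing in for the ready-made
# keyword frequency lists the survey describes as language dependent.
ENGLISH_KEYWORDS = {"login", "password", "verify", "account", "bank", "update"}
KEYWORD_THRESHOLD = 0.5  # assumed cut-off, not taken from any surveyed tool


class PageScanner(HTMLParser):
    """Collects form targets, password inputs and visible text."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.text, self.password_fields = [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        self.text.append(data)


def scan(html):
    scanner = PageScanner()
    scanner.feed(html)
    return scanner


def keyword_verdict(html):
    """Language-dependent heuristic: share of English keywords in the text."""
    words = set(re.findall(r"[a-z]+", " ".join(scan(html).text).lower()))
    hits = len(words & ENGLISH_KEYWORDS) / len(ENGLISH_KEYWORDS)
    return hits >= KEYWORD_THRESHOLD


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def structural_verdict(url, html):
    """Language-independent heuristic: a password form that posts to another
    host, or a password form served from a raw IP address."""
    page = scan(html)
    host = urlparse(url).hostname or ""
    cross_host = any(
        (urlparse(urljoin(url, action)).hostname or "") != host
        for action in page.form_actions
    )
    return page.password_fields > 0 and (cross_host or is_ip_host(host))


# Constructed sample pages (documentation-range IP and .example hosts).
FORM = '<form action="{a}"><p>{t}</p><input type="password" name="p"></form>'
SAMPLES = {
    "english_phish": ("http://192.0.2.10/secure/", FORM.format(
        a="http://collector.example/in",
        t="Verify your bank account: login and update password")),
    "chinese_phish": ("http://192.0.2.10/secure/", FORM.format(
        a="http://collector.example/in", t="请验证您的银行帐户并输入密码")),
    "legitimate": ("https://portal.example/login", FORM.format(
        a="/session", t="Sign in to your account")),
}


def compare():
    """Returns {name: (keyword verdict, structural verdict)} for SAMPLES."""
    return {name: (keyword_verdict(html), structural_verdict(url, html))
            for name, (url, html) in SAMPLES.items()}
```

`compare()` reports the keyword heuristic missing the Chinese-language page, while the structural check flags both phishing samples and clears the legitimate one.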
IV. CONCLUSIONS
Concerns about novel phishes and the detection capability of the existing anti-phishing campaign have arisen in recent years. A continuing enrichment of the literature through wider objectives and theoretical and practical contributions is needed to meet cybersecurity requirements and financial indexes. More and newer scenarios should be considered to deal with the novel activities of phishers and to reduce their risks. In the hope of stimulating researchers' interest in and attention to the problem of detection capability against novel phishes, this research surveys the most up-to-date state of the art of anti-phishing campaigns and a large number of related works. In addition, it attempts to address the recent gap in the anti-phishing campaign that needs to be bridged by describing and characterizing its elements.

Based on this survey, we find that the given issues fall into several major facets, such as features and mechanisms, which could be developed for wider and effective detection of novel phishes. There is still a long way to go towards finding an optimum anti-phishing solution against all the sophisticated phishes that phishers could exploit to bypass existing anti-phishing solutions.

ACKNOWLEDGMENT
The authors thank Universiti Teknologi Malaysia (UTM) for supporting this research.

REFERENCES
[1] M. Khonji, Y. Iraqi & A. Jones, "Phishing detection: a literature survey," Comm. Surveys & Tutorials, vol. 15, no. 4, pp. 2091–2121, 2013.
[2] M. He, S.J. Horng & P. Fan, "An efficient phishing webpage detector," Expert Systems With Applications, vol. 10, no. 38, pp. 12018–12027, 2011.
[3] A. Upadhyaya, "Design & development of a plug-in for a browser against phishing attacks," International Journal of Emerging Technology & Advanced Eng., vol. 2, no. 3, 2012.
[4] E.H. Chang, K.L. Chiew & S.N. Sze, "Phishing detection via identification of website identity," 2013 Int. Conf. IT Convergence Security (icitcs), pp. 1–4, 2013.
[5] Y. Lie, R. Xiao & J. Feng, "A semi-supervised learning approach for detection of phishing webpages," Optik-Int. J. for Light Electron Optics, vol. 14, no. 23, pp. 6027–6033, 2013.
[6] P. Likarish, E. Jung & D. Dunbar, "B-apt: Bayesian anti-phishing toolbar," ICC'08 Int. Conf. Comm., pp. 1745–1749, 2008.
[7] W. Han, "Using automated individual white-list to protect web digital identities," Expert Syst. With Applications, vol. 39, no. 15, pp. 11861–11869, 2012.
[8] L. Ma, "Detecting phishing emails using hybrid features," Symposia Workshops Autonomic Trusted Comput. Uic-atc'09, pp. 493–497, July 2009.
[9] Anti-Phishing Working Group, Phishing Archive, at http://www.antiphishing.org/phishing_archive.html
[10] G.S. Bindra, "Efficacy of Anti-phishing Measures and Strategies-A research Analysis," World Academy Science, Eng. Technology, vol. 70, 2010.
[11] S. Pravin, "A phishing analysis of web based systems," 2011 Int. Conf. Comput. & Security, Proc. Communication, ACM, 2011.
[12] W. Kim, "The dark side of the Internet: Attacks, costs and responses," Inform. Syst., vol. 36, no. 3, pp. 675–705, 2011.
[13] H. Huang, S. Zhong & J. Tan, "Browser-side countermeasures for deceptive phishing attack," IEEE Fifth Int. Conf. Inform. Assurance Security Ias'09, vol. 1, pp. 352–355, Aug. 2009.
[14] H. Al-khateeb, "Security and usability in click-based authentication systems," Doctoral Dissertation, University of Bedfordshire, 2011.
[15] B. Wardman, "A series of methods for the systematic reduction of phishing," Doctoral Dissertation, University of Alabama, 2011.
[16] G. Gupta & J. Pieprzyk, "Socio-technological phishing prevention," Macquarie University, Research Online, 2011.
[17] A. San Martino & X. Perramon, "Phishing Secrets: History, Effects, Countermeasures," Ij Network Security, vol. 11, no. 3, pp. 163–171, 2010.
[18] S. Purkait, "Phishing counter measures and their effectiveness–literature review," Inform. Management & Comput. Security, vol. 5, no. 20, pp. 382–420, 2012.
[19] H. Shahriar, "Trustworthiness testing of phishing websites: a behavior model-based approach," Future Generation Comput. Syst., vol. 8, no. 28, pp. 1258–1271, 2012.
[20] R. Dhanalakshmi, "Detection of phishing websites and secure transactions," Int. J. Communication & Network Security (ijcns), vol. 1, pp. 15–21, 2011.
[21] S. Sheng, B. Wardman & C. Zhang, "An empirical analysis of phishing blacklists," Sixth Conf. Email Anti-spam (ceas), July 2009.
[22] R. Gowtham, I. Krishnamurthi & K. Kumar, "An efficacious method for detecting phishing webpage through Target Domain Identification," Decision Support Syst., 2014.
[23] M.G. Alkhozae & O.A. Maratfi, "Phishing websites detection based on phishing characteristics in the webpage source code," Int. J. Inform. Communication Technology Research, 2011.
[24] I. Jo, E.E. Jung & Y.H. Yeom, "Interactive Website Filter for Safe Web Browsing," J. Inform. Science & Eng., vol. 1, no. 29, 2013.
[25] W.D. Yu, "Phishcatch-a phishing detection tool," 33rd Annual IEEE Int. Comput. Software Applications Conf., 2009. Compsac'09, vol. 2, pp. 451–456, July 2009.
[26] M. Bhati, "Prevention Approach of Phishing on Different Websites," Int. J. Eng. Technology, vol. 2, no. 7, 2012.
[27] W. Chu, X. Guan & Z. Cai, "Protect sensitive sites from phishing attacks using features extractable from inaccessible phishing URLs," 2013 IEEE Int. Conf. Comm. (icc), pp. 1990–1994, June 2013.
[28] S. Chaudhary, "Recognition of phishing attacks utilizing anomalies in phishing websites," Masters Dissertation, University of Tampere, 2012.
[29] J. Chhikara, "Phishing & Anti-Phishing Techniques: Case Study," Int. J. Advanced Research Comput. Science Software Eng., vol. 3, no. 5, pp. 458–465, 2013.
[30] A. Almomani, B. Gupta & E. Almomani, "A survey of phishing email filtering techniques," IEEE Comm. Surveys Tutorials, vol. 4, no. 15, pp. 1–21, 2013.
[31] C. Whittaker, "Large-Scale Automatic Classification of Phishing Pages," Nids, Mar. 2010.
[32] P. Prakash & R.R. Kompella, "PhishNet: predictive blacklisting to detect phishing attacks," 2010 IEEE Proc. Infocom, pp. 1–5, Mar. 2010.
[33] Y. Zhang, "Cantina: a content-based approach to detecting phishing web sites," Proc. 16th Int. Conf. World Wide Web, ACM, pp. 639–648, May 2007.
[34] S. Gastellier-prevost, "Decisive heuristics to differentiate legitimate from phishing sites," IEEE 2011 Conf. Network Inform. Syst. Security (sar-ssi), pp. 1–9, May 2011.
[35] G. Xiang, "CANTINA+: a feature-rich machine learning framework for detecting phishing web sites," ACM Trans. Inform. Syst. Security (tissec), vol. 2, no. 14, 2011.
[36] H.M. Fahmy & S.A. Ghoneim, "PhishBlock: A hybrid anti-phishing tool," 2011 IEEE Int. Conf. Comm., Comput. Control Applications (ccca), pp. 1–5, Mar. 2011.
[37] C. Yue & H. Wang, "BogusBiter: a transparent protection against phishing attacks," ACM Trans. Internet Technology, College William Mary, vol. 10, no. 2, 2010.
[38] H. Shahriar, "PhishTester: automatic testing of phishing attacks," Secure Software Integration and Reliability Improvement (ssiri), June 2010.
[39] Y. Joshi, "PhishGuard: A browser plug-in for protection from phishing," IEEE 2nd Int. Conf. Internet Multimedia Services Architecture Applications, imsaa 2008, pp. 1–6, Dec. 2008.
[40] N. Witte, "Rating the Authenticity of Websites," 16th Twente Student Conf. It, Jan 2012.
[41] R.B. Basnet, "Rule-based phishing attack detection," Int. Conf. Security Management (sam 2011), Las Vegas, Nv., 2011.
[42] R. Gowtham, "A comprehensive and efficacious architecture for detecting phishing webpages," Computers & Security, vol. 40, pp. 23–37, 2014.


APPENDIX
TABLE I. NOTABLE ANTI-PHISHING TOOLS WITH THEIR RELATIVE MERITS

| Solution | Year | Approach | Type | Contribution | Platform | Application level |
|---|---|---|---|---|---|---|
| PhishGuard [39] | 2008 | Information flow | Plug-in | Website filter | Browser independent | Client-side |
| B-APT [6] | 2008 | Whitelist | Toolbar | URL filter | Mozilla Firefox | Server-side |
| BogusBiter [37] | 2010 | Information flow | Toolbar | Website filter | Browser independent | Client-side |
| PhishTester [38] | 2010 | Information flow | Toolbar | Website filter | Internet Explorer 7 | Client-side |
| PhishCatch [25] | 2010 | Heuristics | Plug-in | Email filter | Browser independent | Client-side |
| McAfee Site Advisor [13, 37] | 2010 | Hybrid | Extension | Website filter | McAfee Anti-virus | Client-server |
| PhishNet [32] | 2010 | Blacklist | Toolbar | URL filter | Google | Client-side |
| PhishBlock [36] | 2011 | Hybrid | Toolbar | Website filter | Mozilla Firefox, Internet Explorer | Client-side |
| Google Toolbar [31] | 2011 | Heuristics | Toolbar | URL / Gmail filter | Google | Client-side |
| PhishShark [34] | 2011 | Heuristics | Toolbar | Website filter | Browser independent | Client-side |
| CANTINA+ [35] | 2011 | Hybrid | Extension | Website filter | Internet Explorer | Client-side |
| AIWL [7] | 2012 | Whitelist | Toolbar | URL filter | Browser independent | Client-side |

TABLE II. DETECTION CAPABILITY OF ANTI-PHISHING TOOLS IN TERMS OF XSS-BASED AND EMBEDDED OBJECTS-BASED PHISHES AS WELL AS LANGUAGE INDEPENDENCE

| Related Work | Brief Description | XSS-based phishes | Embedded objects-based phishes | Language independence |
|---|---|---|---|---|
| AIWL [7] | It records legitimate websites' URLs using a Bayesian filter. | Yes | No | Yes |
| PhishNet [32] | It maintains a blacklist of phishing URLs using TLD and DNS features. | No | No | Yes |
| CANTINA+ [35] | Extracts features of webpage identity and compares them with the current domain using a search engine. | No | No | No |
| PhishShark [34] | Identifies phishness and legitimacy of websites using twenty heuristics. | No | No | No |
| PhishGuard [39] | It submits fake credentials before and after the actual user's credentials. | Yes | No | Yes |
| BogusBiter [37] | It sends bogus credentials when a webpage is detected as phishing to avoid information leakage. | No | No | Yes |
| PhishTester [38] | Identifies phishing websites by using FSM and several features. | Yes | No | Yes |
| PhishBlock [36] | It is based on both lookup and an SVM classifier that checks features derived from the website's URL, text and linkage. | No | No | No |
| Google Toolbar [31] | It classifies phishing emails and webpages using a classifier and Google's blacklist. | No | No | No |
| PhishCatch [25] | It analyzes phishing emails using heuristics. | No | No | No |
| McAfee Site Advisor [38] | It maintains a list of websites' safety ratings. | Yes | No | Yes |
| B-APT [6] | It identifies phishing websites by using a Bayesian filter and DOM tree. | No | No | Yes |
