Trustworthiness testing of phishing websites: A behavior model-based approach

Phishing attacks allure website users to visit fake web pages and provide their personal information. However, testing of phishing websites is challenging. Unlike traditional web-based program testing, we do not know the response of form submissions in advance. There exists lack of efforts to help anti-phishing professionals who manually verify a reported phishing site and take further actions. Moreover, current tools cannot detect phishing attacks that leverage vulnerabilities in trusted websites such as cross site scripting. An attackermight generate input forms by injecting script code and steal credentials. To address these challenges, we propose1 testing suspected phishing websites based on trustworthiness testing approach. In a trustworthiness testing, a website is not tested against a set of known inputs and matched the expected outputs with the actual ones. Rather, we check whether the behavior (response) of websites matches with our knowledge of phishing or legitimate website behaviors to decide whether a website is phishing or legitimate. We consider a suspected website as a web-based program and test the program based on a behavior model. The model is described using the notion of Finite State Machine (FSM) that captures the submission of forms with random inputs and the corresponding responses. We then identify a number of heuristics followed by a set of heuristic combination to assist a tester deciding whether websites are phishing or legitimate based on their up-to-date behaviors. We implement a tool named PhishTester to automate the testing process. We evaluate the proposed approach with both phishing and legitimate websites. The results show that the approach incurs zero false negatives and positives in detecting phishing and legitimate websites, respectively. Moreover, our approach can detect advanced XSS-based attacks that many contemporary tools currently fail to detect. © 2011 Elsevier B.V. All rights reserved.