Analysis of browser plugins to provide phishing protection

April 1, 2017
Phishing Protection

Phishing protection, protecting the business and end user victims, requires a layered approach. Although we have discussed the limitation of end user protection at the browser level, we still recommend User use this point of protection. Browser plugins provide phishing protection against phishing sites.

In this article, we review some common desktop applications that can block and prevent end users victims from phishing sites. Advance heuristics in these application can also detect zero hour phishing attacks which blacklists are unable to detect and are faster than visual based assessment techniques.

Google Safe Browsing uses blacklist anti-phishing technique to detect phishing technique. The suspicious URL is checked in the blacklist for its presence. The Suspicious URL is classified as phishing site if it is found in blacklist otherwise classified as legitimate website. The limitation in this approach is that phishing sites which are not listed in blacklist are not detected. These type of non-blacklisted phishing sites are called as Zero day phishing sites. This technique may lead to high false negative rate. A small change to the blacklisted URLs would result in no match with blacklist and hence cannot be recognized by the tool.

browserPlugin

PhishNet technique takes blacklist as input and predicts variations of each URL based on five URL variation heuristics such as Replacing Top Level Domain (TLD), Directory structure similarity, IP address equivalence, Query string substitution and Brand name equivalence. This technique covers the exact match limitation which is stated above in Google safe browsing. However, this technique also has same limitation of not detecting zero day phishing attacks.

PhishGaurd extension feeds the large number of random generated credentials to the login form, restricts user’s original credentials from submitting and based on the responses of server it chooses to feed the users credentials. If the response of server to bogus credential is success then user is alerted with a warning of phishing message. But the extension may create a worry to online user thinking that he/she already given his credentials to the phishing site. The extension also violates the first line of defense i.e. preventing phishing websites reaching to online users.

Cantina technique depends on the textual content of the website. Term Frequency–Inverse Document Frequency (TF-IDF) algorithm applied on the textual content combined with additional heuristics used to detect phishing attacks. The top five tokens with highest TF-IDF is submitted to search engine followed by comparison of suspicious link with search engine results. This approach fails when the text of website is replaced with images or addition of invisible text which matches background color of the website.

SpoofGaurd plugin works, based on the phishing symptoms of suspicious website. Some of the phishing symptoms considered are host name check, host name sensitivity, URL check, Image check, Password field check and links check. These symptoms or heuristics are assigned with weights of same value or different value. If total score of all heuristics of a suspicious website exceeds a threshold then it is classified as phishing website otherwise as legitimate. It has an advantage of detecting zero day phishing attack but has a limitation of high false positive rate.

BaitAlarm uses visual features comparison to classify phishing and legitimate websites. Phishers must use same styles to imitate the graphics of legitimate website so authors considered Cascading Style Sheets (CSS) for detecting phishing websites. Authors taken a legitimate site and compared with a large number of phishing sites indicating need of whitelist. The limitation of BaitAlarm is that computation cost of CSS style comparison with whitelist database is too high.

Of course – all applications do offer phishing protection and are worth consider in a mixed anti-phishing strategy.

About the author

Leave a Reply