
Tutorial and Critical Analysis of Phishing Websites Methods

Mohammad, Rami, McCluskey, T.L. and Thabtah, Fadi Abdeljaber (2015) Tutorial and Critical Analysis of Phishing Websites Methods. Computer Science Review, 17. pp. 1-24. ISSN 1574-0137



The Internet has become an essential component of everyday social and financial activity. It matters not only to individual users but also to organisations, since a business that trades online can reach customers worldwide without the restrictions of a physical marketplace and gain a competitive edge through e-commerce. As a result, the number of customers who rely on the Internet for purchases is growing rapidly, and hundreds of millions of dollars are transferred over it every day. That volume of money attracts fraudsters, so Internet users are exposed to a range of web threats that can cause financial loss, identity theft, disclosure of private information, damage to brand reputation and loss of customer confidence in e-commerce and online banking, which in turn casts doubt on the suitability of the Internet for commercial transactions. Phishing is one such web threat: the impersonation of a legitimate enterprise's website in order to obtain a user's confidential credentials, such as usernames, passwords and social security numbers. This article discusses the phishing phenomenon in detail and surveys the state-of-the-art research on the attack. It identifies recent developments in phishing and its countermeasures, and provides a comprehensive study and evaluation of that work in order to expose the gaps that remain in the area. The focus is on web-based phishing website detection methods rather than email-based detection methods.
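The abstract describes phishing as the impersonation of a legitimate site and says the survey concentrates on web-based detection of such sites. The following is an added illustration, not code from the paper or the authors, of the simplest family of such detectors: a rule-based scorer over lexical features of the URL alone (raw IP host, userinfo trick with "@", a brand name placed in a subdomain rather than the registrable domain, deep subdomain nesting, hyphens, length). The feature set, weights, threshold, brand list and sample URLs are all constructed assumptions for the example; they are not the paper's features or results, and the two-label "registrable domain" shortcut stands in for a public-suffix lookup.

```python
"""Lexical URL features of the kind used by web-based phishing detectors.

Added example, not code from the paper. The feature set, weights and
threshold are illustrative assumptions, not the authors' method.
"""
import ipaddress
from urllib.parse import urlparse

# Brand names a detector might watch for; a constructed list (assumption).
BRAND_TOKENS = ("paypal", "ebay", "amazon", "apple", "microsoft")

# Illustrative weights: strong structural tells score 3, weak hints score 1.
WEIGHTS = {
    "ip_host": 3,               # raw IP address instead of a domain name
    "at_symbol": 3,             # userinfo trick: text before '@' is not the host
    "brand_outside_domain": 3,  # brand in the host but not in the registrable domain
    "deep_subdomain": 2,        # two or more labels in front of the domain
    "hyphen_in_host": 1,
    "long_url": 1,
}
THRESHOLD = 3


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_features(url: str) -> dict:
    """Return the boolean feature vector for one URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".") if host else []
    ip_host = _is_ip(host)
    # Naive registrable domain: the last two labels. A real detector uses the
    # public-suffix list so that e.g. "bank.co.uk" is not split wrongly.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return {
        "ip_host": ip_host,
        # urlparse treats "www.example.com@203.0.113.5" as userinfo@host, so
        # the netloc (not the query string) is checked for the '@' trick.
        "at_symbol": "@" in parsed.netloc,
        "brand_outside_domain": any(
            t in host and t not in registrable for t in BRAND_TOKENS
        ),
        "deep_subdomain": (not ip_host) and len(labels) - 2 >= 2,
        "hyphen_in_host": "-" in host,
        "long_url": len(url) > 75,
    }


def score_url(url: str) -> int:
    """Weighted sum of the features that fire for the URL."""
    feats = extract_features(url)
    return sum(WEIGHTS[name] for name, on in feats.items() if on)


def classify(url: str, threshold: int = THRESHOLD) -> str:
    return "phishing" if score_url(url) >= threshold else "legitimate"


if __name__ == "__main__":
    # Constructed sample URLs using reserved/example hosts, not real sites.
    for u in (
        "https://www.paypal.com/signin",
        "http://paypal.com.secure-login-verify.example/webscr",
        "http://192.0.2.10/bank/login.php",
        "http://www.example.com@203.0.113.5/",
    ):
        print(f"{score_url(u):>2}  {classify(u):<10}  {u}")
```

Lexical features are cheap and need no network access, which is why they appear in many of the detectors the survey covers, but a weighted-rule scorer like this is only a baseline: the weights and threshold would normally be learned from a labelled dataset, and features such as "hyphen in host" and "long URL" also fire on plenty of legitimate sites, so they carry low weight here.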

Item Type: Article
Uncontrolled Keywords: phishing websites, data mining, machine learning
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
Schools: School of Computing and Engineering > High-Performance Intelligent Computing > Planning, Autonomy and Representation of Knowledge

Depositing User: Rami Mohammad
Date Deposited: 29 Apr 2015 09:18
Last Modified: 16 May 2016 19:02




University of Huddersfield, Queensgate, Huddersfield, HD1 3DH. All rights reserved ©