Page 1Jigar Rathod et al Int. Journ

Page 1
Jigar Rathod et al Int. Journal of Engineering Research and Applications www.ijera.comISSN : 2248-9622, Vol. 4, Issue 5( Version 2), May 2014, pp.172-179 www.ijera.com 172 | Page Anti-Phishing Technique to Detect URL Obfuscation Jigar Rathod, Prof. Debalina Nandy M. Tech (CE) Researcher Scholar, RK University, India.Dept. Of Computer Engineering, RK University, India. Abstract Phishing is a criminal scheme to steal the user‟s personal data and other credential information. It is a fraud thatacquires victim‟s confidential information such as password, bank account detail, credit card number, financialusername and password etc. and later it can be misuse by attacker. In this research paper, we proposed a newanti-phishing algorithm, which we call ObURL Detection Algorithm. The ObURL Detection Algorithm used todetect the URL Obfuscation Phishing attacks and it provides the multilayer security over the internet fraud. TheObURL Detection Algorithm can detect the hyperlink, content of hyperlink‟s destination URL, iFrame in email,input form, input form in iFrame source URL, iFrame within iFrame, and after all that multiple tests will beperform such as DNS Test, IP address Test, URL Encode Test, Shorten URL Test, Black and Whitelist Test,URL pattern matching Test On that collected data. Our experiments verified that ObURL Detection Algorithmis effective to detect both known and unknown URL Obfuscation phishing attacks. Keywords— Anti-phishing, Hyperlink, iFrame, Network Security, Phishing, URL Obfuscation.I. INTRODUCTION Internet security is a tree branch of networksecurity specifically related to the internet. Itsobjective is to constitute rules and measures toprotect the confidential data against attacks over theinternet. Phishing is a criminal scheme to steal theuser‟s personal data and other credential information.It is an illicit mechanism utilizing both socialengineering and technical stratagem to steal victim‟spersonal data, financial account data and othercredential information [1].In simple word, the phishing means sendingan e-mail to victim who contains some lured data thatlead victim to spurious website and inquire aboutconfidential data [2]. The e-mail is sociallyengineered and the phisher try to convince the victimto divulge confidential information such as financialdata, credit card number, bank account detail andother credentials which can then be misuse byattacker [1]. To detect and prevent the phishingattacks, anti-phishing techniques used. Anti-phishingis a protection scheme against the phishing attacks. Itprotects the user‟s confidential data from the phishingattacks. There is diverse anti-phishing techniqueshave been developed that follows different strategieslike client side and server side protection against thephishing attacks [3]. As the use of internet service is continuouslyincreasing, the phishing attacks are also increasing tosteal user‟s confidential information. So, it is majorchallenge to protect the user‟s confidential data overthe internet by detecting and preventing the phishingattacks.Now a day most of the phishing attacks are doneusing URL Obfuscation phishing attack. Because ofthe different methods used in this attack the existingalgorithm cannot detect all the obfuscated URLs. Themethods includes such as shorten URL, iframe inwebpage, iframe in e-mail, IP address instead ofdomain name, encoded URL, input form in e-mailand other method which cannot be detect by theexisting algorithm. So, in my research work Iproposed to implement ObURL Detection Algorithmto detect obfuscated URL with the solution of currentissues and will also check some other factors such asiFrame, source URL of iFrame, content of iFrame‟ssource URL, input form and shorten URL maximumdetection of URL obfuscation phishing attack.In short, URL Obfuscation is a one type ofphishing attacks in which the message recipientfollows a hyperlink without realizing that they havebeen duped. Unfortunately, phisher have access to anincreasingly large arsenal of methods for obfuscatingthe URL [4].1.1 General steps of URL Obfuscation phishingattacks:In general the phishing attacks perform withthe following four steps as shown in figure 1 [5]:1. First of all, the phisher have to create acounterfeit website to lure the victim whichseems as legitimate one.2. Then, the URL of that website is attached tospoofed e-mail and send to the lots of users. Thecontent of e-mail will convince the victim toclick on that URL. RESEARCH ARTICLEOPEN ACCESS
Page 2
Jigar Rathod et al Int. Journal of Engineering Research and Applications www.ijera.comISSN : 2248-9622, Vol. 4, Issue 5( Version 2), May 2014, pp.172-179 www.ijera.com 173 | Page 3. If victim clicks on that obfuscated URL and visitthat website, it convinces the victim to entersome confidential information.4. Phisher then acquire some entered data and laterit can be misuse by phisher.Figure 1: General Steps for URL Obfuscation Attack1.2 Methods used in URL Obfuscation PhishingAttack:There are several methods for obfuscatingthe URL. Most common methods includes for URLobfuscation is:A. Bad domain name or Misspelled domain nameOne of the obfuscation method is uses thebad domain name or misspelled domain name todupe the victim. Now a days it is easy to register theown domain name at minimal cost. So, this is themost common method used by attacker [6].Consider the financial site Genuine Bankhasregistereddomainname http://www.genuinebank.com andassociatedcustomertransactionalsite http://www.netbanking.genuinebank.com. Theattacker can setup any of the following domainnames to obfuscate the real destination host [7]. • http://www.genuinebanks.com • http://www.netbank.genuinebank.com • http://www.netbanking.genuinebanks.com Phishing by Top level Domain (TLDs)Anti-phishing working group (APWG)phishing activity trends report for 1st quarter of 2013have analyse the phishing attacks using Top-leveldomain as shown in Figure 2 [6]:B. Host Name Obfuscation or Using IP Address.Host name obfuscation method uses the IPaddress instead of domain name. It obfuscates thehost name by replacing it with the IP address.As we have considered the domain name offinancialsiteGenuineBankis http://www.genuinebank.com, suppose the IP address for this domain name is 173.193.212.4. The phishermay use the IP address as a part of URL to obfuscatethe host name or hide the destination from the enduser [5]. For example: The following URL http://www.genuinebank.com , Could be obfuscated such as, http://173.193.212.4.There are the other formats also availablefor the IP address such as dot less IP address indecimal, dotted IP address in octal, dotted IP addressin hexadecimal, dot less IP address in hexadecimal[8]. Figure 2: Phishing Attacks Trends using TLDs.
Page 3
Jigar Rathod et al Int. Journal of Engineering Research and Applications www.ijera.comISSN : 2248-9622, Vol. 4, Issue 5( Version 2), May 2014, pp.172-179 www.ijera.com 174 | Page C. Shortened URLsThe length and complexity of web basedapplication URLs is minimize using shortened URLmethod. The shortened URL is a combination ofservice provider site and unique number or uniqueword [9]. This navigates the user to the originaldestination. There are several service providers whichcan be used by phishing attacker to obfuscate thedestination URL, such as http://tinyurl.com. http://bitly.com, http://goo.gl. For example, the shorten URL for http://en.wikipedia.org/w/index.php?search=shortened+url+ &title=Special%3ASearch&go=Go URL is in goo.glserviceproviderproduce http://goo.gl/VmwBNh, and in bitly.com it ishttp://bit.ly/1kfh1P0, and in tinyurl.com it ishttp://tinyurl.com/lbnj3un. Where, goo.gl, bit.ly and tinyurl.com is a service provider site and „VmwBNh‟,„1kfh1P0‟ and „lbnj3un‟ are the unique words.Because of the shorten URL are not relative todestination URL, the user can not judge thedestination URL [10]. The attacker sends thisshortened URL through the e-mail and the contentconvince the user to click on that link. If the user getsclick on that URL, it is directed to the counterfeitwebpage. The message will write as an officialmessage. For Example: as shown in below figure 3[4]:Figure 3: Shortened URL E-mail ExampleD. Encoded URL ObfuscationIn this method, the attacker obfuscates theURL using the encoded scheme. This encodingscheme tends to be supported by most of the webbrowser and can be interpreted in different way byweb browser and their custom applications. II. OBURL DETECTION ALGORITHMIMPLEMENTATION We have implemented ObURL DetectionAlgorithm to detect the maximum URL ObfuscationPhishing Attacks. ObURL Detection Algorithmstands for Obfuscated URL Detection Algorithm. The ObURL detection algorithm providesthe multilayer security. Because of the use of internetservice is continuously increasing, the phishingattacks are also increasing. So, the ObURL detectionalgorithm will secure the data against the phishingattacks over the internet. As we know, the attacker uses the number ofmethods to obfuscate the URL. So, it is complex todetect all that attacks but the ObURL detectionalgorithm can detect the maximum number of URLobfuscation phishing attacks because of it performsthe multiple tests such as DNS Test, IP address Test,URL encode Test, Shorten URL Test, Whitelist andBlacklist Test, Pattern matching Test and also checkthe iFrame, source URL of iFrame, content ofiFrame‟s source URL, input form in email. 3.1 ObURL Detection Algorithm:Input: Content of EmailOutput: Prevent the user if URLs seems CounterfeitAlert User: Possible PhishingSafe User: No Phishing
Page 4
Jigar Rathod et al Int. Journal of Engineering Research and Applications www.ijera.comISSN : 2248-9622, Vol. 4, Issue 5( Version 2), May 2014, pp.172-179 www.ijera.com 175 | Page DB: DatabaseIf Input form found in E-mail Content thenAlert User;EndFor each iframe in E-mail content do//get the content of iframeFor each iframe in E-mail content’s iframesource doIf input form found thenAler