ABSTRACT
Phishing attacks are a persistent problem to users and organizations world-wide, resulting in monetary loss and providing a first step in more complex attacks.
To improve the anti-phishing defensive efforts, this paper offers two main contributions: First, we present a novel categorization of phishing URLs with the goal of capturing the URL reading capabilities of untrained users and evaluate it in a user study. We find that phishing URLs which are similar to the target URL when read from the left were the most complicated to classify in our study. Second, based on these results, we evaluate Reverse Domain Name (RDN) notation as an alternative URL notation where attacker-controlled information no longer makes up the left-most part of the URL. We evaluate the effect of using RDN notation in a second user study, and show that accuracies indeed improved for the relevant URL categories, and that users were significantly faster in their decisions compared to normal URL notation.
Our results extend previous work aiming to understand users’ URL reading, provide recommendations when designing user studies including URL classification tests, and motivate further research into the potential advantages of RDN notation in practice.
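As an added illustration (not code from the paper or its study materials), the following renders a URL in RDN notation and compares which host labels a left-to-right reader meets first in each notation; the exact rendering rules, the helper names and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress


def to_rdn(url: str) -> str:
    """Render a URL in Reverse Domain Name (RDN) notation.

    Assumed rendering (not taken from the paper): the dot-separated host labels
    are reversed so the TLD and registrable domain come first; scheme, port,
    path, query and fragment are kept; IP-literal hosts are left unchanged.
    Any userinfo ("user@") is dropped, since it is not part of the host.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; brackets, userinfo and port removed
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    try:
        ip = ipaddress.ip_address(host)
        rdn_host = f"[{host}]" if ip.version == 6 else host
    except ValueError:
        rdn_host = ".".join(reversed(host.split(".")))
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    fragment = f"#{parts.fragment}" if parts.fragment else ""
    return f"{parts.scheme}://{rdn_host}{port}{parts.path}{query}{fragment}"


def leading_labels(url: str, n: int = 2, rdn: bool = False) -> list[str]:
    """The first n host labels a left-to-right reader meets in either notation."""
    host = urlsplit(to_rdn(url) if rdn else url).hostname or ""
    return host.split(".")[:n]


# Constructed sample URLs (no real sites): a legitimate URL and a phishing URL
# that copies the legitimate host as its left-most subdomains.
LEGIT = "https://www.bank.example/login"
PHISH = "https://www.bank.example.login-verify.invalid/login"

if __name__ == "__main__":
    for u in (LEGIT, PHISH):
        print(f"{u}\n  -> {to_rdn(u)}")
        print(f"  first labels, normal: {leading_labels(u)}"
              f"  RDN: {leading_labels(u, rdn=True)}")
```

In normal notation both sample URLs start with the same two labels, while in RDN notation the phishing URL opens with its registrable domain.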
Easier in Reverse: Simplifying URL Reading for Phishing URLs via Reverse Domain Name Notation