An analysis of reported phishing domains

Abstract: As we become more digitalized and we rely more heavily on the internet, the more important it is to protect ourselves against phishing attacks and other types of internet frauds. Users who fall for phishing attacks risk getting sensitive information stolen such as their bank accounts. In this thesis we describe and analyze domains that use Hypertext Transfer Protocol Secure (HTTPS), an extension to the Hypertext Transfer Protocol (HTTP) used for secure communication, and the impact that these domains have on phishing. We have analyzed and performed experiments that quantify how many of the phishing domains reported to PhishTank are HTTP and HTTPS, and why phishing sites can use HTTPS and still fail to be safe. We have created a script in Java that takes a set of URLs and creates a dataset containing the domains and all certificates that have been issued to these domains, making it a useful tool to analyze phishing domains. Furthermore, we present analyses and results describing how hashing algorithms are used in different certificates and their impact in securing the web. Through analyses and experiments we gained an understanding of how easy it is to create a certificate and claim to be behind a website. Phishing domains being able to use HTTPS is a good example of this and our results have shown that many imposter websites use HTTPS. Thankfully, there are tools in place to secure the web and avoid phishing, such as browsers having a set of Certificate Authorities (CAs) that they trust, meaning that any HTTPS site that does not have a certificate from one of these CAs will be flagged as not secure. Another countermeasure is increasing people's knowledge about how to handle websites that seem to be secure and have the necessary parameters, such as HTTPS, but nevertheless are phishing sites.