Research Article

PDRCNN: Precise Phishing Detection with Recurrent Convolutional Neural Networks

Table 2

Nine artificial phishing website character features.

| Features | Description |
| --- | --- |
| F1 [15] | Embedded domain: some phishing URLs insert a benign website's domain name into their own domain name to hide the real domain name. For example, the following phishing link nests the domain name of eBay.com to confuse the user: http://cgi.ebay.com.ebaymotors.732issapidll.private99dll.qqmotorsqq.ebmdata.com |
| F2 [15] | IP address: this feature checks whether a page's domain is an IP address. |
| F3 [15] | Number of dots in the URL: this feature counts the number of dots in the URL. Phishing pages tend to have more than 5 dots in their URLs, more than legitimate sites do. |
| F4 [15] | Suspicious URL: the phishing link confuses the user by inserting a special character in the URL. The commonly used special characters include "@", "-", etc.; "@" hides the phishing URL by effectively commenting out the domain name that appears before its position. Benign links do not perform similar operations. |
| F5 [15] | Number of sensitive words in the URL: phishing websites add sensitive words to pretend to be legitimate websites. Sensitive words like "login" and "registered" make phishing sites look more like the real ones, leading users to submit forms with private information. |
| F6 [15] | Out-of-position top-level domain (TLD): some phishing websites have strange top-level domains in their domain names. This is because links that contain "edu", "cn", "com", etc. more easily obtain the trust of users. Phishing attackers insert common top-level domains in domain names or paths. For example, http://www.inc-paypal-id.com.apps-web.cf/ uses a separator to insert a "com" in the domain name. |
| F7 [28] | Length of the URL: the URL of a phishing website differs in length from that of a legitimate website. We set the threshold to 54; a URL longer than 54 is more likely to be a phishing website. |
| F8 [29] | Number of "/"s in the URL: this feature counts the number of "/" characters in the URL. Phishing pages tend to have more than 5 "/" in their URLs, more than legitimate sites do. |
| F9 [30] | Number of sensitive domains in the URL: paypal.com, apple.com, google.com, eBay.com, eBay.it, maybank2u.com, aol.com, yahoo.com, nab.com, natwest.com, amazon.com, bt.com, Alibaba.com, facebook.com, key.com |
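
The nine features of Table 2 computed for a single URL, as an added example (not code from the paper). Assumptions: the word list and TLD set contain only the entries the table names, the label-boundary matching used for F1, F6 and F9 is one interpretation of the descriptions, and F3, F5, F8 and F9 are returned as counts while F7 is thresholded at 54.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# F9 list as given in the table, lowercased.
SENSITIVE_DOMAINS = ["paypal.com", "apple.com", "google.com", "ebay.com", "ebay.it",
    "maybank2u.com", "aol.com", "yahoo.com", "nab.com", "natwest.com", "amazon.com",
    "bt.com", "alibaba.com", "facebook.com", "key.com"]
SENSITIVE_WORDS = ["login", "registered"]   # only the two words the table names
COMMON_TLDS = {"edu", "cn", "com"}          # only the TLDs the table names

def _has_domain(text, domain):
    # Match on label boundaries only, so "paypal-id.com" does not count as "paypal.com".
    pattern = r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])"
    return re.search(pattern, text) is not None

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_features(url):
    """Return F1..F9 for one URL (assumed interpretation of Table 2)."""
    url = url.strip().lower()
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    path_tokens = re.split(r"[^a-z0-9]+", parts.path)
    brands_in_host = [d for d in SENSITIVE_DOMAINS if _has_domain(host, d)]
    return {
        # F1: a listed domain sits inside the host but is not the host's real suffix.
        "F1": int(any(host != d and not host.endswith("." + d) for d in brands_in_host)),
        "F2": int(_is_ip(host)),
        "F3": url.count("."),
        "F4": int("@" in url or "-" in url),
        "F5": sum(url.count(w) for w in SENSITIVE_WORDS),
        # F6: a common TLD used as a host label other than the last, or in the path.
        "F6": int(not _is_ip(host) and bool(COMMON_TLDS & set(labels[:-1] + path_tokens))),
        "F7": int(len(url) > 54),
        "F8": url.count("/"),
        "F9": sum(_has_domain(url, d) for d in SENSITIVE_DOMAINS),
    }
```

With these rules F6 also fires on legitimate second-level registrations such as a `com.cn` host, so it is best treated as one input to a classifier and not as a verdict on its own.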