{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T15:04:35Z","timestamp":1774364675566,"version":"3.50.1"},"reference-count":39,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T00:00:00Z","timestamp":1770940800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004489","name":"Mitacs","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004489","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1016\/j.cose.2026.104860","type":"journal-article","created":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T00:38:09Z","timestamp":1770943089000},"page":"104860","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["Domains of deception: phishing through the lens of ownership"],"prefix":"10.1016","volume":"165","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7509-9725","authenticated-orcid":false,"given":"Mina","family":"Erfan","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9917-3694","authenticated-orcid":false,"given":"Paula","family":"Branco","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6067-6545","authenticated-orcid":false,"given":"Guy-Vincent","family":"Jourdan","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.104860_bib0001","unstructured":"Anti-phishing working group, 2003. https:\/\/apwg.org\/."},{"key":"10.1016\/j.cose.2026.104860_bib0002","series-title":"Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses","first-page":"446","article-title":"Content-agnostic detection of phishing domains using certificate transparency and passive dns","author":"AlSabah","year":"2022"},{"key":"10.1016\/j.cose.2026.104860_bib0003","series-title":"Technical Report","article-title":"Global Phishing Survey 2015\u20132016: Trends and Domain Name Use","author":"(APWG)","year":"2016"},{"key":"10.1016\/j.cose.2026.104860_bib0004","series-title":"Technical Report","article-title":"Phishing Attack Trends Report - 2Q 2024","author":"(APWG)","year":"2024"},{"key":"10.1016\/j.cose.2026.104860_bib0005","series-title":"Technical Report","article-title":"Phishing Attack Trends Report - 3Q 2024","author":"(APWG)","year":"2024"},{"key":"10.1016\/j.cose.2026.104860_bib0006","series-title":"International Conference on Passive and Active Network Measurement","first-page":"564","article-title":"Operational domain name classification: from automatic ground truth generation to adaptation to missing values","author":"Bayer","year":"2023"},{"key":"10.1016\/j.cose.2026.104860_bib0007","series-title":"30th USENIX Security Symposium (USENIX Security 21)","first-page":"3757","article-title":"Catching phishers by their bait: investigating the Dutch phishing landscape through phishing kit detection","author":"Bijmans","year":"2021"},{"key":"10.1016\/j.cose.2026.104860_bib0008","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1023\/A:1010933404324","article-title":"Random forests","volume":"45","author":"Breiman","year":"2001","journal-title":"Mach. Learn."},{"key":"10.1016\/j.cose.2026.104860_bib0009","series-title":"Classification and Regression Trees","author":"Breiman","year":"2017"},{"key":"10.1016\/j.cose.2026.104860_bib0010","first-page":"2079","article-title":"On over-fitting in model selection and subsequent selection bias in performance evaluation","volume":"11","author":"Cawley","year":"2010","journal-title":"J. Mach. Learn. Res."},{"key":"10.1016\/j.cose.2026.104860_bib0011","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1613\/jair.953","article-title":"Smote: synthetic minority over-sampling technique","volume":"16","author":"Chawla","year":"2002","journal-title":"J. Artifi. Intell. Res."},{"key":"10.1016\/j.cose.2026.104860_bib0012","series-title":"Proceedings of the 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining","first-page":"785","article-title":"Xgboost: a scalable tree boosting system","author":"Chen","year":"2016"},{"issue":"3","key":"10.1016\/j.cose.2026.104860_bib0013","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1023\/A:1022627411411","article-title":"Support-vector networks","volume":"20","author":"Cortes","year":"1995","journal-title":"Mach. Learn."},{"key":"10.1016\/j.cose.2026.104860_bib0014","series-title":"30th USENIX Security Symposium (USENIX Security 21)","first-page":"3721","article-title":"Compromised or {Attacker-Owned}: a large scale classification and study of hosting domains of malicious {URLs}","author":"De Silva","year":"2021"},{"key":"10.1016\/j.cose.2026.104860_bib0015","series-title":"2024 9th International Conference on Computer Science and Engineering (UBMK)","first-page":"1","article-title":"Dual-layered approach for malicious domain detection","author":"Do\u011fan","year":"2024"},{"key":"10.1016\/j.cose.2026.104860_bib0016","series-title":"Proceedings of the 16th International Conference on Availability, Reliability and Security","first-page":"1","article-title":"Finding phish in a haystack: a pipeline for phishing classification on certificate transparency logs","author":"Drichel","year":"2021"},{"key":"10.1016\/j.cose.2026.104860_bib0017","series-title":"2024 APWG Symposium on Electronic Crime Research (eCrime)","first-page":"14","article-title":"Owned, pwned or rented: whose domain is it?","author":"Erfan","year":"2024"},{"key":"10.1016\/j.cose.2026.104860_bib0018","series-title":"Security and Privacy in Communication Networks: 15th EAI International Conference, SecureComm 2019, Orlando, FL, USA, October 23\u201325, 2019, Proceedings, Part II 15","first-page":"320","article-title":"Phish-hook: detecting phishing certificates using certificate transparency logs","author":"Fasllija","year":"2019"},{"key":"10.1016\/j.cose.2026.104860_bib0019","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/s10994-006-6226-1","article-title":"Extremely randomized trees","volume":"63","author":"Geurts","year":"2006","journal-title":"Mach. Learn."},{"key":"10.1016\/j.cose.2026.104860_bib0020","series-title":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","first-page":"120","article-title":"Txphishscope: towards detecting and understanding transaction-based phishing on ethereum","author":"He","year":"2023"},{"key":"10.1016\/j.cose.2026.104860_bib0021","series-title":"Applied Logistic Regression","author":"Hosmer","year":"2013"},{"key":"10.1016\/j.cose.2026.104860_bib0022","series-title":"2012 19th Working Conference on Reverse Engineering","first-page":"325","article-title":"Inferring repository file structure modifications using nearest-neighbor clone detection","author":"Lavoie","year":"2012"},{"key":"10.1016\/j.cose.2026.104860_bib0023","series-title":"2019 17th International Conference on Privacy, Security and Trust (PST)","first-page":"1","article-title":"Victim or attacker? a multi-dataset domain classification of phishing attacks","author":"Le Page","year":"2019"},{"issue":"17","key":"10.1016\/j.cose.2026.104860_bib0024","first-page":"1","article-title":"Imbalanced-learn: a python toolbox to tackle the curse of imbalanced datasets in machine learning","volume":"18","author":"Lema\u00eetre","year":"2017","journal-title":"J. Mach. Learn. Res."},{"key":"10.1016\/j.cose.2026.104860_bib0025","series-title":"European Conference on Machine Learning","first-page":"4","article-title":"Naive (bayes) at forty: the independence assumption in information retrieval","author":"Lewis","year":"1998"},{"key":"10.1016\/j.cose.2026.104860_bib0026","unstructured":"Lim, K., Sommese, R., Jonker, M., Mok, R., Kim, D., et al., 2025. Registration, detection, and deregistration: analyzing DNS abuse for phishing attacks. arXiv: 2502.09549."},{"key":"10.1016\/j.cose.2026.104860_bib0027","series-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","first-page":"537","article-title":"Don\u2019t let one rotten apple spoil the whole barrel: towards automated detection of shadowed domains","author":"Liu","year":"2017"},{"issue":"1","key":"10.1016\/j.cose.2026.104860_bib0028","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1214\/aoms\/1177730491","article-title":"On a test of whether one of two random variables is stochastically larger than the other","volume":"18","author":"Mann","year":"1947","journal-title":"Ann. Math. Statist."},{"key":"10.1016\/j.cose.2026.104860_bib0029","series-title":"2020 IEEE European Symposium on Security and Privacy (EuroS&P)","first-page":"607","article-title":"Comar: classification of compromised versus maliciously registered domains","author":"Maroofi","year":"2020"},{"key":"10.1016\/j.cose.2026.104860_bib0030","series-title":"2024 IEEE Symposium on Security and Privacy (SP)","first-page":"1","article-title":"On sms phishing tactics and infrastructure","author":"Nahapetyan","year":"2024"},{"key":"10.1016\/j.cose.2026.104860_bib0031","unstructured":"Nosyk, Y., Korczy\u0144ski, M., Ga\u00f1\u00e1n, C., Maroofi, S., Bayer, J., Odgerel, Z., Tajalizadehkhoob, S., Duda, A., 2025. Infermal: inferential analysis of maliciously registered domains. arXiv: 2512.01391\">."},{"key":"10.1016\/j.cose.2026.104860_bib0032","unstructured":"Openphish - phishing intelligence, https:\/\/openphish.com\/."},{"key":"10.1016\/j.cose.2026.104860_bib0033","series-title":"Technical Report","article-title":"Most Phishing Attacks Use Compromised Domains and Free Hosting","author":"PhishLabs","year":"2021"},{"key":"10.1016\/j.cose.2026.104860_bib0034","unstructured":"Phishtank - join the fight against phishing, 2006. https:\/\/www.phishtank.com\/."},{"issue":"6088","key":"10.1016\/j.cose.2026.104860_bib0035","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1038\/323533a0","article-title":"Learning representations by back-propagating errors","volume":"323","author":"Rumelhart","year":"1986","journal-title":"Nature"},{"key":"10.1016\/j.cose.2026.104860_bib0036","series-title":"2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","first-page":"522","article-title":"Discovering HTTPSified phishing websites using the TLS certificates footprints","author":"Sakurai","year":"2020"},{"key":"10.1016\/j.cose.2026.104860_bib0037","series-title":"Proceedings of the Internet Measurement Conference 2018","first-page":"343","article-title":"The rise of certificate transparency and its implications on the internet ecosystem","author":"Scheitle","year":"2018"},{"key":"10.1016\/j.cose.2026.104860_bib0038","unstructured":"Wayback machine, 2001. Wayback machine. https:\/\/wayback-api.archive.org\/."},{"key":"10.1016\/j.cose.2026.104860_bib0039","doi-asserted-by":"crossref","unstructured":"Zhang, M., Li, X., Liu, B., Lu, J., Zhang, Y., Chen, J., Duan, H., Hao, S., Zheng, X., 2023. Detecting and measuring security risks of hosting-based dangling domains. Proceedings of the ACM on Measurement and Analysis of Computing Systems 7 (1), 1\u201328.","DOI":"10.1145\/3579440"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000362?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000362?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T14:19:08Z","timestamp":1774361948000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826000362"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":39,"alternative-id":["S0167404826000362"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.104860","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Domains of deception: phishing through the lens of ownership","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.104860","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"104860"}}