Abstract
Adversaries create phishing websites that spoof the visual appearance of frequently used legitimate websites in order to trick victims into providing their private information, such as bank accounts and login credentials. Phishing detection is an ongoing contest between defenders and attackers, in which various defense mechanisms have been proposed, such as blacklists, heuristics, and data mining. In this paper, we present a new perspective on the identification of phishing websites. The proposed solution, namely PhishFencing, consists of three main steps: (1) filtering: a list of trusted and non-hosting websites is used to eliminate pages from legitimate hosts; (2) matching: a sub-graph matching mechanism is developed to determine whether an unknown webpage contains logo images of whitelisted legitimate websites, and once a match is detected, the unknown webpage is considered a suspicious page; (3) identification: host features are utilized to identify whether a suspicious webpage is hosted on the same cluster of servers as the corresponding legitimate pages, and if not, the suspicious page is tagged as phishing. Compared with existing approaches in the literature, PhishFencing introduces an autonomous mechanism to replace the manual process of collecting and refreshing groundtruth data. As an in-network solution, PhishFencing could also partially detect phishing pages hosted on HTTPS servers, without requiring any support from clients. Through intensive experiments, we show that PhishFencing is very effective in comparison with the literature.
Z. Zhou and L. Yu are co-first authors of this paper.
Notes
1. In this paper, we use whitelisted sites and legitimate sites interchangeably.
2. An upper limit on crawled URLs is set in case the domain is huge; however, it is rarely reached in our experiments.
Acknowledgements
Zhaoyu Zhou, Lingjing Yu, Qingyun Liu, and Yang Liu were supported in part by Y8YY041101 and Y9W0013401. The authors would also like to thank the anonymous reviewers for their constructive suggestions.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhou, Z., Yu, L., Liu, Q., Liu, Y., Luo, B. (2020). Tear Off Your Disguise: Phishing Website Detection Using Visual and Network Identities. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science, vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_44
DOI: https://doi.org/10.1007/978-3-030-41579-2_44
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41578-5
Online ISBN: 978-3-030-41579-2
eBook Packages: Computer Science, Computer Science (R0)