Tear Off Your Disguise: Phishing Website Detection Using Visual and Network Identities

Abstract

Adversaries create phishing websites that spoof the visual appearances of frequently used legitimate websites in order to trick victims into providing their private information, such as bank accounts and login credentials. Phishing detection is an ongoing combat between the defenders and the attackers, where various defense mechanisms have been proposed, such as blacklists, heuristics, data mining, etc. In this paper, we present a new perspective on the identification of phishing websites. The proposed solution, namely PhishFencing, consists of three main steps: (1) filtering: a list of trusted and non-hosting websites is used to eliminate pages from legitimate hosts; (2) matching: a sub-graph matching mechanism is developed to determine if an unknown webpage contains logo images of whitelisted legitimate websites–once a match is detected, the unknown webpage is considered a suspicious page; (3) identification: host features are utilized to identify whether a suspicious webpage is hosted on the same cluster of servers as the corresponding legitimate pages–if not, the suspicious page is tagged as phishing. Compared with existing approaches in the literature, PhishFencing introduces an autonomous mechanism to replace the manual process of collecting and refreshing groundtruth data. As a in-network solution, PhishFencing could also partially detect phishing pages hosted on HTTPS servers, without requiring any support from clients. Through intensive experiments, we show that PhishFencing is very effective in comparing with the literature.