DeltaPhish

Detecting Phishing Webpages in Compromised Websites
This approach is based on our ESORICS2017 paper: DeltaPhish: Detecting Phishing Webpages in Compromised Websites, authored by
Igino Corona (1,2), Battista Biggio (1,2), Matteo Contini (2), Luca Piras (1,2), Roberto Corda (2), Mauro Mereu (2), Guido Mureddu (2), 
Davide Ariu (1,2), and Fabio Roli (1,2)
 
1 Pluribus One, Cagliari, Italy
2 Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy
To visualize the classification reports of Deltaphish on the data used in our ESORICS2017 paper, please visit this page.
The large-scale deployment of modern phishing attacks relies on the automatic exploitation of vulnerable websites in the wild. To understand the importance of this phenomen, note that, according to the most recent Global Phishing Survey by APWG, published in 2014, 59,485 out of the 87,901 domains linked to phishing scams (namely, the 71.4%) were actually pointing to legitimate (though compromised) websites.
To counter this threat, we have developed DeltaPhish, a tool capable of detecting phishing webpages hosted in compromised websites through the analysis of the differences between the visited webpages and a predetermined reference page (e.g., the website homepage).
Fig. 1. Homepage (left), legitimate (middle) and phishing (right) pages hosted in a compromised website.
DeltaPhish analyzes both the HTML code and the visual appearance of each page, using state-of-the-art computer-vision techniques.
Fig. 2. General architecture of DeltaPhish.
Fig. 3. Computation of the visual features. Color histograms and HOG features are extracted from each image tile and concatenated to form a complete feature vector.
Furthermore, by exploiting the latest research findings in the area of adversarial machine learning, we have designed DeltaPhish to be robust to adversarial, worst-case manipulations of the HTML code of the phishing webpages made with the specific intent of evading our detection algorithm.
Fig. 4. Adversarial fusion schemes of HTML and Image classifiers to improve resilience against attacks targeting the HTML component.
DeltaPhish can be used as an additional component within a web application firewall to protect a website from these kinds of automatized phishing attacks and, hence, also to reveal signs of website compromise.
Under this application setting, we have shown that DeltaPhish can detect more than 99% of phishing webpages, while only misclassifying less than 1% of legitimate pages, and that the detection rate remains higher than 70% even under very sophisticated attacks carefully designed to evade our system.

Info

Pluribus One S.r.l.

Via Bellini 9, 09128, Cagliari (CA)

info[at]pluribus-one.it

PEC: pluribus-one[at]pec.pluribus-one.it

 

Legal entity

Share capital: € 10008

Paid-up share capital: € 4.602

VAT no.: 03621820921

R.E.A.: Cagliari 285352

 

University of Cagliari

  Pluribus One is a spin-off

  of the Department of

  Electrical and Electronic Engineering

  University of Cagliari, Italy

 

© 2017 Pluribus One s.r.l. All Rights Reserved.