Poster: Lightweight Content-based Phishing Detection

I. INTRODUCTION Increasing use of Internet banking and shopping by a broad spectrum of users results in greater potential profits from phishing attacks. Phish are fake websites that masquerade as legitimate sites, to trick unsuspecting users into sharing sensitive information: credentials, passwords, financial information, or other personal information that can enable fraud. This threat is especially dire for financial services and sites involving on-line payment: an attacker can use stolen credentials to steal money or make fraudulent transactions. Most browsers today detect potential phishing with URL blacklists such as the Google Safe Browsing API, Phish-Tank [1], Is It Phishing [2] service, and the Netcraft toolbar [3]. The browser checks each website a web user visits against a list of known bad sites that is typically cached locally and refreshed regularly. While effective at stopping previously known threats, blacklists must react to new threats as they are discovered, leaving an inevitable period of vulnerability where users are vulnerable. Attackers exploit this gap by changing URLs for phishing sites frequently. Alternatively, whitelists can identify predetermined web-sites as " known-good ". Whitelists thus avoid the race to identify and add new phishing sites, but have their own delays in approving new sites, and by definition prohibits (or strongly discourages) use of sites off the list. This delay makes them too limited for many users. Our goal is proactive detection of phishing websites with neither the delay of blacklist identification nor the strict constraints of whitelists. Our approach is to list known phishing targets, index the content at their correct sites, then look for this content to appear at incorrect sites to signal a phishing site. While prior work has visually compared good website layouts with potential phishing sites [4], we focus on the content itself. Our insight is that cryptographic hashing of page contents allows efficient bulk identification of content reuse at phishing sites. Our contribution is to build a system to detect phish by comparing hashes of visited websites to the hashes of the original, known good, legitimate website. We implement our approach in the form of a browser extension in Google Chrome, and show that our algorithms detect a majority of phish, even with minimal countermeasures to page obfuscation. A small number of alpha users have been using the browser extension without issues, and we have released our extension and source code at