DeltaPhish: Detecting Phishing Webpages in Compromised Websites

TitleDeltaPhish: Detecting Phishing Webpages in Compromised Websites
Publication TypeConference Proceedings
Year of Publication2017
AuthorsCorona, I, Biggio, B, Contini, M, Piras, L, Corda, R, Mereu, M, Mureddu, G, Ariu, D, Roli, F
EditorFoley, SN, Gollmann, D, Snekkenes, E
Conference Name22nd European Symposium on Research in Computer Security (ESORICS)
Volume10492
Pagination370–388
Date Published09/2017
PublisherSpringer International Publishing
Conference LocationNorway, September 11-15, 2017
KeywordsDNS
Abstract

The large-scale deployment of modern phishing attacks relies on the automatic exploitation of vulnerable websites in the wild, to maximize profit while hindering attack traceability, detection and blacklisting. To the best of our knowledge, this is the first work that specifically leverages this adversarial behavior for detection purposes. We show that phishing webpages can be accurately detected by highlighting HTML code and visual differences with respect to other (legitimate) pages hosted within a compromised website. Our system, named DeltaPhish, can be installed as part of a web application firewall, to detect the presence of anomalous content on a website after compromise, and eventually prevent access to it. DeltaPhish is also robust against adversarial attempts in which the HTML code of the phishing page is carefully manipulated to evade detection. We empirically evaluate it on more than 5,500 webpages collected in the wild from compromised websites, showing that it is capable of detecting more than 99% of phishing webpages, while only misclassifying less than 1% of legitimate pages. We further show that the detection rate remains higher than 70% even under very sophisticated attacks carefully designed to evade our system.
Notes

ESORICS 2017 - acceptance rate: 16% (54 accepted papers out of 340 submissions).
Citation Keycorona17-esorics
Download: 
AttachmentSize
corona17-esorics.pdf4.13 MB