💡This is a reader's perspective on the paper written by Ruofan Liu (from the National University of Singapore) and published at the USENIX Security Symposium 2022.
Brief Description
Observations
User click emulation using Helium is very primitive. A research gap that might still be valid is the idea of emulating user mouse movement patterns to bypass some websites.
I would also like to see the number of HTML-obfuscated websites among benign websites compared with phishing websites.
Another thing I don't understand is the difference between the Threat Model section and the Challenges section. As I understood, the first mentions how attackers could exploit their idea, while the challenges are related to the conversion from the data to the model.
Initial Questions
One interesting question I had at the beginning of the paper was regarding the benign logo dataset they used. Throughout the paper, they mentioned using the Logo2K+ dataset, but another nice idea would be to use the Alexa Top websites.
From the URLs they found as phishing on CertStream, it is a nice idea to check for a couple of months if they are eventually identified as phishing in VirusTotal, which I didn't see in the results section.
A little typo in Section 10.2, in which they meant Kaspersky instead of Kapaskey (I think).
Where do the experiment ideas come from?
Everything in the paper orbits around the idea of capturing input fields in a webpage using a visual system, and I don't have much of a clue why it works (I guess that I lack deep learning know-how).
What are the interesting ideas/results?
I like their improvement on a brand detection tool, which could be used to infer interesting aspects from phishing pages that mimic certain brands.
The idea of using the tool on CertStream URLs is very nice since they evaluate the ability of their system to identify zero-days.
Another interesting idea they had was to compare how much data was necessary to obtain a better classification score, which is slightly different from the usual overall precision vs precision comparison (but it takes more effort as well).
I like the improvement on the logo detection module and the explanation of why it was necessary to improve it (in Section 4).
The crawler that automatically searches a page detecting where to click is a very nice alternative to the usual "login" regex match.