Visual similarity-based phishing detection without victim site information

Phishing attacks, which steal users' account information by fake Websites, have become a serious problem on theInternet. There are two major approaches in phishing detection: the blacklist- and the heuristics-based approach. Heuristics-based approaches employ common characteristics of phishing sites such as distinctive keywords used in Web pages or URLs in order to detect new phishing sites that are not yet listed in blacklists. However, these kinds of heuristics can be easily circumvented by phishers once their mechanism is revealed. In order to overcome this weakness, visual similarity-based detection techniques have been proposed. Because phishing sites have to mimic victim sites, visual similarity between phishing sites and their victim sites is supposed to be an inherent and not easily concealable characteristic. However, these techniques require images of real victim sites for detection. In this paper, we propose a phishing detection mechanism based on visual similarity among phishing sites that mimic the same victim site. Surprisingly, just by analyzing visual similarity among Web pages without a priori knowledge, our method automatically extracts 224 distinct Web page layouts mimicked by 2,262 phishing sites and achieves a detection rate of over 80% while keeping the false-positive rate to 17.5%. We also find that the false-positive rate can be reduced.