Favicon - a clue to phishing sites detection

Abstract

Phishing is a type of scam designed to steal user's identity. Typically, anti-phishing methods either use blacklists or recognize the phishing pattern with statistical learning. This paper focuses on a tiny but powerful visual element-favicon, which is widely used by phishers but ignored by anti-phishing researchers. Indeed, only some lowest-quality phishing campaigns do not use such favicons. By analyzing the characteristic of favicon in phishing sites, an alternative phishing detection method is proposed. Favicon detection and recognition locates the suspicious brand sites, including legitimate and fake brands sites, and then PageRank and DNS filtering algorithm discriminates the sites with branding rights from fake brands sites. To validate the effectiveness of the proposed method, we carried out two different experiments. One is collecting a diverse spectrum of corpora containing 3642 phishing cases containing favicons from PhishTank, and 19585 legitimate Web pages from DMOZ and Google; experimental evaluations on the data set show that the proposed method achieved over 99.50% TPR and 0.15% FPR. The other is validating the method in the real Web query environment; a total of 517 unique phishing URLs were found and reported to the Anti-Phishing Alliance of China in a month. The experimental results demonstrate the competitive performances of favicon detection and recognition method for anti-phishing in practice.