Phishing Site Detection Using Similarity of Website Structure

Abstract

The number of phishing sites is increasing and becoming a problem. General phishing sites often have very short lives. Phishers are thought to construct phishing sites using tools such as phishing kits. Phishing sites constructed using the same tools have similar website structures. We propose a new method based on the similarity of website structure information defined by the types and sizes of web resources that make up these websites. Our method can detect phishing sites that is not registered with blocklists or do not have similar URL strings with targeting legitimate sites. In addition, our method can identify phishing sites that differed in appearance but have similar website structures. Our method is particularly effective for detecting phishing sites constructed by the same phishers or using the same tools, as our method identifies structural similarity between websites. We conducted an evaluation to confirm the correctness of our assumption using phishing sites constructed using phishing kits and the PhishTank dataset. We found a large number of phishing sites that were structurally similar to phishing sites constructed using phishing kits. We applied our method to web access logs provided by ordinary Japanese citizens, and detected some unknown phishing sites. We have also examined the possibility of improving our method based on the importance of web resources, determined using the number of occurrences in web access logs.