The present invention relates generally to network security and more specifically to identifying phishing Web sites.
Phishing attacks primarily consist of sending emails that are forged to appear as if originating from commercial organizations. The sending of the email is an attempt to cause one or more recipients of the email to access a phony Web site that has been set up to gather information about the recipient(s).
Phishing is typically different from spamming. Phishers send out fake emails to a large number of recipients after setting up one or more Web sites that look similar to the Web sites of banking and other financial institutions. A typical goal of phishing is to mislead people into thinking that the email they received is from a legitimate business organization. The email directs the email recipients to Web sites under the phisher's control. The Web sites have often been set up to gather personal, sensitive information such as credit card numbers, user identification numbers, and passwords. After some amount of time (e.g., a short time), the sites are taken down to prevent discovery. Thus, the window of opportunity to detect phishing sites is often the time between the first email being sent and the time that the Web site is taken down.
Typically, phishing sites are discovered after a person (or group of people) reports the phishing attack to a Web site that collects such information. The potential phishing site is then manually checked to determine whether the site is a phishing Web site. Tools to accomplish this traditionally exist as part of a toolbar (e.g., Netcraft), draw on hand-checked reports (dslreports.com), etc. The manual checking of potential phishing sites is often time- and/or work-intensive.
Thus, there remains a need to more effectively identify phishing sites.