1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting phishing attacks.
2. Description of the Background Art
Phishing involves stealing information, such as usernames, passwords, and credit card numbers, by mimicking a legitimate organization in Internet communications. Phishing may be perpetrated using a webpage, or other user interface, that purports to belong to a legitimate organization in order to trick the victim into entering confidential information into it. Phishing may also be perpetrated by sending emails that include a link to a webpage of a malicious website or to other harmful content. Victims are fooled into clicking the link because the emails are designed to look like they come from a legitimate organization trusted by the victim.
Phishing attacks may be blocked by Internet Protocol (IP) reputation. For example, a DNS-based blackhole list (DNSBL) may be consulted to identify IP addresses of servers that are sending spam emails. Although IP reputation may be employed to block some phishing attacks, such a list is very difficult to maintain because of the sheer number of malicious servers on the Internet. Some of these servers may also be compromised servers, i.e., legitimate servers that have been infected, so blocking them also blocks the legitimate emails sent through them.
Email authentication (e.g., SPF or DKIM checks on the sending domain) is also ineffective in blocking phishing attacks because of the setup involved on the sender's side and because some users are reluctant to reject emails merely for failing an authentication check.
Examining emails for content indicative of spam (e.g., keywords) is problematic because a phishing email is designed to look like a legitimate email and has very similar content. The same is true of identifying spam emails by content hashes.
Link, Uniform Resource Locator (URL), and web domain reputations are very useful in blocking phishing attacks. For example, the Anti-Phishing Working Group (APWG) collects URLs of phishing webpages and provides the collected URLs as a service to legitimate organizations and security companies. Unfortunately, collecting URLs of phishing webpages is a laborious task because of the large and increasing number of phishing webpages. Often, by the time a webpage has been verified to be a phishing webpage and its URL has been published, the phishing attack is already over and a new phishing attack has begun with a new webpage and a new URL.
Another problem with lists of phishing URLs is that cybercriminals have adopted the strategy of hosting phishing webpages on hundreds (if not thousands) of compromised legitimate websites. This makes detection difficult because the domains cannot simply be blocked (they are legitimate domains), so each individual webpage that was added to the compromised website has to be verified separately.
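The two granularities at issue above, blocking a whole domain versus matching one published URL, behave very differently on a compromised legitimate site. The following is an added example, not part of the patent or of any APWG feed: the listed URLs and hostnames are constructed, and the list is a plain in-memory set rather than a subscription service.

```python
"""Exact-URL versus domain-level matching against a phishing URL list (illustrative)."""
from typing import Iterable, Set
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonicalize a URL so that trivial variations still hit the list.

    Lowercases scheme and host, drops a default port, supplies a missing path,
    keeps the query (phishing pages are often keyed on it) and drops the fragment.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower() or "http"
    host = parts.hostname or ""          # .hostname is already lowercased
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


class PhishingUrlList:
    """A published list of verified phishing URLs, consulted two ways."""

    def __init__(self, urls: Iterable[str]) -> None:
        self.urls: Set[str] = {normalize_url(u) for u in urls}
        # Domains derived from the list, for the coarse check below.
        self.domains: Set[str] = {urlsplit(u).hostname for u in self.urls}

    def is_phishing(self, url: str) -> bool:
        """Fine-grained check: only the exact verified page is blocked."""
        return normalize_url(url) in self.urls

    def domain_is_listed(self, url: str) -> bool:
        """Coarse check: blocks every page on a domain that hosts any listed URL.

        On a compromised legitimate site this over-blocks the whole site.
        """
        return urlsplit(normalize_url(url)).hostname in self.domains


# Constructed list: one page planted on a compromised legitimate shop, one page on a
# domain registered purely for phishing.
PHISHING_URLS = [
    "http://shop.example/wp-content/uploads/verify.html",
    "https://bank-login.example.net/index.php?session=1",
]


def classify(url: str, plist: "PhishingUrlList") -> str:
    """Summarize what each granularity would do with a candidate URL."""
    exact = plist.is_phishing(url)
    coarse = plist.domain_is_listed(url)
    if exact:
        return "block"
    if coarse:
        return "block-by-domain (over-blocking if the domain is legitimate)"
    return "allow"


if __name__ == "__main__":
    plist = PhishingUrlList(PHISHING_URLS)
    for candidate in (
        "HTTP://Shop.Example:80/wp-content/uploads/verify.html#top",  # the planted page
        "http://shop.example/",                                        # the legitimate storefront
        "http://shop.example/wp-content/uploads/verify2.html",         # the next page the attacker adds
    ):
        print(candidate, "->", classify(candidate, plist))
```

The third candidate is the staleness problem from the preceding paragraphs in miniature: the exact-match list misses the attacker's next page until someone verifies and publishes it, while the domain-level check catches it only by also blocking the shop's legitimate pages.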