As people use the internet for more sensitive activities including managing banking accounts, health information, and pretty much every other facet of a person's life, the incidence of phishing attacks has increased. A phishing attack is a type of fraud attack where a website or communication (e.g., an email) from a website represents itself as being associated with a false identity in order to obtain sensitive information or other valuables from a user. For example, a phishing website may be configured to appear to be a consumer's bank website or the phishing website may send an email that appears to be from a consumer's bank with a link that directs the consumer to a phishing website. The phishing website may then ask the consumer for sensitive information (e.g., financial information, username, password, etc.). The operator of the phishing website may then use the sensitive information to initiate fraudulent transactions or may sell the sensitive information to others that use the information to initiate fraudulent transactions.
Many times phishing attacks may be initiated by a malicious third party hacking into a legitimate website provided by a different webhost and embedding software into the website that performs phishing attacks without the webhost knowing. Many times the software that is installed is provided in the form of a “phishing kit” where a single hacker designs and sells a toolkit to other providers that performs the phishing attack functionality. The phishing kits can be applied modularly and may use information obtained from a number of different server computers. Each kit may be branded by one or more entities in which they are attempting to mimic (e.g., PayPal™, Amazon™, eBay™, etc.). The phishing kit may include the relevant pictures, design features, and any other content that tricks a user into thinking that the website is a bank website, a medical provider, an e-commerce store front, etc. Many times these phishing kits are very sophisticated and are designed to evade traditional phishing detection methods. Thus, phishing website operators may hack into a website, implement one of the kits, and start receiving sensitive consumer information from consumers that happen across the website and are tricked into believing the website is legitimate.
Traditional phishing detection systems evaluate static website information (e.g., HTML code received from a website) to determine if a website is a phishing website. For example, a phishing scanner may analyze the content, features, and brands (e.g., website domain provider) embedded in a URL and do not load a webpage when determining whether a website is performing a phishing attack. However, the use of static website information is limited in its accuracy and abilities to identify phishing. For example, dynamic web content that will not be loaded when looking at static website information and such content will not be analyzed by static phishing detection systems. Additionally, many characteristics that identify phishing behavior cannot be observed through static website information. Accordingly, there is a need for more effective, efficient, and accurate phishing detection of sophisticated phishing attacks.
Embodiments of the present invention solve these and other problems individually and collectively.