Some users of computers connected to the Internet experience various attacks from attackers hoping to steal sensitive information. In a particular type of attack known as a phishing attack, a customer on a computer is lured into divulging credentials to an attacker through a spoofed web site that the customer believes is authentic. For example, suppose that the customer performs online banking transactions with his bank, Customer Bank. The attacker, who may only be guessing that the customer has an account with Customer Bank, sends the customer an email directing the customer to click on a link. The customer, thinking that the email is from Customer Bank and is legitimate, clicks on the link and is taken to a site controlled by the attacker which looks very similar or identical to the legitimate website operated by Customer Bank. On the attacker's site, the customer inputs credentials such as an account number and a password into a form. After the customer enters the credentials, the scripting code behind the spoofed website sends the credentials to the intruder in an email.
Intruders that conduct phishing attacks typically derive the spoofed web sites, as well as the scripting code that sends credentials to the intruder, from phishing kits available in underground hacking channels. Such phishing kits provide an attacker with tools that make deploying spoofed websites simple; previously, the intruder manually copied information from a web site and constructed HTML code from the information. The phishing kits typically include PHP script files for providing the spoofed website as well as commands for sending customer-entered credentials to the intruder in a credentials email. The phishing kits may also include a set of images or other visual elements for display on the spoofed web site for additional realism.
In halting such phishing attacks, conventional network security techniques involve extracting, from a phishing kit, a destination email address belonging to an intruder. Once such a destination email address has been extracted, the email provider used by the intruder can be contacted to have the destination email address shut down.