Snynet Solution Logo
MON - SUN: 10 AM - 6 PM
+60 11 5624 8319

Blog

Catching phish with web scraping

Image Description

Phishing is, unfortunately, profitable, hard to detect, and relatively easy to engage in. With digital transformations expedited across the globe, phishing is bound to experience continued explosive growth.

According to Phishlabs, the number of phishing attempts over Q1 2021 increased by nearly 50%. There’s no reason to believe it will stop climbing either.

That means increased levels of digital harm and risk. To counteract such an uptick, new approaches to phishing detection should be tested or current ones improved. One way to improve existing approaches is to make use of web scraping.

Poking phish

Phishers would be hard-pressed to completely replicate the original website. Placing all URLs identically, replicating images, cooking the domain age, etc. would take more effort than most people would be willing to dedicate. 

Additionally, a perfect spoof would likely have a lower success rate due to the ability for the target to get lost (by clicking on an unrelated URL). Finally, just like with any other scam, duping everyone is not necessary, therefore the perfect replica would be a wasted effort in most cases.

However, those who do phishing aren’t dumb. Or at least those who are successful at it aren’t. They still do their best to make a believable replica with the least effort required. It may not be effective against those who are tech-savvy, but even a perfect replica might not be effective against the wary. In short, phishing relies on being “just good enough”.

Therefore, due to the nature of the activity, there’s always a glaring hole or two that can be discovered. Two good ways to get a head start is to either look for similarities between frequently-phished-websites (e.g. fintech, SaaS, etc.) and suspected phishing websites or to collect patterns of known attacks and work your way up from there.

Unfortunately, with the volume of phishing websites appearing daily and the intent to target less tech-savvy people, solving the issue may not be as simple as it seems at first glance. Of course, as is often the case, the answer is automation. 

Looking for phish

There have been more methods developed over the years. An overview article written in 2018 by ScienceDirect lists out URL-based detection, layout recognition, content-based detection. The former often lags behind phishers as databases are updated slower than new websites appear. Layout recognition is based on human heuristic and is thus more prone to failure. Content-based detection is computational heavy.

We will be paying slightly more attention to layout recognition and content-based detection as these are complicated processes that benefit greatly from web scraping. Back in the day, a group of researchers had created a framework for detecting phishing websites called CANTINA. It was a content-based approach which would check for data such as TF-IDF ratios, domain age, suspicious URLs, improper usage of punctuation marks, etc. However, the study had been released in 2007 when automation opportunities were limited.

Web scraping can improve the framework immensely. Instead of manually attempting to find the outliers, automated applications can breeze through websites and download the relevant content within. Important details such as the ones outlined above can be extracted from the content, parsed, and evaluated.

Building a net

CANTINA, developed by the researchers, had a drawback - it was only used to prove a hypothesis. For these purposes, a database of phishing and legitimate websites had been compiled. The status of both was known a priori.

Such methods are suitable for proving a hypothesis. They are not as good in practice where we don’t know the status of the websites ahead of time. Practical applications of projects similar to CANTINA would require a significant amount of manual effort. At some point, these applications would no longer stand as “practical”.

Theoretically, though, content-based recognition seems like a strong contender. Phishing websites have to reproduce content in a nearly identical manner to the original. Any incongruences such as misplaced images, spelling mistakes, missing pieces of texts can trigger suspicion. They can never stray too far from the original, which means metrics such as TF-IDF would have to be similar by necessity.

Content-based recognition’s drawback has been the slow and costly side of manual labor. Web scraping, however, moves most of the manual effort into complete automation. In other words, it enables us to use existing detection methods on a significantly larger scale.

First, instead of manually collecting URLs or taking them from an already existing database, scraping can create its own quickly. They can be collected through any content that has hyperlinks or links to these supposed phishing websites in any shape or form.

Second, a scraper can traverse a collection of URLs faster than any human ever could. There are benefits to manual overview such as the ability to see the structure and content of a website as it is instead of retrieving raw HTML.

Visual representations, however, have little utility if we use mathematical detection methods such as link depth and TF-IDF. They may even serve as a distraction, pulling us away from the important details due to heuristics.

Parsing also becomes an avenue for detection. Parsers frequently fall apart if any layout or design changes happen within the website. If there are some unusual parsing errors when compared to the same process performed on parent websites, these may serve as an indication of a phishing attempt.

In the end, web scraping doesn’t produce any completely new methods, at least as far as I can see, but it enables older ones. It provides an avenue for scaling methods that might otherwise be too costly to implement.

Casting a net

With the proper web scraping infrastructure, millions of websites can be checked daily. As a scraper collects the source HTML, we have all the text content stored wherever we’d like. Some parsing later, the plain text content can be used to calculate TF-IDF. A project would likely start out by collecting all the important metrics from popular phishing targets and move on to detection.

Additionally, there’s a lot of interesting information we can extract from the source. Any internal links can be visited and stored in an index to create a representation of the overall link depth.

It’s possible to detect phishing attempts by creating a website tree through indexing with a web crawler. Most phishing websites will be shallow due to the reasons outlined previously. On the other hand, phishing attempts copy websites of highly established businesses. These will have great link depths. Shallowness by itself could be an indicator for a phishing attempt.

Nevertheless, the collected data can then be used to compare the TF-IDF, keywords, link depth, domain age, etc., against the metrics of legitimate websites. A mismatch would be cause for suspicion. 

There is one caveat that has to be decided “on the go” - what margin of difference is a cause to investigate? A line in the sand has to be drawn somewhere and, at least at first, it will have to be fairly arbitrary.

Additionally, there’s an important consideration for IP addresses and locations. Some content on a phishing website might only be visible to IP addresses from a specific geographical location (or not from a specific geographical location). Getting around such issues, in regular circumstances, is challenging, but proxies provide an easy solution.

Since a proxy always has an associated location and IP address, a sufficiently large pool will provide global coverage. Whenever a geographically-based block is encountered, a simple proxy switch is all it takes to hop over the hurdle.

Finally, web scraping, by its nature, uncovers a lot of data on a specific topic. Most of it is unstructured, something usually fixed by parsing, and unlabeled, something usually fixed by humans. Structured, labeled data may serve as a great ground for machine learning models.

Terminating phish

Building an automated phish detector through web scraping produces a lot of data for evaluation. Once evaluated, the data would usually lose its value. However, like with recycling, that information may be reused with some tinkering.

Machine learning models have the drawback of requiring enormous amounts of data in order to begin making predictions of acceptable quality. Yet, if phishing detection algorithms start making use of web scraping, that amount of data would be produced naturally. Of course, labeling might be required which would take a considerable amount of manual effort.

Regardless of this, the information would already be structured in a manner that would produce acceptable results. While all machine learning models are black boxes, they’re not entirely opaque. We can predict that data structured and labeled in a certain manner will produce certain results.

For clarity, machine learning models might be thought of as the application of mathematics to physics. Certain mathematical modeling seems to fit exceptionally well with natural phenomena such as gravity. Gravitational pull can be calculated by multiplying the gravitational constant by the mass of two objects and dividing the result by the distance between them squared. However, if we knew only the data required, that would give us no understanding about gravity itself.

Machine learning models are much the same. A certain structure of data produces expected results. However, how these models arrive at their predictions will be unclear. At the same time, at all stages the rest is as predicted. Therefore, outside of fringe cases, the “black box” nature doesn’t harm the results too much.

Additionally, machine learning models seem to be among the most effective methods for phishing detection. Some automated crawlers with ML implementations could reach 99% accuracy, according to research by Springer Link.

The future of web scraping

Web scraping seems like the perfect addition to any current phishing solutions. After all, most of cybersecurity is going through vast arrays of data to make the correct protective decisions. Phishing is no different. At least through the cybersecurity lens.

There seems to be a holy trinity in cybersecurity waiting to be harnessed to its full potential - analytics, web scraping, and machine learning. There have been some attempts to combine two of three together. However, I’ve yet to see all three harnessed to their full potential. 

Date

26 Apr 2022

Sources


Share


Other Blog

  • AMD RX 5700 series graphics cards will still be around after Big Navi launch

    It makes sense to keep more GPU options post-launch – particularly if the RX 6000 series suffers any supply issues.

    Read More
  • AMD Ryzen 5000 leaks suggest an evolution in efficiency

    New leaks surrounding the AMD Ryzen 5000 Van Gogh line have surfaced, and they could bring laptops to a new level of power and efficiency.

    Read More
  • AMD's 3D Infinity Cache could be its secret weapon in its fight against Nvidia

    AMD could be set to introduce its 3D V-Cache technology to its Infinity Cache architecture in the next-gen RDNA 3 GPUs expected sometime next year, and it could give Nvidia some serious heartburn.

    First unveiled during AMD's Computex 2021 keynote back in June, 3D chiplet technology is AMD's latest architecture innovation, which utilizes vertical space on a silicon die to fit more component electronics into the same horizontal dimensions. 

    3D V-Cache, or vertical cache, is the company's first known application of the tech, which it has already implemented on a Ryzen 9 5950X processor prototype to improve gameplay performance (which is demonstrated during the June keynote).

    By stacking cache vertically, as TweakTown notes, a processor can have access to significantly more cache memory which can dramatically improve performance, so it would be an obvious step to implement it in the company's next-generation GPU architecture, RDNA 3.

    That appears to be the plan, according to Twitter leaker Greymon55, who cryptically tweeted out "3D IFC" in the early morning hours of November 8. Granted, a two-word tweet isn't gospel, but it's almost certainly on point. AMD's Big Navi GPUs help power some of the best graphics cards on the market right now, but adding 3D V-Cache to mix would be a very big deal.  


    Analysis: of course 3D Infinity Cache is coming to RDNA 3. Why wouldn't it?

    Infinity Cache made a bit of a splash when AMD introduced it with Big Navi, since it allows for improved memory bandwidth without having to rely on a more power-hungry memory 512-bit bus, which would be double the existing 256-bit bus.

    Infinity cache is capable of boosting effective memory bandwidth to be somewhat competitive with Nvidia's larger bus capacity with its higher-end RTX cards like the 320-bit bus in the RTX 3080 and the 384-bit bus in the RTX 3090.

    Combining this technology with a 3D V-Cache architecture could make a much more dramatic difference. Having a dramatically expanded cache for the GPU could do more than neutralize the wider bus in an Nvidia card. 

    If an expanded 3D V-Cache utilized the same performance enhancements of AMD's Infinity Cache, then you would be talking about substantially faster data access with fewer page faults and far fewer fetch cycles to VRAM. 

    Having a thinner bus isn't a problem if you never really need to use it, and if an RDNA 3 GPU can keep fetching from a significantly expanded V-Cache while an Nvidia card has to fetch from VRAM much more often, it could be a game changing performance boost for AMD's next-gen graphics processors.

    Read More
  • Large parts of the internet were taken offline – here’s why it was down

    Outage at Fastly CDN knocks hundreds of top sites offline - here's what we know.

    Read More

Find Out More About Us

Want to hire best people for your project? Look no further you came to the right place!

Contact Us