Abstract
Recent times have witnessed the rise of anti-phishing schemes powered by deep learning (DL). In particular, logo-based phishing detectors rely on DL models from Computer Vision to identify logos of well-known brands on webpages, to detect malicious webpages that imitate a given brand. For instance, Siamese networks have demonstrated notable performance for these tasks, enabling the corresponding anti-phishing solutions to detect even “zero-day” phishing webpages. In this work, we take the next step of studying the robustness of logo-based phishing detectors against adversarial ML attacks. We propose a novel attack leveraging generative adversarial perturbations to craft “adversarial logos” that, with no knowledge of phishing detection models, can successfully evade the detectors. We evaluate our attacks through: (i) experiments on datasets containing real logos, to evaluate the robustness of state-of-the-art phishing detectors; and (ii) user studies to gauge whether our adversarial logos can deceive human eyes. The results show that our proposed attack is capable of crafting perturbed logos subtle enough to evade various DL models—achieving an evasion rate of up to 95%. Moreover, users are not able to spot significant differences between generated adversarial logos and original ones.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Background: in simple terms, logo-based phishing detection seeks to identify those (malicious) webpages that attempt to imitate a well-known brand. Intuitively, if a given webpage has the logo of a well-known brand (e.g., PayPal), but the domain does not correspond to the same brand (e.g., www.p4y-p4l.com), the webpage is classified as phishing. Though these approaches require maintenance of a database of logos for brands, such a task is not impractical given that the number of brands targeted by attackers is typically small (\(\approx 200\)) [7, 18, 34].
- 2.
FGSM and DeepFool assume an adversary with complete knowledge of the target classifier, which is much stronger (and less realistic [11]) than the attacker envisioned in our threat model.
- 3.
Remark: Our attack relies on the logos generated by the Generator, which in turn depend on a Discriminator, i.e., a DL model for identifying logos. However, the Discriminator does not necessarily have to be the identical one used in the targeted phishing detection system: as our experiments show, our adversarial logos evade even DL models that have not been used to develop the Generator (by leveraging the well-known transferability property of adversarial examples [21]).
- 4.
- 5.
For HS, we received 322 responses, but we removed 35 because some users took too little time to answer the entire questionnaire, or did not pass our attention checks.
References
Adversarial logos against phishing detection systems: Code repository. https://github.com/JehLeeKR/Adversarial-phishing-logos
APWG: Phishing activity trends report, 4th quarter 2022. https://docs.apwg.org//reports/apwg_trends_report_q4_2022.pdf
Browser In The Browser (BITB) Attack. https://mrd0x.com/browser-in-the-browser-phishing-attack/ (2022)
COFENSE: Phishing URLs 4x more likely than attachments to reach users. https://cofense.com/blog/urls-4x-more-likely-than-phishing-attachments-to-reach-users/ (2023)
Google Safe Browsing. https://developers.google.com/safe-browsing/ (2023)
Phishing attacks jump 61% in 2022. https://venturebeat.com/security/report-phishing-attacks-jump-61-in-2022-with-255m-attacks-detected/ (2023)
Abdelnabi, S., Krombholz, K., Fritz, M.: VisualphishNet: zero-day phishing website detection by visual similarity. In: Proceedings ACM CCS, pp. 1681–1698 (2020)
Abu-Nimeh, S., Nappa, D., Wang, X., Nair, S.: A comparison of machine learning techniques for phishing detection. In: Proceedings of the Anti-Phishing Working Groups, 2nd Annual eCrime Researchers Summit. eCrime ’07 (2007)
Afroz, S., Greenstadt, R.: Phishzoo: detecting phishing websites by looking at them. In: IEEE International Conference on Semantic Computing (2011)
Alsharnouby, M., Alaca, F., Chiasson, S.: Why phishing still works: user strategies for combating phishing attacks. Int. J. Hum Comput Stud. 82, 69–82 (2015)
Apruzzese, G., Anderson, H., Dambra, S., Freeman, D., Pierazzi, F., Roundy, K.: Position:“Real Attackers Don’t Compute Gradients”: Bridging the Gap Between Adversarial ML Research and Practice. In: IEEE Conference on Secure and Trustworthy Machine Learning (2023)
Apruzzese, G., Andreolini, M., Marchetti, M., Venturi, A., Colajanni, M.: Deep reinforcement adversarial learning against botnet evasion attacks. IEEE Trans. Netw. Serv. Manage. 17, 1975–1987 (2020)
Apruzzese, G., Conti, M., Yuan, Y.: SpacePhish: the evasion-space of adversarial attacks against phishing website detectors using machine learning. In: Proceedings ACSAC (2022)
Bailey, M., Dittrich, D., Kenneally, E., Maughan, D.: The Menlo Report. IEEE S &P (2012)
Bhagoji, A.N., He, W., Li, B., Song, D.: Practical black-box attacks on deep neural networks using efficient query mechanisms. In: Ferrari, V., Hebert, M., Sminchisescu, C., Weiss, Y. (eds.) ECCV 2018. LNCS, vol. 11216, pp. 158–174. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01258-8_10
Bhurtel, M., Siwakoti, Y.R., Rawat, D.B.: Phishing attack detection with ML-based siamese empowered ORB logo recognition and IP mapper. In: Proceedings IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (2022)
Biggio, B., Roli, F.: Wild patterns: ten years after the rise of adversarial machine learning. Pattern Recogn. 84, 317–331 (2018)
Bitaab, M., et al.: Scam pandemic: how attackers exploit public fear through phishing. In: Proceedings APWG Symposium on Electronic Crime Research (eCrime), pp. 1–10. IEEE (2020)
Bozkir, A.S., Aydos, M.: LogoSENSE: a companion HOG based logo detection scheme for phishing web page and e-mail brand recognition. Comput. Secur. 95, 101855 (2020)
Corona, I., et al.: DeltaPhish: detecting phishing webpages in compromised websites. In: Proceedings ESORICS (2017)
Demontis, A., et al.: Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In: USENIX Security Symposium (2019)
Divakaran, D.M., Oest, A.: Phishing detection leveraging machine learning and deep learning: a review. IEEE Secur. Priv. 20(5), 86–95 (2022)
Dosovitskiy, A., et al.: An image is worth 16 \(\times \) 16 words: transformers for image recognition at scale. arXiv preprint arXiv:2010.11929 (2020)
Fu, A.Y., Wenyin, L., Deng, X.: Detecting phishing web pages with visual similarity assessment based on earth mover’s distance (EMD). IEEE Trans. Dependable Secure Comput. 3(4), 301–311 (2006)
Garera, S., Provos, N., Chew, M., Rubin, A.D.: A framework for detection and measurement of phishing attacks. In: Proceedings ACM Workshop on Recurring Malcode (2007)
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Learning Representations (Poster) (2015)
He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings IEEE CVPR, pp. 770–778 (2016)
Hout, T.v.d., Wabeke, T., Moura, G.C.M., Hesselman, C.: LogoMotive: detecting logos on websites to identify online scams - a TLD case study. In: Proceedings of PAM (2022)
Kondracki, B., Azad, B.A., Starov, O., Nikiforakis, N.: Catching transparent phish: analyzing and detecting MITM phishing toolkits. In: Proceedings of ACM CCS (2021)
Le, H., Pham, Q., Sahoo, D., Hoi, S.C.: URLNet: learning a URL representation with deep learning for malicious URL detection. arXiv preprint arXiv:1802.03162 (2018)
Lee, J., Tang, F., Ye, P., Abbasi, F., Hay, P., Divakaran, D.M.: D-Fence: a flexible, efficient, and comprehensive phishing email detection system. In: Proceedings IEEE EuroS &P (2021)
Lee, J., Ye, P., Liu, R., Divakaran, D.M., Choon, C.M.: Building robust phishing detection system: an empirical analysis. In: Proceedings NDSS MADWeb (2020)
Liang, B., Su, M., You, W., Shi, W., Yang, G.: Cracking classifiers for evasion: a case study on the Google’s phishing pages filter. In: Proceedings WWW (2016)
Lin, Y., et al.: Phishpedia: a hybrid deep learning based approach to visually identify phishing webpages. In: Proceedings USENIX Security Symposium (2021)
Liu, R., Lin, Y., Yang, X., Ng, S.H., Divakaran, D.M., Dong, J.S.: Inferring phishing intention via webpage appearance and dynamics: a deep vision based approach. In: Proceedings USENIX Security Symposium (2022)
Liu, Z., et al.: Swin transformer: hierarchical vision transformer using shifted windows. In: Proceedings the IEEE/CVF International Conference on Computer Vision, pp. 10012–10022 (2021)
Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Identifying suspicious URLs: an application of large-scale online learning. In: Proceedings ICML (2009)
Moosavi-Dezfooli, S.M., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: Proceedings IEEE CVPR, pp. 1765–1773 (2017)
Moosavi-Dezfooli, S.M., Fawzi, A., Frossard, P.: DeepFool: a simple and accurate method to fool deep neural networks. In: Proceedings IEEE CVPR, pp. 2574–2582 (2016)
Mopuri, K.R., Ganeshan, A., Babu, R.V.: Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Trans. Pattern Anal. Mach. Intell. 41(10), 2452–2465 (2018)
Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings ACM ASIACCS (2017)
Pawar, R.: Logo images dataset. https://github.com/revanks/logo-images-dataset (2021), gitHub repository
Poursaeed, O., Katsman, I., Gao, B., Belongie, S.: Generative adversarial perturbations. In: Proceedings IEEE CVPR, pp. 4422–4431 (2018)
Quiring, E., et al.: Do’s and don’ts of machine learning in computer security. In: Proceedings USENIX Security Symposium (2022)
Rahman, M.S., Imani, M., Mathews, N., Wright, M.: Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces. IEEE Trans. Inf. Forensics Secur. 16, 1594–1609 (2020)
Shafahi, A., et al.: Adversarial training for free! In: Advances in Neural Information Processing Systems (2019)
Shafahi, A., Najibi, M., Xu, Z., Dickerson, J., Davis, L.S., Goldstein, T.: Universal adversarial training. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, pp. 5636–5643 (2020)
Sharma, K., Zhan, X., Nah, F.F.H., Siau, K., Cheng, M.X.: Impact of digital nudging on information security behavior: an experimental study on framing and priming in cybersecurity. Organ. Cybersecur. J. Pract. Process People 1(1), 69–91 (2021)
Shenoi, A., Vairam, P.K., Sabharwal, K., Li, J., Divakaran, D.M.: iPET: privacy enhancing traffic perturbations for secure IoT communications. Proce. Priv. Enhan. Technol. 2, 206–220 (2023)
Szegedy, C., et al.: Intriguing Properties of Neural Networks. CoRR (2014)
Tian, K., Jan, S.T., Hu, H., Yao, D., Wang, G.: Needle in a haystack: tracking down elite phishing domains in the wild. In: Internet Measurement Conference (2018)
Vaswani, A., et al.: Attention is all you need. In: Advances in Neural Information Processing Systems 30 (2017)
Verma, R., Dyer, K.: On the character of phishing URLs: accurate and robust statistical learning classifiers. In: Proceedings ACM Conference Data Application Security Privacy (2015)
Wang, G., et al.: Verilogo: Proactive phishing detection via logo recognition, Department of Computer Science and Engineering. University of California, San Diego (2011)
Wang, J., et al.: Logo-2K+: a large-scale logo dataset for scalable logo classification. In: Proceedings AAAI, pp. 6194–6201 (2020)
Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: Proceedings NDSS (2010)
Xiang, G., Hong, J., Rose, C.P., Cranor, L.: CANTINA+: a feature-rich machine learning framework for detecting phishing web sites. ACM Trans. Inform. Syst. Secur. 14(2), 1–28 (2011)
Zhang, C., Benz, P., Imtiaz, T., Kweon, I.S.: CD-UAP: class discriminative universal adversarial perturbation. In: Proceedings AAAI Conference on Artificial Intelligence, vol. 34, pp. 6754–6761 (2020)
Zhang, P., et al.: CrawlPhish: large-scale analysis of client-side cloaking techniques in phishing. In: Proceedings IEEE S &P (2021)
Acknowledgment
We thank the Hilti Corporation, Trustwave, NUS (National University of Singapore) and Acronis, for supporting this research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Ethics declarations
Ethical Statement
Our institutions do not require any formal IRB approval to carry out the research discussed herein. We always followed the guidelines of the Menlo report [14]. For our user-studies, we never asked for sensitive data or PII. Finally, although we publicly release our code for the sake of science, as mentioned on the GitHub page [1], such code should not be used for any unethical or illegal purposes.
Appendix
Appendix
1.1 A Step-ReLu activation Function
The step-ReLU function utilised in training the robust Siamese model \(\mathcal D_{\text {Siamese}^{++}}\) (Sect. 3.3) is expressed as:
1.2 B Discriminator and generator configurations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lee, J., Xin, Z., See, M.N.P., Sabharwal, K., Apruzzese, G., Divakaran, D.M. (2024). Attacking Logo-Based Phishing Website Detectors with Adversarial Perturbations. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_9
Download citation
DOI: https://doi.org/10.1007/978-3-031-51479-1_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51478-4
Online ISBN: 978-3-031-51479-1
eBook Packages: Computer ScienceComputer Science (R0)