Visual recognition of phishing: how to stop cybercriminals using AI and computer vision

Phishing is a well-known method of social engineering that takes many different forms: telephone calls, smishing (phishing by SMS), phishing e-mails and phishing sites. With it, cybercriminals trick victims into handing over confidential data such as credit card details, logins and passwords.

Phishing links leading to malicious sites are often contained in e-mails that, at first glance, come from reliable sources. They are also sent in messages on social networks and in messaging applications like Facebook and WhatsApp. They can even appear in search results, misleading users. And it can be quite difficult to tell whether a site is a phishing site: many of these resources are almost identical to the sites they imitate. Phishing e-mails are usually less effective, because modern filters recognise them as spam. However, some of them still end up in the inbox.

The reason for the popularity of phishing is clear: cybercriminals can attack a large number of people at once. To counter these mass attacks on users, Avast specialists use artificial intelligence (AI) technology.

Phishing Detection with AI

To deceive people, attackers create websites that are very similar to real, trusted resources. Visual similarity is often enough to mislead gullible users, who readily enter their credentials and other confidential data.

In theory, cybercriminals could use the very same images on their phishing pages as on the original resources. However, the owners of the original sites would then see on their servers the requests for those images coming from the scammers' pages. In addition, creating an exact copy of a site takes time and effort: the cybercriminals would have to reproduce the design on the phishing resource pixel by pixel. As a result, they approach the task creatively and build pages that are very similar to the originals but have minor differences that are hardly noticeable to the average user.

Avast has a network of hundreds of millions of sensors that supply data to the AI. Avast scans every site that users visit and carefully studies the popularity of the relevant domains. When deciding whether a page may be loaded, other factors are taken into account as well, for example the website's certificate, the age of the domain and the presence of suspicious tokens in the URL.

The lifetime of a phishing site is usually extremely short, and search engines do not have time to index it. This is reflected in the domain's rating. Its popularity and history can also be the first signs of whether a page is safe or malicious. After checking this information and comparing it with the visual characteristics, the system concludes whether the site can be trusted.

[Figure: the phishing version of the Orange.fr login page and the original version of the Orange.fr login page]

Side by side, these pages look quite different: the malicious version uses the outdated Orange site design, while the original site has a more modern and more secure one, since the password is requested from the user in a second step rather than on the same page as the login.

Obviously, the domain of the phishing site has a very low level of popularity. At the same time, the rating of the Orange.fr domain is 7/10. Although the design of the phishing resource is very similar to the previous version of the Orange.fr site, it is not hosted on Orange.fr or on any other popular domain. This information, pointing to the potential danger of a fake website, triggers a more thorough examination of it.

[Figure: analysis of the domain orangefrance.weebly.com, which hosts the phishing version of the site; this data is used to assess its popularity]

The next stage is design verification. At first glance, a pixel-by-pixel comparison of the fake website with the real one seems sufficient, but it is not. A different approach uses image hashes. In this method, the original image is compressed to a smaller size while retaining the necessary detail. The result is a fixed-size bit vector with a simple distance metric. This lets the AI compare images of the same kind within a given statistical tolerance. However, this technology turned out to be less reliable and less error-tolerant than expected.
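The image-hash step described above, as an added illustration that is not Avast's code: a difference hash (one common perceptual hash) is computed from a downscaled greyscale thumbnail and two screenshots are compared by the Hamming distance of their bit vectors. The 64x64 "login page" images are constructed here and are not taken from the article.

```python
from typing import List
Image = List[List[int]]  # 8-bit greyscale pixels, row-major

def downscale(img: Image, width: int, height: int) -> Image:
    """Box-filter the image down to width x height (the 'compression' step)."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0, y1 = y * src_h // height, (y + 1) * src_h // height
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, (x + 1) * src_w // width
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def dhash(img: Image, size: int = 8) -> int:
    """Difference hash: on a (size+1) x size thumbnail, emit 1 where a pixel is darker
    than its right-hand neighbour, giving a fixed size*size-bit vector."""
    bits = 0
    for row in downscale(img, size + 1, size):
        for x in range(size):
            bits = (bits << 1) | int(row[x] < row[x + 1])
    return bits

def hamming(a: int, b: int) -> int:
    """The 'simple metric': number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def login_mock(bg: int, panel: int, button: int, logo: bool, shift: int = 0) -> Image:
    """Constructed 64x64 'login page': background, a panel with a button bar, optional logo."""
    img = [[bg] * 64 for _ in range(64)]
    for y in range(16, 48):
        for x in range(8 + shift, 56 + shift):
            img[y][x] = button if y >= 40 else panel
    if logo:
        for y in range(4, 12):
            for x in range(8, 16):
                img[y][x] = 40
    return img

ORIGINAL = login_mock(240, 200, 60, logo=True)
# Look-alike: slightly different greys, panel shifted 1 px, logo missing (cf. the Google example).
LOOKALIKE = login_mock(235, 190, 80, logo=False, shift=1)
UNRELATED = [[x * 4 for x in range(64)] for _ in range(64)]  # plain horizontal gradient

def distances() -> dict:
    """Hamming distances from the original's hash to the look-alike and to an unrelated image."""
    h = dhash(ORIGINAL)
    return {"lookalike": hamming(h, dhash(LOOKALIKE)), "unrelated": hamming(h, dhash(UNRELATED))}
```

The look-alike differs from the original in hundreds of pixels yet lands only 4 bits away, while the unrelated image is 56 bits away; the same coarse thumbnail is also why a layout shift can flip many bits at once, which is the fragility the article notes.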

A far more effective method turned out to be computer vision. With it, the AI obtains information about an image by examining specific pixels and their surroundings in detail. For this it uses descriptors: numeric descriptions of the relative changes in the fragment around a pixel. This makes it possible to assess the variation of grey shades more accurately, including detecting the presence of a gradient and determining its intensity.

Once obtained, the pixels selected by the algorithm, the so-called points of interest, can be checked against a continuously updated database of descriptors. However, the mere fact that an image contains pixels similar to those of another image is not enough to conclude that the picture corresponds to the one in the database. For this reason, a method called "spatial verification" is used to compare the spatial relationships between the individual pixels of the image.

[Figure: a) an example of a valid spatial configuration of pixels; b) an example that was rejected as invalid]

Spatial verification yields valid results, but additional steps, including a check against image hashes, are added to eliminate possible false positives.
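The spatial verification described in the two paragraphs above, as an added example that is not Avast's implementation: given descriptor matches between points of interest on a candidate page and on a reference page, a two-point hypothesis search (the exhaustive form of a RANSAC-style check) estimates a scale-plus-translation model and counts the matches it explains; a set of locally similar pixels whose positions are not geometrically consistent is rejected, as in panel b). The keypoint coordinates are constructed for this example.

```python
from itertools import combinations
from typing import List, Optional, Tuple

Point = Tuple[float, float]
Match = Tuple[Point, Point]         # (point of interest on candidate page, matched point on reference)
Model = Tuple[float, float, float]  # scale s and translation (tx, ty): ref = s * cand + t

def fit_scale_translation(m1: Match, m2: Match) -> Optional[Model]:
    """Estimate s, tx, ty from two matches. Screenshots are axis-aligned, so scale plus
    translation (no rotation) is enough; s is the least-squares scale along the pair's
    displacement and t is chosen so that m1 fits exactly."""
    (a1, b1), (a2, b2) = m1, m2
    dx, dy = a2[0] - a1[0], a2[1] - a1[1]
    ex, ey = b2[0] - b1[0], b2[1] - b1[1]
    denom = dx * dx + dy * dy
    if denom == 0:
        return None
    s = (dx * ex + dy * ey) / denom
    if s <= 0:  # a mirrored or collapsed layout is not a copy of the page
        return None
    return s, b1[0] - s * a1[0], b1[1] - s * a1[1]

def count_inliers(matches: List[Match], model: Model, tol: float = 3.0) -> int:
    s, tx, ty = model
    return sum(1 for (ax, ay), (bx, by) in matches
               if (s * ax + tx - bx) ** 2 + (s * ay + ty - by) ** 2 <= tol * tol)

def spatial_verify(matches: List[Match], tol: float = 3.0, min_ratio: float = 0.5) -> Tuple[int, bool]:
    """Try every two-match hypothesis (small input, so no random sampling needed) and
    return the best inlier count plus whether the match set is geometrically consistent."""
    best = 0
    for m1, m2 in combinations(matches, 2):
        model = fit_scale_translation(m1, m2)
        if model is not None:
            best = max(best, count_inliers(matches, model, tol))
    return best, best >= max(3, min_ratio * len(matches))

# Constructed data: ten points of interest on a candidate screenshot that really is a
# rescaled copy of the reference (s = 1.25, shifted by (30, 12)) ...
CANDIDATE = [(10, 10), (50, 10), (10, 40), (50, 40), (20, 80),
             (80, 80), (120, 30), (140, 90), (60, 60), (100, 20)]
TRUE_MATCHES = [((x, y), (1.25 * x + 30, 1.25 * y + 12)) for x, y in CANDIDATE]
# ... plus descriptor matches that look alike locally but sit in unrelated positions.
BOGUS_MATCHES = [((15, 90), (200, 10)), ((90, 15), (20, 120)), ((130, 70), (60, 30)),
                 ((40, 100), (170, 140)), ((70, 50), (10, 5)), ((100, 100), (90, 60))]

if __name__ == "__main__":
    print(spatial_verify(TRUE_MATCHES + BOGUS_MATCHES))  # (10, True): the panel a) case
    print(spatial_verify(BOGUS_MATCHES))                 # (1, False): the panel b) case
```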

Analysing points of interest in images that contain text is fraught with problems. Such images contain a large number of gradients by default, because letters and other text elements create many edges. Even a small section of lettering contains many points of interest, which often leads to false positives, and spatial verification is powerless here.

To solve this problem, software was developed that can analyse image fragments for the presence of text. In such cases, the AI does not use points from those regions when comparing pictures.

The entire verification procedure runs fully automatically. In 99% of cases it recognises a phishing site in less than ten seconds, after which access to it is blocked for connected Avast users.

Phishing sites detected

Modern phishing sites are very convincing fakes. Cybercriminals go to great lengths to make them look like the real thing. The examples below show how closely a phishing site can resemble the original.

[Figure: phishing site and the old version of the Google login page] The malicious version lacks the Google application logos. There are also small differences in the colours of the user avatar and of the selection dots in the grey login module.

Over the years, phishing sites have improved significantly and look very convincing. Some even use HTTPS, and the "green lock" in the browser bar gives users a false sense of security.

[Figure: phishing site and the Apple ID login page] The icons on the fake Apple sign-in site differ slightly from the original ones, and the official page uses a different typeface.

Small flaws in a phishing page become apparent only when it is compared with the original, trusted resource; on their own, they do not attract attention. Try to recall right now what the login page of a service you use often looks like. You are unlikely to be able to picture the design in all its details, and that is exactly what the fraudsters who create fake websites count on.

How is the threat spread?

Links to phishing sites are most often sent in phishing e-mails, but they can also be found in paid advertisements that appear in search results.

Most often, attackers create fake letters from well-known companies that users trust: banks, airlines, social networks.

Another attack vector is the technique known as "clickbait". Cybercriminals usually use it on social networks: users see a tempting headline like "Get a free phone" or "Brand N at an incredible discount" and click on the malicious link.

In addition, attackers can hijack the accounts of popular people, or create fake ones, and place malicious links in their profiles and posts.

What happens after the victim takes the bait?

The goal of phishing, like that of almost any other cyber attack, is financial gain. Having obtained a user's login details through the phishing site, the cybercriminal can use them in various ways depending on the type of bait page. If it is a malicious copy of a financial institution's site, a bank or a company like PayPal, the attacker gets direct access to the victim's money.

A fraudulently obtained login and password for the website of a transport company such as UPS or FedEx will, of course, not bring immediate profit. Instead, the attacker may try to use the details to gain access to other accounts with more valuable information, including an attempt to break into the victim's e-mail. It is well known that people often set the same password for different services. Another source of income for cybercriminals is selling the stolen personal data on the darknet.

This is the so-called "pointless attack" mechanism. There are many outdated WordPress sites on the Internet. They can be compromised at low cost and used for phishing campaigns. The average cost of deploying a phishing kit is $26.

How to protect yourself

Some time usually passes between a successful phishing attack and the moment cybercriminals actually use the stolen details. The sooner the threat is eliminated, the more potential victims can be protected. If a username and password have already been stolen, the only thing the user can do is change them, and as quickly as possible.

How to protect yourself from phishing, one of the most successful cyber attack techniques:

  • First of all, install antivirus on all your devices: PC, Mac, smartphones and tablets. Antivirus software is a safety net that protects network users.
  • Do not follow links in suspicious e-mails and do not download files attached to them. Do not reply to such a message, even if, at first glance, it came from a person or organisation you trust. Instead, contact the sender over a different communication channel to confirm that the message really came from them.
  • Whenever possible, type the site's address into the browser yourself; this protects you from accidentally landing on a version created by scammers.
  • HTTPS and the "green lock" are not a guarantee of security. The icon only indicates that the connection is encrypted; the site you are on may still be fake. Cybercriminals set up encryption on phishing sites precisely to deceive users, so it is especially important to check and verify the authenticity of the resource you are using.

In 2018, Avast experts investigated malicious e-mails sent from hacked MailChimp accounts, cases of sex-phishing, and fraudulent campaigns tied to the introduction of the GDPR regulations. According to the experts, the number of phishing attacks will keep growing, and new ways will appear to disguise the actions of intruders aimed at stealing confidential user data.