Phishing Attacks Modifications and Evolutions

  • Qian Cui
  • Guy-Vincent Jourdan
  • Gregor V. Bochmann
  • Iosif-Viorel Onut
  • Jason Flood
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)


So-called “phishing attacks” are attacks in which phishing sites are disguised as legitimate websites in order to steal sensitive information.

Our previous research [1] showed that phishing attacks tend to be relaunched many times, sometimes after small modifications. In this paper, we look into the details of these modifications and their evolution over time. We propose a model called the “Semi-Complete Linkage” (SCL) graph to perform our evaluation, and we show that, unlike usual software, phishing attacks tend to be derived from a small set of master versions, and even the most active attacks in our database only go through a couple of iterations on average over their lifespan.

We also show that phishing attacks tend to evolve independently from one another, without much cross-coordination.


Keywords: Phishing attacks, Attacks modifications, Evolution graph


  1. Cui, Q., Jourdan, G.V., Bochmann, G.V., Couturier, R., Onut, I.V.: Tracking phishing attacks over time. In: Proceedings of the 26th International Conference on World Wide Web, International World Wide Web Conferences Steering Committee, pp. 667–676 (2017)
  2. Anti-Phishing Working Group: Global Phishing Survey: Trends and Domain Name Use in 2016 (2017).
  3. Anti-Phishing Working Group: Phishing Activity Trends Report 1st Half 2017 (2017).
  4. Anti-Phishing Working Group: Phishing Activity Trends Report 3rd Quarter 2017 (2017).
  5. FBI: 2017 Internet Crime Report.
  6. Tekli, J., Chbeir, R., Yetongnon, K.: An overview on XML similarity: background, current trends and future directions. Comput. Sci. Rev. 3(3), 151–173 (2009)
  7. Pawlik, M., Augsten, N.: Tree edit distance: robust and memory-efficient. Inf. Syst. 56, 157–173 (2016)
  8. Manku, G.S., Jain, A., Das Sarma, A.: Detecting near-duplicates for web crawling. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, New York, NY, USA, pp. 141–150 (2007)
  9. Fuhr, N., Großjohann, K.: XIRQL: a query language for information retrieval in XML documents. In: Proceedings of the 24th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval, pp. 172–180. ACM (2001)
  10. Grabs, T.: Generating vector spaces on-the-fly for flexible xml retrieval. In: [1, Citeseer] (2002)
  11. Alexa: Top 500 Sites in Each Country.
  12.
  13. Sood, A.K., Enbody, R.J.: Crimeware-as-a-service-a survey of commoditized crimeware in the underground market. Int. J. Crit. Infrastruct. Prot. 6(1), 28–38 (2013)
  14. Rosiello, A.P.E., Kirda, E., Kruegel, C., Ferrandi, F.: A layout-similarity-based approach for detecting phishing pages. In: Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks, SecureComm, Nice, pp. 454–463 (2007)
  15. Chen, T.C., Dick, S., Miller, J.: Detecting visually similar web pages: application to phishing detection. ACM Trans. Internet Technol. 10(2), 5:1–5:38 (2010)
  16. Chang, E.H., Chiew, K.L., Sze, S.N., Tiong, W.K.: Phishing detection via identification of website identity. In: 2013 International Conference on IT Convergence and Security, ICITCS 2013, pp. 1–4. IEEE (2013)
  17. Geng, G.G., Lee, X.D., Wang, W., Tseng, S.S.: Favicon - a clue to phishing sites detection. In: eCrime Researchers Summit (eCRS), pp. 1–10, September 2013
  18. Liu, W., Huang, G., Xiaoyue, L., Min, Z., Deng, X.: Detection of phishing webpages based on visual similarity. In: Special Interest Tracks and Posters of the 14th International Conference on World Wide Web - WWW 2005, pp. 1060–1061 (2005)
  19. Jain, A.K., Gupta, B.B.: Phishing detection: analysis of visual similarity based approaches. Secur. Commun. Netw. 2017, 20 (2017)
  20. Zhang, Y., Hong, J., Lorrie, C.: Cantina: a content-based approach to detecting phishing web sites. In: Proceedings of the 16th International Conference on World Wide Web, Banff, AB, pp. 639–648 (2007)
  21. Huh, J.H., Kim, H.: Phishing detection with popular search engines: simple and effective. In: Garcia-Alfaro, J., Lafourcade, P. (eds.) FPS 2011. LNCS, vol. 6888, pp. 194–207. Springer, Heidelberg (2012).
  22. Xiang, G., Hong, J., Rose, C.P., Cranor, L.: Cantina+: a feature-rich machine learning framework for detecting phishing web sites. ACM Trans. Inf. Syst. Secur. 14(2), 21:1–21:28 (2011)
  23. Gowtham, R., Krishnamurthi, I.: A comprehensive and efficacious architecture for detecting phishing webpages. Comput. Secur. 40, 23–37 (2014)
  24. Miyamoto, D., Hazeyama, H., Kadobayashi, Y.: An evaluation of machine learning-based methods for detection of phishing sites. In: Köppen, M., Kasabov, N., Coghill, G. (eds.) ICONIP 2008. LNCS, vol. 5506, pp. 539–546. Springer, Heidelberg (2009).
  25. Corona, I., et al.: DeltaPhish: detecting phishing webpages in compromised websites. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 370–388. Springer, Cham (2017).
  26. Cova, M., Kruegel, C., Vigna, G.: There is no free phish: an analysis of “Free” and Live phishing kits. In: 2nd Conference on USENIX Workshop on Offensive Technologies (WOOT), San Jose, CA, vol. 8, pp. 1–8 (2008)
  27. McCalley, H., Wardman, B., Warner, G.: Analysis of back-doored phishing kits. In: Peterson, G., Shenoi, S. (eds.) DigitalForensics 2011. IAICT, vol. 361, pp. 155–168. Springer, Heidelberg (2011).
  28. Han, X., Kheir, N., Balzarotti, D.: Phisheye: live monitoring of sandboxed phishing kits. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1402–1413. ACM (2016)
  29. Moradpoor, N., Clavie, B., Buchanan, B.: Employing machine learning techniques for detection and classification of phishing emails. In: IEEE Computing Conference, pp. 149–156 (2017)
  30. Akinyelu, A.A., Adewumi, A.O.: Classification of phishing email using random forest machine learning technique. J. Appl. Math. 2014, 6 p. (2014)
  31. Smadi, S., Aslam, N., Zhang, L., Alasem, R., Hossain, M.: Detection of phishing emails using data mining algorithms. In: 2015 9th International Conference on Software, Knowledge, Information Management and Applications (SKIMA), pp. 1–8. IEEE (2015)
  32. Irani, D., Webb, S., Giffin, J., Pu, C.: Evolutionary study of phishing. In: ECrime Researchers Summit, pp. 1–10. IEEE (2008)
  33. Clayton, R., Moore, T., Christin, N.: Concentrating correctly on cybercrime concentration. In: WEIS (2015)

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Qian Cui (1)
  • Guy-Vincent Jourdan (1)
  • Gregor V. Bochmann (1)
  • Iosif-Viorel Onut (2)
  • Jason Flood (3)

  1. Faculty of Engineering, University of Ottawa, Ottawa, Canada
  2. IBM Centre for Advanced Studies, Ottawa, Canada
  3. IBM Security Data Matrices, Dublin, Ireland
