Off-the-Hook: An Efficient and Usable Client-Side Phishing Prevention Application

Phishing is a major problem on the Web. Despite the significant attention it has received over the years, there has been no definitive solution. Existing solutions for steering users away from phishing websites are typically server-based and have several drawbacks: they compromise user privacy, are not robust against adaptive attackers who serve different content at different times, and do not provide any guidance to users after flagging a website as a phish.
To address these limitations, we introduced a new phishing prevention system implemented as a client-side application and a browser add-on: Off-the-Hook. It uses information extracted from website visited by the user to detect if it is a phish and warn the user. It also determines the target of the phish and offers to redirect the user there.
The underlying technique for phishing detection and target identification relies on two core observations: (a) although phishers try to make a phishing webpage look similar to its target, they do not have unlimited freedom in structuring the phishing webpage; and (b) a webpage can be characterized by a small set of key terms; how these key terms are used in different parts of a webpage is different in the case of legitimate and phishing webpages. Based on these observations, we developed a machine learning based phishing detection system with several notable properties: it requires very little training data, scales well to much larger test data, is language-independent, fast, resilient to adaptive attacks and implemented entirely on client-side. In addition, we developed a target identification component that can identify the target website that a phishing webpage is attempting to mimic.

Off-the-Hook Add-on

The phishing prevention Add-on Off-the-Hook is available for Mozilla Firefox and Chromium web browers. You can find instructions for download and installation here.

Results

    • Papers:
      • Know Your Phish: Novel Techniques for Detecting Phishing Sites and their Targets (published in IEEE ICDCS 2016)
      • On Designing and Evaluating Phishing Webpage Detection Techniques for the Real World (published in USENIX CSET 2018)
    • Technical Report: at arXiv
    • Demo Paper: Real-Time Client-Side Phishing Prevention Add-on (published in IEEE ICDCS 2016)