Did We Just Accidentally Revolutionize Phishing Detection?

Visual-AI is the missing piece of the puzzle when it comes to tackling Phishing 

By: Alessandro Prest, Chief Technology Officer, VISUA

Some of the best discoveries have been accidental. Perry Spencer was working on a radar related project when he discovered microwave energy after a chocolate bar melted in his pocket. Alexander Fleming discovered that mould growing on Petri dishes containing Staphylococcus bacteria colonies was killing infectious bacteria and preventing them from growing, resulting in the creation of Penicillin. Even the glue from the humble Post-It Note was developed from a failed project to develop a very sticky glue! 

So perhaps, at VISUA, in years to come, we may be able to claim our own life-changing accidental discovery. It may do for cybersecurity what the microwave did for hot dinners or Penicillin did for infections. It might just help put a stop to intrusive, costly, and ever more harmful Phishing scams that have plagued businesses and individuals since the mid-90s. You see, we have discovered that Visual-AI is the key to detecting what are often seen as undetectable, or at least very difficult to detect, traits in phishing campaigns. Could this revolutionize phishing detection?

The phishing problem is growing and growing…and GROWING!

Before I get into how we fell upon this discovery, I will add that following our ‘Eureka’ moment, we began researching the area of phishing and were shocked by some of the statistics that we uncovered. For example, did you know that business email compromise phishing attempts grew by 160% in just four years between 2015 and 2019? Or that in March 2020 alone, there were 50,000 phishing pages spoofing 200 of the world’s biggest brands? Those are quite worrying numbers and while cybersecurity experts have been working hard for decades to stop phishing attempts in their tracks, you can’t deny that it’s a growing problem when faced with figures like those. 

We also discovered the major arms race taking place between the so-called “bad actors” and the anti-phishing industry. Every advance in phishing detection is countered with a new evasion technique.

Given all this, there is clearly a need to increase efforts in some way to give phishing detection systems the edge.  

How we made the discovery 

While working with a partner to analyse what visual assets make a brand authoritative, for example, the presence of a Fortune 500 mark or the logo of an accreditation body, we noticed how often this type of visual ‘marker’ was used in phishing attacks. That led us to realise that a system that could detect and report on these elements could act as an early-warning system to sound the alarm on phishing scams. 

It was noted that the visual presence of authoritative markings is an essentially mandatory element if someone wants to pull off a phishing attack. These corporate assets, such as logos and the use of brand colours and imagery, when added to an email or landing page, act to increase the credibility of the phishing attempt. That, in turn, increases the likelihood of someone unknowingly passing valuable information over to cyber-criminals. 

That was the lightbulb moment: understanding that the key elements used to dupe people into handing over their details to scam artists are visual. 

Visuals in Phishing Detection Evasion 

As we continued investigating the role of visual content in phishing attacks, we realised that it went far beyond simply building trust through imagery. Those setting up phishing scams are not first-timers – they are experts in their field and they are always coming up with new ways to evade detection so they can continue their “work”. We discovered numerous ways in which they make use of graphics and visuals to do this, such as creating noise by distorting or splitting up key images and logos into many small parts, to be reassembled with CSS or JavaScript in the final render. They also convert elements of text into graphics and even entire sections into an image, because HTML parsers can’t see inside images.

Non-Visual Phishing Detection Evasion

We also realised that many of the traditional evasion techniques they employed might be overcome with Visual-AI.  It’s difficult to blacklist a website that is only live for hours, minutes or even seconds! It’s difficult to detect spam through HTML when extra HTML is added that serves no other purpose than to deflect any spam filters, or where the page content is built dynamically using JavaScript or WebAssembly. Bad actors will also pepper a fake email or web page with legitimate URLs and email addresses to throw detection systems off the scent. Yes, it’s clear that things are becoming more sophisticated.

Why we think Visual-AI is the answer

Traditional signals like HTML code and text have been used for a long time in this fight with great levels of success. However, in this game of cat and mouse where scammers are evolving to beat detection, it’s important to stay a step or two ahead. That’s why a combination of HTML and Visual-AI is very powerful – it has the potential to leave them with nowhere to hide. In other words, if Phishing techniques are becoming more sophisticated, so too must the techniques used to beat them. 

For example, context is king when it comes to finding culprits in this field. Contextualizing the presence of a brand, for example, Bank of America, on a login page, as opposed to a news article, is essential in ensuring that detection is accurate. This is not something HTML can do, but it is something Visual-AI can do.  

However, at first glance, we didn’t imagine that VISUA’s multifaceted technology was required for this task. Instead, we thought that perhaps a more basic technology would suffice. Once we delved a little deeper into it, we learned that the task of anti-phishing involves monitoring hundreds of millions of pages and emails on a daily basis, combined with the level of evasion these scammers can reach, the sooner cybersecurity companies introduce this combined method the better. 

What Visual-AI can do 

Visual-AI can detect the undetectable. It can see all the content as a human sees it, but at machine speed. With Visual-AI, we don’t even try to look at the code of a page or email, we simply render it into an image and send it through our engine for analysis. Logos and marks are then detected, along with any out-of-place elements,  and, importantly, text can also be detected and analysed for any trigger words that indicate risk. 

All of this data can then be compiled, scored and returned to the Phishing Detection System which will have gathered its own data. The information can be aggregated and risk can be more accurately assessed than ever. Importantly, all this can be done in one second or less, so users can be better protected in what is essentially real-time.

Cybersecurity companies and anti-phishing teams do not need to replace their current software with technologies like VISUA’s. Instead, they need a Visual-AI system that can partner with their existing technology. This combination could very well be the future of anti-phishing, but I would love to see it become the present as soon as possible to protect businesses and consumers from more sophisticated attacks.