Lightning:Detecting phishing domains

From SHA2017 Wiki
Jump to: navigation, search
Description How can you detect if a domain or a sub-domain is used for phishing?

After analyzing a little more then 2milion dns records we hatched a plan to detect if a hostname is used for phishing using a little bit of AI.

Slides
Website(s) http://www.siteground.com/
Tags security, phishing, dns, ai, artificial intelligence
Person organizing User:Sha2017.org-hackman
Contact: mm@siteground.com
Language en - English
en - English
Duration 5
Desired session Day 3

refresh

I'm the Chief System Architect of Siteground and I'm sick of all of the complains we receive for hosted phishing pages on our servers.

I decided to fight this with a bit of AI. The idea was to train an Word2vec and an SVM models to detect if a newly hosted hostname is possibly registered for phishing.

We manualy selected 2000 domains that we were sure are phishing related, like the ones below:

 ebay.co.uk.aspx.asfdfw.com
 amazon.com.store.3b01no.com

We found around 4000 phishing hostnames with this technique and we are going to deploy it for phishing directories and files.