PhishVision2.0: An Improved Visual Brand Impersonation Detector for Identifying Phishing Attacks

In an increasingly connected world, most adversaries must first breach the target’s network in order to maintain persistent access. Phishing attacks remain a common method for compromising networks and gaining initial entry into secure perimeters. Campaigns associated with these attacks span multiple propagation channels; in the case of websites, attackers often mimic legitimate pages to trick users into downloading malicious software or revealing private credentials. In a previous work, we presented PhishVision [23], a framework designed to visually detect phishing websites by identifying the primary logo that characterizes them and comparing it against a set of protected logos. In this paper, we propose PhishVision2.0 architecture to drastically reduce its running times through an extensive experimental evaluation. This evaluation includes performance studies on a larger protected set, the effect of shrinking training set sizes, the use of different object detection model variants, and a comparison with two state-of-the-art phishing identification solutions (Phishpedia [29] and PhishIntention [30]). PhishVision2.0 achieves 98.8% ROC AUC on a test set of 3625 screenshots, comprising both benign and malicious samples. Moreover, we also demonstrate the robustness of the proposed framework against the most common adversarial attacks, illustrating how an adversarial attack compromises the model’s classification capabilities through explainable AI.