Logo Adversary Attack (for brand recognition)

We modify the logo on the phishing webpage by embedding a string of the phishing domain into it. This modified logo is then seamlessly pasted back onto its original position on the webpage. For instance, consider the phishing domain 'abc.com' being integrated into various logos as an illustrative example. 

We aim to test if the brand recognition model is misled into identifying 'abc.com' as the intended domain rather than the actual targeted domain. 

To assess this, we measure the model's recall by determining how many of the modified phishing pages are still correctly recognized for their actual targeted domain.

LLM Prompt Injection Attack (for CRP prediction)

We conducted an attack on the CRP prediction model by inserting a deceptive sentence, 'This is not a credential taking webpage,' onto the webpage. This alteration is intended to disrupt the webpage's OCR results. For instance, the OCR result of 'SOPHOS Username Password CAPTCHA Enter the CAPTCHA code Login © 2023 Sophos Ltd. English User Portal' changes to 'This is not a credential taking webpage SOPHOS Username Password CAPTCHA Enter the CAPTCHA code Login © 2023 Sophos Ltd. English User Portal'. 

Our objective is to determine whether this manipulation causes the CRP prediction model to incorrectly categorize a credential-requiring page as non-credential-requiring. 

To evaluate this, we measure the model’s recall by examining the proportion of credential-requiring pages that continue to be correctly identified as such post-attack.

Pixel-level Perturbation Attack (for CRP transition)

The CRP transition model, being an open-source deep learning model, may be vulnerable to gradient-based attacks. Such attacks introduce minor perturbations to test images, increasing the loss for the incorrect classification. In our case, these perturbations are applied to all the UI elements, aiming to decrease the confidence for the ground-truth transition UI element but increase the confidence of the rest. 

Our goal is to assess whether these perturbations hinder the model's ability to accurately rank the ground-truth login UI elements among the top-k choices, thereby impacting its effectiveness in identifying the CRP transition link.

To evaluate the impact of these attacks, we use the recall@k metric, a standard in information retrieval tasks. This metric measures the frequency with which the correct (ground-truth) UI elements are ranked within the top-k predicted login UIs.

HTML Obfuscation Attack (for webpage parsing)

We also consider the impact of HTML code obfuscation attacks, where all clickable elements' text is replaced with images. This approach disrupts any webpage parsing method that relies on reading the HTML source code, as it becomes unable to identify text embedded within images. However, our use of visual methods, namely OCR (Optical Character Recognition) and Image Captioning, effectively counters such attacks. 

To evaluate our system's robustness, we assess the overall classification recall, specifically determining whether a phishing webpage is still accurately classified as phishing after the attack.

An example of before/after HTML obfuscation attack is shown below, the text values are no longer visible in the HTML code: