A Login Page Transparency and Visual Similarity Based Zero Day Phishing Defense Protocol
Gaurav Varshney, Akanksha Raj, Divya Sangwan, Sharif Abuadbba, Rina Mishra, Yansong Gao

TL;DR
This paper introduces a proactive, protocol-based phishing defense mechanism called Page Transparency, which logs login pages publicly and uses visual similarity checks to prevent deceptive look-alike sites, all implemented on the client side.
Contribution
It proposes a novel Page Transparency protocol inspired by certificate transparency, enabling cryptographic verification and visual comparison of login pages to detect phishing sites.
Findings
Effective visual matching algorithm for login pages
Client-side implementation of the PT header
Prevents registration of deceptive pages on the PLS
Abstract
Phishing is a prevalent cyberattack that uses look-alike websites to deceive users into revealing sensitive information. Numerous efforts have been made by the Internet community and security organizations to detect, prevent, or train users to avoid falling victim to phishing attacks. Most of this research over the years has been highly diverse and application-oriented, often serving as standalone solutions for HTTP clients, servers, or third parties. However, limited work has been done to develop a comprehensive or proactive protocol-oriented solution to effectively counter phishing attacks. Inspired by the concept of certificate transparency, which allows certificates issued by Certificate Authorities (CAs) to be publicly verified by clients, thereby enhancing transparency, we propose a concept called Page Transparency (PT) for the web. The proposed PT requires login pages that…
Taxonomy
Topics: Spam and Phishing Detection · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
