PhishParrot: LLM-Driven Adaptive Crawling to Unveil Cloaked Phishing Sites

TL;DR

PhishParrot is an adaptive crawling system that uses Large Language Models to identify cloaked phishing sites by mimicking attacker profiles, significantly improving detection accuracy against sophisticated cloaking techniques.

Contribution

This work introduces PhishParrot, a novel LLM-driven system that constructs adaptive user profiles to bypass cloaking, enhancing phishing detection capabilities beyond traditional methods.

Findings

Up to 33.8% improvement in detection accuracy

Created 91 diverse crawling environments

Effective use of LLMs for context analysis in phishing detection

Abstract

Phishing attacks continue to evolve, with cloaking techniques posing a significant challenge to detection efforts. Cloaking allows attackers to display phishing sites only to specific users while presenting legitimate pages to security crawlers, rendering traditional detection systems ineffective. This research proposes PhishParrot, a novel crawling environment optimization system designed to counter cloaking techniques. PhishParrot leverages the contextual analysis capabilities of Large Language Models (LLMs) to identify potential patterns in crawling information, enabling the construction of optimal user profiles capable of bypassing cloaking mechanisms. The system accumulates information on phishing sites collected from diverse environments. It then adapts browser settings and network configurations to match the attacker's target user conditions based on information extracted from similar cases. A 21-day evaluation showed that PhishParrot improved detection accuracy by up to 33.8% over standard analysis systems, yielding 91 distinct crawling environments for diverse conditions targeted by attackers. The findings confirm that the combination of similar-case extraction and LLM-based context analysis is an effective approach for detecting cloaked phishing attacks.