Image Matching for Branding Phishing Kit Images

A phishing website usually selects a particular target (e.g., a bank), and incorporates one or more images that are similar to a targeted brand whether the image is located on the same domain as the phish or a non-local domain. One common method of distributing phishing websites is to use a "phishing kit" or kit, which is a compressed file folder containing all files and directory structures necessary to create a phishing website. A kit is often used repeatedly by a single criminal or criminal group and is a preferred way of creating phishing websites. The kit contains any email address receiving the phished credentials, which can be important during investigations. When identifying a phishing kit's brand, it cannot always be assumed that the phishing kit has the same brand as the phishing website where it was found. Multiple phishing websites can be setup on the same domain and unused kits can be located on active phishing domains. A kit's brand is useful when alerting the organization being targeted or allowing brand specific investigations. Even though the identification can be accomplished manually it is time consuming and unfeasible for the UAB Kit Data Mine, given its size. Phishing kits often incorporate images that are similar to the targeted brand. Finding these brand relevant images and labeling them may lead to automated methods to brand phishing kits. Simple hash matching techniques are limited because it is easy to alter an image’s hash and not its meaning. More robust automated methods are needed to help reduce or eliminate manual effort. The rest of this paper explores the ability of image matching techniques to correctly identify image files associated with a brand. Four image-matching algorithms GCH, LCH, LCH+, and LCH++ are explored.