Wenyin Liu,Xiaotie Deng, Guanglin Huang, and Anthony Y.Fu City University of Hong Kong An Antiphishing Strategy Based on Visual Similarity Assessment The authors’ proposed antiphishing strategy uses visual characteristics to identify potential phishing sites and measure suspicious pages’ similarity to actual sites registered with the system. The first of two sequential processes in the SiteWatcher system runs on local email servers and monitors emails for keywords and suspicious URLs. The second process then compares the potential phishing pages against actual pages and assesses visual similarities between them in terms of key regions, page layouts, and overall styles.The approach is designed to be part of an enterprise antiphishing solution. P hishing attacks are increasing in fre- quency and sophistication. The Anti- Phishing Working Group (APWG; www.antiphishing.org) recently reported that the number of attacks is growing by 50 percent per month, with roughly 5 percent of recipients falling victim to them. Phishing Web pages generally use similar page layouts, styles (font families, sizes, and so on), key regions, and blocks to mimic genuine pages in an effort to convince Internet users to divulge per- sonal information, such as bank account numbers and passwords. To confront those challenges, we de- veloped an antiphishing strategy that uses a visual approach to detect bogus Web pages. To monitor phishing attacks, site owners can register their true URLs and associated keywords with our Site- Watcher system (currently running as a prototype at http://antiphishing.cs.cityu. edu.hk). Given that most phishing attacks are initiated via email, SiteWatcher is designed to run on mail servers and mon- itor and analyze both incoming and out- going messages for potential phishing URLs. (We can deploy the antiphishing service with providers that agree to joint- ly support it with us.) If a message con- tains keywords associated with our client sites, the system considers all the URLs embedded in the message to be suspicious and flags them for further investigation, comparing the Web pages at the suspi- cious URLs against those protected pages designated by the keywords. We’ve built a prototype, which is run- ning on one of the City University of Hong Kong’s internal email servers. Our experi- 58 MARCH • APRIL 2006 Published by the IEEE Computer Society 1089-7801/06/$20.00 © 2006 IEEE IEEE INTERNET COMPUTING Computer Security