Anthony Y. Fu,Xiaotie Deng,Wenyin Liu

DOI: https://doi.org/10.1007/11581062_67

2005-01-01

Abstract:We anticipate a potential phishing strategy by obfuscation of Web links using Internationalized Resource Identifier (IRI). In the IRI scheme, the glyphs of many characters look very similar while their Unicodes are different. Hence, certain different IRIs may show high similarity. The potential phishing attacks based on this strategy are very likely to happen in the near future with the boosting utilization of IRI. We report this potential phishing strategy to provoke much further dissections of related counter measures.

Anthony Y. Fu,Xiaotie Deng,Liu Wenyin

DOI: https://doi.org/10.1080/15567280600995501

2006-01-01

Journal of Digital Forensic Practice

Abstract:ABSTRACT We anticipate the widespread usage of an internationalized resource identifier (IRI) 1 1. IRI is a generalization of the uniform resource identifier (URI), which is in turn a generalization of the uniform resource locator (URL). While URIs are limited to a subset of the ASCII character set, IRIs may contain characters from the universal character set (Unicode/ISO 10646). Basically, an IRI is the internationalized version of a URI or internationalized domain name (IDN) 2 2. IDN is an Internet domain name that (potentially) contains non-ASCII characters. Such domain names could contain letters with diacritics, as required by many European languages, or characters from non-Latin scripts such as Arabic or Chinese. on the web as complement to universal resource identifier (URI). IRI/IDN is composed of characters in a subset of Unicode, such that a Unicode attack 3 3. Unicode attack is caused by the coexistence of a large number of visual/semantically similar Unicode strings. On the character level, the visually similar Unicode attack is homograph attack. to IRI/IDN could happen. Hence, visually or semantically, certain phishing IRI/IDNs may show high similarity to the real ones. The potential phishing attacks based on this strategy are very likely to happen in the near future with the boosting utilization of IRI/IDN. We invented a method to detect such phishing attack. We constructed a unicode character similarity list (UC-SimList) based on char-char visual and semantic similarities and use a nondeterministic finite automaton (NFA) 4 4. NFA is a finite state machine where for each pair of state and input symbol there may be several possible next states. We can use it to recognize a string of a certain pattern. When the last input symbol is consumed the NFA accepts if and only if there is some set of transitions it could make that will take it to an accepting state. Equivalently, it rejects if no matter what choices it makes it would not end in an accepting state. to identify the potential IRI/IDN-based phishing patterns. We implemented a phishing IRI/IDN pattern generation tool, REGAP, by which phishing IRI/IDN patterns can be generated into regular expressions (RE) for phishing IRI/IDN detection. We also address how such a tool can be applied to investigations.

Yun Lin,Ruofan Liu,Dinil Mon Divakaran,Jun Yang Ng,Qing Zhou Chan,Yiwen Lu,Yuxuan Si,Fan Zhang,Jin Song Dong

2021-01-01

Abstract:Recent years have seen the development of phishing detection and identification approaches to defend against phishing attacks. Phishing detection solutions often report binary results, i.e., phishing or not, without any explanation. In contrast, phishing identification approaches identify phishing webpages by visually comparing webpages with predefined legitimate references and report phishing along with its target brand, thereby having explainable results. However, there are technical challenges in visual analyses that limit existing solutions from being effective (with high accuracy) and efficient (with low runtime overhead), to be put to practical use. In this work, we design a hybrid deep learning system, Phishpedia, to address two prominent technical challenges in phishing identification, i.e., (i) accurate recognition of identity logos on webpage screenshots, and (ii) matching logo variants of the same brand. Phishpedia achieves both high accuracy and low runtime overhead. And very importantly, different from common approaches, Phishpedia does not require training on any phishing samples. We carry out extensive experiments using real phishing data; the results demonstrate that Phishpedia significantly outperforms baseline identification approaches (EMD, PhishZoo, and LogoSENSE) in accurately and efficiently identifying phishing pages. We also deployed Phishpedia with CertStream service and discovered 1,704 new real phishing websites within 30 days, significantly more than other solutions; moreover, 1,133 of them are not reported by any engines in VirusTotal.

Bowen He,Yuan Chen,Zhuo Chen,Xiaohui Hu,Yufeng Hu,Lei Wu,Rui Chang,Haoyu Wang,Yajin Zhou

DOI: https://doi.org/10.1145/3576915.3623210

2023-01-01

Abstract:The prosperity of Ethereum attracts many users to send transactions and trade crypto assets. However, this has also given rise to a new form of transaction-based phishing scam, named TXPHISH. Specifically, tempted by high profits, users are tricked into visiting fake websites and signing transactions that enable scammers to steal their crypto assets. The past year has witnessed 11 large-scale TXPHISH incidents causing a total loss of more than $70 million. In this paper, we conduct the first empirical study of TXPHISH on Ethereum, encompassing the process of a TXPHISH campaign and details of phishing transactions. To detect TXPHISH websites and extract phishing accounts automatically, we present TxPhishScope, which dynamically visits the suspicious websites, triggers transactions, and simulates results. Between November 25, 2022, and July 31, 2023, we successfully detected and reported 26,333 TXPHISH websites and 3,486 phishing accounts. Among all of documented TXPHISH websites, 78.9% of them were first reported by us, making TxPhishScope the largest TXPHISH website detection system. Moreover, we provided criminal evidence of four phishing accounts and their fund flow totaling $1.5 million to aid in the recovery of funds for the victims. In addition, we identified bugs in six Ethereum projects and received appreciation. Based on the detection results, we perform a comprehensive study of TXPHISH websites and phishing accounts. Our study reveals that TXPHISH websites have a short lifespan, low cost, and fast update frequency. Besides, Our analysis of phishing fund flow demonstrates that 54.0% of phishing funds ($43.7 million) flowed into centralized exchanges, where the identity of owners could be traced. Our research can serve as a valuable reference for Ethereum service providers to safeguard their users against TXPHISH and assist in the recovery of victims' crypto assets.

Ruofan Liu,Yun Lin,Xianglin Yang,Siang Hwee Ng,Dinil Mon Divakaran,Jin Song Dong

2022-01-01

Abstract:Explainable phishing detection approaches are usually based on references, i.e., they compare a suspicious webpage against a reference list of commonly targeted legitimate brands' webpages. If a webpage is detected as similar to any referenced website but their domains are not aligned, a phishing alert is raised with an explanation comprising its targeted brand. In comparison to other techniques, such explainable reference-based solutions are more robust to ever-changing phishing webpages. However, the webpage similarity is still measured by representations conveying only partial intentions (e.g., screenshot and logo), which (i) incurs considerable false positives and (ii) gives an adversary opportunities to compromise user confidence in the approaches. In this work, we propose, PhishIntention, to extract precise phishing intention of a webpage by visually (i) extracting its brand intention and credential-taking intention, and (ii) interacting with the webpage to confirm the credential-taking intention. We design PhishIntention as a heterogeneous system of deep learning vision models, overcoming various technical challenges. The models "look at" and "interact with" the webpage for its intention, which are robust to potential HTML obfuscation. We compare PhishIntention with four state-of-the-art reference-based approaches on the largest phishing identification dataset consisting of 50K phishing and benign webpages. For similar level of recall, PhishIntention achieves significantly higher precision than the baselines. Moreover, we conduct a continuous field study on the Internet for two months to discover emerging phishing webpages. PhishIntention detects 1,942 new phishing webpages (1,368 not reported by VirusTotal). Comparing to the best baseline, PhishIntention generates 86.5% less false alerts (139 vs. 1,033 false positives) while detecting similar number of real phishing webpages. Our models and code are available at https: //github.com/lindsey98/PhishIntention.git.

Arvind Prasad,Shalini Chandra

DOI: https://doi.org/10.1016/j.cose.2023.103545

IF: 5.105

2023-10-22

Computers & Security

Abstract:With the proliferation of the World Wide Web and the increasing sophistication of cyber threats, phishing attacks have emerged as a significant concern for individuals and organizations alike. Phishing attacks, commonly executed through deceptive URLs, aim to deceive users into divulging sensitive information, leading to financial loss, identity theft, or compromising sensitive data. It continues to pose a significant threat to individuals and organizations in today's digital landscape, necessitating the development of effective and efficient detection frameworks. This article presents PhiUSIIL, a Phi shing U RL detection framework based on S imilarity I ndex and I ncremental L earning. The similarity index helps effectively identify visual similarity-based attacks such as zero-width characters, homograph, punycode, homophone, bit squatting, and combosquatting attacks. The incremental learning approach allows the framework to continuously update its knowledge base with new data. Further, implementing diverse security profiles accommodates diverse security requirements of users or organizations. PhiUSIIL extracts URL features, downloads the webpage from URL to extract HTML features, and derives new features from existing information to construct a phishing URL dataset, named PhiUSIIL phishing URL dataset, encompassing 134850 legitimate and 100945 phishing URLs. The proposed phishing URL detection framework has extensively experimented with the PhiUSIIL phishing URL dataset. The constructed dataset helps to improve the detection accuracy when used during pre-training approach. PhiUSIIL achieved an accuracy of 99.24% when experimented with a fully incremental training approach and 99.79% when experimented with a pre-training approach. The experimental results show its effectiveness and ensure the framework remains effective and up-to-date against emerging and sophisticated phishing techniques.

computer science, information systems

Bingyang Guo,Yunyi Zhang,Chengxi Xu,Fan Shi,Yuwei Li,Min Zhang

DOI: https://doi.org/10.3390/app11209733

2021-01-01

Applied Sciences

Abstract:Internet users have suffered from phishing attacks for a long time. Attackers deceive users through malicious constructed phishing websites to steal sensitive information, such as bank account numbers, website usernames, and passwords. In recent years, many phishing detection solutions have been proposed, which mainly leverage whitelists or blacklists, website content, or side channel-based techniques. However, with the continuous improvement of phishing technology, current methods have difficulty in achieving effective detection. Hence, in this paper, we propose an effective phishing website detection approach, which we call HinPhish. HinPhish extracts various link relationships from webpages and uses domains and resource objects to construct a heterogeneous information network. HinPhish applies a modified algorithm to leverage the characteristics of different link types in order to calculate the phish-score of the target domain on the webpage. Moreover, HinPhish not only improves the accuracy of detection, but also can increase the phishing cost for attackers. Extensive experimental results demonstrate that HinPhish can achieve an accuracy of 0.9856 and F1-score of 0.9858.

Weifeng Zhang,Hua Lu,Baowen Xu,Hongji Yang

2013-01-01

Abstract:Web phishing is becoming an increasingly severe security threat in the web domain. Effective and efficient phishing detection is very important for protecting web users from loss of sensitive private information and even personal properties. One of the keys of phishing detection is to efficiently search the legitimate web page library and to find those page that are the most similar to a suspicious phishing page. Most existing phishing detection methods are focused on text and/or image features and have paid very limited attention to spatial layout characteristics of web pages. In this paper, we propose a novel phishing detection method that makes use of the informative spatial layout characteristics of web pages. In particular, we develop two different options to extract the spatial layout features as rectangle blocks from a given web page. Given two web pages, with their respective spatial layout features, we propose a page similarity definition that takes into account their spatial layout characteristics. Furthermore, we build an R-tree to index all the spatial layout features of a legitimate page library. As a result, phishing detection based on the spatial layout feature similarity is facilitated by relevant spatial queries via the R-tree. A series of simulation experiments are conducted to evaluate our proposals. The results demonstrate that the proposed novel phishing detection method is effective and efficient.

Kaigui Bian,Jung-Min Park,Hsiao, M.S.,Belanger, F.

DOI: https://doi.org/10.1109/SAINT.2009.14

2009-01-01

Abstract:Phishing is an attempt to fraudulently acquire userspsila sensitive information, such as passwords or financial information, by masquerading as a trustworthy entity in online transactions. Recently, a number of researchers have proposed using external online resources like the Google Page Rank system to assist phishing detection. The advantage of such an approach is that the detection capability will gradually evolve and improve as the online resources become more sophisticated and manipulation-resistant. In this paper, we evaluate the effectiveness of three popular online resources in detecting phishing sites-viz, Google PageRank system, Yahoo! Inlink data, and Yahoo! directory service. Our results indicate that these online resources can be used to increase the accuracy of phishing site detection when used in conjunction with existing phishing countermeasures. The proposed approach involves examining the following three attributes of a target site (site being examined): (1) the credibility of the target sitepsilas hosting domain, (2) the credibility of in-neighbor sites that link to the hosting domain, and (3) the correlation between the target sitepsilas web category and its hosting domainpsilas web category. The aforementioned online resources by themselves are insufficient to address the phishing attack problem. We provide discussions on how each of those resources may be integrated with existing phishing detection techniques to provide a more effective solution.

WY Liu,XT Deng,GL Huang,AY Fu

DOI: https://doi.org/10.1109/mic.2006.23

IF: 2.68

2006-01-01

IEEE Internet Computing

Abstract:The authors' proposed antiphishing strategy uses visual characteristics to identify potential phishing sites and measure suspicious pages' similarity to actual sites registered with the system. The first of two sequential processes in the SiteWatcher system runs on local email servers and monitors emails for keywords and suspicious URLs. The second process then compares the potential phishing pages against actual pages and assesses visual similarities between them in terms of key regions, page layouts, and overall styles. The approach is designed to be part of an enterprise antiphishing solution.

Anthony Y. Fu,Liu Wenyin,Xiaotie Deng

DOI: https://doi.org/10.1109/tdsc.2006.50

2005-01-01

Abstract:An effective approach to phishing Web page detection is proposed, which uses Earth Mover's Distance (EMD) to measure Web page visual similarity. We first convert the involved Web pages into low resolution images and then use color and coordinate features to represent the image signatures. We use EMD to calculate the signature distances of the images of the Web pages. We train an EMD threshold vector for classifying a Web page as a phishing or a normal one. Large-scale experiments with 10,281 suspected Web pages are carried out to show high classification precision, phishing recall, and applicable time performance for online enterprise solution. We also compare our method with two others to manifest its advantage. We also built up a real system which is already used online and it has caught many real phishing cases.

Yu Zhou,Yongzheng Zhang,Jun Xiao,Yipeng Wang,Weiyao Lin

DOI: https://doi.org/10.1109/trustcom.2014.28

2014-01-01

Abstract:Phishing uses a fake Web page to steal personal sensitive information such as credit card numbers and passwords. Generally, the fake Web page is visually similar to the legitimate target Web page. The phishers can obtain financial benefits through these information. Anti-phishing is very important for a variety of applications such as phishing attacks, online transaction security, and user privacy protection. In this paper, we propose a novel and effective visual similarity based phishing detection approach that compares the snapshot image pair of the suspected Web page and the protected Web page. The proposed approach is based on the key insight that both the local and the global features of the Web page image can be used to represent the visual characteristics of the Web page together. This approach is purely on the image level, and thus can effectively deal with the non-text phishing tricks including images or Flashes objects in the HTML contents. For the local feature, the existence of the target logo is detected. For the global feature, the similarity of the visible part of the Web page is considered. We implemented and evaluated the proposed approach on a large scale dataset consisting of 2,129 real world phishing Web pages and 1,367 irrelevant legitimate Web pages. The experimental results show that the proposed approach can achieve over 90.00% true positive rate and 97.00% true negative rate. Our approach has been applied in the anti-phishing project of a major Internet Service Provider and gives a periodical reports to the potential users.

Sultan Asiri,Yang Xiao,Saleh Alzahrani,Tieshan Li

DOI: https://doi.org/10.1016/j.cose.2024.103843

IF: 5.105

2024-01-01

Computers & Security

Abstract:In recent years, phishing attacks have become more intelligent and more challenging to detect using typical phishing methods. Moreover, attackers have leveraged some web development techniques to increase the website's legitimacy in victims' eyes, such as using JFrame to design a window that looks like a browser inside the webpage. In this paper, we design a system that detects three types of phishing attacks: Tiny Uniform Resource Locators (TinyURLs), Browsers in the Browser (BiTB), and regular phishing attacks. In this system, we aim to protect victims from mistakenly downloading malicious software into their systems. We split our system into three parts: Deep Learning model (DL), browser extension, and docker container. First, we design a DL model using bidirectional long short-term memory (BiLSTM) and an attention mechanism to classify the URL as phishing or benign. Our model shows 99% in its precision, recall, and F1 score. Second, we design a browser extension to extract the original URL from the suspect webpage and then send it to the docker container. Then, the docker container opens the webpage and extracts all URLs from its HyperText Markup Language (HTML) and JavaScript. Then, each URL passes to a DL model for classification, resulting in a list of labels for each webpage. Therefore, we use three decision strategies: Single Phishing Strategy (SPhS), Mean Sum Strategy (MSS), and Weighted Average Strategy (WeAS) to decide whether the webpage is phishing or benign. Our findings indicate that the best results among the three strategies were WeAS.

Jian Mao,Wenqian Tian,Pei Li,Tao Wei,Zhenkai Liang

DOI: https://doi.org/10.1109/access.2017.2743528

IF: 3.9

2017-01-01

IEEE Access

Abstract:Social networks have become one of the most popular platforms for users to interact with each other. Given the huge amount of sensitive data available in social network platforms, user privacy protection on social networks has become one of the most urgent research issues. As a traditional information stealing technique, phishing attacks still work in their way to cause a lot of privacy violation incidents. In a Web-based phishing attack, an attacker sets up scam Web pages (pretending to be an important Website such as a social network portal) to lure users to input their private information, such as passwords, social security numbers, credit card numbers, and so on. In fact, the appearance of Web pages is among the most important factors in deceiving users, and thus, the similarity among Web pages is a critical metric for detecting phishing Websites. In this paper, we present a new solution, called Phishing-Alarm, to detect phishing attacks using features that are hard to evade by attackers. In particular, we present an algorithm to quantify the suspiciousness ratings of Web pages based on the similarity of visual appearance between the Web pages. Since cascading style sheet (CSS) is the technique to specify page layout across browser implementations, our approach uses CSS as the basis to accurately quantify the visual similarity of each page element. As page elements do not have the same influence to pages, we base our rating method on weighted page-component similarity. We prototyped our approach in the Google Chrome browser. Our large-scale evaluation using real-world websites shows the effectiveness of our approach. The proof of concept implementation verifies the correctness and accuracy of our approach with a relatively low performance overhead.

Ying Liu,Baojun Liu

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.008

2017-01-01

Abstract:Internationalized domain names(IDNs)provid a convenient way for homograph phishing attack.To better understand the abusing of IDNs by an attacker, a light-weight detection system based on passive DNS data and graph similarity fingerprint algorithm is proposed to identify IDN homograph domains.At the detection stage,active IDNs are extracted from 360 passive DNS data, and the similarity with the famous domain name is analyzed by a graph similarity algorithm based on fingerprint information.At the measurement stage,the domain names with the register information, DNS query number and content types of web sites are analyzed.The experimental results show that, IDN cybersquatting is a serious problem in real world,172 IDNs have been used toward malicious activities,including phishing and malicious domain parking,etc.There is an urgent need for a better regulation of domain brand protection.

Yuexin Li,Hiok Kuek Tan,Qiaoran Meng,Mei Lin Lock,Tri Cao,Shumin Deng,Nay Oo,Hoon Wei Lim,Bryan Hooi

2024-12-12

Abstract:Phishing is a critical cyber threat, exploiting deceptive tactics to compromise victims and cause significant financial losses. While reference-based phishing detectors (RBPDs) achieve high precision by analyzing brand-domain consistency, their real-world deployment is hindered by challenges such as high latency and inefficiency in URL analysis. To address these limitations, we present PhishIntel, an end-to-end phishing detection system for real-world deployment. PhishIntel intelligently determines whether a URL can be processed immediately or not, segmenting the detection process into two distinct tasks: a fast task that checks against local blacklists and result cache, and a slow task that conducts online blacklist verification, URL crawling, and webpage analysis using an RBPD. This fast-slow task system architecture ensures low response latency while retaining the robust detection capabilities of RBPDs for zero-day phishing threats. Furthermore, we develop two downstream applications based on PhishIntel: a phishing intelligence platform and a phishing email detection plugin for Microsoft Outlook, demonstrating its practical efficacy and utility.

Cryptography and Security

Fujiao Ji,Kiho Lee,Hyungjoon Koo,Wenhao You,Euijin Choo,Hyoungshick Kim,Doowon Kim

2024-05-30

Abstract:Phishing attacks pose a significant threat to Internet users, with cybercriminals elaborately replicating the visual appearance of legitimate websites to deceive victims. Visual similarity-based detection systems have emerged as an effective countermeasure, but their effectiveness and robustness in real-world scenarios have been unexplored. In this paper, we comprehensively scrutinize and evaluate state-of-the-art visual similarity-based anti-phishing models using a large-scale dataset of 450K real-world phishing websites. Our analysis reveals that while certain models maintain high accuracy, others exhibit notably lower performance than results on curated datasets, highlighting the importance of real-world evaluation. In addition, we observe the real-world tactic of manipulating visual components that phishing attackers employ to circumvent the detection systems. To assess the resilience of existing models against adversarial attacks and robustness, we apply visible and perturbation-based manipulations to website logos, which adversaries typically target. We then evaluate the models' robustness in handling these adversarial samples. Our findings reveal vulnerabilities in several models, emphasizing the need for more robust visual similarity techniques capable of withstanding sophisticated evasion attempts. We provide actionable insights for enhancing the security of phishing defense systems, encouraging proactive actions. To the best of our knowledge, this work represents the first large-scale, systematic evaluation of visual similarity-based models for phishing detection in real-world settings, necessitating the development of more effective and robust defenses.

Cryptography and Security

Ye Cao,Weili Han,Yueran Le

DOI: https://doi.org/10.1145/1456424.1456434

2008-01-01

Abstract:ABSTRACTIn phishing and pharming, users could be easily tricked into submitting their username/passwords into fraudulent web sites whose appearances look similar as the genuine ones. The traditional blacklist approach for anti-phishing is partially effective due to its partial list of global phishing sites. In this paper, we present a novel anti-phishing approach named Automated Individual White-List (AIWL). AIWL automatically tries to maintain a white-list of user's all familiar Login User Interfaces (LUIs) of web sites. Once a user tries to submit his/her confidential information to an LUI that is not in the white-list, AIWL will alert the user to the possible attack. Next, AIWL can efficiently defend against pharming attacks, because AIWL will alert the user when the legitimate IP is maliciously changed; the legitimate IP addresses, as one of the contents of LUI, are recorded in the white-list and our experiment shows that popular web sites' IP addresses are basically stable. Furthermore, we use Naïve Bayesian classifier to automatically maintain the white-list in AIWL. Finally, we conclude through experiments that AIWL is an efficient automated tool specializing in detecting phishing and pharming.

Ying Yuan,Giovanni Apruzzese,Mauro Conti

DOI: https://doi.org/10.1016/j.cose.2024.104115

IF: 5.105

2024-09-29

Computers & Security

Abstract:Phishing attacks are on the rise, and phishing websites are everywhere, denoting the brittleness of security mechanisms reliant on blocklists. To cope with this threat, many works proposed to enhance Phishing Website Detectors (PWD) with data-driven techniques powered by Machine Learning (ML). Despite achieving promising results both in research and practice, existing solutions mostly focus "on the West", e.g., they consider websites in English, German, or Italian. In contrast, phishing websites targeting "Eastern" countries, such as China, have been mostly neglected—despite phishing being rampant also in this side of the world.In this paper, we scrutinize whether current PWD can simultaneously work against Western and Chinese phishing websites. First, after highlighting the difficulties of practically testing PWD on Chinese phishing websites, we create CghPghrg—a dataset which enables assessment of PWD on Chinese websites. Then, we evaluate 72 PWD developed by industry practitioners and 10 ML-based PWD proposed in recent research on Western and Chinese websites: our results highlight that existing solutions, despite achieving low false positive rates, exhibit unacceptably low detection rates (sometimes inferior to 1%) on phishing websites of different regions . Next, to bridge the gap we brought to light, we elucidate the differences between Western and Chinese websites, and devise an enhanced feature set that accounts for the unique characteristics of Chinese websites. We empirically demonstrate the effectiveness of our proposed feature set by replicating (and testing) state-of-the-art ML-PWD: our results show a small but statistically significant improvement over the baselines. Finally, we review all our previous contributions and combine them to develop practical PWD that simultaneously work on Chinese and Western websites, achieving over 0.98 detection rate while maintaining only 0.01 false positive rate in a cross-regional setting. We openly release all our tools, disclose all our benchmark results, and also perform proof-of-concept experiments revealing that the problem tackled by our paper extends to other "Eastern" countries that have been overlooked by prior research on PWD.

computer science, information systems

Firat Coskun Dalgic,Ahmet Selman Bozkir,Murat Aydos

DOI: https://doi.org/10.48550/arXiv.1905.07767

2019-05-19

Cryptography and Security

Abstract:Phishing, a continuously growing cyber threat, aims to obtain innocent users' credentials by deceiving them via presenting fake web pages which mimic their legitimate targets. To date, various attempts have been carried out in order to detect phishing pages. In this study, we treat the problem of phishing web page identification as an image classification task and propose a machine learning augmented pure vision based approach which extracts and classifies compact visual features from web page screenshots. For this purpose, we employed several MPEG7 and MPEG7-like compact visual descriptors (SCD, CLD, CEDD, FCTH and JCD) to reveal color and edge based discriminative visual cues. Throughout the feature extraction process we have followed two different schemes working on either whole screenshots in a "holistic" manner or equal sized "patches" constructing a coarse-to-fine "pyramidal" representation. Moreover, for the task of image classification, we have built SVM and Random Forest based machine learning models. In order to assess the performance and generalization capability of the proposed approach, we have collected a mid-sized corpus covering 14 distinct brands and involving 2852 samples. According to the conducted experiments, our approach reaches up to 90.5% F1 score via SCD. As a result, compared to other studies, the suggested approach presents a lightweight schema serving competitive accuracy and superior feature extraction and inferring speed that enables it to be used as a browser plugin.