2013 5th International Conference on Intelligent Networking and Collaborative Systems

BaitAlarm: Detecting Phishing Sites Using Similarity in Fundamental Visual

Features

Jian Mao1,2 , Pei Li 1 , Kun Li1 , Tao Wei3 , and Zhenkai Liang4

1
School of Electronic and Information Engineering, BeiHang University, China
2
The State Key Laboratory of Integrated Services Networks, Xidian University, China
3
Institute of Computer Science and Technology, Peking University, China
4
School of Computing, National University of Singapore, Singapore

Abstract—In this paper, we present a new solution, BaitA-
larm, to detect phishing attack using features that are hard
to evade. The intuition of our approach is that phishing pages
need to preserve the visual appearance the target pages. We
present an algorithm to quantify the suspicious ratings of web
pages based on similarity of visual appearance between the
web pages. Since CSS is the standard technique to specify
page layout, our solution uses the CSS as the basis for
detecting visual similarities among web pages. We prototyped
our approach as a Google Chrome extension and used it to
rate the suspiciousness of web pages. The prototype shows the
correctness and accuracy of our approach with a relatively low
performance overhead.
I. I NTRODUCTION
Phishing is a form of social engineering attack in which an
attacker mimics electronic communications to lure users to
provide their confidential information. Such communications
trick users to visit phishing web sites, which collect users’
private information, such as passwords, credit card numbers,
and social security numbers. According to the investigation
report from APWG [1], phishing attacks increased 50% per
month, among which around 5% phishing mails attract users
to visit the phishing web sites.
A widely-used type of solutions detects phishing URLs
and alert users before they visit the URLs. For example,
Bayesian anti-phishing toolbar [2], [3] maintains a blacklist
database of phishing sites. Special characteristics of web
sites hosting phishing pages, such as the lifetime and the
registration date of a web site, can also be used to detect
phishing attacks [4]–[6]. However, the features that such
solutions are based on, such as URL strings, are not funda-
mental features of phishing pages. As a result, it is not hard
for attackers to find ways to evade such defense mechanisms.
Since phishing pages need to lure users by their visual
appearance, i.e., page contents and page layouts, they are
usually similar to the target pages. Recent solutions [7],
[8] check whether the contents of the page being visited is
similar to other pages indexed by search engines. However,
such solutions can be confused by attackers through embed-
ding invisible contents. To capture the similarity in visual
appearance, a few solutions [9]–[11] is based on comparison
of the image of a rendered page. However, this solution
is not efficient. They can be affected by slight differences
caused by different browser rendering engines. Moreover, if
the target page cannot be indexed by search engines, such
as a page that can be displayed only after a user login, the
above solutions cannot be applied.
To robustly detecting phishing sites, we aim to use fun-
damental visual features of a web page’s appearance as
the basis of detecting page similarities. In this paper, we
propose a novel solution, BaitAlarm, to efficiently detect
phishing web pages. Note that page layouts and contents
are fundamental feature of web pages’ appearance. Since
the standard way to specify page layouts is through the style
sheet (CSS), we develop an algorithm to detect similarities
in key elements related to CSS.
We implemented BaitAlarm in a Google Chrome exten-
sion. Our evaluation on more than 7000 phishing pages con-
firms our assumptions. BaitAlarm achieved accurate results
in detecting hundreds of samples in phishtank.com, a
web collection of phishing attack samples.
II. OVERVIEW
A. Page Layout and CSS
The visual appearance of a web page is decided by its
page layout and contents. To achieve a consistent appearance
across all variants of web browsers, Cascading Style Sheets
(CSS) is the standard technology for web pages to specify
their visual appearance. When the user opens a web page, the
browser captures the CSS structure of the page, which is a
series of rules specifying visual properties for page elements.
A CSS rule includes two main components: a selector
and one or more declarations. The selector is usually an
HTML element, and each declaration consists of a property
and a value. The property is the style attribute of the HTML
element. Each property has a value [12].
Selectors can be split into several categories, such as
tag selectors, id selectors, .class selectors and other
selectors (e.g., some attribute selectors, etc). Properties illus-
trate the attributes related to the elements that selected by

978-0-7695-4988-0/13 $26.00 © 2013 IEEE 790

DOI 10.1109/INCoS.2013.151
the selectors. For example, a paragraph text contains color,
font-size,font-family, border, margin, padding properties. The
values of the properties determine the display effect of the
selected element.
B. Overview of Our Approach
Intuitively, the higher similarity between the phishing
page and the target page, the more likely users will be
deceived. For this reason, attackers always try their best to
clone the target pages. To maintain a consistent look across
browsers, attackers also need to rely on the CSS technology,
as the target website does. Attackers should use CSS that
results in visual appearance similar to that of the target page
to lure users successfully.
To validate our intuition, we analyzed over 7000 samples
from the database of phishtank.com. We found that
there were two major ways for attackers to develop a
phishing page. One is using the link of target web page’s
CSS directly or create a new CSS document and copy the
content from the original CSS. Most of the phishing pages
we analyzed are developed in this way. The other way is to
completely rewrite the CSS document to generate a similar
appearance as the original page. As a commercial web page
has a lot of page elements and complicated CSS rules, it is
difficult for the attacker to use a completely different CSS
that generates the same visual effect as the target web page.
As a result, the attackers’ CSS usually have the same set
of properties as the target pages after being parsed by the
browser.
The main idea of our approach is to detect phishing page
based on the fundamental feature of the phishing pages, that
is, similarity in page visual layouts. To effectively attract
victims, attackers usually try their best to make a phishing
page look similar to the target page.
However, comparing details of rendered pages are not
efficient. We aim to address this problem by utilizing key
features of page layout without actually rendering them. As
CSS is the standard technology to specifying page layouts,
it is not practical for attackers to achieve universal looking
across browsers without using CSS. Therefore, our solution
will extract the key features in CSS and page contents, and
use them as a basis to decide the similarities of pages.
Advantage to existing solutions: There are two other
kinds of existing phishing detection approaches that are
based on the similarity of web pages: based on page
text and based on rendered page image. Text-content-based
methods [7], [8] detect the phishing pages according to the
frequency of web pages’ keywords, some sensitive words or
the matching ratio between the suspicious page and the target
page. These solutions have their limitations. For example,
attackers may replace the text contents by an image with
the same content. In this way, the phishing page displays
the same content as the original one but antiphishing tools
cannot get the useful text content of the phishing pages for
791
comparison and detection. Attackers may also embed noise
contents with the page’s background color to be invisible to
users. These methods can bypass text-content comparison
without losing the visual similarity to the target page.
Rendered-page-based methods [9]–[11] decide the similarity
between two pages by comparing the pixel of their rendered
pages. This approach has high overhead incurred by image
parsing.
III. D ESIGN
A. Phising Page Detection Using Visual Features
The key component of our solution is an algorithm to
measure page similarities. The algorithm takes two pages,
including page contents and layout specifications, and output
the similarity score based on the visual layout similarity. For
each page, it first extracts the page layout and represents
it in a normalized representation. Then it compares the
normalized representations of two pages and decides their
similarity.
Page layout normalization
To extract formatting features from CSS, we first convert
CSS and page DOM into our own representation.
Step 1: Rules set extraction: When the user open a
web page, browser can capture the CSS structure of the
page. The CSS structure is a series of rules with the general
representation as
Selector1 {Property1 -1:
Value1 -1;Property1 -2: Value1 -2; ...};
Selector2 {Property2 -1:
Value2 -1;Property2 -2: Value2 -2; ...};
...
Step 2: Convert CSS rules into comparison-units:
In order to calculate similarity value more effectively, we
convert CSS rule into a new representation, which we called
comparison-unit.
Definition 1: (Comparison-Unit) Given a Web page’s
CSS rules set, CSS() = {. . . , [Selectori {. . . ; [P ropertyj :
V aluek ; . . .], . . .}], . . .}, the corresponding Comparison-
Units set of the web page is represented as
CompU nit() = {. . . , [P ropertyj : [. . . ; V aluekj :
[. . . , Selectorij,k ; . . .], . . .], . . . , }.
A compare-unit consists of two main parts: a property,
and one or more declarations. Each declaration consists of
a value and one or more selectors.
In addition, we classify the selectors into four categories
Tag, ID, Class and Others. For example, selector p, div
belong to the Tag category. Class selectors belong to the
Class category; ID selectors belong to the ID category and
the other selectors belong to the Others category.
Page similarity detection/computing
Before we illustrate our visual similarity computing algo-
rithm, we first define three notations.
Definition 2: (Complexity Score) The Complexity Score
of a web page is a fundamental visual layout metrics. Given
the comparison-unit of the web page A, CompU nit(A), the
complexity of the web page A is Similarity Checker Layout Model Builder
<Similarity Score> <Comparison Unit>
NA 
 Mn <Decision> <Page Info.>

SA = ktn,m ∗wt +kcn,m ∗wc +kin,m ∗wi +kon,m ∗wo

n=1 m=1
,
<Whitelist/Blacklist>

where NA is the number of web page A’s properties;

<Surfing History Info.: Page URL, Layout Model,...; >

Mn is the number of the n-th property’s optional values <Account Info.-Webpage Mapping Table>

n,m
{V aluemn }; kt , kcn,m , kin,m and kon,m represent the num-

ber of the Tag, Class, ID, Others selectors with the value
V aluemn respectively, and wt , wc , wi , wo are corresponding
Figure 1: BaitAlarm Architecture
weight values.
Definition 3: (Match Score) Given the comparison-units
of the web pages A and B, the Match Score of A and B Phase III: Making decision based on the page similarity
A,B
labeled as Smatch is and additional features of the web pages: If the similarity
NA 
Mn
Sim(Sus, V ic) is beyond a preset threshold , that means
A,B
 suspicious page and victim page should be the same page.
Smatch = en,m
t ∗wt +en,m
c ∗wc +en,m
i ∗wi +kon,m ∗eo
n=1 m=1
If there exist some other evidences proving that these two
, pages are different, for example, the URL of two pages have
different domains, we conclude that the suspicious page Sus
is a phishing page and output our decision.
where en,m
t , en,m
c , en,m
i and en,m
o represent the number of This is a first step toward our high-level idea of detecting
equal selectors with the value V aluemn belong to the Tag, page similarity using fundamental page features. It confirms
Class, ID, Others categories respectively. our assumptions on CSS role in detecting phishing attacks.
Definition 4: (Similarity) Given the comparison-units of
the web pages A and B, the Similarity between A and B is B. BaitAlarm Architecture
A,B
match score (A, B) Smatch The overall architecture of the BaitAlarm extension is
Sim(A, B) = = shown in Figure 1. BaitAlarm includes three main compo-
min{score (A), score (B)} min{SA , SB }
. nents: Pre-Processor, Layout Monitor, and Network Library.
The Pre-Processor consists of Page Filter, DOM, and
HTML Parser. After a web page is loaded, the Page Filter
Based on our analysis of phishing pages, the ID and checks it over. If the web page has been loaded before, it
Class selectors influence more in visual layout similarity. does not need further analysis. If the loaded page is new
Generally, different web pages should have different ID and and contains some specific UI (e.g., login form), the Page
Class selectors, especially for some unusual name of the ID Filter triggers the detecting process. The HTML Parser and
selector. the DOM extract the layout information of the suspicious
Summary of our approach. Our visual layout similarity page. When the user inputs personal information, such as
based phishing detection scheme includes three phases. Login ID, the browser holds the page and the Pre-Processor
Phase I: Extracting and normalizing CSS structure of sends the layout information to the Layout Monitor.
the suspicious page: Given a suspicious page Sus, we can The Layout Monitor consists of a Layout Model Builder
get the CSS structure of the page CSS(Sus). Then we and a Similarity Checker. When the Layout Monitor gets
convert CSS(Sus) into the normalized model Comparison- the layout information of the suspicious page from the
unit of web page Sus, Compunit(Sus). Pre-Processor, the Layout Model Builder models them into
Phase II: Computing similarity between the suspicious “comparison-unit” and sent them to the Similarity Checker,
page and victim page: After we obtain the normalized model together with additional page features (e.g., page domain,
Compunit(Sus), we match the two comparison-units of the etc.). After the Similarity Checker gets the comparison unit
suspicious page and victim page, and compute the similarity of the suspicious page, it searches the Network Library for
score of the two pages Sim(Sus, V ic). the victim pages feature model (comparison unit) indexed

792
 Target Page Paypal Sulake Corp. AOL Blizzard
Number 1978 1029 329 267
Ratio 25.48% 13.25% 4.24% 3.44%
Table I: Statistical Distribution of Target Pages
Similarity p 0.24 < p < 0.3 0.3 ≤ p < 0.4 0.4 ≤ p < 0.6
Number 3 16 9 20
Ratio 0.59% 3.14% 1.76%
Table II: Similar Ratios of PayPal-Phishing Sites
by the same personal information that has been inputted by
the user before.
If the Similarity Checker does not find the matched page,
then it informs the browser to release the page and treat it as
a new registering web site. The Similarity Checker reports
the page information and its layout model to the Network
Library.
If the Similarity Checker finds the matched page (or
pages) and gets its (their) layout model and additional page
information. The checker calculates the similarity score of
the pages and outputs the decision based on their similarity
score and additional page information.
In our scheme, if a page’s similarity score is less than
the preset threshold, the page is innocent. Then browser
releases the page and the Similarity Checker reports the page
information and its layout model to the Network Library.
Otherwise, the Similarity Checker checks additional page
information to make the decision. For example, if the pages
have a relatively high similarity but their URLs have different
domains, the suspicious page is regarded as a phishing
page. The checker will submit the related information to
the Network Library and inform the browser to pop up a
warning page.
The Network Library maintains the user’s surfing history
information (e.g., URL, layout model, etc.), Whitelist/Black-
list and a “Personal Info-Historical Page Mapping Table”.
The table is used to search for the victim pages based on
users’ information captured by the browser.
IV. I MPLEMENTATION AND E VALUATION
We developed BaitAlarm as an extension in the Google
Chrome browser and used it to implement the real-time
phishing detection.
Our evaluation is performed on a computer with an
Intel(R) Core(TM)2 Duo CPU (3.00GHz) and 2GB of mem-
ory. We used Google Chrome v21.0.1180.15. The phishing
pages are collected from Phishtank.com, and the sample
data set consists of 7764 phishing sites.
A. Training and Threshold Determining
We analyzed 7764 phishing samples in our dataset and
counted the forging frequency of the specific victim pages.
The statistical result is shown in Table I. We can see that
793
Orkut Cielo Tibia Facebook Other
207 167 162 109 3516
2.67% 2.15% 2.10% 1.40% 45.28%
0.6 ≤ p < 0.8 0.8 ≤ p < 1 1
42 420
3.29% 8.24% 82.35%
Paypal is the most popular target page for phishing attacks
(with the forging ratio 25.48%); The next three other popular
phishing target pages are Sulake Corp., AOL and Blizzard.
There are almost 46.41% phishing samples targeting these
four websites. We use them and their phishing pages for
BaitAlarm system training and threshold adjustment.
Similarity between phising pages and their target page
Firstly, we analyzed the similarity of the phishing pages
and their victim page. We use Paypal site and Paypal-
phishing pages in the phishtank database as the test samples.
There are totally 1680 phishing Paypal login pages in
the database. Among them, 784 pages were no longer
unavailable online, and 396 pages have the different visual
layout from the Paypal site, in which the similarity ratio
reported by BaitAlarm ranges from 0 to 0.216.
We analyzed the rest 510 Paypal-phishing pages in the
database and show their similarity ratios measured by BaitA-
larm in Table II. We can see that 82.35% paypal-phishing
pages got the similarity score 1. There is only 0.59% pages
with the similarity scores less than 0.3. According to our
manual analysis, pages with the similarity score less than
0.3 are visually different from the Paypal’s page and users
can distinguish them easily.
For AOL websites, we made the same experiment based
on 276 samples selected from phishtank.com that were
labeled as AOL-phishing pages. 242 pages’ visual appear-
ance was distinct from AOL. For the remained 36 phishing
pages, BaitAlarm reported that the similarity score is 1.
Similarity to Other Web Pages
We made experiments to study false positive by illus-
trating the similarity between other web pages and some
target pages (without losing the generality, we took Paypal
as the target page). In this experiment, we chose 302 web
pages randomly that include university websites, government
homepages, E-business websites, and social network sites,
etc. We show the results in Table III. 86.30% of the benign
pages’ similarity score is less than 0.04 and there is no
benign page’s similarity score beyond 0.18.
We also tested the similarity score between phishing
pages and their non-target pages. In this case, we randomly
selected 276 phishing pages cited by the phishtank.com
 Similarity 0-0.04 0.04-0.08 0.08-0.12 0.12-0.18
Number 252 20 9 11
Ratio 86.30% 6.85% 3.08% 3.77%
Table III: Similarity scores of normal web pages and Paypal
Similarity 0-0.1 0.1-0.2 0.2-0.3 0.3-0.5
Number 222 2 3 5 0
Ratio 95.69% 0.86% 1.29% 2.16%
Table IV: Similarity scores of non-AOL phishing web pages
and AOL page
and their similarity scores of AOL was calculated and shown
in Table IV. We can see that most of the similarity scores
of AOL and non-AOL phishing pages are less than 0.1. But
there are 8 similarity scores in the interval [0.2,0.5] and the
similarity results in Table IV are a little higher than the
scores in Table III. It is the result of the normalization in
our algorithm: we normalize the similarity-score by using
the minimum complexity score of the two pages, so that
we can prevent attackers’ attempts to bypass detection by
forging web pages with few CSS rules, which decreases the
page’s similarity score. As a trade-off, however, this induces
some false positive of the detection that some testing pages
with few CSS rules might be wrongly treated as phishing
pages.
To clarify this situation, we manually analyzed the real
phishing pages which are visually similar to their target web
pages and compute their complexity scores. All these testing
pages’ complexity scores are beyond 100. According to the
analysis and experience, we set 100 as an experience thresh-
old to filter the similarity testing input. If BaitAlarm gets
pages with the complexity score less than 100, it will send an
alert to remind users check the page content carefully before
they input their private information because the current
page has a suspicious simple layout. Otherwise, BaitAlarm
computes the similarity score of the testing page and make
the corresponding decision based on the preset threshold
(e.g., an experience value 0.3, in our implementation).
B. Accuracy
To evaluate the accuracy of BaitAlarm, we selected 300
phishing pages from phishtank.com that are labeled as
phishing pages of Google, Hotmail, ASB Bank and Blizard
corporation respectively. BaitAlarm filtered 149 phishing
pages that were not visually similar to the target page
claimed by phishtank.com. The other phishing pages
remained are checked out by BaitAlarm successfully. For all
these 300 testing samples, the detection rate of BaitAlarm
is 100% and false negative rate is 0%.
V. R ELATED W ORK
URL-based detection: SpoofStick [13] is a browser
toolbar to show the real domain of the current page. The
0.18-1
0
0
0.5-1
0
Figure 2: Detection of French Phishing site
approach detects the attempt to hide the true domain of the
site through URL manipulation. For example, an attacker
may provide a page with URL https://online.citibank.com/
US/JPS/portal/Index.do@10.30.12.14/, whose real domain is
10.30.12.14. Bayesian Anti-phishing toolbar [2] is based on
a whitelist. For a given web-site, the toolbar checks with an
analyzer for whether the given URL is a legitimate web site.
If the URL is not in the whitelist, DOM analyzer labels the
given web site with a token and sends the token to a scoring
module. When the output score exceeds a threshold, the URL
is treated as phishing.
Content-based detection: Eric et al. proposed a visual-
similarity-based phishing detection scheme [14] to visually
compare the suspicious phishing page with the legitimate
one. They consider and identify three typical features, i.e.
text pieces and styles, images in the page and the overall
visual appearance of the page. Chen et al. [15] proposes an
approach for detecting visual similarity between two web
pages. The method objectifies and directly compares these
indivisible super signals using algorithmic complexity the-
ory. CANTINA [7] detects phishing web sites based on page
contents. It is based on an algorithm using term frequency-
inverse document frequency (TF-IDF), combined with other
heuristics to detect phishing sites. SpoofGuard [16] is a
browser plug-in that uses domain name, URL, link and
image check to determine if a given page is a part of a
spoof attack. Its false alarm rate depends on the frequency
that users establishes new accounts and the frequency that
users empty the browser history. The above approaches are
not based on fundamental features of phishing pages, and
thus are not resilient to evasions.
Phishing detection using fundamental features: An
SLN-based scheme [17] is proposed by Liu et al. The
method is based on constructing and reasoning of the seman-
tic link network (SLN) of web pages. It constructs the SLN
from the given suspicious web page and its associated web
pages. SLN discloses implicit relations among web pages.
By analysis the relations, suspicious web pages, including
phishing pages, can be identified.
794
 Reputation Scoring: WOT [18] and iTrustPage [4], [5]
aim to rate a page on the possibility of phishing using
reputation scores, which are either reported from the anti-
phishing community or computed from the given web page.
Nevertheless, the two approaches listed above are user
assisted and WOT’s rating scheme is based on the subjective
comments submitted by the users.
Unlike the anti-phishing methods discussed above, BaitA-
larm is based on the fundamental display features of web
pages. These features are monitored by browsers and treated
as objective metrics in phishing web-page detection au-
tomatically. Compared to BaitAlarm, the whitelist based
techniques cannot be used to identify the newly set-up
benign web page, and it needs to be updated manually with
a learning and verification period, which might cause a high
false positive rate.
VI. C ONCLUSION
Phishing is a popular social engineering attack used by
attackers to collect sensitive information from victim users.
This paper introduces a novel antiphishing approach, BaitA-
larm, which is based on efficient similarity comparison be-
tween the suspicious page and the target page. In particular,
BaitAlarm uses CSS and related elements to represent visual
features of a web page. Our evaluation using a large number
of phishing pages supports the key idea of our approach. In
the future work, we will work on improving BaitAlarm’s
resilience to evasion attacks.
Acknowledment. The authors thank anonymous review-
ers for their insightful comments. This work was sup-
ported in part by the Beijing Natural Science Foundation
(No. 4132056), the National Key Basic Research Program
(NKBRP) (973 Program) (No. 2012CB315905), the Beijing
Natural Science Foundation (No.4122024), and the Na-
tional Natural Science Foundation of China (No. 61272501,
61173154, 61003214).
R EFERENCES
[1] APWG, “Investigation report,” http://www.antiphishing.org/
reports/apwg trends report h2 2011.pdf, 2011.
[2] L. P., E. Jung, D. D., H. T.E., and H. J.P., “B-apt: Bayesian
anti-phishing toolbar,” in Proceedings of IEEE International
Conference on Communications, ICC’08. IEEE Press, May
2008.
[3] C.Inc., “Couldmark toolbar,” http://www.cloudmark.com/
desktop/ie-toolbar.
[4] T. Ronda, S. Saroiu, and A. Wolman, “itrustpage: A user-
assisted anti-phishing tool,” in Proceedings of Eurosys’08.
ACM, April 2008.
[5] iTrustPage, http://www.cs.toronto.edu/∼ronda/itrustpage/.
795
[6] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect
phishing emails,” in Proceedings of the International World
Wide Web Conference (WWW), May 2007.
[7] Y. Zhang, J. Hong, and L. Cranor, “Cantina: A content-based
approach to detecting phishing web sites,” in Proceedings of
the International World Wide Web Conference (WWW), May
2007.
[8] A. Nourian, S. Ishtiaq, and M. Maheswaran, “Castle: A
scocial framework for collaborative anti-phishing databases,”
ACM Transactions on Internet Technology, 2009.
[9] C. Y., H. W., and Y. Le, “Anti-phishing based on automated
individual white-list,” in Proceedings of the 4th ACM work-
shop on Digital identity management, 2008, pp. 51–60.
[10] D. Xiaotie, H. Guanglin, and F. A.Y., “An antiphishing
strategy based on visual similarity assessment,” Internet Com-
puting, vol. 10, no. 2, pp. 58–65, 2006.
[11] L. Wenyin and D. Xiaotie, “Detecting phishing web pages
with visual similarity assessment based on earth mover’s
distance,” IEEE Transactions on Dependable and Secure
Computing, vol. 3, no. 4, pp. 301–311, 2006.
[12] W3CSchool, “Css tutorial-w3cschool,” http://www.
w3schools.com/css/.
[13] SpoofStick, “Spoofstick,” http://www.corestreet.com/
spoofstick/.
[14] E. Medvet, E. Kirda, and C. Kruegel, “Visual-similarity-based
phishing detection,” in Proceedings of SecureComm 2008.
ACM, September 2008.
[15] T.-C. Chen, S. Dick, and J. Miller, “Detecting visually similar
web pages: Application to phishing detection,” ACM Trans-
action on Internet Technology, vol. 10, no. 2, pp. 1–38, May
2010.
[16] D. Boneh, “Spoofguard,” http://crypto.stanford.edu/
SpoofGuard.
[17] L. Wenyin, N. Fang, X. Quan, B. Qiu, and G. Liu, “Discover-
ing phishing target based on semantic link network,” Future
Generation Computer Systems, no. 26, pp. 381–388, 2010.
[18] WOT, “Web of trust,” http://www.antiphishing.org/reports/
apwg trends report h2 2011.pdf, 2011.