Posted: 3 Min ReadExpert Perspectives

Project Dolphin Eats its One-millionth Phish

Dolphin ate its one-millionth phish

Earlier this month, one of our favorite projects hit a major milestone: Dolphin ate its one-millionth phish.

Dolphin (so-called "because dolphins are smart, and eat phish") was born a few years ago when one of our GIN (Global Intelligence Network) researchers was reflecting on how phishing attacks worked:

  • Lure victims to the phishing site (usually via e-mail).
  • Present a believable page that mimics another site.
  • The victims, thinking they are on the real site, enter their credentials.
  • Those credentials are instead sent to the “phisherman.”

The second point was interesting: the phishing site had to look authentic. So, what if we built a system that could visually compare a screenshot of a possible phishing site with a saved collection of such sites? Would it be fast enough and accurate enough to be useful?

He thought it would, so he went to work and produced a functional prototype, and demo'ed it to the rest of the GIN R&D team. We loved it -- it was such a cool idea! And yes, it was really accurate at catching phishing pages.

Well, Dolphin has been running in production mode for a couple of years, leading to the milestone of one million phishing page detections.

Even for someone in the business of Internet security, the thought of a million phishing pages (on hundreds of thousands of different sites) boggles the mind. Especially given that a very large percentage of those sites are set up via "phishing kits" on someone else's legitimate site that's been compromised. (That is a whale – or a shark -- of a lot of hacked sites!)

A Bit About Phishing Kits

As an offshoot of the research on Project Dolphin, we've also been collecting information about the phishing kits we see being used in the wild. There are interesting statistics galore, such as tracking the most common brands that the phishing kits are mimicking. For example, here are the top brands being mimicked or targeted in December 2017, as collected in our "Aquarium" (i.e., the place where you go to look at captive phish).


*A mimicked brand phishing page may not actually be targeting login data for that brand's real site; it may be in use as "bait" to get other credentials. Typically, the credentials being phished for in that case are the victim's e-mail account/password.
*A mimicked brand phishing page may not actually be targeting login data for that brand's real site; it may be in use as "bait" to get other credentials. Typically, the credentials being phished for in that case are the victim's e-mail account/password.

In a typical day, Dolphin sees well over 1,000 different phishing pages (screenshots in the Aquarium, representing unique URLs). And that's just for the Top Ten Brands -- there is also a long "tail" of other brands that Dolphin is watching for, so the total daily count is a lot higher.

Thinking About the Targeted/Mimicked Brands

When Dolphin was created, our WebPulse system had been doing dynamic detection of phishing sites for a decade, so we weren't strangers to the phishing ecosystem. However, we didn't view phishing protection as a primary mission for WebPulse; the focus was supposed to be on more "serious threats" -- things like advanced malware and attacks that were a threat to an Organization; phishing seemed like more of a threat to Individuals' data and money.

As the Aquarium began to fill up with captured phishing pages, however, we got some surprises. We saw that a lot of the top-targeted brands were not what we thought of as typical phishing -- banking and finance sites -- but instead were various Email and Cloud services.

This led to a talk at last year's RSAC-APJ conference, warning that organizations needed to re-think the threat posed by "phishing" -- it wasn't something that was just targeting their individual employee's personal data.

We recommended, among other things, that organizations expand their employees' security training to include the full spectrum of phishing attacks, and add training about the risks of Shadow Data as well. It's also good to explain *why* these things are important.

Looking ahead, we'll continue to feed Dolphin a high-protein stream of probable and possible phishing URLs to check. Through a combination of Web, endpoint, and e-mail intelligence; cloud infrastructure; and image processing, analysis, and comparison, driven by a machine learning system, Dolphin will continue to identify pages from an ever-widening ecosystem of phishing targets -- both traditional and new.

Unfortunately, it probably won't take a couple of years for Dolphin to eat its two-millionth phish.


If you found this information useful, you may also enjoy:


Phisherman Changing Targets: Impact Shift from Personal to Organizational

Symantec Web Isolation Phishing Demo Video


About the Author

Chris Larsen

Architect, Research Engineer- Symantec

Chris Larsen has decades of software development, natural language processing, and machine learning experience. At Symantec, he’s an Architect and Research Engineer on the WebPulse threat research team, and a long-time security blogger.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.