"Detecting if a malicious website is a clone of a legit one is challenging. Attackers can modify or obfuscate its HTML, JS or CSS to make it look different than the original for a machine, while still looking the same to a user.
We aimed to implement a new way for making this check by comparing images of the original and the suspect site. With it we can identify if the user is being presented with the same site they regularly use, but on a different domain.
The issue with comparing images is that a perfect comparison will fail if a single pixel on the image is different. So a different character in one of the sites would break the check. We found a solution that uses perceptual hashing algorithms. They reduce the image-comparison problem to a hashing-comparison one, which needs fewer resources on the user’s CPU. And it allows for an adjustable tolerance, so that similar sites are marked as dangerous even if there are small differences on them.
In this talk we’ll show you the working proof-of-concept of this method: an open-source Firefox plugin. And the issues we encountered along the way, as well as some interesting discussions we had when we shared the results on the web."
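The hash-and-tolerance comparison described in the abstract, as an added example that is not code from the talk or from the plugin. The abstract does not name the algorithm used; dHash (difference hash), the constructed 72x64 grayscale "screenshots" and the 10-bit tolerance are assumptions chosen for illustration.

```javascript
// Added example: dHash over grayscale pixel arrays (algorithm choice is an assumption).
const HASH_W = 9, HASH_H = 8; // 9x8 grid -> 8 comparisons per row -> 64-bit hash

// Box-average downscale of a row-major grayscale image (values 0..255) to 9x8.
function shrink(pixels, w, h) {
  const out = [];
  for (let gy = 0; gy < HASH_H; gy++) {
    for (let gx = 0; gx < HASH_W; gx++) {
      const x0 = Math.floor(gx * w / HASH_W), x1 = Math.floor((gx + 1) * w / HASH_W);
      const y0 = Math.floor(gy * h / HASH_H), y1 = Math.floor((gy + 1) * h / HASH_H);
      let sum = 0;
      for (let y = y0; y < y1; y++)
        for (let x = x0; x < x1; x++) sum += pixels[y * w + x];
      out.push(sum / ((x1 - x0) * (y1 - y0)));
    }
  }
  return out;
}
// One bit per horizontally adjacent pair: 1 if the left cell is brighter.
function dHash(pixels, w, h) {
  if (w < HASH_W || h < HASH_H || pixels.length !== w * h)
    throw new RangeError("image too small or size mismatch");
  const g = shrink(pixels, w, h);
  let hash = 0n;
  for (let y = 0; y < HASH_H; y++)
    for (let x = 0; x < HASH_W - 1; x++)
      hash = (hash << 1n) | (g[y * HASH_W + x] > g[y * HASH_W + x + 1] ? 1n : 0n);
  return hash;
}
// Number of differing bits between two hashes.
function hamming(a, b) {
  let diff = a ^ b, n = 0;
  while (diff > 0n) { n += Number(diff & 1n); diff >>= 1n; }
  return n;
}
const exactMatch = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);
const looksLikeClone = (hA, hB, tolerance) => hamming(hA, hB) <= tolerance;

// Constructed sample data: each 8x8 cell is one flat shade picked by cellShade(col, row).
function render(cellShade) {
  const w = 72, h = 64, px = new Uint8Array(w * h);
  for (let y = 0; y < h; y++)
    for (let x = 0; x < w; x++) px[y * w + x] = cellShade(x >> 3, y >> 3);
  return { px, w, h };
}
const legit = render((c, r) => ((5 * c + 3 * r) % 7) * 30);
const clone = render((c, r) => (c === 4 && r === 3) ? 255 : ((5 * c + 3 * r) % 7) * 30);
const other = render((c, r) => ((2 * c + 5 * r) % 7) * 30);
const TOLERANCE = 10; // assumed threshold, in bits out of 64
```

The `clone` image differs from `legit` in one cell, so the exact pixel comparison fails while the hash distance stays within the tolerance; `other` is an unrelated layout and falls outside it.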
Speaker: Diego Freijo
Diego is a Senior Security Engineer at Anvil Secure. He’s been in the infosec industry for more than 6 years performing offensive security audits on web applications, cloud, mobile and networking engagements. Before that, he was a game developer, both as a company employee and as an indie developer, as well as a software consultant and a teacher.
From time to time he writes about what he finds interesting on his blog or on Twitter.