Recent times have witnessed the rise of anti-phishing schemes powered by deep learning (DL). In particular, logo-based phishing detectors rely on DL models from Computer Vision to identify logos of well-known brands on webpages, to detect malicious webpages that imitate a given brand. For instance, Siamese networks have demonstrated notable performance for these tasks, enabling the corresponding anti-phishing solutions to detect even "zero-day" phishing webpages. In this work, we take the next step of studying the robustness of logo-based phishing detectors against adversarial ML attacks. We propose a novel attack exploiting generative adversarial perturbations to craft "adversarial logos" that evade phishing detectors. We evaluate our attacks through: (i) experiments on datasets containing real logos, to evaluate the robustness of state-of-the-art phishing detectors; and (ii) user studies to gauge whether our adversarial logos can deceive human eyes. The results show that our proposed attack is capable of crafting perturbed logos subtle enough to evade various DL models, achieving an evasion rate of up to 95%. Moreover, users are not able to spot significant differences between generated adversarial logos and original ones.