The many faces of AI in the Phishing-website landscape
Seminar University of St. Gallen
Saint Gallen, Switzerland
Oneliner: What are some ways in which AI can be used in the context of phishing websites?
Phishing websites are everywhere. This fact may come as a surprise when considering the thousands of papers proposing artificial-intelligence (AI) techniques to counter this threat. Some of these techniques “work”, i.e., they can reliably detect phishing websites—which is clearly an encouraging result. However, many “state-of-the-art” AI methods can also be trivially fooled with little effort by naive attackers—which is clearly a disheartening result. Finally, AI methods can also be offensively used by attackers to circumvent AI-based detectors—which is clearly a worrying result.
In this talk, I will explore these three complementary classes of results, each denoting a different “face” of AI. Specifically, I will explain how AI can be used to catch phish. Then, I will show how to trivially evade these AI-based methods with simple modifications that anyone could do. Finally, I will reveal more sophisticated—but still affordable—ways to maliciously use AI tools to circumvent phishing detectors powered by AI. During this journey I will also emphasize the role of the end-user: ultimately, a phishing website must deceive a human—not an AI.
(Shoutout to Katerina Mitrokotsa, who “hosted” me for this talk! It was great to see her again after meeting her for the first time in Dagstuhl.)