From ML to LLM: Evaluating the Robustness of Phishing Webpage Detection Models against Adversarial Attacks
Aditya Kulkarni, Vivek Balachandran, Dinil Mon Divakaran, Tamal Das
TL;DR
PhishOracle demonstrates that adversarial phishing webpages can substantially degrade traditional ML/DL detectors while multimodal LLM-based detectors provide stronger yet incomplete robustness. By generating diverse adversarial pages through embedding a fixed set of $12$ content-based and $5$ visual-based features and simulating lookalike URLs, the tool enables comprehensive robustness testing and data collection. A user study shows that roughly half of PhishOracle pages deceive users visually, and VirusTotal evaluations reveal slow, uneven detection across vendors, highlighting real-world risk. Overall, the work highlights vulnerabilities in current phishing detection and advocates for robust, multimodal defenses, while providing open-source datasets and tools to advance research.
Abstract
Phishing attacks attempt to deceive users into stealing sensitive information, posing a significant cybersecurity threat. Advances in machine learning (ML) and deep learning (DL) have led to the development of numerous phishing webpage detection solutions, but these models remain vulnerable to adversarial attacks. Evaluating their robustness against adversarial phishing webpages is essential. Existing tools contain datasets of pre-designed phishing webpages for a limited number of brands, and lack diversity in phishing features. To address these challenges, we develop PhishOracle, a tool that generates adversarial phishing webpages by embedding diverse phishing features into legitimate webpages. We evaluate the robustness of three existing task-specific models - Stack model, VisualPhishNet, and Phishpedia - against PhishOracle-generated adversarial phishing webpages and observe a significant drop in their detection rates. In contrast, a multimodal large language model (MLLM)-based phishing detector demonstrates stronger robustness against these adversarial attacks but still is prone to evasion. Our findings highlight the vulnerability of phishing detection models to adversarial attacks, emphasizing the need for more robust detection approaches. Furthermore, we conduct a user study to evaluate whether PhishOracle-generated adversarial phishing webpages can deceive users. The results show that many of these phishing webpages evade not only existing detection models but also users.