An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes a parser to locate a first website icon corresponding to a first website, an icon hasher to generate a first hash of the first website icon, and a hash checker to determine whether the first hash matches a second hash of a second website icon corresponding to a second website in an icon hash database, the hash checker to, in response to the first hash matching the second hash, determine whether a first portion of a first Uniform Resource Locator (URL) corresponding to the first website matches a second portion of a second URL corresponding to the second website, the hash checker to, in response to the first portion not matching the second portion, identify the first website as a phishing website.

Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.

A method to monitor integrity of webpages. The method includes obtaining rendered code generated using source code of a webpage from a server that hosts the webpage and using remotely called code referenced in the source code, the rendered code used to display the webpage. The method also includes determining a difference between the rendered code and previous rendered code of the webpage. The previous rendered code may be generated before obtaining the rendered code. The method further includes analyzing the difference between the rendered code and the previous rendered code to determine a change in integrity of security of the webpage and in response to a change in the integrity of security of the webpage, generating an alert regarding the integrity of security of the webpage that may indicate the integrity of the webpage may have changed.

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Detecting a phishing message by providing a phishing detector having a scan engine and a fetcher, detecting a URL in the message by the scan engine, resolving the URL to a webpage by the scan engine, downloading the webpage by the fetcher, analyzing the downloaded webpage by the fetcher to determine whether the webpage is a phishing webpage, and, when the webpage is determined to be a phishing webpage, deleting the message by the scan engine.

The techniques disclosed herein detect Cross-Site Request Forgery (CSRF) vulnerabilities in a web application. In some configurations, CSRF vulnerabilities are detected by analyzing the source code of the web application. Specifically, CSRF vulnerabilities are detected by determining if CSRF mitigation features of one or more frameworks are being used incorrectly or inconsistently. Some CSRF mitigation features provided by web frameworks inject capabilities into the web application, e.g. to automatically store an anti-forgery token in a cookie, copy the anti-forgery token from the cookie into an HTML, form or a request header, or determine whether form submissions or request headers include the same anti-forgery token as the cookie. CSRF vulnerabilities may be detected by analyzing the source code to identify when one of these features is omitted or used incorrectly end-to-end. CSRF vulnerabilities are also detected by identifying when CSRF mitigation features of multiple web frameworks are incompatible.

The present disclosure provides techniques for calculating an entity's cybersecurity risk based on identified relationships between the entity and one or more vendors. Customer/vendor relationships may impact the cybersecurity risk for each of the parties involved because a security compromise of a downstream or upstream provider can lead to a compromise of multiple other companies. For example, if organization A uses B (e.g., a cloud service provider) to store files, and B is compromised, this may lead to organization A being compromised (e.g., the files organization A stored using B may have been compromised by the breach of B's cybersecurity). Embodiments of the present disclosure further provide a technique for calculating a cybersecurity risk score for an organization based on identified customer/vendor relationships.

Methods, systems, apparatuses, and computer-readable storage mediums are described for enabling runtime supply chain security of web applications and the discovery of active malware attacks. For example, a server is configured to receive CSP-based data from browsers executing on various clients. Such data may be received via a browser extension or via a proxy between the web applications and the browsers. Using the CSP-based data, the server generates a database of supply chain inventory. The database specifies resources that are loaded for a particular web application, along with a location from where such resources are loaded. The database further specifies a chain of dependencies between such resources. The database is analyzed to determine whether any such resources have been compromised with malware or whether clients on which such resource have been loaded have been compromised with malware. Responsive to determining such cases, actions(s) may be performed to mitigate the malware.

A system to identify automated submissions of web pages, such as those submitted by bots, in real time. The system comprising a processor configured to update an initial version of a requested web page with at least one hidden field, transmit the updated web page to the client, then, upon receipt parse the completed web page, and identify if a data entry is associated with the at least one hidden field. Where a data entry is associated with the at least one hidden field, the system blocks the transmission of the completed web page to the server. Where a data entry is not associated with the at least one hidden field the system removes the at least one hidden field, and transmits the final web page to the server.