
Google Safe Browsing missed 84% of phishing sites we found in February


In the introductory post for this blog, we mentioned that Huginn, our active phishing discovery tool, was being used to seed Yggdrasil and that we'd have more to share soon. Well, here it is. This is the first in what we plan to be a monthly series where we share what Huginn has been finding in the wild, break down interesting attacks, and report on how existing detection tools are performing. Our hope is that these posts are useful both as a resource for understanding the current phishing landscape and as a way to demonstrate what our tools can do.

The Numbers

Over the course of February, Huginn processed URLs sourced from public threat intelligence feeds and identified 254 confirmed phishing websites. For each of these, we checked whether Google Safe Browsing (GSB) had flagged the URL at the time of our scan. The results were striking: GSB had flagged just 41 of the 254, meaning 83.9% of confirmed phishing sites were not flagged by the tool that underpins Chrome's built-in protection at the time we discovered them.

83.9% missed by Google Safe Browsing: 213 of 254 confirmed phishing sites
94.1% caught by Muninn's automatic scan: zero user interaction required
100% caught by Muninn's deep scan: zero false negatives across the full dataset
58.7% hosted on trusted platforms: 149 of 254 on Weebly, Vercel, GitHub, etc.

Now, to be fair, some of these may have been flagged later. But that's kind of the point. Phishing pages are often short-lived by design. The attacker sets up a page, blasts out a campaign, harvests whatever credentials they can, and takes it down before anyone catches on. If the detection comes hours or days after the page goes live, the damage is already done. This is the fundamental limitation of blocklist-based detection: it's reactive. Something has to be reported and reviewed before protection kicks in.

We also ran the full dataset of 263 URLs (254 phishing, 9 confirmed legitimate) through Muninn's automatic scan. This is the scan that runs on every page you visit without any action on your part. On its own, the automatic scan correctly identified 238 of the 254 phishing sites and only incorrectly flagged 6 legitimate pages.

But the automatic scan is just the first layer. When it flags something as suspicious or when a user wants to investigate a page further, Muninn offers a deeper scan that analyzes a screenshot of the page. Where the automatic scan is optimized for precision (keeping false alarms low so it doesn't disrupt your browsing), the deep scan is optimized for coverage. When we ran the full dataset through the deep scan, it caught every single confirmed phishing site with zero false negatives. The tradeoff is that it flagged all 9 of the legitimate sites in our dataset as suspicious, which is worth it when you're actively investigating a link you don't trust. The way to think about it is that the automatic scan is your always-on safety net that stays out of your way, and the deep scan is the cautious second opinion that would rather be wrong about a safe page than let a phishing page through.

Automatic Scan Results (263 URLs)
True Positives: 238 (phishing correctly identified)
False Positives: 6 (clean sites incorrectly flagged)
False Negatives: 15 (caught by deep scan instead)
True Negatives: 3 (clean sites correctly cleared)

The 15 false negatives from the automatic scan were all caught by the deep scan, which had zero false negatives across the full dataset.
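To make the precision-versus-coverage tradeoff above concrete, here is an added example (not the post's own code) that derives precision, recall and miss rate from the counts the post reports for each detector. It assumes the tabulated counts as given; Google Safe Browsing has no legitimate-site figures on the page, so its false-positive and true-negative counts are unknown and only its recall and miss rate are meaningful.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Outcome counts for one detector over a labelled URL set."""
    tp: int  # phishing URLs that were flagged
    fp: int  # legitimate URLs that were flagged
    fn: int  # phishing URLs that were cleared (missed)
    tn: int  # legitimate URLs that were cleared

    def precision(self) -> float:
        """Share of flagged URLs that really were phishing (low = noisy tool)."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    def recall(self) -> float:
        """Share of phishing URLs that were flagged; the post calls this coverage."""
        phishing = self.tp + self.fn
        return self.tp / phishing if phishing else 0.0

    def miss_rate(self) -> float:
        """Share of phishing URLs that slipped through."""
        return 1.0 - self.recall()

    def summary(self) -> dict:
        return {
            "precision": round(self.precision(), 3),
            "recall": round(self.recall(), 3),
            "miss_rate": round(self.miss_rate(), 3),
        }


# Counts as reported in the post. GSB's fp/tn are unknown on the page (assumed 0 here),
# so only its recall and miss rate should be read.
GSB = Confusion(tp=41, fp=0, fn=213, tn=0)
AUTOMATIC = Confusion(tp=238, fp=6, fn=15, tn=3)
DEEP = Confusion(tp=254, fp=9, fn=0, tn=0)

DETECTORS = {"gsb": GSB, "automatic": AUTOMATIC, "deep": DEEP}


def compare(detectors: dict = DETECTORS) -> dict:
    """Metrics per detector, e.g. to confirm the first layer trades coverage for precision."""
    return {name: c.summary() for name, c in detectors.items()}


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(f"{name:>9}: {metrics}")
```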

Where Phishing Lives
