PhiGARo: Automatic Phishing Detection and Incident Response Framework

We present a comprehensive framework for automatic phishing incident processing and work in progress concerning automatic phishing detection and reporting. Our work is based upon the automatic phishing incident processing tool PhiGARo which locates users responding to phishing attack attempts and prevents access to phishing sites from the protected network. Although PhiGARo processes the phishing incidents automatically, it depends on reports of phishing incidents from users. We propose a framework which introduces honey pots into the process in order to eliminate the reliance on user input. The honey pots are used to capture e-mails, automatically detect messages containing phishing and immediately transfer them to PhiGARo. There is a need to propagate e-mail addresses of a honey pot to attract phishers. We discuss approaches to the honey pot e-mail propagation and propose a further enhancement to using honey pots in response to phishing incidents. We propose providing phishers with false credentials, accounts and documents that will grant them access to other honey pot services. Tracing these honey tokens may lead us to the originators of the phishing attacks and help investigations into phishing incidents.