Detecting Phishing Patterns with Python on a Zero Budget

In today's cybersecurity landscape, phishing remains a prevalent attack vector, targeting users through deceptive email links and websites. As a Lead QA Engineer, developing an effective method to detect phishing patterns without incurring costs can significantly bolster your security posture. Leveraging Python's rich ecosystem, it is possible to create a lightweight yet powerful solution that identifies potential phishing attempts by analyzing URLs, email contents, and domain metadata.

Understanding the Challenge

Phishing detection relies on spotting telltale signs such as URL anomalies, suspicious email content, or domain misrepresentations. While commercial solutions provide comprehensive tools, they often come with hefty price tags. By focusing on open-source Python libraries, you can implement a detection system that is both cost-effective and adaptable.

Building the Detection Framework

Below, we'll craft a simple yet robust phishing pattern detector that uses URL analysis, domain reputation checks, and pattern recognition techniques.

1. URL Analysis with Regular Expressions

The first step involves analyzing URLs for common phishing traits, such as IP address usage instead of domain names, excessive subdomains, or obfuscated characters.

import re

def analyze_url(url):
    # Detect IP addresses instead of domain names
    ip_pattern = r"(\d{1,3}\.){3}\d{1,3}"
    if re.search(ip_pattern, url):
        return True, "Contains direct IP address"

    # Detect excessive subdomains
    domain_parts = url.split(".")
    if len(domain_parts) > 4:
        return True, "Excessive subdomains"

    # Check for suspicious characters
    if re.search(r"[\^\%\$\#\@\!]+", url):
        return True, "Suspicious characters detected"

    return False, "URL appears normal"

2. Domain Reputation via DNS Lookup

Using Python's built-in socket library, we can resolve domain names and analyze their age or registration details. Although more detailed reputation checks require third-party services, free WHOIS data can provide initial hints.

import socket
import whois

def check_domain_reputation(domain):
    try:
        ip = socket.gethostbyname(domain)
        # Fetch WHOIS data
        w = whois.whois(domain)
        creation_date = w.creation_date
        if creation_date:
            # Basic check: if domain is very new, it might be suspicious
            if isinstance(creation_date, list):
                creation_date = creation_date[0]
            days_since_registration = (datetime.now() - creation_date).days
            if days_since_registration < 180:
                return "Newly registered domain, potential phishing"
        return "Domain appears established"
    except Exception as e:
        return f"Error during WHOIS lookup: {e}"

3. Pattern Recognition on Email Content

Analyzing email subjects and bodies for common phishing language or urgency cues can trigger alerts.

phishing_signatures = ["update your account", "verify your identity", "urgent action required", "click here"]

def analyze_email_content(content):
    for signature in phishing_signatures:
        if signature.lower() in content.lower():
            return True, f"Detected suspicious phrase: {signature}"
    return False, "No phishing signatures found"

Integrating the System

Combining these modules allows for a multi-layered detection. Here is a simplified orchestrator:

def detect_phishing(url, email_content):
    url_flag, url_reason = analyze_url(url)
    domain = re.findall(r"://(www\.)?([^/]+)", url)
    domain_name = domain[0][1] if domain else None
    domain_status = check_domain_reputation(domain_name) if domain_name else "Invalid URL"
    email_flag, email_reason = analyze_email_content(email_content)

    alerts = {
        "url": url_flag,
        "domain": domain_status,
        "email": email_flag
    }
    reasons = [url_reason, domain_status, email_reason]
    return alerts, reasons

Conclusion

While this approach lacks the advanced heuristics of enterprise tools, it demonstrates how a lead QA engineer with limited resources can build a functional, adaptive phishing detection system using open-source Python libraries. Regular updates to signatures and pattern analysis rules will enhance its effectiveness over time.

Final Notes

• Continually update the list of suspicious phrases.
• Incorporate user feedback to refine detection criteria.
• Extend functionality to analyze attachments or embedded links.

By taking this resourceful approach, organizations can maintain a proactive defense against phishing attacks without the need for costly services, empowering teams to identify threats early and protect their environments effectively.

References:

• Fernandes, D. A. B., et al. "A systematic review on phishing detection techniques." Computers & Security 80 (2019): 283-304.

---

🛠️ QA Tip

To test this safely without using real user data, I use TempoMail USA.