March 2, 2020 · project security

nofish - using Levenshtein distance for spear-phishing detection

nofish is a work-in-progress Chrome extension to block spear-phishing attempts. It uses the Levenshtein edit distance to calculate a "similarity score" between the requested hostname and a known list of good hosts. If the requested hostname is too similar, but not identical, to a known host, nofish will block the request. I have yet to benchmark the efficacy of this approach, but using data from Google Safe Browsing Lists against Alexa top 1000 ranked sites should give a good indication.

This extension can also thwart IDN homoglyph attacks. By modifying the symbol equality check in the Levenshtein algorithm to also include Unicode confusables, visually similar characters like this е U+0435 character from the Cyrillic charset and this e U+0065 from the Latin charset are considered equal. Major browsers already defend against this kind of attack though, by rendering punycode instead of the Unicode characters. This phishing detection technique could also be implemented at a DNS server level to block bitsquatting attacks.
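A sketch of the check described in the two paragraphs above, written for this page as an added example and not taken from the nofish source. The confusables table is a small constructed subset, the `maxDistance` threshold of 2 and the host list are assumptions, and hostnames are assumed to be already decoded from punycode to their Unicode form.

```javascript
// Constructed subset of Unicode confusables (assumption: a real deployment
// would load the full Unicode confusables data instead of this short table).
const CONFUSABLES = new Map([
  ["\u0430", "a"], // Cyrillic a
  ["\u0435", "e"], // Cyrillic e
  ["\u043E", "o"], // Cyrillic o
  ["\u0440", "p"], // Cyrillic er, looks like Latin p
  ["\u0441", "c"], // Cyrillic es, looks like Latin c
  ["\u0131", "i"], // Latin dotless i
]);

// Map a character to its Latin look-alike, if it has one in the table.
const fold = (ch) => CONFUSABLES.get(ch) ?? ch;

// Levenshtein distance where two symbols count as equal when they fold
// to the same character (the modified equality check from the text).
function distance(a, b) {
  const s = Array.from(a.toLowerCase());
  const t = Array.from(b.toLowerCase());
  let prev = Array.from({ length: t.length + 1 }, (_, j) => j);
  for (let i = 1; i <= s.length; i++) {
    const cur = [i];
    for (let j = 1; j <= t.length; j++) {
      const cost = fold(s[i - 1]) === fold(t[j - 1]) ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[t.length];
}

// Allow exact matches, block near matches, allow everything unrelated.
// The exact-match test compares raw strings, so a homoglyph host with
// distance 0 is still blocked because it is not byte-identical.
function classify(hostname, knownHosts, maxDistance = 2) {
  const host = hostname.toLowerCase();
  if (knownHosts.includes(host)) return { verdict: "allow", match: host };
  for (const known of knownHosts) {
    const d = distance(host, known);
    if (d <= maxDistance) return { verdict: "block", match: known, distance: d };
  }
  return { verdict: "allow", match: null };
}
```

A single flipped bit in a hostname changes one character, so the same distance check covers the bitsquatting case mentioned above.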

The source is available on GitHub.

nofish blocking a phishing attempt.