Abstract: An apparatus, system, product and method comprising: obtaining a selection of page elements of a source page that are estimated to represent a visual appearance of the source page; generating respective representations of the page elements, wherein the representation is configured to be used for acquiring a page element in different pages; obtaining a target page, wherein a user is enabled to interact with the target page; determining a visual similarity measurement between the source page and the target page, wherein the visual similarity measurement is based on a successful acquisition in the target page, of the page elements, using the respective representations; classifying the target page as a phishing attack based on the visual similarity measurement, whereby detecting the phishing attack; and performing a responsive action in response to said detecting the phishing attack.

Abstract: An apparatus, system, product and method comprising: obtaining a selection of page elements of a source page that are estimated to represent a visual appearance of the source page; generating respective representations of the page elements, wherein the representation is configured to be used for acquiring a page element in different pages; obtaining a target page, wherein a user is enabled to interact with the target page; determining a visual similarity measurement between the source page and the target page, wherein the visual similarity measurement is based on a successful acquisition in the target page, of the page elements, using the respective representations; classifying the target page as a phishing attack based on the visual similarity measurement, whereby detecting the phishing attack; and performing a responsive action in response to said detecting the phishing attack.

Abstract: An apparatus, system, product and method comprising: obtaining a selection of page elements of a source page that are estimated to represent a visual appearance of the source page; generating respective representations of the page elements, wherein the representation is configured to be used for acquiring a page element in different pages; obtaining a target page, wherein a user is enabled to interact with the target page; determining a visual similarity measurement between the source page and the target page, wherein the visual similarity measurement is based on a successful acquisition in the target page, of the page elements, using the respective representations; classifying the target page as a phishing attack based on the visual similarity measurement, whereby detecting the phishing attack; and performing a responsive action in response to said detecting the phishing attack.

Abstract: Rules describing attributes of malicious data requests, commonly generated by malware, are determined and stored. For example, a behavior server executes different types of malware and analyzes the data requests produced by the malware to identify attributes common to different malicious data requests. The rules describing malicious data request attributes are stored and subsequent data requests are compared to the stored rules to identify malicious data requests. If a data request has one or more attributes in common with attributes of malicious data requests, the data request is blocked. This allows attributes of a data request to be used to prevent malware executing on a client device from communicating with a malicious server.