Here is the asymmetry that makes phishing infrastructure cheap: a domain costs a few dollars and burns in days, but a good page template is expensive to build and gets reused for months. Operators rotate the part that is cheap and keep the part that is not. So while domain-based reputation chases thousands of disposable hostnames, the actual page — the markup, the layout, the pixels — barely changes between deployments.
That is the weakness Voretix's similarity layer attacks: if the page is the stable asset, fingerprint the page.
Why exact hashes fail
The naive approach — hash the HTML, look the hash up — dies immediately. Kits inject randomised tokens, timestamps, per-visit session IDs and rotating asset URLs, so two visits to the same page rarely produce byte-identical documents, let alone two deployments of the same kit. Exact matching answers "have I seen this file?"; the question that matters is "have I seen this page?" — and that needs hashes designed to survive small changes.
Fingerprint one: structure
The first fingerprint targets the DOM skeleton. The rendered document is normalised — volatile content stripped, the markup reduced to its structural shape — and hashed with a locality-sensitive scheme in the simhash family. The property that makes this work is the opposite of a cryptographic hash: similar inputs produce similar outputs. Two documents that differ by a session token differ by a few bits; two unrelated pages differ by many. Nearness in hash space becomes a cheap, indexable proxy for "same template", and comparing one scan against the corpus becomes a bit-distance query instead of a million document diffs.
Fingerprint two: pixels
The second fingerprint is perceptual, computed from the page screenshot. It catches what structure misses: kits that re-skin their markup between waves but keep the visual design, and — the reverse case — pages built from different code that are pixel-for-pixel imitating the same brand login. Voretix hashes both the full page and the above-the-fold region separately, because campaign pages often share a distinctive header while diverging in the footer noise below.
Two fingerprints disagree usefully
Running both is not redundancy. The combinations mean different things:
- Structure matches, pixels match — same kit, redeployed. The everyday case.
- Structure matches, pixels differ — same kit re-skinned for a different brand or language. One template, many lures.
- Pixels match, structure differs — independent clones of the same target page, or a rewrite of an old kit. Often the first sign of a new kit entering circulation.
Attackers can rotate domains every hour. Rotating a well-tested page template every hour is a cost they are not willing to pay — so we bill them there.
Where you see it in the report
Every scan report carries a similarity card: how many pages in the corpus share this page's layout, and the closest match with its similarity score and verdict. When a brand-new domain's page matches a convicted scan at high similarity, you are looking at guilt by structural association — the domain has no history, but the template does. And when you want the full picture, the Hunt page lets you sweep the corpus for every deployment of the same fingerprint and watch the campaign's rollout as a timeline.
Frequently asked questions
What is similarity hashing (simhash) for web pages?
A locality-sensitive hashing technique where similar inputs produce similar hashes. Two pages that differ only by a session token end up a few bits apart, so near-duplicate lookup becomes a fast bit-distance query instead of a document diff.
Why do exact hashes fail at matching phishing pages?
Kits inject random tokens, timestamps and per-visit session IDs, so even two visits to the same page rarely produce byte-identical HTML. Matching needs hashes designed to survive small changes.
How does layout matching help SOC triage?
It turns one conviction into many: when a fresh domain serves a page matching a known-bad template, the report shows the match with its similarity score and verdict, so the analyst starts with context instead of a cold page.