It is relatively easy to change to a new URL and so evade a blacklist of malicious sites. But a phishing site that is trying to impersonate a legitimate site still needs to *look* like the right thing. That is what the color profiling does: it tries to detect sites that are trying to look like legitimate ones.
The color profiling is essentially fingerprinting the website by generating a hash that can be compared with known phishing sites.
This video breaks it down a little more https://twit.tv/shows/tech-break/episodes/6862
But if I’m a phisher it sounds like I just need to include some semi random colors that are visually similar to the actual desired background color in order to fool the hashing algorithm.
There are probably other heuristics involved, especially since websites can often be updated at any time, which would make fingerprinting particularly hard.
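As an added illustration (not the browser's actual algorithm from the video, and not code posted by anyone in this thread), here is one way a coarse color profile can be hashed and compared so that the semi-random near-identical shades mentioned above still fall into the same bins. The 16x16 "screenshots", the 4-level quantization and the noise pattern are all constructed assumptions.

```python
import hashlib

LEVELS = 4  # coarse quantization: 4 levels per channel -> 64 color bins


def quantize(px):
    """Map an RGB pixel to one of LEVELS**3 coarse bins so near-identical shades collide."""
    r, g, b = (c * LEVELS // 256 for c in px)
    return (r * LEVELS + g) * LEVELS + b


def color_profile(pixels):
    """Normalized histogram over coarse color bins: the page's color profile."""
    counts = [0] * (LEVELS ** 3)
    total = 0
    for px in pixels:
        counts[quantize(px)] += 1
        total += 1
    return [c / total for c in counts]


def profile_hash(profile, keep=3):
    """Hash of the dominant bins (by share) for exact lookup against known phishing profiles."""
    dominant = sorted(range(len(profile)), key=lambda i: -profile[i])[:keep]
    dominant = [i for i in dominant if profile[i] > 0]
    return hashlib.sha256(",".join(map(str, dominant)).encode()).hexdigest()


def similarity(a, b):
    """Histogram intersection in [0, 1]; 1.0 means identical color profiles (fuzzy match)."""
    return sum(min(x, y) for x, y in zip(a, b))


def render(band_color, background, jitter=0):
    """Constructed 16x16 'screenshot': background with a colored band in the bottom quarter.
    jitter adds deterministic per-pixel noise of +/- jitter to every channel."""
    out = []
    for y in range(16):
        for x in range(16):
            base = band_color if y >= 12 else background
            noise = ((x * 7 + y * 3) % (2 * jitter + 1)) - jitter if jitter else 0
            out.append(tuple(max(0, min(255, c + noise)) for c in base))
    return out


LEGIT = render((30, 80, 200), (250, 250, 250))
CLONE = render((30, 80, 200), (250, 250, 250), jitter=8)  # semi-random near-identical shades
OTHER = render((220, 30, 30), (10, 10, 10))  # unrelated page

if __name__ == "__main__":
    p_legit, p_clone, p_other = map(color_profile, (LEGIT, CLONE, OTHER))
    print("clone hash matches legit:", profile_hash(p_clone) == profile_hash(p_legit))
    print("clone similarity:", similarity(p_legit, p_clone))
    print("unrelated similarity:", similarity(p_legit, p_other))
```

Because the bins are coarse, jitter of a few units per channel leaves the profile and its hash unchanged, while an unrelated color scheme shares no bins at all.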