Detecting webpages that share malicious content

1 . (canceled) 2 . A system for detecting malicious activity on webpages comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: categorizing each of a first set of webpages as a host of a respective online phishing instrument; calculating a baseline page structure score and a baseline language score based on the identified first set of webpages hosting the respective online phishing instruments; collecting content from a second set of webpages for analysis; analyzing the content collected from the second set of webpages using a machine learning classifier trained based on the calculated baseline page structure and the calculated baseline language scores; and flagging one or more of the second set of webpages as malicious based on the analyzing of the content collected from the second set of webpages using the machine learning classifier. 3 . The system of claim 2 , wherein the categorizing each of the first set of webpages as the host of the respective online phishing instrument comprises searching a plurality of webpages for predefined terms known to be used in webpages associated with hosts of online phishing instruments, wherein each of the first set of webpages is categorized as the host of the respective online phishing instrument based on at least one of the predefined terms being found to be included on a respective webpage of the first set of webpages. 4 . The system of claim 2 , wherein the baseline page structure score is calculated based on Hypertext Markup Language (HTML) feature elements discovered in the first set of webpages. 5 . The system of claim 2 , wherein the baseline language score is calculated based on terms identified from the respective host of the online phishing instrument. 6 . The system of claim 2 , wherein collecting content from the second set of webpages for analysis comprises using a web crawler to identify website content that requires analysis, the identifying being based on searching for terms found within a dictionary of pre-computed terms associated with hosts of online phishing instruments. 7 . The system of claim 6 , wherein the collecting the content from the second set of webpages for analysis further comprises filtering out results from an approved list of domains and advertisements. 8 . The system of claim 2 , wherein analyzing the content collected from the second set of webpages using the machine learning classifier comprises: determining that the collected content does not fit into the known malicious classification by calculating a page structure score based on the baseline page structure score, and calculating a language score based on the baseline page structure score. 9 . A method comprising: categorizing each of a first set of webpages as a host of a respective online phishing instrument; calculating a baseline page structure score and a baseline language score based on the identified first set of webpages hosting the respective online phishing instruments; collecting content from a second set of webpages for analysis; analyzing the content collected from the second set of webpages using a machine learning classifier trained based on the calculated baseline page structure and the calculated baseline language scores; and flagging one or more of the second set of webpages as malicious based on the analyzing of the content collected from the second set of webpages using the machine learning classifier. 10 . The method of claim 9 , wherein the categorizing each of the first set of webpages as the host of the respective online phishing instrument comprises searching a plurality of webpages for predefined terms known to be used in webpages associated with hosts of online phishing instruments, wherein each of the first set of webpages is categorized as the host of the respective online phishing instrument based on at least one of the predefined terms being found to be included on a respective webpage of the first set of webpages. 11 . The method of claim 9 , wherein the baseline page structure score is calculated based on Hypertext Markup Language (HTML) feature elements discovered in the first set of webpages. 12 . The method of claim 9 , wherein the baseline language score is calculated based on terms identified from the respective host of the online phishing instrument. 13 . The method of claim 9 , wherein collecting content from the second set of webpages for analysis comprises using a web crawler to identify website content that requires analysis, the identifying being based on searching for terms found within a dictionary of pre-computed terms associated with hosts of online phishing instruments. 14 . The method of claim 13 , wherein the collecting the content from the second set of webpages for analysis further comprises filtering out results from an approved list of domains and advertisements. 15 . The method of claim 9 , wherein analyzing the content collected from the second set of webpages using the machine learning classifier comprises: determining that the collected content does not fit into the known malicious classification by calculating a page structure score based on the baseline page structure score, and calculating a language score based on the baseline page structure score. 16 . A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause performance of operations comprising: categorizing each of a first set of webpages as a host of a respective online phishing instrument; calculating a baseline page structure score and a baseline language score based on the identified first set of webpages hosting the respective online phishing instruments; collecting content from a second set of webpages for analysis; analyzing the content collected from the second set of webpages using a machine learning classifier trained based on the calculated baseline page structure and the calculated baseline language scores; and flagging one or more of the second set of webpages as malicious based on the analyzing of the content collected from the second set of webpages using the machine learning classifier. 17 . The non-transitory machine-readable medium of claim 16 , wherein the categorizing each of the first set of webpages as the host of the respective online phishing instrument comprises searching a plurality of webpages for predefined terms known to be used in webpages associated with hosts of online phishing instruments, wherein each of the first set of webpages is categorized as the host of the respective online phishing instrument based on at least one of the predefined terms being found to be included on a respective webpage of the first set of webpages. 18 . The non-transitory machine-readable medium of claim 16 , wherein the baseline page structure score is calculated based on Hypertext Markup Language (HTML) feature elements discovered in the first set of webpages. 19 . The non-transitory machine-readable medium of claim 16 , wherein the baseline language score is calculated based on terms identified from the respective host of the online phishing instrument. 20 . The non-transitory machine-readable medium of claim 16 , wherein collecting content from the second set of webpages for analysis comprises using a web crawler to identify website content that requires analysis, the identifying being