US20130031627A1 - Method and System for Preventing Phishing Attacks - Google Patents
- Publication number
- US20130031627A1 (application US13/543,935)
- Authority
- US
- United States
- Prior art keywords
- links
- web page
- classified
- comparison result
- phishing attack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Definitions
- the present invention relates to network security, more particularly, to a method and system for preventing phishing attacks.
- A phishing attack is a criminal fraud technique that attempts to obtain sensitive personal information such as usernames, passwords and credit card details by using electronic communications that masquerade as a trustworthy legitimate entity. These communications usually claim to come from Internet banks, electronic payment websites, online retailers, credit card companies or network administrators, in order to deceive credulous victims. Phishing attacks are usually carried out through emails or instant messages. They usually direct the user to a fake website whose interface looks highly similar to the genuine legitimate website, to trick the user into entering sensitive personal information. These fake websites usually have Web pages highly similar to those of trusted brands such as Internet banks, electronic payment websites, online retailers and credit card companies, and victims often leak sensitive information such as credit card numbers, bank card accounts and ID card numbers.
- Illustrative embodiments of the present disclosure have recognized the above disadvantages in the prior art. To this end, the present disclosure provides a lightweight solution capable of helping ordinary users to identify some common types of phishing attacks and thus to prevent unnecessary losses caused thereby.
- a method for preventing phishing attacks comprising: scanning a Web page; acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
- the determining whether a phishing attack exists according to the classified links comprises calculating the percentage of the links of a respective type in the total number of links; comparing the calculated percentage of the links of a respective type in the total number of links with a preset threshold; and determining whether a phishing attack exists using the comparison result.
- the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are less than the preset threshold, warning the user of a possible phishing attack.
- the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are not less than the preset threshold, displaying the Web page to the user.
- the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are not less than the preset threshold, warning the user of a possible phishing attack.
- the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are less than the preset threshold, displaying the Web page to the user.
- a system for preventing phishing attacks comprising: an acquiring component configured to acquire links in a Web page; a classifying component configured to classify the acquired links according to link types; and a determining component configured to determine whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
- an embodiment of the present disclosure further provides a computer program product corresponding to the above method.
- FIG. 1 shows a block diagram of an exemplary computer system 100 suitable for realizing embodiments of the present invention
- FIG. 2 shows a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present disclosure
- FIG. 3 shows a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present disclosure.
- the attacker in a phishing attack usually constructs a fake website using the resources of a genuine legitimate website; that is, webpage resources of the fake website such as styles, images and links are acquired from the genuine legitimate website. The user interface of the fake website is therefore usually highly similar to that of the genuine legitimate website, which makes it easy to gain the trust of users and thus to deceive them.
- the attacker usually points the parts of the fake website that ask the user to input and submit sensitive personal information at a preset address. When the user inputs and submits sensitive personal information, it seems to the user that he has submitted it to the genuine legitimate website, while he has actually submitted it to the attacker.
- FIG. 1 it shows a block diagram of an exemplary computer system 100 suitable for realizing one or more embodiments of the present disclosure.
- the computer system 100 includes: CPU (Central Processing Unit) 101 , RAM (Random Access Memory) 102 , ROM (Read-Only Memory) 103 , system bus 104 , hard disk controller 105 , keyboard controller 106 , serial interface controller 107 , parallel interface controller 108 , display controller 109 , hard disk 110 , keyboard 111 , serial peripheral device 112 , parallel peripheral device 113 and display 114 .
- CPU Central Processing Unit
- RAM Random Access Memory
- ROM Read-Only Memory
- those coupled with the system bus 104 are CPU 101 , RAM 102 , ROM 103 , hard disk controller 105 , keyboard controller 106 , serial controller 107 , parallel controller 108 and display controller 109 .
- Hard disk 110 is coupled with hard disk controller 105
- keyboard 111 is coupled with keyboard controller 106
- serial peripheral device 112 is coupled with serial interface controller 107
- parallel peripheral 113 is coupled with parallel interface controller 108
- display 114 is coupled with display controller 109 .
- FIG. 1 is only shown for the purpose of exemplification, rather than limitation to the scope of the present invention. In some circumstances, some devices may be added or removed as required by specific conditions.
- FIG. 2 it illustrates a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present invention.
- the method 200 for preventing phishing attacks according to an embodiment of the present invention begins with step 202 .
- the links in the Web page may be acquired by scanning the source code of the Web page. These links include:
- HTML <a> href attribute which specifies the address to which a link is directed
- HTML <script> src attribute which specifies the source address of an external script file
- HTML <img> src attribute which specifies the source address of an image
- HTML <iFrame> src attribute which specifies the source address of the document to be displayed in the iFrame
- HTML <Form> Action attribute which specifies the target address to which the form is submitted, and so on.
- HTML HyperText Markup Language
- a fake website constructed using the resources of the genuine legitimate website generally has the same features, i.e.,
- the attacker poses as HSBC and sends an email or an IM (instant messaging) message to a user; when the user clicks the link in the email or IM message sent by the attacker, he will be directed to a fake website with the address of http://qingadian.com/.
- the fake website has a highly similar webpage to that of the genuine HSBC website, so as to deceive the user to input personal sensitive information.
- the genuine legitimate HSBC website is http://www.hsbc.com.hk/. It can be seen by checking the code of the fake website that most resources in the fake website page are acquired from the genuine legitimate website; refer to the code segments given below.
- the links are classified into two types:
- the domain refers to a domain name. It is believed that links of different domain names belonging to a same company are of the same type. For example, the domain names of www.qq.com, www.tencent.com, etc. belong to Tencent Corp., i.e., links involving the above two domain names are links of the same type; similarly, the domain names of www.sina.com, www.sinaimg.com, weibo.com, etc. all belong to Sina Corp.; and the domain names of www.boc.cn, www.bankofchina.com, etc. all belong to Bank of China, and so on. Different domain names belonging to a same company may be stored in advance in a database in the form of a list or in other forms.
- this link is an internal link. If the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are not identical, nor do they belong to the same company, then the link is an external link.
- step 206 the acquired links are classified.
- the links are classified into the two types of internal links and external links according to an embodiment of the present disclosure.
- the acquired links are classified according to the link types, i.e., whether they belong to internal links or external links.
- common links of third-party legitimate websites that provide services such as Google® AdWords® that provides advertising services, or Microsoft® Bing® that provides searching services, etc.
- third-party legitimate websites that need to be excluded may be stored in advance in a database in the form of a list or in other forms, so that the links of the common third-party legitimate websites that provide services may be excluded by means of querying the list in the process of acquiring links in the Web page or classifying the links
- step 208 it is determined whether there is a phishing attack according to the classified links.
- it is determined whether there is a phishing attack according to the classified links by calculating the percentage of the links of a respective type in the total number of links; and comparing the calculated percentage of the links of the respective type in the total number of links with a preset threshold.
- links are classified into internal links and external links, and the percentages of internal links and external links in the total number of links are calculated.
- the calculated percentage of internal links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the internal links are less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the internal links are not less than the preset threshold, the reproduced Web page is displayed to the user.
- the calculated percentage of external links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the external links are not less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the external links are less than the preset threshold, the reproduced Web page is displayed to the user.
- the preset threshold of internal links in the total number of links is 80%. If the user accesses the fake website by clicking, the number of internal links belonging to the same domain as the address accessed by the user by clicking is small. Assume that in this case the percentage of internal links in the total number of links is approximately 5%. Since 5% is much smaller than 80%, this indicates that there may be a phishing attack, in which case the user is warned of a possible phishing attack.
- each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
- the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
- FIG. 3 it illustrates a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present invention.
- the system 300 for preventing phishing attacks comprises: an acquiring component 302 configured to acquire the links in a Web page; a classifying component 304 configured to classify the acquired links according to link types; and a determining component 306 configured to determine whether there is a phishing attack according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page and external links belonging to a different domain from the address of the Web page.
- the acquiring component 302 is further configured to acquire links in the Web page by scanning the source code of the Web page.
- the system 300 for preventing phishing attacks further comprises: a calculating component (not shown) configured to calculate the percentage of the links of a respective type in the total number of links; and a comparing component (not shown) configured to compare the percentage of the links of the respective type in the total number of links with a preset threshold.
- the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the internal links are less than a preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the internal links are not less than the preset threshold.
- the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the external links are not less than the preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the external links are less than the preset threshold.
- aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in a medium of expression having computer readable program code embodied thereon.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
- a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
- the computer readable signal medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave.
- the propagated signal can be in various forms, including but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing.
- the computer readable signal medium can be any computer readable medium that is not a computer readable storage medium, but that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
- the program code embodied in the computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc, or any suitable combination of the foregoing.
- Computer program code for carrying out operations in embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- LAN local area network
- WAN wide area network
- Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
- These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
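The link-ratio check of steps 204 to 208 described above can be sketched as follows. This is an added example, not code from the patent: the domain names, the same-owner list, the excluded third-party list and all function names are constructed assumptions, and the zero-link case is handled in a way the patent does not specify. Domain matching here is a simplification (strip "www.", match subdomains); a production check would compare registrable domains using the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Link-bearing attributes listed in the description:
# <a href>, <script src>, <img src>, <iframe src>, <form action>.
LINK_ATTRS = {"a": "href", "script": "src", "img": "src",
              "iframe": "src", "form": "action"}

# Constructed sample data (assumptions, not taken from the patent).
SAME_OWNER = [{"bank.example", "bank-static.example"}]  # domains of one company
EXCLUDED_THIRD_PARTIES = {"ads.example.org"}            # common service providers

# Constructed markup: the same source is evaluated under two page addresses.
SAMPLE_HTML = """
<script src="http://www.bank.example/js/site.js"></script>
<script src="http://ads.example.org/track.js"></script>
<img src="http://www.bank.example/img/logo.gif">
<img src="http://www.bank.example/img/banner.jpg">
<a href="http://www.bank.example/help">Help</a>
<a href="http://www.bank.example/privacy">Privacy</a>
<a href="https://bank-static.example/terms">Terms</a>
<a href="mailto:support@bank.example">Contact</a>
<Form Action="collect.php" method="post"><input name="pin"></Form>
"""


class LinkCollector(HTMLParser):
    """Step 204: collect raw link values by scanning the page source."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)  # HTMLParser lower-cases tag and attribute names
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.links.append(value.strip())


def base_domain(host):
    """Naive normalisation: lower-case and drop a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def covered(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def same_domain(link_host, page_host):
    """Internal if the hosts match, nest, or belong to one owner group."""
    a, b = base_domain(link_host), base_domain(page_host)
    if a == b or a.endswith("." + b) or b.endswith("." + a):
        return True
    return any(covered(a, g) and covered(b, g) for g in SAME_OWNER)


def classify_links(page_url, html):
    """Step 206: split links into internal and external lists."""
    parser = LinkCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    internal, external = [], []
    for raw in parser.links:
        try:
            parts = urlsplit(urljoin(page_url, raw))  # resolve relative links
        except ValueError:
            continue                                  # unparseable value
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                                  # mailto:, javascript:, data:
        if covered(base_domain(parts.hostname), EXCLUDED_THIRD_PARTIES):
            continue                                  # whitelisted service provider
        bucket = internal if same_domain(parts.hostname, page_host) else external
        bucket.append(parts.geturl())
    return internal, external


def assess(page_url, html, internal_threshold=80.0):
    """Step 208: warn when the internal-link percentage is below the threshold."""
    internal, external = classify_links(page_url, html)
    total = len(internal) + len(external)
    if total == 0:  # assumption: no ratio can be computed, so no verdict is given
        return {"verdict": "no-links", "internal_pct": None,
                "internal": internal, "external": external}
    pct = 100.0 * len(internal) / total
    return {"verdict": "warn" if pct < internal_threshold else "display",
            "internal_pct": pct, "internal": internal, "external": external}


if __name__ == "__main__":
    for url in ("http://portal.example.net/login", "https://www.bank.example/"):
        result = assess(url, SAMPLE_HTML)
        print(url, result["verdict"], round(result["internal_pct"], 1))
```

Served from the constructed look-alike host, only the form target is internal, so the page falls far below the 80% threshold; the identical markup served from the owner's own domain is entirely internal.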
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Information Transfer Between Computers (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
- This application claims the benefit of priority to Chinese Patent Application No. 201110215504.1, filed on Jul. 29, 2011, the contents of which are hereby incorporated by reference.
- The present invention relates to network security, more particularly, to a method and system for preventing phishing attacks.
- A phishing attack is a criminal fraud technique that attempts to obtain sensitive personal information such as usernames, passwords and credit card details by using electronic communications that masquerade as a trustworthy legitimate entity. These communications usually claim to come from Internet banks, electronic payment websites, online retailers, credit card companies or network administrators, in order to deceive credulous victims. Phishing attacks are usually carried out through emails or instant messages. They usually direct the user to a fake website whose interface looks highly similar to the genuine legitimate website, to trick the user into entering sensitive personal information. These fake websites usually have Web pages highly similar to those of trusted brands such as Internet banks, electronic payment websites, online retailers and credit card companies, and victims often leak sensitive information such as credit card numbers, bank card accounts and ID card numbers. Currently there are many methods and tools that help users detect these fake websites and avoid exposing their private information, e.g., SSL secure connections, digital certificates, or blacklists that shield against phishing websites. These methods solve part of the problem, but each has its disadvantages. For example, it is still difficult to detect whether a website is a fake website even over an SSL secure connection.
- Illustrative embodiments of the present disclosure have recognized the above disadvantages in the prior art. To this end, the present disclosure provides a lightweight solution capable of helping ordinary users to identify some common types of phishing attacks and thus to prevent unnecessary losses caused thereby.
- According to an embodiment of the present disclosure, there is provided a method for preventing phishing attacks, comprising: scanning a Web page; acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
- According to another embodiment of the present disclosure, the determining whether a phishing attack exists according to the classified links comprises calculating the percentage of the links of a respective type in the total number of links; comparing the calculated percentage of the links of a respective type in the total number of links with a preset threshold; and determining whether a phishing attack exists using the comparison result.
- According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are less than the preset threshold, warning the user of a possible phishing attack.
- According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are not less than the preset threshold, displaying the Web page to the user.
- According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are not less than the preset threshold, warning the user of a possible phishing attack.
- According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are less than the preset threshold, displaying the Web page to the user.
- According to an embodiment of the present disclosure, there is provided a system for preventing phishing attacks, comprising: an acquiring component configured to acquire links in a Web page; a classifying component configured to classify the acquired links according to link types; and a determining component configured to determine whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
- Furthermore, an embodiment of the present disclosure further provides a computer program product corresponding to the above method.
- By implementing the method or system according to the above one or more embodiments of the present disclosure, since a reproduced Web page is first detected to determine whether it is a fake website of a phishing attack before it is displayed to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented.
- The present disclosure may be better understood by referring to the following description when read in conjunction with the accompanying drawings, wherein the same or similar reference numerals are used to denote the same or similar components. The accompanying drawings together with the following detailed description are included in the specification and form part thereof, to further illustrate preferred embodiments of the present disclosure and to explain the principles and advantages of the present disclosure. In the drawings:
- FIG. 1 shows a block diagram of an exemplary computer system 100 suitable for realizing embodiments of the present invention;
- FIG. 2 shows a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present disclosure;
- FIG. 3 shows a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present disclosure.
- Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings. For clarity and simplicity, not all the features of the actual embodiments are described herein. However, it should be understood that many decisions specific to the actual embodiments must be made during the process of developing the actual embodiments, so as to realize the specific objects of the developers, e.g., complying with those constraints related to the system and business, which constraints may change with different embodiments. In addition, it should be further understood that although the development may be complex and time-consuming, the development work is merely a routine task for those skilled in the art with the benefit of the contents of the present disclosure.
- It should also be pointed out here that, in order to prevent the present disclosure from being unnecessarily obscured by details, the drawings only illustrate the apparatus structures and/or processing steps closely related to the solutions according to the present disclosure while omitting the other details with little relevance to the present disclosure.
- The attacker in a phishing attack usually constructs a fake website using the resources of a genuine legitimate website; that is, webpage resources of the fake website such as styles, images and links are acquired from the genuine legitimate website. The user interface of the fake website is therefore usually highly similar to that of the genuine legitimate website, which makes it easy to gain the trust of users and thus to deceive them. The attacker usually points the parts of the fake website that ask the user to input and submit sensitive personal information at a preset address. When the user inputs and submits sensitive personal information, it seems to the user that he has submitted it to the genuine legitimate website, while he has actually submitted it to the attacker.
- With respect to the above common phishing attack method, there is provided a method and system according to one or more embodiments of the present disclosure.
- In the following, embodiments of the method and system for preventing phishing attacks according to the present disclosure will be described in detail in conjunction with the figures.
- Now referring to FIG. 1, it shows a block diagram of an exemplary computer system 100 suitable for realizing one or more embodiments of the present disclosure. As shown, the computer system 100 includes: CPU (Central Processing Unit) 101, RAM (Random Access Memory) 102, ROM (Read-Only Memory) 103, system bus 104, hard disk controller 105, keyboard controller 106, serial interface controller 107, parallel interface controller 108, display controller 109, hard disk 110, keyboard 111, serial peripheral device 112, parallel peripheral device 113 and display 114. Among these devices, those coupled with the system bus 104 are CPU 101, RAM 102, ROM 103, hard disk controller 105, keyboard controller 106, serial controller 107, parallel controller 108 and display controller 109. Hard disk 110 is coupled with hard disk controller 105, keyboard 111 is coupled with keyboard controller 106, serial peripheral device 112 is coupled with serial interface controller 107, parallel peripheral 113 is coupled with parallel interface controller 108, and display 114 is coupled with display controller 109. It should be understood that the block diagram of FIG. 1 is only shown for the purpose of exemplification, rather than limitation to the scope of the present invention. In some circumstances, some devices may be added or removed as required by specific conditions.
- Now referring to FIG. 2, it illustrates a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present invention. The method 200 for preventing phishing attacks according to an embodiment of the present invention begins with step 202.
- Next, the method 200 proceeds to step 204, in which the links in the Web page are acquired. The links in the Web page may be acquired by scanning the source code of the Web page. These links include:
- HTML <a> href attribute, which specifies the address to which a link is directed;
- HTML <script> src attribute, which specifies the source address of an external script file;
- HTML <img> src attribute, which specifies the source address of an image;
- HTML <iFrame> src attribute, which specifies the source address of the document to be displayed in the iFrame;
- HTML <Form> Action attribute, which specifies the target address to which the form is submitted, and so on.
- Above are listed some examples of attributes related to links in HTML. It should be understood that above are listed only some examples of links in Web page, and other HTML tags and attributes related to links, or tags, attributes and contents related to links in other markup languages such as XHTML, XML, etc., are known to the skilled in the art and not listed here.
- According to the observation of the inventor of the present disclosure, fake websites constructed using the resources of a genuine legitimate website generally share the following features:
- 1) Most resources in the Web page of a fake website are acquired from the genuine legitimate website;
- 2) The parts that require a user to input and submit sensitive information are directed to an address preset by the attacker;
- 3) The address of the fake website and that of the genuine legitimate website belong to different domains;
- 4) The address preset by the attacker and that of the genuine legitimate website belong to different domains.
- The following is an example of a fake website. The attacker poses as HSBC to send an email or an IM (instant messaging) message to a user; when the user clicks the link in the email or IM message sent by the attacker, he will be directed to a fake website with the address of http://qingadian.com/. The fake website has a webpage highly similar to that of the genuine HSBC website, so as to deceive the user into inputting personal sensitive information. The genuine legitimate HSBC website is http://www.hsbc.com.hk/. It can be seen by checking the code of the fake website that most resources in the fake website page are acquired from the genuine legitimate website; refer to the code segments given below.

```html
<script src='/1/PA_1_3_S5/content/hongkongpws/theme/js/pws_default.js' type="text/JavaScript"></script>
<div class="containerGlobal"><div class="containerEntity"><div class="hsbcEntity">
<div class="hsbcEntityTextArea01">Hong Kong</div>
<div class="hsbcEntityTextArea02">
<ul>
<li class="hsbcEntityTabSelected"><a href="/1/2/home?fbc=HomeEngTopMenu">Home</a></li>
<li><a href="/1/2/hk/personal?fbc=HomeEngTopMenu">Personal</a></li>
<li><a href="/1/2/hsbcpremier/home?fbc=HomeEngTopMenu">HSBC Premier</a></li>
<li><a href="/1/2/hsbcadvance/home?fbc=HomeEngTopMenu">HSBC Advance</a></li>
<li><a href="http://www.commercial.hsbc.com.hk/1/2/commercial/home" 'width= '+screen.width+', height='+screen.height*0.88+',location=yes,directories=no, menubar=yes,toolbar=yes,scrollbars=yes,status=yes, resizable=yes,left=0,top=0'); return false;">Commercial</a></li>
<li><a href="http://www.hsbcnet.com/hsbc" target="_blank" > ('http://www.hsbcnet.com/hsbc','_blank','width='+screen.width+',height='+screen. height*0.88+',location=yes,directories=no,menubar=yes,toolbar=yes,scrollbars=yes, status=yes,resizable=yes,left=0,top=0');return false;">Corporate</a></li>
<li><a href="/1/2/mpf/home?fbc=HomeEngTopMenu">MPF</a></li>
<li><a href="/1/2/hsbcgreaterchina?fbc=HomeEngTopMenu">Greater China</a></li>
<li><a href="/1/2/about/home?fbc=HomeEngTopMenu">About HSBC</a></li>
<li><a href="/1/2/careers/home?fbc=HomeEngTopMenu">Careers</a></li>
<li><a href="/1/2/contact-us?fbc=HomeEngTopMenu">Contact us</a></li>
</ul>
</div>
</div>
</div></div></div>
... ....
<p class="red"><strong>Personal Internet Banking</strong><br />
<span style="display:block;float:left;"><a href="javascript:void(0)" > 'width='+screen.width+',height='+screen.height*0.88+',location=no, directories=no, menubar=no,toolbar=no,scrollbars=yes,status=yes,resizable=yes,left=0,top=0'); "><img src="/1/PA_1_3_S5/content/hongkongpws/hk_home/images/logon.gif" alt="Logon" /></a></span>
```

- It can be clearly seen from the code of the fake website given above that most webpage resources in the fake website are acquired from the genuine legitimate website, while the part requiring the user to input personal sensitive information is directed to the address preset by the attacker, i.e., http://qiangadian.com/qingdaohuadian/CRM/login/IBlogin.html. In other words, the user will be directed to the above address by clicking the Logon button on the fake website.
- According to an embodiment of the present disclosure, the links are classified into two types:
- 1) internal links, whose link addresses belong to the same domain as the address of the Web page;
- 2) external links, whose link addresses belong to a different domain from the address of the Web page;
wherein the user accesses the above Web page by clicking the link in the email or IM message.
- Here the domain refers to a domain name. Links of different domain names belonging to a same company are considered to be of the same type. For example, the domain names of www.qq.com, www.tencent.com, etc. belong to Tencent Corp., i.e., links involving the above two domain names are links of the same type; similarly, the domain names of www.sina.com, www.sinaimg.com, weibo.com, etc. all belong to Sina Corp.; and the domain names of www.boc.cn, www.bankofchina.com, etc. all belong to Bank of China, and so on. Different domain names belonging to a same company may be stored in advance in a database in the form of a list or in other forms. In other words, if the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are identical or belong to the same company, then this link is an internal link. If the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are not identical, nor do they belong to the same company, then the link is an external link.
- Next, the method 200 proceeds to step 206, in which the acquired links are classified. As mentioned above, the links are classified into the two types of internal links and external links according to an embodiment of the present disclosure. At step 206, the acquired links are classified according to the link types, i.e., whether they belong to internal links or external links. Thus, after step 206 is performed, the number of the links belonging to internal links and the number of the links belonging to external links are obtained.
- According to an embodiment of the present disclosure, in the process of acquiring the links in the Web page or classifying the links, common links of third-party legitimate websites that provide services, such as Google® AdWords® that provides advertising services, or Microsoft® Bing® that provides searching services, etc., may be excluded. These third-party legitimate websites that need to be excluded may be stored in advance in a database in the form of a list or in other forms, so that the links of the common third-party legitimate websites that provide services may be excluded by means of querying the list in the process of acquiring links in the Web page or classifying the links.
- Next, the method 200 proceeds to step 208, in which it is determined whether there is a phishing attack according to the classified links. According to an embodiment of the present disclosure, it is determined whether there is a phishing attack according to the classified links by calculating the percentage of the links of a respective type in the total number of links; and comparing the calculated percentage of the links of the respective type in the total number of links with a preset threshold. According to an embodiment of the present disclosure, links are classified into internal links and external links, and the percentages of internal links and external links in the total number of links are calculated. Then, the calculated percentage of internal links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the internal links are less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the internal links are not less than the preset threshold, the reproduced Web page is displayed to the user.
- According to another embodiment of the present disclosure, the calculated percentage of external links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the external links are not less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the external links are less than the preset threshold, the reproduced Web page is displayed to the user.
- Taking the above fake website as an example, assume that the user clicks the link in the email or IM message sent by the attacker; he will then be directed to the address http://qingadian.com/. By scanning the page corresponding to the above address, all links therein are acquired. Then, the acquired links in the page are classified according to the link types, i.e., whether they belong to the internal links or external links, and the percentage of the links of a respective type in the total number of links is calculated. For the above fake website, since most page resources of the fake website are acquired from the genuine legitimate website http://www.hsbc.com.hk/, the number of internal links belonging to the same domain as the address (i.e., http://qiangadian.com/) accessed by the user by clicking is small (usually only the links corresponding to the parts that require the user to input personal sensitive information), while most links are from the genuine legitimate website, i.e., http://www.hsbc.com.hk/. If the address accessed by the user by clicking were the genuine legitimate website, i.e., http://www.hsbc.com.hk/, the internal links belonging to the same domain as the address accessed by the user by clicking would have been the majority. Therefore, assume that the preset threshold of internal links in the total number of links is 80%. If the user accesses the fake website by clicking, the number of internal links belonging to the same domain as the address accessed by the user by clicking is small. Assume that in this case the percentage of internal links in the total number of links is approximately 5%. Since 5% is much smaller than 80%, this indicates that there may be a phishing attack, in which case the user is warned of a possible phishing attack.
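The following Python code is an added example, not part of the original disclosure: it carries steps 204 to 208 through on two constructed pages, using the internal-link embodiment and the 80% threshold from the worked example above. The `.example` domains, the same-owner and excluded-service lists, and all function names are assumptions; domain matching by listed suffix stands in for a proper registrable-domain lookup, and the handling of a page with no countable links is a choice the description does not specify.

```python
"""Link-ratio check for steps 204-208 (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute pairs the description lists as links.
LINK_ATTRS = {"a": "href", "script": "src", "img": "src",
              "iframe": "src", "form": "action"}

# Constructed stand-ins for the pre-stored lists the description mentions.
SAME_OWNER = [{"bank.example", "bank-static.example"}]  # one company, two domains
EXCLUDED = {"ads.example", "search.example"}            # common third-party services


class LinkCollector(HTMLParser):
    """Step 204: scan the page source and collect absolute link addresses."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # relative URLs resolve against this
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes where every later relative URL points.
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = LINK_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.links.append(urljoin(self.base, attrs[attr].strip()))


def _matches(host, domain):
    return host == domain or host.endswith("." + domain)


def owner_key(host):
    """Map a host name to a label shared by all domains of the same company."""
    host = (host or "").lower().rstrip(".")
    for group in SAME_OWNER:
        if any(_matches(host, d) for d in group):
            return sorted(group)[0]
    return host[4:] if host.startswith("www.") else host


def classify(links, page_url):
    """Step 206: count internal and external links relative to the page address."""
    page_owner = owner_key(urlsplit(page_url).hostname)
    internal = external = 0
    for link in links:
        parts = urlsplit(link)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # javascript:, mailto:, data: carry no domain to compare
        if any(_matches(parts.hostname, d) for d in EXCLUDED):
            continue  # excluded third-party service
        if owner_key(parts.hostname) == page_owner:
            internal += 1
        else:
            external += 1
    return internal, external


def assess(html, page_url, threshold=0.80):
    """Step 208: warn when the share of internal links is below the threshold."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    internal, external = classify(collector.links, page_url)
    total = internal + external
    if total == 0:  # assumption: no countable links means no verdict, no warning
        return {"internal": 0, "external": 0, "ratio": None, "warn": False}
    ratio = internal / total
    return {"internal": internal, "external": external,
            "ratio": ratio, "warn": ratio < threshold}


# Constructed page served from lookalike.example that borrows another site's resources.
SUSPECT_PAGE = """<html><head>
<script src="http://www.bank.example/theme/js/default.js"></script>
<script src="http://ads.example/tag.js"></script></head><body>
<a href="http://www.bank.example/home">Home</a>
<a href="http://www.bank.example/personal">Personal</a>
<a href="http://www.bank-static.example/premier">Premier</a>
<a href="javascript:void(0)">Help</a>
<img src="http://www.bank.example/images/logon.gif" alt="Logon">
<form action="/login/collect" method="post"><input name="user"></form>
</body></html>"""

# Constructed page served from the genuine site itself.
GENUINE_PAGE = """<html><head><script src="/theme/js/default.js"></script></head><body>
<a href="/home">Home</a> <a href="/personal">Personal</a>
<img src="http://www.bank-static.example/images/logon.gif" alt="Logon">
<form action="https://www.bank.example/logon" method="post"></form>
<a href="http://partner.example/offers">Offers</a>
</body></html>"""

if __name__ == "__main__":
    print(assess(SUSPECT_PAGE, "http://lookalike.example/"))
    print(assess(GENUINE_PAGE, "http://www.bank.example/"))
```

Relative addresses are resolved against the page address, or against a `<base href>` when the page declares one, before they are classified, so the count reflects where the browser would actually send each request.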
- Above are described the method and system according to one or more embodiments of the present disclosure. The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
- Now referring to FIG. 3, it illustrates a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present invention.
- The system 300 for preventing phishing attacks according to an embodiment of the present disclosure comprises: an acquiring component 302 configured to acquire the links in a Web page; a classifying component 304 configured to classify the acquired links according to link types; and a determining component 306 configured to determine whether there is a phishing attack according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page and external links belonging to a different domain from the address of the Web page. According to an embodiment of the present disclosure, the acquiring component 302 is further configured to acquire links in the Web page by scanning the source code of the Web page.
- According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: a calculating component (not shown) configured to calculate the percentage of the links of a respective type in the total number of links; and a comparing component (not shown) configured to compare the percentage of the links of the respective type in the total number of links with a preset threshold.
- According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the internal links are less than a preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the internal links are not less than the preset threshold.
- According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the external links are not less than the preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the external links are less than the preset threshold.
- Those skilled in the art will appreciate that aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in a medium of expression having computer readable program code embodied thereon.
- Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
- The computer readable signal medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The propagated signal can be in various forms, including but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. The computer readable signal medium can be any computer readable medium that is not a computer readable storage medium, but that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
- The program code embodied in the computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc, or any suitable combination of the foregoing.
- Computer program code for carrying out operations in embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- Aspects of the present disclosure are described with reference to the flowchart illustrations and/or block diagrams of the methods, apparatus (systems) and computer product. It will be understood that, each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- It should be further pointed out that in the apparatus and method of the present disclosure, obviously the components or steps may be decomposed and/or recombined. The decomposition and/or recombination may be viewed as equivalent solutions of the present disclosure. Moreover, the steps executing the above series of processing may be naturally performed in time order according to the sequence of the description, but they may not necessarily be performed in time order. Some steps may be performed in parallel or independently of each other.
- Although the present disclosure and advantages thereof have been described in detail, it will be understood that various changes, substitution and transformation may be made thereto without departing from the spirit and scope of the present disclosure. Further, the terms “comprises”, “comprising,” or any variants thereof are intended to cover nonexclusive inclusion, such that a process, method, article or apparatus comprising a series of elements may not only comprise those elements, but may also comprise other elements, or comprise elements inherent to the process, method, article or apparatus. Without further limitation, an element specified by the phrase “comprising a” does not exclude the presence of other identical elements in the process, method, article or apparatus comprising the element.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/564,797 US9747441B2 (en) | 2011-07-29 | 2012-08-02 | Preventing phishing attacks |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011102155041A CN102902917A (en) | 2011-07-29 | 2011-07-29 | Method and system for preventing phishing attacks |
CN201110215504.1 | 2011-07-29 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/564,797 Continuation US9747441B2 (en) | 2011-07-29 | 2012-08-02 | Preventing phishing attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
US20130031627A1 true US20130031627A1 (en) | 2013-01-31 |
Family
ID=47575144
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/543,935 Abandoned US20130031627A1 (en) | 2011-07-29 | 2012-07-09 | Method and System for Preventing Phishing Attacks |
US13/564,797 Active 2034-11-12 US9747441B2 (en) | 2011-07-29 | 2012-08-02 | Preventing phishing attacks |
Country Status (2)
Country | Link |
---|---|
US (2) | US20130031627A1 (en) |
CN (1) | CN102902917A (en) |
- 2011-07-29: CN application CN2011102155041A (CN102902917A), status: Pending
- 2012-07-09: US application US13/543,935 (US20130031627A1), status: Abandoned
- 2012-08-02: US application US13/564,797 (US9747441B2), status: Active
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070107053A1 (en) * | 2004-05-02 | 2007-05-10 | Markmonitor, Inc. | Enhanced responses to online fraud |
US20060015722A1 (en) * | 2004-07-16 | 2006-01-19 | Geotrust | Security systems and services to provide identity and uniform resource identifier verification |
US20060168202A1 (en) * | 2004-12-13 | 2006-07-27 | Eran Reshef | System and method for deterring rogue users from attacking protected legitimate users |
US8429545B2 (en) * | 2005-05-03 | 2013-04-23 | Mcafee, Inc. | System, method, and computer program product for presenting an indicia of risk reflecting an analysis associated with search results within a graphical user interface |
US7681234B2 (en) * | 2005-06-30 | 2010-03-16 | Microsoft Corporation | Preventing phishing attacks |
US8312538B2 (en) * | 2005-08-30 | 2012-11-13 | Passlogy Co., Ltd. | Site check method |
US7849507B1 (en) * | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for filtering server responses |
US7668921B2 (en) * | 2006-05-30 | 2010-02-23 | Xerox Corporation | Method and system for phishing detection |
US8020206B2 (en) * | 2006-07-10 | 2011-09-13 | Websense, Inc. | System and method of analyzing web content |
US20080127319A1 (en) * | 2006-11-29 | 2008-05-29 | Yahoo! Inc. | Client based online fraud prevention |
US20080172738A1 (en) * | 2007-01-11 | 2008-07-17 | Cary Lee Bates | Method for Detecting and Remediating Misleading Hyperlinks |
US8321936B1 (en) * | 2007-05-30 | 2012-11-27 | M86 Security, Inc. | System and method for malicious software detection in multiple protocols |
US20090077383A1 (en) * | 2007-08-06 | 2009-03-19 | De Monseignat Bernard | System and method for authentication, data transfer, and protection against phishing |
US20090089859A1 (en) * | 2007-09-28 | 2009-04-02 | Cook Debra L | Method and apparatus for detecting phishing attempts solicited by electronic mail |
US8468597B1 (en) * | 2008-12-30 | 2013-06-18 | Uab Research Foundation | System and method for identifying a phishing website |
US8346878B2 (en) * | 2009-11-06 | 2013-01-01 | International Business Machines Corporation | Flagging resource pointers depending on user environment |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9667645B1 (en) | 2013-02-08 | 2017-05-30 | PhishMe, Inc. | Performance benchmarking for simulated phishing attacks |
US9246936B1 (en) | 2013-02-08 | 2016-01-26 | PhishMe, Inc. | Performance benchmarking for simulated phishing attacks |
US9253207B2 (en) | 2013-02-08 | 2016-02-02 | PhishMe, Inc. | Collaborative phishing attack detection |
US10819744B1 (en) | 2013-02-08 | 2020-10-27 | Cofense Inc | Collaborative phishing attack detection |
US9325730B2 (en) * | 2013-02-08 | 2016-04-26 | PhishMe, Inc. | Collaborative phishing attack detection |
US10187407B1 (en) | 2013-02-08 | 2019-01-22 | Cofense Inc. | Collaborative phishing attack detection |
US9356948B2 (en) | 2013-02-08 | 2016-05-31 | PhishMe, Inc. | Collaborative phishing attack detection |
US9398038B2 (en) | 2013-02-08 | 2016-07-19 | PhishMe, Inc. | Collaborative phishing attack detection |
US9591017B1 (en) | 2013-02-08 | 2017-03-07 | PhishMe, Inc. | Collaborative phishing attack detection |
US9674221B1 (en) | 2013-02-08 | 2017-06-06 | PhishMe, Inc. | Collaborative phishing attack detection |
US20150180896A1 (en) * | 2013-02-08 | 2015-06-25 | PhishMe, Inc. | Collaborative phishing attack detection |
US9635042B2 (en) | 2013-03-11 | 2017-04-25 | Bank Of America Corporation | Risk ranking referential links in electronic messages |
US9344449B2 (en) | 2013-03-11 | 2016-05-17 | Bank Of America Corporation | Risk ranking referential links in electronic messages |
US9262629B2 (en) | 2014-01-21 | 2016-02-16 | PhishMe, Inc. | Methods and systems for preventing malicious use of phishing simulation records |
US9906554B2 (en) | 2015-04-10 | 2018-02-27 | PhishMe, Inc. | Suspicious message processing and incident response |
US9906539B2 (en) | 2015-04-10 | 2018-02-27 | PhishMe, Inc. | Suspicious message processing and incident response |
WO2017044432A1 (en) * | 2015-09-11 | 2017-03-16 | Okta, Inc. | Secured user credential management |
US10505980B2 (en) | 2015-09-11 | 2019-12-10 | Okta, Inc. | Secured user credential management |
JP2017123142A (en) * | 2015-09-30 | 2017-07-13 | エーオー カスペルスキー ラボAO Kaspersky Lab | System and method for detection of phishing script |
CN114006746A (en) * | 2021-10-26 | 2022-02-01 | 深信服科技股份有限公司 | Attack detection method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
US20130031628A1 (en) | 2013-01-31 |
CN102902917A (en) | 2013-01-30 |
US9747441B2 (en) | 2017-08-29 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US9747441B2 (en) | Preventing phishing attacks | |
US11727114B2 (en) | Systems and methods for remote detection of software through browser webinjects | |
US11381598B2 (en) | Phishing detection using certificates associated with uniform resource locators | |
US9223977B2 (en) | Detection of DOM-based cross-site scripting vulnerabilities | |
US11671448B2 (en) | Phishing detection using uniform resource locators | |
US9489515B2 (en) | System and method for blocking the transmission of sensitive data using dynamic data tainting | |
US8839401B2 (en) | Malicious message detection and processing | |
US9129116B1 (en) | System and method for indicating security | |
US12021894B2 (en) | Phishing detection based on modeling of web page content | |
US20140330962A1 (en) | Unified tracking data management | |
US8347381B1 (en) | Detecting malicious social networking profiles | |
CN112703496B (en) | Content policy based notification to application users regarding malicious browser plug-ins | |
US20140283078A1 (en) | Scanning and filtering of hosted content | |
US20190222587A1 (en) | System and method for detection of attacks in a computer network using deception elements | |
US20190044967A1 (en) | Identification of a malicious string | |
US11470114B2 (en) | Malware and phishing detection and mediation platform | |
US20230021885A1 (en) | Phishing Mitigation Service | |
US10474810B2 (en) | Controlling access to web resources | |
US12120133B1 (en) | Request header anomaly detection | |
Cvitić et al. | Defining cross-site scripting attack resilience guidelines based on BeEF framework simulation | |
US11640479B1 (en) | Mitigating website privacy issues by automatically identifying cookie sharing risks in a cookie ecosystem | |
WO2021133592A1 (en) | Malware and phishing detection and mediation platform | |
EP4184356A1 (en) | Webpage integrity monitoring | |
Guru et al. | A Survey Paper on Browser Extensions to Detect Web Attacks | |
US20240338447A1 (en) | Automated attack chain following by a threat analysis platform |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WANG, BIN;XIE, LIN;SONG, YIN;AND OTHERS;REEL/FRAME:028510/0272 Effective date: 20120621 |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
AS | Assignment | Owner name: AWEMANE LTD., CAYMAN ISLANDS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:057991/0960 Effective date: 20210826 |
AS | Assignment | Owner name: BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD., CHINA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AWEMANE LTD.;REEL/FRAME:064501/0498 Effective date: 20230302 |
AS | Assignment | Owner name: BEIJING ZITIAO NETWORK TECHNOLOGY CO., LTD., CHINA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD.;REEL/FRAME:066565/0952 Effective date: 20231130 |