US20080163369A1 - Dynamic phishing detection methods and apparatus - Google Patents

Publication number
US20080163369A1
Authority
US
United States
Prior art keywords
website
webpage
hyperlink
transaction
websites
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/617,569
Inventor
Ming-Tai Allen Chang
Yu-Fang Eddie Tsai
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Trend Micro Inc
Original Assignee
Trend Micro Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Trend Micro Inc
Priority to US11/617,569
Assigned to TREND MICRO INCORPORATED. Assignment of assignors interest (see document for details). Assignors: CHANG, MING-TAI ALLEN; TSAI, YU-FANG EDDIE
Publication of US20080163369A1
Priority to US16/545,995 (patent US10951636B2)
Current legal status: Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Definitions

  • Phishing represents a fraudulent technique employed to obtain confidential transaction information (such as user name, password, financial information, credit card information, etc.) from computer users for misuse.
  • the phisher employs a phishing server to send an apparently official electronic communication (such as an official looking email) to the victim.
  • the email would typically come from an XYZ bank email address and contain official-looking logos and language to deceive the victim into believing that the email is legitimate.
  • the phisher's email typically includes language urging the victim to access the website of XYZ bank in order to verify some information or to confirm some transaction.
  • the email also typically includes a link for use by the victim to supposedly access the website of XYZ bank.
  • the sham website referred to herein as the phishing website, would then ask for confidential information from the victim. Since the victim had been told in advance that the purpose of clicking on the link is to verify some account information or to confirm some transaction, many victims unquestioningly enter the requested information.
  • the confidential information is collected by the phisher, the phisher can subsequently employ the information to perpetrate fraud on the victim by stealing money from the victim's account, by purchasing goods using the account funds, etc.
  • FIG. 1 illustrates an example of a phishing attack.
  • a phisher 102 (typically an email server that is under control of a human phisher)
  • the email may, for example, attempt to convince the recipient 108 to update his account by clicking on an attached link to access a webpage. If the recipient 108 clicks on the link, the webpage that opens would then request the user to enter the user's confidential information such as userid, password, account number, etc.
  • the user's confidential information is sent (110) to a phishing website 112.
  • Phishing website 112 collects the user's confidential information to allow the phisher to perpetrate fraud on the user.
  • Because phishers actually divert the victim to another website other than the website of the legitimate business that the victim intended to visit, some knowledgeable users may be able to spot the difference in the website domain names and may become alert to the possibility that a phishing attack is being attempted. For example, if a victim is taken to a website whose domain name “https://218.246.224.203/icons/cgi-bin/xyzbank/login.php” appears in the browser's URL address bar, that victim may be alert to the fact that the phisher's website URL address as shown on the browser's URL toolbar is different from the usual “https://www.xyzbank.com/us/cgi-bin/login.php” and may refuse to furnish the confidential information out of suspicion.
  • many users are not sophisticated or always vigilant against phishing attempts. Accordingly, relying on users to stay on guard against phishing attempts has proven to be an inadequate response to the phishing problem.
  • Phishing can also be detected via phishing detection software and/or hardware.
  • URL filtering may be employed by the prior art phishing detection software to detect whether a particular website is a known phishing website.
  • if the website with IP address 218.246.224.203 is known to be a phishing website, an attempt to access that website by the user (such as done when the user responds to an email sent from the phisher's server by clicking on a link in the email) will be detected by the phishing detection software, and the attempted access to the phishing webpage will be denied.
  • URL filtering requires the prior knowledge pertaining to whether a particular website is a phishing website. If a phisher sets up a new website for the purpose of committing phishing fraud, and the new website has a new IP address that has not yet been detected as a phishing website, URL filtering by the prior art phishing detection software would not be able to detect this newly set up website as a phishing website.
  • the invention relates, in an embodiment, to a computer-implemented method for detecting a phishing attempt by a given website.
  • the computer-implemented method includes receiving a webpage from the given website, which includes computer-readable code for the webpage.
  • the computer-implemented method also includes ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with the given website or a website different from the given website.
  • the computer-implemented method further includes performing linking relationship analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes determining whether a first website that is associated with a webpage referenced by a first one of the set of hyperlink references is in a bi-directional linking relationship with the given website or in a uni-directional linking relationship with the given website.
  • the first website is one of the subset of websites.
  • the computer-implemented method yet also includes, if the first website is in the bi-directional linking relationship with the given website, designating the given website a non-phishing website.
  • the computer-implemented method yet further includes, if the first website is in the uni-directional linking relationship with the given website, performing anti-phishing measures with respect to the given website.
  • the invention in another embodiment, relates to a computer-implemented method for detecting a phishing attempt by a given website.
  • the computer-implemented method includes receiving a webpage from the given website, which includes computer-readable code for the webpage.
  • the computer-implemented method also includes obtaining from the computer readable code a transaction destination URL, which includes representing a destination URL for transaction information requested by the webpage.
  • the computer-implemented method further includes ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with given website or a website different from the given website.
  • the computer-implemented method yet also includes performing transaction destination analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of the set of hyperlink references.
  • the first transaction destination URL represents a destination URL for transaction information requested by the transaction page in the first website.
  • the computer-implemented method yet further includes, if the transaction destination URL obtained from the computer readable code for the webpage from the given website is different from the first transaction destination URL, performing anti-phishing measures with respect to the given website.
  • the invention, in yet another embodiment, relates to an article of manufacture having thereon computer storage medium and computer readable code configured for detecting a phishing attempt by a given website.
  • the article of manufacture includes computer readable code for receiving a webpage from the given website, which includes computer-readable code for the webpage.
  • the article of manufacture also includes computer readable code for obtaining from the computer readable code a transaction destination URL, which includes representing a destination URL for transaction information requested by the webpage.
  • the article of manufacture further includes computer readable code for ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with given website or a website different from the given website.
  • the article of manufacture yet also includes performing transaction destination analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of the set of hyperlink references.
  • the first transaction destination URL represents a destination URL for transaction information requested by the transaction page in the first website.
  • the article of manufacture yet further includes, if the transaction destination URL obtained from the computer readable code for the webpage from the given website is different from the first transaction destination URL, performing anti-phishing measures with respect to the given website.
  • FIG. 1 illustrates an example of a phishing attack.
  • FIG. 2 shows, in accordance with an embodiment of the present invention, an example HTTP hyperlink analysis showing bi-directional hyperlinking between two webpages.
  • FIG. 3 shows, in accordance with an embodiment of the present invention, another example HTTP hyperlink analysis showing uni-directional hyperlinking between two webpages.
  • FIG. 4 shows, in accordance with an embodiment of the present invention, the steps for analyzing a suspect webpage.
  • FIG. 5 shows, in accordance with an embodiment of the invention, the steps for performing HTTP transaction analysis on a suspect webpage.
  • FIG. 6 shows, in accordance with an embodiment of the invention, an example of a pop-up window, which is presented to the user after a phishing attempt is detected.
  • the invention might also cover articles of manufacture that include a computer readable medium on which computer-readable instructions for carrying out embodiments of the inventive technique are stored.
  • the computer readable medium may include, for example, semiconductor, magnetic, opto-magnetic, optical, or other forms of computer readable medium for storing computer readable code.
  • the invention may also cover apparatuses for practicing embodiments of the invention. Such apparatus may include circuits, dedicated and/or programmable, to carry out tasks pertaining to embodiments of the invention. Examples of such apparatus include a general-purpose computer and/or a dedicated computing device when appropriately programmed and may include a combination of a computer/computing device and dedicated/programmable circuits adapted for the various tasks pertaining to embodiments of the invention.
  • a suspect webpage is a webpage that is suspected of being a phishing webpage and needs further analysis to resolve whether that webpage is indeed a phishing webpage.
  • the computer readable code (e.g., HTML or XML)
  • embodiments of the invention ascertain whether the suspect webpage originates from a phishing website and should be disallowed. In an embodiment, the determination is made without requiring prior knowledge regarding whether the web server or the website that transmits the suspect webpage has been implicated in phishing in the past.
  • the computer readable code for the webpage under examination (“UE webpage”) is analyzed for the presence of hyperlinks.
  • a hyperlink is a construct that allows component(s) of a webpage (the “link from” webpage) to be derived or obtained from component(s) of another webpage (the “link to” webpage).
  • a webpage “A” to be rendered may be implemented by computer readable code that includes a hyperlink to another webpage “B” so that certain components of webpage “B” can be rendered or executed in webpage “A.”
  • all websites associated with webpages linked to by the hyperlinks are analyzed for their linking relationships with the suspect webpage.
  • the hyperlinks are first ranked to determine the identity of the most relevant website(s). For example, it may be known that certain websites (e.g., the biggest banks) or certain types of websites (e.g., banks, auction sites, electronic payment sites) tend to be targeted by phishers, and these hyperlinked sites would have a higher score (for the purpose of determining whether they are relevant) than other hyperlinked sites. Alternatively or additionally, certain types of hyperlinks may be associated with a higher score (for the purpose of determining whether the hyperlinked sites are relevant) than others.
  • anchor hyperlinks or hyperlinks to certain types of web resources may be associated with higher scores than hyperlinks to static images.
  • the attacked website (i.e., the website that the phisher is attempting to imitate to deceive the user into providing confidential transaction information)
  • a linking relationship analysis is made to ascertain whether the link between the UE webpage and the attacked website is a uni-directional link or a bi-directional link.
  • a uni-directional link in this case refers to the link from the UE webpage to a webpage in the attacked website without a link back from the attacked website to the UE webpage.
  • the link is said to be bi-directional if there exist one or more links from the UE webpage to the attacked website and there also exist one or more links from the attacked website to the UE webpage.
  • the UE webpage is deemed to be a phishing webpage and anti-phishing measures may be undertaken.
  • the anti-phishing measures may include, for example, flagging the webpage and/or website for blacklisting and/or for further analysis/investigation.
  • the anti-phishing measures may include, for example, blocking the webpage and/or website from reaching the user.
  • the anti-phishing measures may include, for example, preventing any transactional information entered by the user from reaching the phishing website. Other anti-phishing measures may also be taken.
  • the UE webpage is deemed not to be a phishing webpage.
  • HTTP transaction analysis may be performed to ascertain whether phishing is being attempted.
  • an intercepted UE webpage may be analyzed to ascertain whether the HTTP transaction destination matches that of the website being attacked.
  • the HTTP transaction destination for that UE webpage is first ascertained.
  • the HTTP transaction destination may request that the userid entered by the user be transmitted to a given URL.
  • the HTML hyperlinks in that webpage are analyzed to ascertain the webpage(s) that are hyperlinked to.
  • the hyperlinked webpages are then analyzed to ascertain whether the hyperlinked websites (i.e., the websites associated with the hyperlinked webpages) also have similar transaction webpages. Similarity between webpages may be ascertained in many ways, including for example comparing text or images in the webpages. If a similar transaction webpage exists, its HTTP transaction destination is ascertained. For example, the HTTP transaction destination for a transaction page of the legitimate website (e.g., XYZ bank) may specify that the user-input userid and password be transmitted to a given URL. If the HTTP transaction destination associated with the transaction page of the hyperlinked website and the HTTP transaction destination associated with suspect transaction webpage are different, phishing is a possibility and anti-phishing measures may be undertaken.
  • FIG. 2 shows, in accordance with an embodiment of the present invention, an example HTTP hyperlink analysis showing bi-directional hyperlinking between a webpage 202 and a webpage 204.
  • webpage 202 hyperlinks to webpage 204 (link away from webpage 202 to webpage 204 via arrow 206) and is in turn hyperlinked by webpage 204 (link back from webpage 204 to webpage 202 via arrow 208).
  • webpage 202 hyperlinks to webpage 220 (via arrow 222) and is in turn hyperlinked by webpage 206 (via arrow 224). Note that when hyperlinking is employed, it is not necessary that webpages 202, 204, and 220 be implemented in the same website or in the same server.
  • FIG. 3 shows, in accordance with an embodiment of the present invention, another example HTTP hyperlink analysis showing uni-directional hyperlinking between a webpage 302 and a webpage 202.
  • webpage 302 hyperlinks to webpage 202 (via arrow 304).
  • the HTTP hyperlink analysis suggests that webpage 302 may represent a webpage that is attempting to perform a phishing attack on the website associated with webpage 202 by deceiving a user to enter confidential information normally entered into webpage 202 .
  • FIG. 4 shows, in accordance with an embodiment of the present invention, the steps for analyzing a suspect webpage.
  • the computer readable code such as the HTML code that implements the webpage is analyzed for hyperlink references and for credential information transaction constructs, e.g., one that requests the user to enter login information such as userid, password, or identification information such as name, birth date, social security number, driver license number or financial-related information such as bank account number, credit card number, etc.
  • the hyperlinks ascertained in step 402 are ranked to determine which linked-to webpages (and thus websites) are most relevant.
  • If the suspect webpage is not a transaction webpage, no further analysis is necessary since the purpose of phishing is to acquire the transaction information, and the suspect webpage is now no longer a suspect since that suspect webpage does not ask for transaction information.
  • such ranking may be deemed optional and may be omitted if desired.
  • certain hyperlinks may be deemed more relevant than others based on types, the identity of the linked-to webpages and/or linked-to websites, etc. From step 404, a set of websites deemed relevant is ascertained.
  • In step 406, link relationship analysis is performed for the most relevant website that is either ranked in step 404 or, depending on the specific embodiments, ascertained via hyperlinks in step 402.
  • the linked-to website is analyzed to determine whether the hyperlink references between the suspect webpage and the linked-to website are bi-directional or unidirectional. If the hyperlink reference is only unidirectional (i.e., only from the suspect webpage to the linked-to website) (step 408), anti-phishing measures may be undertaken (410), including for example flagging the suspect webpage for further analysis and/or prohibiting user access to the suspect website. On the other hand, if the hyperlink references are bi-directional (i.e., from the suspect webpage to the linked-to website and from the linked-to website back to the suspect webpage), it is deemed that phishing is unlikely (412).
  • HTTP transaction analysis may be performed.
  • the suspect webpage may be analyzed to ascertain whether the HTTP transaction destination specified by the suspect transaction webpage is the same as or different from that specified by the transaction webpage of the website being attacked.
  • FIG. 5 shows, in accordance with an embodiment of the invention, the steps for performing HTTP transaction analysis on a suspect webpage.
  • the computer readable code of the suspect webpage is analyzed to ascertain whether the suspect webpage is implementing a transaction page, e.g., one that requests the user to enter login information such as userid, password, or identification information such as name, birth date, social security number, driver license number or financial-related information such as bank account number, credit card number, etc.
  • If the suspect webpage is not a transaction webpage (as determined by step 504), no further analysis is necessary since the purpose of phishing is to acquire the transaction information, and the suspect webpage is now no longer a suspect since that suspect webpage does not ask for transaction information.
  • the suspect webpage is a transaction page
  • its computer readable code (e.g., HTML)
  • This HTTP destination link represents the URL to which the requested transaction information would have been sent if the user had entered the information as requested by the suspect webpage.
  • In step 508, the computer readable code, such as the HTML code that implements the webpage, is analyzed for hyperlink references.
  • the hyperlinks ascertained in step 508 are ranked to determine which linked-to webpages and websites are most relevant. In an embodiment, such ranking may be deemed optional and may be omitted if desired. As mentioned, certain hyperlinks may be deemed more relevant than others based on types, the identity of the linked-to webpages and/or linked-to websites, etc. From step 510, a set of websites deemed relevant is ascertained.
  • In step 512, the websites ascertained in step 510 are tested to ascertain which of these websites the suspect webpage may have tried to attack (i.e., to fraudulently emulate). For example, the text and/or images associated with webpages in these websites may be compared against the text and/or images of the suspect webpage to determine the identity of the webpage being fraudulently imitated (which in turn reveals the identity of the website being attacked, e.g., XYZ bank).
  • In step 514, the transaction page (e.g., the login page) of the website being attacked (e.g., the XYZ bank website) is analyzed for its transaction destination hyperlink(s). These transaction destination links (which represent the destinations for the transaction information if the user had entered such transaction information into the transaction page of the website being attacked) are then compared (step 516) against the transaction destination hyperlinks obtained from the suspect webpage.
  • If the two sets of transaction destination hyperlinks are the same (step 516), the phishing risk is negligible since the user's transaction information would have been sent to the transaction destination specified by the transaction page of the legitimate website anyway.
  • a pop-up webpage may be provided to the user if a website is found to be a phishing website.
  • the popup page can include information about the phishing site, such as its IP address, its location, its URL, etc.
  • an option “Take me away” may be provided to the user to allow the user to be taken to the legitimate site that is being attacked (e.g., the login page of a bank, for example), thereby conveniently allowing the user to continue his access with the legitimate website.
  • FIG. 6 is an example of such a pop-up window, which is presented to the user after a phishing attempt is detected.
  • embodiments of the invention render it possible to dynamically ascertain whether a particular webpage that the user is attempting to access is likely to be associated with a phishing website.
  • embodiments of the invention render it possible to detect a phishing attempt even if the phishing website has never been ascertained and/or designated previously as a phishing website.
  • the detection may be performed when the fraudulent email is transmitted to the user's email system, or in response to the user clicking on the embedded link to attempt to access the suspect webpage, or when the suspect webpage is received, or even when the user attempts to enter transaction data into a suspect webpage.
  • the link relationship analysis and the HTTP transaction analysis may be performed on the suspect website, if desired.
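
The link relationship analysis (FIG. 4) and the HTTP transaction analysis (FIG. 5) described above, sketched in Python as an added example; it is not code from the patent. The `fetch` callable, the `.example` hosts and the sample pages are constructed, ranking is reduced to picking the most-referenced external site, and the link-back and transaction-page checks look only at the pages the suspect itself references.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PageScan(HTMLParser):
    """Collects hyperlink references, form destinations and credential fields."""
    LINK_ATTR = {"a": "href", "img": "src", "script": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []            # absolute URLs the page references
        self.destinations = set()  # form action URLs (transaction destinations)
        self.asks_credentials = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.LINK_ATTR and a.get(self.LINK_ATTR[tag]):
            self.links.append(urljoin(self.base_url, a[self.LINK_ATTR[tag]]))
        elif tag == "form":
            # An empty or missing action posts back to the page itself.
            self.destinations.add(urljoin(self.base_url, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.asks_credentials = True


def scan(url, html):
    page = PageScan(url)
    page.feed(html)
    page.close()
    return page


def site(url):
    """Website identity, reduced here to the lower-cased host name."""
    return (urlsplit(url).hostname or "").lower()


def analyze(suspect_url, fetch):
    """fetch(url) returns HTML text or None; it is a hypothetical fetcher."""
    suspect = scan(suspect_url, fetch(suspect_url) or "")
    if not suspect.asks_credentials:
        return {"verdict": "not a transaction page"}
    own = site(suspect_url)
    # Ranking stand-in: the external site referenced most often is taken as
    # the site being imitated.
    refs = Counter(site(u) for u in suspect.links if site(u) not in ("", own))
    if not refs:
        return {"verdict": "no external references"}
    target = refs.most_common(1)[0][0]

    links_back, target_destinations = False, None
    for url in dict.fromkeys(u for u in suspect.links if site(u) == target):
        html = fetch(url)
        if html is None:          # e.g. an image, or a page that did not load
            continue
        page = scan(url, html)
        if any(site(u) == own for u in page.links):
            links_back = True     # the linked-to site links back to the suspect
        if page.asks_credentials and target_destinations is None:
            target_destinations = page.destinations
    linking = "bi-directional" if links_back else "uni-directional"
    mismatch = (target_destinations is not None
                and suspect.destinations != target_destinations)
    flagged = linking == "uni-directional" or mismatch
    return {"verdict": "anti-phishing measures" if flagged else "non-phishing",
            "target": target, "linking": linking,
            "destination_mismatch": mismatch}


# Constructed sample pages (not from the patent); hosts are placeholders.
WEB = {
    "https://203.0.113.10/icons/cgi-bin/xyzbank/login.php": """
        <img src="https://www.xyzbank.example/img/logo.gif">
        <a href="https://www.xyzbank.example/us/cgi-bin/login.php">Sign-in help</a>
        <form action="collect.php" method="post">
          <input name="userid"><input type="password" name="password"></form>""",
    "https://cards.xyzbank.example/login": """
        <a href="https://www.xyzbank.example/us/cgi-bin/login.php">Main site</a>
        <form action="https://www.xyzbank.example/us/cgi-bin/auth" method="post">
          <input name="userid"><input type="password" name="password"></form>""",
    "https://www.xyzbank.example/us/cgi-bin/login.php": """
        <a href="https://cards.xyzbank.example/login">Card services</a>
        <form action="/us/cgi-bin/auth" method="post">
          <input name="userid"><input type="password" name="password"></form>""",
}

if __name__ == "__main__":
    for url in list(WEB)[:2]:
        print(url, analyze(url, WEB.get))
```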

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A computer-implemented method for detecting a phishing attempt by a given website is provided. The method includes receiving a webpage from the given website, which includes computer-readable code for the webpage. The method also includes ascertaining hyperlink references in the computer-readable code. Each hyperlink reference refers to at least a component of another webpage. The method further includes performing linking relationship analysis on at least a subset of websites identified to be referenced by the hyperlink references, which includes determining whether a first website is in a bi-directional/uni-directional linking relationship with the given website. The first website is one of the subset of websites. The method yet also includes, if the first website is in the bi-directional linking relationship, designating the given website a non-phishing website. The method yet further includes, if the first website is in the uni-directional linking relationship, performing anti-phishing measures with respect to the given website.

Description

    BACKGROUND OF THE INVENTION
  • Phishing represents a fraudulent technique employed to obtain confidential transaction information (such as user name, password, financial information, credit card information, etc.) from computer users for misuse. In phishing, the phisher employs a phishing server to send an apparently official electronic communication (such as an official looking email) to the victim. For example, if a phisher wishes to obtain confidential information to access a victim's account at XYZ bank, the email would typically come from an XYZ bank email address and contain official-looking logos and language to deceive the victim into believing that the email is legitimate.
  • Further, the phisher's email typically includes language urging the victim to access the website of XYZ bank in order to verify some information or to confirm some transaction. The email also typically includes a link for use by the victim to supposedly access the website of XYZ bank. However, when the victim clicks on the link included in the email, the victim is taken instead to a sham website set up in advance by the phisher. The sham website, referred to herein as the phishing website, would then ask for confidential information from the victim. Since the victim had been told in advance that the purpose of clicking on the link is to verify some account information or to confirm some transaction, many victims unquestioningly enter the requested information. Once the confidential information is collected by the phisher, the phisher can subsequently employ the information to perpetrate fraud on the victim by stealing money from the victim's account, by purchasing goods using the account funds, etc.
  • FIG. 1 illustrates an example of a phishing attack. In FIG. 1, a phisher 102 (typically an email server that is under control of a human phisher) sends an official-looking email 104 designed to convince a recipient 108 that the email is sent by a legitimate business, such as by bank 106. The email may, for example, attempt to convince the recipient 108 to update his account by clicking on an attached link to access a webpage. If the recipient 108 clicks on the link, the webpage that opens would then request the user to enter the user's confidential information such as userid, password, account number, etc.
  • However, since the webpage did not come from the legitimate business 106, the user's confidential information is sent (110) to a phishing website 112. Phishing website 112 then collects the user's confidential information to allow the phisher to perpetrate fraud on the user.
  • Because phishers actually divert the victim to another website other than the website of the legitimate business that the victim intended to visit, some knowledgeable users may be able to spot the difference in the website domain names and may become alert to the possibility that a phishing attack is being attempted. For example, if a victim is taken to a website whose domain name “https://218.246.224.203/icons/cgi-bin/xyzbank/login.php” appears in the browser's URL address bar, that victim may be alert to the fact that the phisher's website URL address as shown on the browser's URL toolbar is different from the usual “https://www.xyzbank.com/us/cgi-bin/login.php” and may refuse to furnish the confidential information out of suspicion. However, it is known that many users are not sophisticated or always vigilant against phishing attempts. Accordingly, relying on users to stay on guard against phishing attempts has proven to be an inadequate response to the phishing problem.
  • Phishing can also be detected via phishing detection software and/or hardware. For example, URL filtering may be employed by the prior art phishing detection software to detect whether a particular website is a known phishing website. As an example, if the website with IP address 218.246.224.203 is known to be a phishing website, an attempt to access that website by the user (such as done when the user responds to an email sent from the phisher's server by clicking on a link in the email) will be detected by the phishing detection software, and the attempted access to the phishing webpage will be denied.
  • However, URL filtering requires the prior knowledge pertaining to whether a particular website is a phishing website. If a phisher sets up a new website for the purpose of committing phishing fraud, and the new website has a new IP address that has not yet been detected as a phishing website, URL filtering by the prior art phishing detection software would not be able to detect this newly set up website as a phishing website.
    SUMMARY OF INVENTION
  • The invention relates, in an embodiment, to a computer-implemented method for detecting a phishing attempt by a given website. The computer-implemented method includes receiving a webpage from the given website, which includes computer-readable code for the webpage. The computer-implemented method also includes ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with the given website or a website different from the given website. The computer-implemented method further includes performing linking relationship analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes determining whether a first website that is associated with a webpage referenced by a first one of the set of hyperlink references is in a bi-directional linking relationship with the given website or in a uni-directional linking relationship with the given website. The first website is one of the subset of websites. The computer-implemented method yet also includes, if the first website is in the bi-directional linking relationship with the given website, designating the given website a non-phishing website. The computer-implemented method yet further includes, if the first website is in the uni-directional linking relationship with the given website, performing anti-phishing measures with respect to the given website.
  • In another embodiment, the invention relates to a computer-implemented method for detecting a phishing attempt by a given website. The computer-implemented method includes receiving a webpage from the given website, which includes computer-readable code for the webpage. The computer-implemented method also includes obtaining from the computer readable code a transaction destination URL, which includes representing a destination URL for transaction information requested by the webpage. The computer-implemented method further includes ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with given website or a website different from the given website. The computer-implemented method yet also includes performing transaction destination analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of the set of hyperlink references. The first transaction destination URL represents a destination URL for transaction information requested by the transaction page in the first website. The computer-implemented method yet further includes, if the transaction destination URL obtained from the computer readable code for the webpage from the given website is different from the first transaction destination URL, performing anti-phishing measures with respect to the given website.
  • In yet another embodiment the invention relates to an article of manufacture having thereon computer storage medium and computer readable code configured for a phishing attempt by a given website. The article of manufacture includes computer readable code for receiving a webpage from the given website, which includes computer-readable code for the webpage. The article of manufacture also includes computer readable code for obtaining from the computer readable code a transaction destination URL, which includes representing a destination URL for transaction information requested by the webpage. The article of manufacture further includes computer readable code for ascertaining a set of hyperlink references in the computer-readable code. Each hyperlink reference in the set of hyperlink references refers to at least a component of another webpage that is associated with given website or a website different from the given website. The article of manufacture yet also includes performing transaction destination analysis on at least a subset of websites identified to be referenced by the set of hyperlink references, which includes ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of the set of hyperlink references. The first transaction destination URL represents a destination URL for transaction information requested by the transaction page in the first website. The article of manufacture yet further includes, if the transaction destination URL obtained from the computer readable code for the webpage from the given website is different from the first transaction destination URL, performing anti-phishing measures with respect to the given website.
  • The above summary relates to only one of the many embodiments of the invention disclosed herein and is not intended to limit the scope of the invention, which is set forth in the claims herein. These and other features of the present invention will be described in more detail below in the detailed description of the invention and in conjunction with the following figures.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
  • FIG. 1 illustrates an example of a phishing attack.
  • FIG. 2 shows, in accordance with an embodiment of the present invention, an example HTTP hyperlink analysis showing bi-directional hyperlinking between two webpages.
  • FIG. 3 shows, in accordance with an embodiment of the present invention, another example HTTP hyperlink analysis showing uni-directional hyperlinking between two webpages.
  • FIG. 4 shows, in accordance with an embodiment of the present invention, the steps for analyzing a suspect webpage.
  • FIG. 5 shows, in accordance with an embodiment of the invention, the steps for performing HTTP transaction analysis on a suspect webpage.
  • FIG. 6 shows, in accordance with an embodiment of the invention, an example of a pop-up window, which is presented to the user after a phishing attempt is detected.
    DETAILED DESCRIPTION OF EMBODIMENTS
  • The present invention will now be described in detail with reference to a few embodiments thereof as illustrated in the accompanying drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without some or all of these specific details. In other instances, well known process steps and/or structures have not been described in detail in order to not unnecessarily obscure the present invention.
  • Various embodiments are described herein below, including methods and techniques. It should be kept in mind that the invention might also cover articles of manufacture that includes a computer readable medium on which computer-readable instructions for carrying out embodiments of the inventive technique are stored. The computer readable medium may include, for example, semiconductor, magnetic, opto-magnetic, optical, or other forms of computer readable medium for storing computer readable code. Further, the invention may also cover apparatuses for practicing embodiments of the invention. Such apparatus may include circuits, dedicated and/or programmable, to carry out tasks pertaining to embodiments of the invention. Examples of such apparatus include a general-purpose computer and/or a dedicated computing device when appropriately programmed and may include a combination of a computer/computing device and dedicated/programmable circuits adapted for the various tasks pertaining to embodiments of the invention.
  • In accordance with embodiments of the present invention, there are provided methods and apparatus for dynamically detecting an attempted phishing fraud. As the user (e.g., the recipient of the email suggesting that the recipient needs to click on a link to confirm some transaction information) attempts to access the webpage that is configured to extract the transaction information (such as authentication information or financial/credit information), the suspect webpage is first intercepted and analyzed. In the context of the present invention, a suspect webpage is a webpage that is suspected of being a phishing webpage and needs further analysis to resolve whether that webpage is indeed a phishing webpage.
  • In an embodiment, the computer readable code (e.g., HTML or XML) that implements/renders the suspect webpage is examined. From this examination, embodiments of the invention ascertain whether the suspect webpage originates from a phishing website and should be disallowed. In an embodiment, the determination is made without requiring prior knowledge regarding whether the web server or the website that transmits the suspect webpage has been implicated in phishing in the past.
  • In an embodiment, the computer readable code for the webpage under examination (“UE webpage”) is analyzed for the presence of hyperlinks. A hyperlink is a construct that allows component(s) of a webpage (the “link from” webpage) to be derived or obtained from component(s) of another webpage (the “link to” webpage). For example, a webpage “A” to be rendered may be implemented by computer readable code that includes a hyperlink to another webpage “B” so that certain components of webpage “B” can be rendered or executed in webpage “A.”
  • In an embodiment, all websites associated with webpages linked to by the hyperlinks are analyzed for their linking relationships with the suspect webpage. In another embodiment, the hyperlinks are first ranked to determine the identity of the most relevant website(s). For example, it may be known that certain websites (e.g., the biggest banks) or certain types of websites (e.g., banks, auction sites, electronic payment sites) tend to be targeted by phishers, and these hyperlinked sites would have a higher score (for the purpose of determining whether they are relevant) than other hyperlinked sites. Alternatively or additionally, certain types of hyperlinks may be associated with a higher score (for the purpose of determining whether the hyperlinked sites are relevant) than others. For example, anchor hyperlinks or hyperlinks to certain types of web resources may be associated with higher scores than hyperlinks to static images. The hypothesis is that if the UE webpage is indeed a phishing webpage, the attacked website (i.e., the website that the phisher is attempting to imitate to deceive the user into providing confidential transaction information) would be one of the more relevant website(s) ascertained from the hyperlinks.
  • After the relevant website(s) are ascertained, a linking relationship analysis is made to ascertain whether the link between the UE webpage and the attacked website is a uni-directional link or a bi-directional link. A uni-directional link in this case refers to the link from the UE webpage to a webpage in the attacked website without a link back from the attacked website to the UE webpage. On the other hand, the link is said to be bi-directional if there exist one or more links from the UE webpage to the attacked website and there also exist one or more links from the attacked website to the UE webpage.
  • If the link is only uni-directional, the UE webpage is deemed to be a phishing webpage and anti-phishing measures may be undertaken. The anti-phishing measures may include, for example, flagging the webpage and/or website for blacklisting and/or for further analysis/investigation. Alternatively or additionally, the anti-phishing measures may include, for example, blocking the webpage and/or website from reaching the user. Alternatively or additionally, the anti-phishing measures may include, for example, preventing any transactional information entered by the user from reaching the phishing website. Other anti-phishing measures may also be taken.
  • On the other hand, if the link is bi-directional, the UE webpage is deemed not to be a phishing webpage.
  • In one or more embodiments of the invention, HTTP transaction analysis may be performed to ascertain whether phishing is being attempted. In an embodiment, an intercepted UE webpage may be analyzed to ascertain whether the HTTP transaction destination matches that of the website being attacked. In an embodiment, if the UE webpage is a transaction webpage (i.e., one that asks for login information such as userid, password, or asks for financial information such as social security number, bank account number, etc.) the HTTP transaction destination for that UE webpage is first ascertained. For example, the HTTP transaction destination may request that the userid entered by the user be transmitted to a given URL. Furthermore, the HTML hyperlinks in that webpage are analyzed to ascertain the webpage(s) that are hyperlinked to.
  • In an embodiment, the hyperlinked webpages are then analyzed to ascertain whether the hyperlinked websites (i.e., the websites associated with the hyperlinked webpages) also have similar transaction webpages. Similarity between webpages may be ascertained in many ways, including for example comparing text or images in the webpages. If a similar transaction webpage exists, its HTTP transaction destination is ascertained. For example, the HTTP transaction destination for a transaction page of the legitimate website (e.g., XYZ bank) may specify that the user-input userid and password be transmitted to a given URL. If the HTTP transaction destination associated with the transaction page of the hyperlinked website and the HTTP transaction destination associated with suspect transaction webpage are different, phishing is a possibility and anti-phishing measures may be undertaken.
  • The features and advantages of the invention may be better understood with reference to the figures and discussion that follow. FIG. 2 shows, in accordance with an embodiment of the present invention, an example HTTP hyperlink analysis showing bi-directional hyperlinking between a webpage 202 and a webpage 204. In this case, webpage 202 hyperlinks to webpage 204 (link away from webpage 202 to webpage 204 via arrow 206) and is in turn hyperlinked by webpage 204 (link back from webpage 204 to webpage 202 via arrow 208). Likewise, there is bi-directional hyperlinking between a webpage 202 and a webpage 220. In this case, webpage 202 hyperlinks to webpage 220 (via arrow 222) and is in turn hyperlinked by webpage 206 (via arrow 224). Note that when hyperlinking is employed, it is not necessary that webpages 202, 204, and 220 be implemented in the same website or in the same server.
  • FIG. 3 shows, in accordance with an embodiment of the present invention, another example HTTP hyperlink analysis showing uni-directional hyperlinking between a webpage 302 and a webpage 202. In this case, webpage 302 hyperlinks to webpage 202 (via arrow 304). However, there are no hyperlinks that link from webpage 202 to webpage 302. In this case, the HTTP hyperlink analysis suggests that webpage 302 may represent a webpage that is attempting to perform a phishing attack on the website associated with webpage 202 by deceiving a user to enter confidential information normally entered into webpage 202.
  • FIG. 4 shows, in accordance with an embodiment of the present invention, the steps for analyzing a suspect webpage. In step 402, the computer readable code such as the HTML code that implements the webpage is analyzed for hyperlink references and for credential information transaction constructs, e.g., one that requests the user to enter login information such as userid, password, or identification information such as name, birth date, social security number, driver license number or financial-related information such as bank account number, credit card number, etc. In step 404, the hyperlinks ascertained in step 402 are ranked to determine which linked-to webpages (and thus websites) are most relevant.
  • If the suspect webpage is not a transaction webpage, no further analysis is necessary since the purpose of phishing is to acquire the transaction information, and the suspect webpage is now no longer a suspect since that suspect webpage does not ask for transaction information.
  • In an embodiment, such ranking may be deemed optional and may be omitted if desired. As mentioned, certain hyperlinks may be deemed more relevant than others based on types, the identity of the linked-to webpages and/or linked-to websites, etc. From step 404, a set of websites deemed relevant is ascertained.
  • In step 406, link relationship analysis is performed for the most relevant website that is either ranked in step 404 or, depending on the specific embodiments, ascertained via hyperlinks in step 402. In linking relationship analysis, the linked-to website is analyzed to determine whether the hyperlink references between the suspect webpage and the linked-to website are bi-directional or unidirectional. If the hyperlink reference is only unidirectional (i.e., only from the suspect webpage to the linked-to website) (step 408), anti-phishing measures may be undertaken (410), including for example flagging the suspect webpage for further analysis and/or prohibiting user access to the suspect website. On the other hand, if the hyperlink references are bi-directional (i.e., from the suspect webpage to the linked-to website and from the linked-to website back to the suspect webpage), it is deemed that phishing is unlikely (412).
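The link relationship analysis of FIG. 4 (steps 402 to 412), sketched as an added Python example that is not code from the patent. The per-tag scores, the host-name comparison used to identify a website, and the `PAGES` dictionary standing in for pages already fetched from the linked-to site are all assumptions, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, relevance score). The scores are assumed values: the
# text only says anchors may outrank references to static images.
REF_TYPES = {"a": ("href", 3), "link": ("href", 1), "script": ("src", 1), "img": ("src", 1)}


class LinkCollector(HTMLParser):
    """Collect (tag, absolute URL) for each hyperlink reference in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in REF_TYPES:
            value = dict(attrs).get(REF_TYPES[tag][0])
            if value:
                # Relative references are resolved against the page's own URL.
                self.refs.append((tag, urljoin(self.page_url, value)))


def site_of(url):
    """Website identity, simplified here to the lower-cased host name."""
    return (urlsplit(url).hostname or "").lower()


def hyperlink_refs(page_url, html):
    """Step 402: every hyperlink reference found in the page's code."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    return collector.refs


def rank_sites(page_url, html):
    """Step 404: order the linked-to websites by summed reference score."""
    own, scores = site_of(page_url), {}
    for tag, url in hyperlink_refs(page_url, html):
        site = site_of(url)
        if site and site != own:
            scores[site] = scores.get(site, 0) + REF_TYPES[tag][1]
    return sorted(scores, key=lambda s: (-scores[s], s))


def links_back(site, suspect_site, pages):
    """True if any known page of `site` references `suspect_site`."""
    return any(
        site_of(ref_url) == suspect_site
        for url, html in pages.items() if site_of(url) == site
        for _, ref_url in hyperlink_refs(url, html)
    )


def link_relationship(page_url, html, pages):
    """Steps 406-412, applied to the most relevant linked-to website."""
    ranked = rank_sites(page_url, html)
    if not ranked:
        return ("no-external-links", None)
    top = ranked[0]
    kind = "bi-directional" if links_back(top, site_of(page_url), pages) else "uni-directional"
    return (kind, top)


# Constructed sample data (not from the patent). PAGES stands in for pages
# already retrieved from the linked-to website.
PAGES = {
    "https://www.xyzbank.example/": (
        '<a href="/login.php">Sign in</a>'
        '<a href="https://cards.partner.example/">Our card partner</a>'
    ),
    "https://www.xyzbank.example/login.php": '<a href="/">Home</a>',
}
SUSPECT_URL = "https://198.51.100.7/icons/xyzbank/login.php"
SUSPECT_HTML = (
    '<img src="https://www.xyzbank.example/logo.gif">'
    '<a href="https://www.xyzbank.example/privacy">Privacy</a>'
    '<a href="https://www.xyzbank.example/help">Help</a>'
    '<img src="https://stats.tracker.example/p.gif">'
    '<a href="mailto:support@xyzbank.example">Contact</a>'
)
PARTNER_URL = "https://cards.partner.example/"
PARTNER_HTML = '<a href="https://www.xyzbank.example/">Issued by XYZ Bank</a><a href="/apply">Apply</a>'

if __name__ == "__main__":
    print(link_relationship(SUSPECT_URL, SUSPECT_HTML, PAGES))
    print(link_relationship(PARTNER_URL, PARTNER_HTML, PAGES))
```

The verdict depends on how much of the linked-to site is available for inspection: a link back that exists on a page missing from `PAGES` is reported as uni-directional.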
  • Alternatively or additionally, HTTP transaction analysis may be performed. In HTTP transaction analysis, the suspect webpage may be analyzed to ascertain whether the HTTP transaction destination specified by the suspect transaction webpage is the same as or different from that specified by the transaction webpage of the website being attacked. FIG. 5 shows, in accordance with an embodiment of the invention, the steps for performing HTTP transaction analysis on a suspect webpage. In step 502, the computer readable code of the suspect webpage is analyzed to ascertain whether the suspect webpage is implementing a transaction page, e.g., one that requests the user to enter login information such as userid, password, or identification information such as name, birth date, social security number, driver license number or financial-related information such as bank account number, credit card number, etc.
  • If the suspect webpage is not a transaction webpage (as determined by step 504), no further analysis is necessary since the purpose of phishing is to acquire the transaction information, and the suspect webpage is now no longer a suspect since that suspect webpage does not ask for transaction information.
  • On the other hand, if the suspect webpage is a transaction page, its computer readable code (e.g., HTML) is then analyzed (step 506) to ascertain the HTTP destination link(s) for the user-input transaction data. This HTTP destination link represents the URL to which the requested transaction information would have been sent if the user had entered the information as requested by the suspect webpage.
  • In step 508, the computer readable code, such as the HTML code that implements the webpage, is analyzed for hyperlink references. In step 510, the hyperlinks ascertained in step 508 are ranked to determine which linked-to webpages and websites are most relevant. In an embodiment, such ranking may be deemed optional and may be omitted if desired. As mentioned, certain hyperlinks may be deemed more relevant than others based on types, the identity of the linked-to webpages and/or linked-to websites, etc. From step 510, a set of websites deemed relevant is ascertained.
  • In step 512, the websites ascertained in step 510 are tested to ascertain which of these websites the suspect webpage may have tried to attack (i.e., to fraudulently emulate). For example, the text and/or images associated with webpages in these websites may be compared against the text and/or images of the suspect webpage to determine the identity of the webpage being fraudulently imitated (which in turn reveals the identity of the website being attacked, e.g., XYZ bank).
  • In step 514, the transaction page (e.g., the login page) of the website being attacked (e.g., the XYZ bank website) is analyzed for its transaction destination hyperlink(s). These transaction destination links (which represent the destinations for the transaction information if the user had entered such transaction information into the transaction page of the website being attacked) are then compared (step 516) against the transaction destination hyperlinks obtained from the suspect webpage.
  • If the two sets of transaction destination hyperlinks are the same (step 516), the phishing risk is negligible since the user's transaction information would have been sent to the transaction destination specified by the transaction page of the legitimate website anyway.
  • On the other hand, if the two sets of transaction hyperlinks are different, phishing is a possibility since the transaction information entered by the user using the suspect webpage is transmitted to a HTTP transaction destination that is different from the HTTP transaction destination specified by the transaction page of the legitimate website. In this case, anti-phishing measures may be undertaken.
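The comparison at the core of FIG. 5 (steps 502 to 506, 514 and 516), as an added Python example that is not code from the patent. It assumes the attacked website's transaction page has already been identified and fetched (steps 508 to 512); the field-name heuristics, the URL normalization and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: input names that suggest transaction information.
SENSITIVE_NAMES = ("user", "pass", "ssn", "account", "card")


class FormCollector(HTMLParser):
    """Record each form's action and whether it asks for transaction information."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "base" and attr.get("href") and self.base_href is None:
            self.base_href = attr["href"]
        elif tag == "form":
            self._open = {"action": attr.get("action") or "", "sensitive": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            name = (attr.get("name") or "").lower()
            is_password = (attr.get("type") or "text").lower() == "password"
            if is_password or any(key in name for key in SENSITIVE_NAMES):
                self._open["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def normalize(url):
    """Canonical (scheme, host, port, path) so equivalent spellings compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/")


def transaction_destinations(page_url, html):
    """Steps 502-506: where each transaction form would send the user's input."""
    parser = FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href or "")
    found = set()
    for form in parser.forms:
        if form["sensitive"]:
            # An empty action submits to the page's own URL; a relative one
            # resolves against the page (or its <base href>), not the bank.
            target = urljoin(base, form["action"]) if form["action"] else page_url
            found.add(normalize(target))
    return found


def transaction_analysis(suspect_url, suspect_html, legit_url, legit_html):
    """Steps 504, 514 and 516: compare the two sets of transaction destinations."""
    suspect = transaction_destinations(suspect_url, suspect_html)
    if not suspect:
        return "not-a-transaction-page"
    legit = transaction_destinations(legit_url, legit_html)
    if not legit:
        return "no-reference-transaction-page"
    return "same-destination" if suspect == legit else "different-destination"


# Constructed sample pages (not from the patent).
LOGIN_FORM = (
    '<form method="post" action="/us/cgi-bin/login.php">'
    '<input name="userid"><input type="password" name="password"></form>'
)
LEGIT_URL = "https://www.xyzbank.example/us/login.php"
LEGIT_HTML = LOGIN_FORM
# Same markup served from another host: the relative action now resolves there.
SUSPECT_URL = "https://198.51.100.7/icons/cgi-bin/xyzbank/login.php"
SUSPECT_HTML = LOGIN_FORM
# A page on a different host whose form posts to the bank's own endpoint.
PORTAL_URL = "https://portal.partner.example/signin"
PORTAL_HTML = (
    '<form method="post" action="https://WWW.XYZBANK.EXAMPLE:443/us/cgi-bin/login.php">'
    '<input name="userid"><input type="password" name="password"></form>'
)
SEARCH_HTML = '<form action="/search"><input name="q"></form>'

if __name__ == "__main__":
    print(transaction_analysis(SUSPECT_URL, SUSPECT_HTML, LEGIT_URL, LEGIT_HTML))
    print(transaction_analysis(PORTAL_URL, PORTAL_HTML, LEGIT_URL, LEGIT_HTML))
```

Forms whose destination is set by script at submit time are not visible to this static comparison.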
  • In one or more embodiments, a pop-up webpage may be provided to the user if a website is found to be a phishing website. In this case, since the identity of the target website can be ascertained, the pop-up page can include information about the phishing site, such as its IP address, its location, its URL, etc. Furthermore, an option “Take me away” may be provided to the user to allow the user to be taken to the legitimate site that is being attacked (e.g., the login page of a bank), thereby conveniently allowing the user to continue his access with the legitimate website. FIG. 6 is an example of such a pop-up window, which is presented to the user after a phishing attempt is detected.
  • As can be appreciated from the foregoing, embodiments of the invention render it possible to dynamically ascertain whether a particular webpage that the user is attempting to access is likely to be associated with a phishing website. In other words, embodiments of the invention render it possible to detect a phishing attempt even if the phishing website has never been ascertained and/or designated previously as a phishing website. In various embodiments, the detection may be performed when the fraudulent email is transmitted to the user's email system, or in response to the user clicking on the embedded link to attempt to access the suspect webpage, or when the suspect webpage is received, or even when the user attempts to enter transaction data into a suspect webpage. For higher performance, one or both of the link relationship analysis and the HTTP transaction analysis may be performed on the suspect website, if desired.
  • While this invention has been described in terms of several embodiments, there are alterations, permutations, and equivalents, which fall within the scope of this invention. It should also be noted that there are many alternative ways of implementing the methods and apparatuses of the present invention. Additionally, it is intended that the abstract section, having a limit to the number of words that can be provided, be furnished for convenience to the reader and not to be construed as limiting of the claims herein. It is therefore intended that the following appended claims be interpreted as including all such alterations, permutations, and equivalents as fall within the true spirit and scope of the present invention.

Claims (17)

1. A computer-implemented method for detecting a phishing attempt by a given website, comprising:
receiving a webpage from said given website, including computer-readable code for said webpage;
ascertaining a set of hyperlink references in said computer-readable code, each hyperlink reference in said set of hyperlink references referencing at least a component of another webpage that is associated with said given website or a website different from said given website;
performing linking relationship analysis on at least a subset of websites identified to be referenced by said set of hyperlink references, including determining whether a first website that is associated with a webpage referenced by a first one of said set of hyperlink references is in a bi-directional linking relationship with said given website or in a uni-directional linking relationship with said given website, said first website being one of said subset of websites;
if said first website is in said bi-directional linking relationship with said given website, designating said given website a non-phishing website; and
if said first website is in said uni-directional linking relationship with said given website, performing anti-phishing measures with respect to said given website.
2. The method of claim 1 wherein said first one of said set of hyperlink references has a first type, said first type being a member of a predefined set of triggering hyperlink reference types.
3. The method of claim 2 wherein said subset of websites represents websites associated with hyperlink references whose types belong to said predefined set of triggering hyperlink reference types, said performing said linking relationship analysis is performed only on said subset of websites.
4. The method of claim 3 wherein said predefined set of triggering hyperlink reference types includes an anchor hyperlink reference type.
5. The method of claim 1 wherein said subset of websites represents or more website identified to be most relevant.
6. A computer-implemented method for detecting a phishing attempt by a given website, comprising:
receiving a webpage from said given website, including computer-readable code for said webpage;
obtaining from said computer readable code a transaction destination URL, said transaction destination URL representing a destination URL for transaction information requested by said webpage;
ascertaining a set of hyperlink references in said computer-readable code, each hyperlink reference in said set of hyperlink references referencing at least a component of another webpage that is associated with given website or a website different from said given website;
performing transaction destination analysis on at least a subset of websites identified to be referenced by said set of hyperlink references, including ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of said set of hyperlink references, said first transaction destination URL representing a destination URL for transaction information requested by said transaction page in said first website; and
if said transaction destination URL obtained from said computer readable code for said webpage from said given website is different from said first transaction destination URL, performing anti-phishing measures with respect to said given website.
7. The method of claim 6 wherein said transaction information requested by said webpage pertains to at least one of user authentication information and user financial information.
8. The method of claim 6 wherein said first one of said set of hyperlink references has a first type, said first type being a member of a predefined set of triggering hyperlink reference types.
9. The method of claim 8 wherein said subset of websites represents websites associated with hyperlink references whose types belong to said predefined set of triggering hyperlink reference types, said performing said linking relationship analysis is performed only on said subset of websites.
10. The method of claim 9 wherein said predefined set of triggering hyperlink reference types includes an anchor hyperlink reference type.
11. The method of claim 6 wherein said subset of websites represents or more website identified to be most relevant.
12. An article of manufacture having thereon computer storage medium and computer readable code configured for a phishing attempt by a given website, comprising:
computer readable code for receiving a webpage from said given website, including computer-readable code for said webpage;
computer readable code for obtaining from said computer readable code a transaction destination URL, said transaction destination URL representing a destination URL for transaction information requested by said webpage;
computer readable code for ascertaining a set of hyperlink references in said computer-readable code, each hyperlink reference in said set of hyperlink references referencing at least a component of another webpage that is associated with said given website or a website different from said given website;
performing transaction destination analysis on at least a subset of websites identified to be referenced by said set of hyperlink references, including ascertaining a first transaction destination URL specified by a transaction page in a first website that is associated with a webpage referenced by a first one of said set of hyperlink references, said first transaction destination URL representing a destination URL for transaction information requested by said transaction page in said first website; and
if said transaction destination URL obtained from said computer readable code for said webpage from said given website is different from said first transaction destination URL, performing anti-phishing measures with respect to said given website.
13. The method of claim 12 wherein said transaction information requested by said webpage pertains to at least one of user authentication information and user financial information.
14. The method of claim 12 wherein said first one of said set of hyperlink references has a first type, said first type being a member of a predefined set of triggering hyperlink reference types.
15. The method of claim 14 wherein said subset of websites represents websites associated with hyperlink references whose types belong to said predefined set of triggering hyperlink reference types, said performing said linking relationship analysis is performed only on said subset of websites.
16. The method of claim 15 wherein said predefined set of triggering hyperlink reference types includes an anchor hyperlink reference type.
17. The method of claim 12 wherein said subset of websites represents one or more websites identified to be most relevant.
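The comparison recited in claims 6 and 12, sketched as an added illustration that is not code from the patent or its assignee. It assumes a transaction page is any page with a form containing a password field, that only anchor hyperlinks are followed (the triggering type named in claims 10 and 16), and that each linked page is itself checked as the referenced site's transaction page; `fetch`, `PageScan`, `check` and the sample pages are hypothetical and constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

class PageScan(HTMLParser):
    """Collect anchor targets and the action URL of every form holding a password field."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.anchors, self.destinations = base_url, [], []
        self._action = None  # action of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            # A missing action means the form posts back to the page's own URL.
            self._action = urljoin(self.base, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action and self._action not in self.destinations:
                self.destinations.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def scan(url, html):
    parser = PageScan(url)
    parser.feed(html)
    parser.close()
    return parser

def check(url, html, fetch):
    """Return (page_dest, linked_page, linked_dest) for every mismatch found."""
    page, findings = scan(url, html), []
    for link in page.anchors:
        linked_html = fetch(link)  # hypothetical fetcher; returns None when unavailable
        if linked_html is None:
            continue
        for ref_dest in scan(link, linked_html).destinations:
            findings += [(d, link, ref_dest) for d in page.destinations if d != ref_dest]
    return findings

PAGES = {  # constructed sample pages standing in for the referenced website
    "https://bank.example/": '<a href="/login">Sign in</a>',
    "https://bank.example/login": '<form action="/auth"><input type="password" name="pw"></form>',
}
SUSPECT_URL = "http://bank-login.invalid/index.html"  # constructed
SUSPECT_HTML = ('<a href="https://bank.example/">Home</a><a href="https://bank.example/login">Help</a>'
                '<form action="collect.php"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for finding in check(SUSPECT_URL, SUSPECT_HTML, PAGES.get):
        print("destination mismatch:", finding)
```

A mismatch is only the trigger for the anti-phishing measures the claims refer to; pages that legitimately post credentials to a different endpoint than the sites they link to would need an allow-list before this check is used for blocking.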
US11/617,569 2006-12-28 2006-12-28 Dynamic phishing detection methods and apparatus Abandoned US20080163369A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/617,569 US20080163369A1 (en) 2006-12-28 2006-12-28 Dynamic phishing detection methods and apparatus
US16/545,995 US10951636B2 (en) 2006-12-28 2019-08-20 Dynamic phishing detection methods and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/617,569 US20080163369A1 (en) 2006-12-28 2006-12-28 Dynamic phishing detection methods and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/545,995 Continuation US10951636B2 (en) 2006-12-28 2019-08-20 Dynamic phishing detection methods and apparatus

Publications (1)

Publication Number Publication Date
US20080163369A1 (en) 2008-07-03

Family

ID=39586022

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/617,569 Abandoned US20080163369A1 (en) 2006-12-28 2006-12-28 Dynamic phishing detection methods and apparatus
US16/545,995 Active 2027-01-27 US10951636B2 (en) 2006-12-28 2019-08-20 Dynamic phishing detection methods and apparatus

Family Applications After (1)

Application Number Title Priority Date Filing Date
US16/545,995 Active 2027-01-27 US10951636B2 (en) 2006-12-28 2019-08-20 Dynamic phishing detection methods and apparatus

Country Status (1)

Country Link
US (2) US20080163369A1 (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090006532A1 (en) * 2007-06-28 2009-01-01 Yahoo! Inc. Dynamic phishing protection in instant messaging
US20090150448A1 (en) * 2006-12-06 2009-06-11 Stephan Lechner Method for identifying at least two similar webpages
US20100043071A1 (en) * 2008-08-12 2010-02-18 Yahoo! Inc. System and method for combating phishing
US20100043058A1 (en) * 2008-08-13 2010-02-18 Novell, Inc. System and method for facilitating user authentication of web page content
US20100083098A1 (en) * 2008-09-30 2010-04-01 Microsoft Corporation Streaming Information that Describes a Webpage
US20100257024A1 (en) * 2009-04-07 2010-10-07 Verisign, Inc. Domain Traffic Ranking
WO2010118115A1 (en) * 2009-04-07 2010-10-14 Verisign, Inc. Domain status, purpose and categories
US20100274836A1 (en) * 2009-04-22 2010-10-28 Verisign, Inc. Internet Profile Service
US20110040604A1 (en) * 2009-08-13 2011-02-17 Vertical Acuity, Inc. Systems and Methods for Providing Targeted Content
US20120159620A1 (en) * 2010-12-21 2012-06-21 Microsoft Corporation Scareware Detection
US8424091B1 (en) * 2010-01-12 2013-04-16 Trend Micro Incorporated Automatic local detection of computer security threats
US20130263263A1 (en) * 2010-12-13 2013-10-03 Comitari Technologies Ltd. Web element spoofing prevention system and method
US20140259158A1 (en) * 2013-03-11 2014-09-11 Bank Of America Corporation Risk Ranking Referential Links in Electronic Messages
US8893286B1 (en) * 2011-04-08 2014-11-18 Symantec Corporation Systems and methods for preventing fraudulent activity associated with typo-squatting procedures
US9065850B1 (en) 2011-02-07 2015-06-23 Zscaler, Inc. Phishing detection systems and methods
US20160036853A1 (en) * 2014-07-30 2016-02-04 DeNA Co., Ltd. Storage medium storing program for login alerts, and method and system thereof
US20170070460A1 (en) * 2015-09-08 2017-03-09 F-Secure Corporation Controlling Access to Web Resources
US9621566B2 (en) 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
US20200042696A1 (en) * 2006-12-28 2020-02-06 Trend Micro Incorporated Dynamic page similarity measurement
US20220368699A1 (en) * 2021-05-11 2022-11-17 AVAST Software s.r.o. User and group specific threat protection system and method
US11870808B1 (en) * 2019-12-12 2024-01-09 Zimperium, Inc. Mobile device security application for malicious website detection based on representative image

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050240756A1 (en) * 2003-01-12 2005-10-27 Yaron Mayer System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows.
US20060123478A1 (en) * 2004-12-02 2006-06-08 Microsoft Corporation Phishing detection, prevention, and notification
US20060179005A1 (en) * 2005-02-04 2006-08-10 Farstone Tech, Inc. Network security system and methods regarding the same
US20080046970A1 (en) * 2006-08-15 2008-02-21 Ian Oliver Determining an invalid request

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8037527B2 (en) * 2004-11-08 2011-10-11 Bt Web Solutions, Llc Method and apparatus for look-ahead security scanning
US7630987B1 (en) * 2004-11-24 2009-12-08 Bank Of America Corporation System and method for detecting phishers by analyzing website referrals

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090150448A1 (en) * 2006-12-06 2009-06-11 Stephan Lechner Method for identifying at least two similar webpages
US20200042696A1 (en) * 2006-12-28 2020-02-06 Trend Micro Incorporated Dynamic page similarity measurement
US11042630B2 (en) * 2006-12-28 2021-06-22 Trend Micro Incorporated Dynamic page similarity measurement
US20090006532A1 (en) * 2007-06-28 2009-01-01 Yahoo! Inc. Dynamic phishing protection in instant messaging
US8528079B2 (en) * 2008-08-12 2013-09-03 Yahoo! Inc. System and method for combating phishing
US20100043071A1 (en) * 2008-08-12 2010-02-18 Yahoo! Inc. System and method for combating phishing
US20100043058A1 (en) * 2008-08-13 2010-02-18 Novell, Inc. System and method for facilitating user authentication of web page content
US8701172B2 (en) * 2008-08-13 2014-04-15 Apple Inc. System and method for facilitating user authentication of web page content
US20100083098A1 (en) * 2008-09-30 2010-04-01 Microsoft Corporation Streaming Information that Describes a Webpage
WO2010118115A1 (en) * 2009-04-07 2010-10-14 Verisign, Inc. Domain status, purpose and categories
CN102460417A (en) * 2009-04-07 2012-05-16 弗里塞恩公司 Domain status, purpose and categories
US9769035B2 (en) 2009-04-07 2017-09-19 Verisign, Inc. Domain popularity scoring
US20100257024A1 (en) * 2009-04-07 2010-10-07 Verisign, Inc. Domain Traffic Ranking
US8521908B2 (en) 2009-04-07 2013-08-27 Verisign, Inc. Existent domain name DNS traffic capture and analysis
US20110087769A1 (en) * 2009-04-07 2011-04-14 Verisign, Inc. Domain Popularity Scoring
US8527658B2 (en) 2009-04-07 2013-09-03 Verisign, Inc Domain traffic ranking
US8909760B2 (en) 2009-04-07 2014-12-09 Verisign, Inc. Domain popularity scoring
US20100274836A1 (en) * 2009-04-22 2010-10-28 Verisign, Inc. Internet Profile Service
US9742723B2 (en) 2009-04-22 2017-08-22 Verisign, Inc. Internet profile service
US9292612B2 (en) 2009-04-22 2016-03-22 Verisign, Inc. Internet profile service
US20110040604A1 (en) * 2009-08-13 2011-02-17 Vertical Acuity, Inc. Systems and Methods for Providing Targeted Content
US8424091B1 (en) * 2010-01-12 2013-04-16 Trend Micro Incorporated Automatic local detection of computer security threats
US20130263263A1 (en) * 2010-12-13 2013-10-03 Comitari Technologies Ltd. Web element spoofing prevention system and method
US9130988B2 (en) * 2010-12-21 2015-09-08 Microsoft Technology Licensing, Llc Scareware detection
US20120159620A1 (en) * 2010-12-21 2012-06-21 Microsoft Corporation Scareware Detection
US9065850B1 (en) 2011-02-07 2015-06-23 Zscaler, Inc. Phishing detection systems and methods
US8893286B1 (en) * 2011-04-08 2014-11-18 Symantec Corporation Systems and methods for preventing fraudulent activity associated with typo-squatting procedures
US20140259158A1 (en) * 2013-03-11 2014-09-11 Bank Of America Corporation Risk Ranking Referential Links in Electronic Messages
US9635042B2 (en) * 2013-03-11 2017-04-25 Bank Of America Corporation Risk ranking referential links in electronic messages
US9344449B2 (en) * 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9621566B2 (en) 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
US20160036853A1 (en) * 2014-07-30 2016-02-04 DeNA Co., Ltd. Storage medium storing program for login alerts, and method and system thereof
GB2542140A (en) * 2015-09-08 2017-03-15 F Secure Corp Controlling access to web resources
US20170070460A1 (en) * 2015-09-08 2017-03-09 F-Secure Corporation Controlling Access to Web Resources
GB2542140B (en) * 2015-09-08 2019-09-11 F Secure Corp Controlling access to web resources
US10474810B2 (en) * 2015-09-08 2019-11-12 F-Secure Corporation Controlling access to web resources
US11870808B1 (en) * 2019-12-12 2024-01-09 Zimperium, Inc. Mobile device security application for malicious website detection based on representative image
US20220368699A1 (en) * 2021-05-11 2022-11-17 AVAST Software s.r.o. User and group specific threat protection system and method
US11949693B2 (en) * 2021-05-11 2024-04-02 AVAST Software s.r.o. User and group specific threat protection system and method

Also Published As

Publication number Publication date
US20200045067A1 (en) 2020-02-06
US10951636B2 (en) 2021-03-16

Similar Documents

Publication Publication Date Title
US10951636B2 (en) Dynamic phishing detection methods and apparatus
US11042630B2 (en) Dynamic page similarity measurement
US9148445B2 (en) Method and system for misuse detection
Alkhozae et al. Phishing websites detection based on phishing characteristics in the webpage source code
US20130263263A1 (en) Web element spoofing prevention system and method
US20060070126A1 (en) A system and methods for blocking submission of online forms.
AU2006200688A1 (en) Internet security
WO2014063520A1 (en) Method and apparatus for determining phishing website
KR20190026691A (en) System and method for detecting online fraud
CN104580230B (en) Verification method and device are attacked in website
CN106789939A (en) A kind of detection method for phishing site and device
Bin et al. A DNS based anti-phishing approach
Dadkhah et al. An introduction to journal phishings and their detection approach
Aburrous et al. Phishing detection plug-in toolbar using intelligent Fuzzy-classification mining techniques
JP4781922B2 (en) Link information verification method, system, apparatus, and program
KR20070067651A (en) Method on prevention of phishing through analysis of the internet site pattern
Roopak et al. On effectiveness of source code and SSL based features for phishing website detection
Glăvan et al. Detection of phishing attacks using the anti-phishing framework
Prem et al. Phishing and anti-phishing techniques
Paturi et al. Detection of phishing attacks using visual similarity model
US11496510B1 (en) Fully automated target identification of a phishing web site
CN107682346B (en) System and method for rapidly positioning and identifying CSRF attack
Enoch et al. Mitigating Cyber Identity Fraud using Advanced Multi Anti-Phishing Technique
US20220131877A1 (en) Neutralizing Evasion Techniques of Malicious Websites
JP2007233904A (en) Forged site detection method and computer program

Legal Events

Date Code Title Description
AS Assignment

Owner name: TREND MICRO INCORPORATED, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHANG, MING-TAI ALLEN;TSAI, YU-FANG EDDIE;REEL/FRAME:019114/0851

Effective date: 20061222

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION