Methods and systems for phishing detection and notification

US 20060080735A1
Filed: 03/15/2005
Published: 04/13/2006
Est. Priority Date: 09/30/2004
Status: Abandoned Application

First Claim

Patent Images

1. A machine-implemented method for detecting a phishing attack over a computer network, the method comprising:

accessing a web page;

processing information associated with the web page;

setting a first condition in response to the processing step;

comparing the first condition to a set of conditions indicative of a phishing attack; and

informing a user of the phishing attack corresponding to the first condition.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques are provided for detecting phishing attacks and notifying users of such attacks. In one example, a machine-implemented method can be provided for detecting a phishing attack over a computer network. A web page can be accessed and information associated with the web page can be processed. One or more conditions can be set in response to the processing. The conditions can be compared to a set of conditions indicative of a phishing attack. A user can then be informed of a potential phishing attack corresponding to the conditions through the display of an alert window and/or an icon. Such actions can also be performed in response to a user'"'"'s selection of a link appearing in an email message. Appropriate systems and/or computer readable media incorporating these features can also be provided.

Citations

21 Claims

1. A machine-implemented method for detecting a phishing attack over a computer network, the method comprising:
- accessing a web page;
  
  processing information associated with the web page;
  
  setting a first condition in response to the processing step;
  
  comparing the first condition to a set of conditions indicative of a phishing attack; and
  
  informing a user of the phishing attack corresponding to the first condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, the accessing step is performed in response to the user'"'"'s selection of a link appearing in an email message.
  - 3. The method of claim 1, the informing step further comprising:
    - displaying an alert window to the user.
  - 4. The method of claim 1, the informing step further comprising:
    - displaying an icon to the user.
  - 5. The method of claim 1, the processing step is a step selected from the group consisting of:
    - parsing a URL associated with the web page;
      
      scanning tags of the web page;
      
      analyzing non-tagged content of the web page;
      
      analyzing input by the user into a form on the web page;
      
      analyzing a URL associated with the web page; and
      
      analyzing an IP address associated with the web page.
  - 6. The method of claim 1, the first condition is a condition selected from the group consisting of:
    - detection of the web page being opened by the user in response to a hyperlink appearing in an email message;
      
      detection of the user currently viewing an email message;
      
      detection of a form existing on the web page;
      
      detection of an open form having a password field existing on the web page;
      
      detection of phishing terms appearing on the web page;
      
      detection of a valid credit card number entered by the user;
      
      detection of escape characters used to obscure phishing terms;
      
      detection of UTF-8 representation of regular printing ASCII characters on the web page;
      
      detection of an open form on a non phishing domain that has been opened within a period of time of the opening of a second web page having a target phishing host name;
      
      detection of a link comprising a visible domain name that differs from a domain name of a URL associated with the link;
      
      detection of a link comprising a target phishing domain name;
      
      detection of a link comprising a target phishing domain name to the left of a @ character in a HREF associated with the link;
      
      detection of escape characters in a path of a HREF;
      
      detection of a 32-bit address used for a host name in a HREF;
      
      detection of a IPV4 address used for a host name in a HREF;
      
      detection of an IP address from a suspect phishing country in a HREF;
      
      detection of a non-HTTPS scheme in a HREF;
      
      detection of a target phishing domain name in a URL;
      
      detection of a target phishing domain name to the left of a @ character in a URL;
      
      detection of escape characters in the path of a URL;
      
      detection of a 32-bit address used for a host name in a URL;
      
      detection of a IPV4 address used for a host name in a URL;
      
      detection of an IP address from a suspect phishing country in a URL; and
      
      detection of a non-HTTPS scheme in a URL.
  - 7. The method of claim 1, method comprising:
    - setting a second condition in response to the processing step;
      
      in place of the first comparing step, comparing the first and second conditions to a set of conditions indicative of a phishing attack; and
      
      in place of the first informing step, informing a user of the phishing attack corresponding to the first and second conditions.

8. A system for detecting a phishing attack over a computer network in communication with the system, the system comprising a computer for performing a method comprising the steps:
- accessing a web page;
  
  processing information associated with the web page;
  
  setting a first condition in response to the processing step;
  
  comparing the first condition to a set of conditions indicative of a phishing attack; and
  
  informing a user of the phishing attack corresponding to the first condition.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, the accessing step is performed in response to the user'"'"'s selection of a link appearing in an email message.
  - 10. The system of claim 8, the informing step further comprising:
    - displaying an alert window to the user.
  - 11. The system of claim 8, the informing step further comprising:
    - displaying an icon to the user.
  - 12. The system of claim 8, the processing step is a step selected from the group consisting of:
    - parsing a URL associated with the web page;
      
      scanning tags of the web page;
      
      analyzing non-tagged content of the web page;
      
      analyzing input by the user into a form on the web page;
      
      analyzing a URL associated with the web page; and
      
      analyzing an IP address associated with the web page.
  - 13. The system of claim 8, the first condition is a condition selected from the group consisting of:
    - detection of the web page being opened by the user in response to a hyperlink appearing in an email message;
      
      detection of the user currently viewing an email message;
      
      detection of a form existing on the web page;
      
      detection of an open form having a password field existing on the web page;
      
      detection of phishing terms appearing on the web page;
      
      detection of a valid credit card number entered by the user;
      
      detection of escape characters used to obscure phishing terms;
      
      detection of UTF-8 representation of regular printing ASCII characters on the web page;
      
      detection of an open form on a non phishing domain that has been opened within a period of time of the opening of a second web page having a target phishing host name;
      
      detection of a link comprising a visible domain name that differs from a domain name of a URL associated with the link;
      
      detection of a link comprising a target phishing domain name;
      
      detection of a link comprising a target phishing domain name to the left of a @ character in a HREF associated with the link;
      
      detection of escape characters in a path of a HREF;
      
      detection of a 32-bit address used for a host name in a HREF;
      
      detection of a IPV4 address used for a host name in a HREF;
      
      detection of an IP address from a suspect phishing country in a HREF;
      
      detection of a non-HTTPS scheme in a HREF;
      
      detection of a target phishing domain name in a URL;
      
      detection of a target phishing domain name to the left of a @ character in a URL;
      
      detection of escape characters in the path of a URL;
      
      detection of a 32-bit address used for a host name in a URL;
      
      detection of a IPV4 address used for a host name in a URL;
      
      detection of an IP address from a suspect phishing country in a URL; and
      
      detection of a non-HTTPS scheme in a URL.
  - 14. The system of claim 8, method comprising:
    - setting a second condition in response to the processing step;
      
      in place of the first comparing step, comparing the first and second conditions to a set of conditions indicative of a phishing attack; and
      
      in place of the first informing step, informing a user of the phishing attack corresponding to the first and second conditions.

15. A computer readable medium with software embodied therein, the software operable to perform a method for detecting a phishing attack over a computer network when run by a computer, the method comprising the steps:
- accessing a web page;
  
  processing information associated with the web page;
  
  setting a first condition in response to the processing step;
  
  comparing the first condition to a set of conditions indicative of a phishing attack; and
  
  informing a user of the phishing attack corresponding to the first condition.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer readable medium of claim 15, the accessing step is performed in response to the user'"'"'s selection of a link appearing in an email message.
  - 17. The computer readable medium of claim 15, the informing step further comprising:
    - displaying an alert window to the user.
  - 18. The computer readable medium of claim 15, the informing step further comprising:
    - displaying an icon to the user.
  - 19. The computer readable medium of claim 15, the processing step is a step selected from the group consisting of:
    - parsing a URL associated with the web page;
      
      scanning tags of the web page;
      
      analyzing non-tagged content of the web page;
      
      analyzing input by the user into a form on the web page;
      
      analyzing a URL associated with the web page; and
      
      analyzing an IP address associated with the web page.
  - 20. The computer readable medium of claim 15, the first condition is a condition selected from the group consisting of:
    - detection of the web page being opened by the user in response to a hyperlink appearing in an email message;
      
      detection of the user currently viewing an email message;
      
      detection of a form existing on the web page;
      
      detection of an open form having a password field existing on the web page;
      
      detection of phishing terms appearing on the web page;
      
      detection of a valid credit card number entered by the user;
      
      detection of escape characters used to obscure phishing terms;
      
      detection of UTF-8 representation of regular printing ASCII characters on the web page;
      
      detection of an open form on a non phishing domain that has been opened within a period of time of the opening of a second web page having a target phishing host name;
      
      detection of a link comprising a visible domain name that differs from a domain name of a URL associated with the link;
      
      detection of a link comprising a target phishing domain name;
      
      detection of a link comprising a target phishing domain name to the left of a @ character in a HREF associated with the link;
      
      detection of escape characters in a path of a HREF;
      
      detection of a 32-bit address used for a host name in a HREF;
      
      detection of a IPV4 address used for a host name in a HREF;
      
      detection of an IP address from a suspect phishing country in a HREF;
      
      detection of a non-HTTPS scheme in a HREF;
      
      detection of a target phishing domain name in a URL;
      
      detection of a target phishing domain name to the left of a @ character in a URL;
      
      detection of escape characters in the path of a URL;
      
      detection of a 32-bit address used for a host name in a URL;
      
      detection of a IPV4 address used for a host name in a URL;
      
      detection of an IP address from a suspect phishing country in a URL; and
      
      detection of a non-HTTPS scheme in a URL.
  - 21. The computer readable medium of claim 15, method comprising:
    - setting a second condition in response to the processing step;
      
      in place of the first comparing step, comparing the first and second conditions to a set of conditions indicative of a phishing attack; and
      
      in place of the first informing step, informing a user of the phishing attack corresponding to the first and second conditions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Search Initiatives LLC
Original Assignee
USA Revco, LLC
Inventors
Brinson, Duane, Buiter, Karl, Perkins, Carl, Pelayo, Jesse, Dizon, Philip

Application Number

US11/080,127
Publication Number

US 20060080735A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0236   Filtering by address, proto...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Methods and systems for phishing detection and notification

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for phishing detection and notification

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links