Phishing detection, prevention, and notification

US 20060123464A1
Filed: 05/13/2005
Published: 06/08/2006
Est. Priority Date: 12/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

rendering a messaging user interface to facilitate communication via a messaging application;

receiving a communication from a domain; and

detecting a phishing attack in the communication by at least one of determining that the domain from which the communication is received is similar to a known phishing domain, or detecting suspicious network properties of the domain from which the communication is received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

Citations

20 Claims

1. A method, comprising:
- rendering a messaging user interface to facilitate communication via a messaging application;
  
  receiving a communication from a domain; and
  
  detecting a phishing attack in the communication by at least one of determining that the domain from which the communication is received is similar to a known phishing domain, or detecting suspicious network properties of the domain from which the communication is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain.
  - 3. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain, the edit-distance being based at least in part on the likelihood of user confusion or on a site-specific change.
  - 4. A method as recited in claim 1, further comprising comparing the domain to a list of known non-phishing domains to determine that the domain is not a phishing domain.
  - 5. A method as recited in claim 1, wherein receiving the communication includes receiving an email, and wherein detecting the phishing attack includes examining data in a “
    - From”
      
      field of the email.
  - 6. A method as recited in claim 1, wherein receiving the communication includes receiving an email, and wherein detecting the phishing attack includes examining a display name in a “
    - From”
      
      field of the email.
  - 7. A method as recited in claim 1, further comprising sending an email, and wherein detecting the phishing attack includes examining data in at least one of a “
    - To”
      
      field of the email, a “
      
      CC”
      
      (carbon copy) field of the email, or a “
      
      BCC”
      
      (blind carbon copy) field of the email.
  - 8. A method as recited in claim 1, wherein detecting the phishing attack includes determining that the communication at least one of:
    - fails anti-spoofing detection;
      
      contains suspicious text content;
      
      is received from the domain which does not provide anti-spoofing information;
      
      or is received via at least one of a dial-up, cable, or DSL (Digital Subscriber Line) communication link.
  - 9. A method as recited in claim 1, wherein detecting the suspicious network properties of the sender of the communication includes detecting that the communication is received from the domain which is a new domain.
  - 10. A method as recited in claim 1, wherein receiving the communication includes receiving the communication from the domain which is located in a country, and wherein detecting the suspicious network properties of the sender of the communication includes detecting that an IP (Internet protocol) address corresponding to the domain does not correlate with the country.

11. A method, comprising:
- rendering a messaging user interface to facilitate communication via a messaging application;
  
  receiving a communication from a domain; and
  
  detecting a phishing attack in the communication at least in part by examining a user-selectable link within the communication.
- View Dependent Claims (12, 13, 14)
- - 12. A method as recited in claim 11, wherein detecting the phishing attack includes detecting a user-selectable link within the communication that includes at least one of an IP (Internet protocol) address, an “
    - @”
      
      sign, or suspicious HTML (Hypertext Markup Language) encoding.
  - 13. A method as recited in claim 11, wherein detecting the phishing attack includes determining that the communication at least one of:
    - contains a user-selectable link to a minimal amount of content;
      
      contains a user-selectable link to at least one of a new or little-trafficked site;
      
      contains at least one user-selectable link to a known phishing target and at least one link to a different domain;
      
      or contains at least one user-selectable link which includes link text and a mismatched URL (Uniform Resource Locator).
  - 14. A method as recited in claim 11, wherein detecting the phishing attack includes detecting that the user-selectable link is a user-selectable link to at least one of a domain or a Web page that has a low static rank which is based at least in part on incoming links to the domain or to the Web page.

15. A system, comprising:
- a messaging application configured to facilitate communication via a messaging user interface, and further configured to receive a communication from a domain; and
  
  a phishing detection module configured to detect a phishing attack in the communication at least in part by determining that the domain is similar to a known phishing domain.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A system as recited in claim 15, wherein the phishing detection module is further configured to detect that a name of the domain is similar in edit-distance to the known phishing domain.
  - 17. A system as recited in claim 15, wherein the phishing detection module is further configured to compare the domain to a list of false positive domains to determine that the domain is not a phishing domain.
  - 18. A system as recited in claim 15, wherein the messaging application is further configured to receive an email as the communication, and wherein the phishing detection module is further configured to examine data in a “
    - From”
      
      field of the email to detect the phishing attack.
  - 19. A system as recited in claim 15, wherein the messaging application is further configured to send an email, and wherein the phishing detection module is further configured to examine data in at least one of a “
    - To”
      
      field of the email, a “
      
      CC”
      
      (carbon copy) field of the email, or a “
      
      BCC”
      
      (blind carbon copy) field of the email to detect the phishing attack.
  - 20. A system as recited in claim 15, wherein the phishing detection module is further configured to detect that the communication contains a user-selectable link to at least one of a domain or a Web page with a low score which is based at least in part on incoming links to the domain or to the Web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Penta, Anthony P., Hulten, Geoffrey J., Averbuch, Aaron H., Rounthwaite, Robert L., Goodman, Joshua T., Mishra, Manav, Rehfuss, Paul S., Deyo, Roderic C., Richards, Kenneth G.

Granted Patent

US 7,634,810 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Phishing detection, prevention, and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing detection, prevention, and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links