Phishing detection, prevention, and notification

US 20060123478A1
Filed: 05/13/2005
Published: 06/08/2006
Est. Priority Date: 12/02/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving content from a network-based resource;

rendering a user interface of a Web browsing application to display the content received from the network-based resource;

detecting a phishing attack in the content by at least one of determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

Citations

20 Claims

1. A method, comprising:
- receiving content from a network-based resource;
  
  rendering a user interface of a Web browsing application to display the content received from the network-based resource;
  
  detecting a phishing attack in the content by at least one of determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain.
  - 3. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain, the edit-distance being based at least in part on the likelihood of user confusion.
  - 4. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain, the edit-distance being based at least in part on a site-specific change.
  - 5. A method as recited in claim 1, further comprising comparing the domain to a list of known phishing domains to determine that the domain is similar to the known phishing domain.
  - 6. A method as recited in claim 1, further comprising comparing the domain to a list of known phishing domains to determine that the domain is similar to the known phishing domain, the list of known phishing domains being based on historical data corresponding to the known phishing domains.
  - 7. A method as recited in claim 1, further comprising comparing the domain to a list of false positive domains to determine that the domain is not a phishing domain.
  - 8. A method as recited in claim 1, wherein detecting the suspicious network properties of the address includes detecting that the address includes an IP (Internet protocol) address.
  - 9. A method as recited in claim 1, wherein detecting the suspicious network properties of the address includes detecting that the address includes an “
    - @”
      
      sign.
  - 10. A method as recited in claim 1, wherein detecting the suspicious network properties of the address includes detecting that the address includes suspicious HTML (Hypertext Markup Language) encoding.
  - 11. A method as recited in claim 1, wherein detecting the suspicious network properties of the address includes determining that the address resolves to at least one of a dial-up, cable, or DSL (Digital Subscriber Line) communication link.
  - 12. A method as recited in claim 1, wherein detecting the phishing attack includes detecting that the content is received from the network-based resource which is a new domain.
  - 13. A method as recited in claim 1, wherein detecting the suspicious network properties of the address includes detecting that the content has a low static rank.

14. A method, comprising:
- receiving content from a network-based resource;
  
  rendering a user interface of a Web browsing application to display the content received from the network-based resource; and
  
  detecting a phishing attack at least in part by examining the content for suspicious material.
- View Dependent Claims (15, 16)
- - 15. A method as recited in claim 14, further comprising determining that that the phishing attack is not a phishing attack if the content can not return data.
  - 16. A method as recited in claim 14, wherein detecting the phishing attack includes detecting that the content includes multiple user-selectable links to an additional network-based resource, and is configured to submit form data to a network-based resource other than the additional network-based resource.

17. A system, comprising:
- a Web browsing application configured to receive content from a network-based resource and initiate a display of the content; and
  
  a phishing detection module configured to detect a phishing attack in the content at least in part by determining that a domain of the network-based resource is similar to a known phishing domain.
- View Dependent Claims (18, 19, 20)
- - 18. A system as recited in claim 17, wherein the phishing detection module is further configured to detect that a name of the domain is similar in edit-distance to the known phishing domain.
  - 19. A system as recited in claim 17, wherein the phishing detection module is further configured to compare the domain to a list of known phishing domains to determine that the domain is similar to the known phishing domain.
  - 20. A system as recited in claim 17, wherein the phishing detection module is further configured to detect suspicious text content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Penta, Anthony P., Hulten, Geoffrey J., Averbuch, Aaron H., Rounthwaite, Robert L., Goodman, Joshua T., Mishra, Manav, Deyo, Roderic C., Rehfuss, Paul S., Richards, Kenneth G.

Application Number

US11/129,665
Publication Number

US 20060123478A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 67/02 based on web technology, e....

Phishing detection, prevention, and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing detection, prevention, and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links