Email anti-phishing inspector

US 20060168066A1
Filed: 12/09/2005
Published: 07/27/2006
Est. Priority Date: 11/10/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining a phishing email, comprising the steps of:

a. receiving an email message;

b. scoring the email message based on one or more factors, wherein at least one factor is based on the level of trust associated with a URL extracted from the email;

c. comparing the score with a predetermined phishing threshold; and

d. determining if the email is a phishing email based on the comparison.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product are provided for implementing embodiments of an EScam Server, which are useful for determining phishing emails. Methods, systems, and program products are also provided to implement embodiments of a Trusted Host Miner, useful for determining servers associated with a Trusted URL, a Trusted Host Browser, useful for communicating to a user when links are Trusted URLs, and a Page Spider, useful for determining on-site links to documents which request a user'"'"'s confidential information.

164 Citations

56 Claims

1. A method for determining a phishing email, comprising the steps of:
- a. receiving an email message;
  
  b. scoring the email message based on one or more factors, wherein at least one factor is based on the level of trust associated with a URL extracted from the email;
  
  c. comparing the score with a predetermined phishing threshold; and
  
  d. determining if the email is a phishing email based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein one or more of the factors are stored in a database.
  - 3. The method of claim 1, wherein the level of trust associated with the URL is determined as a function of an IP address associated with the URL.
  - 4. The method of claim 3, wherein the IP address associated with the URL is determined by querying a DNS server.
  - 5. The method of claim 1, wherein the level of trust associated with the URL is retrieved from a database.
  - 6. The method of claim 1, wherein a factor comprises a geographic location of origination of the email message.
  - 7. The method of claim 6, wherein the geographic location is determined as a function of the origination IP address of the email message.
  - 8. The method of claim 1, wherein the step of determining if the email is a phishing email occurs in real time.
  - 9. The method of claim 1, further comprising parsing the email message into a header and a body.
  - 10. The method of claim 1, wherein the email message is an HTML email message.
  - 11. The method of claim 1, wherein the email message is a text email message.
  - 12. The method of claim 1, further comprising the steps of:
    - a. determining one or more URLs contained within the email message;
      
      b. determining if the one or more URLs are associated with trusted servers;
      
      c. if each of the one or more URLs are associated with a trusted server, optimizing the score to reflect that the email is less likely to be a phishing email; and
      
      d. if fewer than all of the one or more URLs are not associated with trusted servers, optimizing the risk score to reflect that the email is more likely to be a phishing email.
  - 13. The method of claim 9, wherein the score is comprised of a header score and a URL score.
  - 14. The method of claim 13, wherein the URL score is adjusted based on a HTML tag associated with the URL.
  - 15. The method of claim 13, wherein the header score is adjusted based on an originating country associated with an IP address included within the email message.
  - 16. The method of claim 1, wherein the email message is received by an email client.
  - 17. The method of claim 1, wherein the determining step occurs before the email message is sent to an email recipient.
  - 18. The method of claim 1, further comprising reporting information associated with the determining step.

19. A method for determining a phishing email, comprising the steps of:
- a. storing descriptive content associated with one or more entities, the content including at least domain names and keywords;
  
  b. receiving an email;
  
  c. extracting descriptive content from the email;
  
  d. determining a first entity that the email may be associated with based on a comparison between the extracted descriptive content and stored descriptive content;
  
  e. extracting a URL from the email;
  
  f. determining a second entity associated with the URL; and
  
  g. determining if the email is a phishing email based on a comparison between the first entity and the second entity.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, wherein the step of determining a second entity associated with the URL comprises the step of determining an IP address associated with the URL.
  - 21. The method of claim 20, wherein the IP address is determined by querying a DNS server.
  - 22. The method of claim 19, wherein the step of storing descriptive content associated with one or more entities comprises the steps of:
    - a. providing an interface for a user to determine keywords and domain names associated with an entity;
      
      b. determining by the user keywords associated with the entity;
      
      c. determining by the user domain names associated with the entity; and
      
      d. storing entity information, the associated keywords, and the associated domain names.
  - 23. The method of claim 22, wherein the entity, keyword, and domain name information is stored in a database.

24. A method for associating one or more Internet Protocol (IP) addresses of a trusted server with a trusted Uniform Resource Locator (URL), comprising the steps of:
- a. receiving the trusted URL;
  
  b. submitting a first query containing the trusted URL to a Domain Name Server (DNS);
  
  c. receiving from the DNS a first IP address;
  
  d. associating the first IP address with the trusted URL, and storing the association;
  
  e. submitting a second query containing the trusted URL to the DNS after a first predetermined amount of time has passed, wherein the first predetermined amount of time is a function of a time-to-live (TTL) value received from the DNS;
  
  f. receiving from the DNS a second IP address; and
  
  g. associating the second IP address with the trusted URL, and storing the association.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The method of claim 24, wherein the step of receiving the trusted URL comprises the step of receiving the trusted URL as the result of a database query.
  - 26. The method of claim 24, further comprising the step of storing one or more IP addresses, TTL values, and the trusted URL in a database.
  - 27. The method of claim 24, further comprising the step of disassociating an IP address from the trusted URL after a second preconfigured amount of time has passed.
  - 28. The method of claim 27, wherein the second preconfigured amount of time is determined as a function of a TTL value.
  - 29. The method of claim 24, further comprising the step of receiving an IP address associated with the trusted URL from an entity associated with the trusted server.
  - 30. The method of claim 29, wherein the entity is the owner of a trusted server.
  - 31. The method of claim 24, wherein steps e through h are repeated one or more times.

32. A method for communicating to a user the level of trust associated with a host of a Uniform Resource Locator (URL), comprising the steps of:
- a. receiving the URL;
  
  b. determining an Internet Protocol (IP) address associated with the URL;
  
  c. determining the level of trust associated with the host of the URL based on one or more factors, wherein at least one factor is based on the IP address; and
  
  d. communicating to the user the level of trust associated with the host.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The method of claim 32, wherein the URL is a URL entered into the address field of an internet web browser.
  - 34. The method of claim 32, wherein a factor is the level of trust received from an EScam server queried with the URL.
  - 35. The method of claim 32, wherein the step of determining an IP address associated with the URL comprises the step of querying a DNS with the URL.
  - 36. The method of claim 32, wherein a factor is the geographic location of the host determined as a function of the IP address.
  - 37. The method of claim 32, wherein the step of determining an IP address associated with the URL comprises the step of retrieving the IP address from a database.
  - 38. The method of claim 32, wherein the step of communicating to the user comprises the step of communicating to the user the level of trust associated with the host by displaying a message to the user indicating the level of trust associated with the URL.
  - 39. The method of claim 32, wherein the step of communicating to the user comprises the step of communicating to the user the level of trust associated with the host by displaying an icon or dialogue box to the user indicating the level of trust associated with the URL.

40. A method for processing links in documents, comprising the steps of:
- a. retrieving a first document available at a first link, the first link containing a first host name;
  
  b. parsing the first document to identify a second link to a second document, wherein the second link contains the same host name as the first host name;
  
  c. inspecting the second document to determine if it requests confidential information such as a login, password, or financial information; and
  
  d. storing the second link in a first list if the second document requests confidential information.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47)
- - 41. The method of claim 40, further comprising the step of storing the second link in a second list if the second document does not requests confidential information.
  - 42. The method of claim 40, wherein documents are HTML compatible documents and links are Uniform Resource Locators (URLs).
  - 43. The method of claim 40, wherein documents are XML compatible documents and links are Uniform Resource Locators (URLs).
  - 44. The method of claim 42, wherein the step of parsing the first document to determine a second link to a second document comprises the step of determining an <
    - A>
      
      HTML tag which contains a link to the second document.
  - 45. The method of claim 42, wherein the step of inspecting the second document to determine if it requests confidential information comprises the step of inspecting the second document to determine if it contains one or more predetermined HTML tags such as a <
    - FORM>
      
      tag or a <
      
      INPUT>
      
      tag.
  - 46. The method of claim 45, wherein the confidential information is requested by a secure login form contained within the second document.
  - 47. The method of claim 40, wherein the confidential information is requested by a secure login form contained within the second document.

48. A method for processing links in documents, comprising the steps of:
- a. retrieving a first document available at a first link, the first link containing a first host name;
  
  b. parsing the first document to identify one or more links to other documents, wherein each identified link contains an identified host name, and wherein the one or more identified links include at least a second link containing a second host name;
  
  c. determining, for the one or more identified links, if the first host name and the identified host name are the same;
  
  d. if the first host name and the identified host name are the same, storing the identified link in a first list; and
  
  e. if the first host name and the identified host name are not the same, storing the identified link in a second list.
- View Dependent Claims (51, 52, 53, 54, 55, 56)
- - 51. The method of claim 48, wherein documents are HTML compatible documents and links are Uniform Resource Locators (URLs).
  - 52. The method of claim 48, wherein documents are XML compatible documents and links are Uniform Resource Locators (URLs).
  - 53. The method of claim 51, wherein the step of parsing the first document to determine the second link to a second document comprises the step of determining an <
    - A>
      
      HTML tag which contains a link to the second document.
  - 54. The method of claim 51, wherein the step of inspecting the second document to determine if it requests confidential information comprises the step of inspecting the second document to determine if it contains one or more predetermined HTML tags such as a <
    - FORM>
      
      tag or a <
      
      INPUT>
      
      tag.
  - 55. The method of claim 54, wherein the confidential information is requested by a secure login form contained within the second document.
  - 56. The method of claim 48, wherein the confidential information is requested by a secure login form contained within the second document.

49. The method of claim 49, further comprising the step of inspecting one or more links in the first list to determine if the inspected link references a document which requests confidential information such as a login, password, or financial information.
- View Dependent Claims (50)
- - 50. The method of claim 49, further comprising the steps of:
    - a. if the document referenced by the inspected link requests confidential information, storing the inspected link in a third list; and
      
      b. if the document referenced by the inspected does not requests confidential information, storing the inspected link in a fourth list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Envoy, Inc. (Landmark Media Enterprises LLC)
Original Assignee
Digital Envoy, Inc. (Landmark Media Enterprises LLC)
Inventors
Helsper, David, Friedman, Robert B., Burdette, Jeffrey

Application Number

US11/298,370
Publication Number

US 20060168066A1
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Email anti-phishing inspector

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

164 Citations

56 Claims

Specification

Use Cases

Quick Links

Others

Email anti-phishing inspector

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

56 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others