DEVICES, SYSTEMS AND COMPUTER-IMPLEMENTED METHODS FOR PREVENTING PASSWORD LEAKAGE IN PHISHING ATTACKS
1. A computer-implemented method, comprising:
- requesting, by a web browser, a webpage of a website over a computer network;
waiting for the requested webpage and all of the resources of the requested webpage to be loaded in the web browser;
waiting for an event on the loaded webpage;
identifying forms on the loaded webpage having fields associated with user credentials;
adding, to the identified forms, at least one of;
an input event listener to at least one of the identified fields, anda click event listener to at least one button or link belonging to the identified forms;
capturing user credentials input to at least one of the forms using the input event listener and/or the click event listener;
generating hashes of the captured user credentials by applying a key-stretching algorithm using a cryptographic salt to the captured user credentials;
storing the generated hashes in a memory, andpreventing leakage of user credentials to phishing websites by comparing the generated hashes stored in the memory with entries of a list of trusted websites hashed credentials and by requesting and acting upon input indicative of whether the website is trusted or whether the website is unknown and/or untrusted.
A computer-implemented method of preventing leakage of user credentials to phishing websites may comprise capturing user credentials input to website; updating a stored list of trusted website credentials upon determining that the domain of the URL of the website is present in a stored list of trusted websites; generating a hash of the captured user credentials; determining whether the hashed user credentials matches one of the hashed user credentials in the list of trusted website credentials; and when a match is found, requesting input whether the website is trusted or whether the website is unknown and/or untrusted; sending the URL to a remote computer server when the input indicates that the website is unknown and/or untrusted and disallowing submission of the user credentials to the website; adding the domain of the URL to the stored list of trusted websites, adding the generated hash of the captured user credentials to a stored list of trusted website credentials and allowing submission of the user credentials to the website.
- 1. A computer-implemented method, comprising:
requesting, by a web browser, a webpage of a website over a computer network; waiting for the requested webpage and all of the resources of the requested webpage to be loaded in the web browser; waiting for an event on the loaded webpage; identifying forms on the loaded webpage having fields associated with user credentials; adding, to the identified forms, at least one of; an input event listener to at least one of the identified fields, and a click event listener to at least one button or link belonging to the identified forms; capturing user credentials input to at least one of the forms using the input event listener and/or the click event listener; generating hashes of the captured user credentials by applying a key-stretching algorithm using a cryptographic salt to the captured user credentials; storing the generated hashes in a memory, and preventing leakage of user credentials to phishing websites by comparing the generated hashes stored in the memory with entries of a list of trusted websites hashed credentials and by requesting and acting upon input indicative of whether the website is trusted or whether the website is unknown and/or untrusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- 11. A computing device comprising:
at least one processor; at least one data storage device coupled to the at least one processor; a network interface coupled to the at least one processor and to a computer network; a plurality of processes spawned by said at least one processor, the processes including processing logic for; requesting a webpage of a website over a computer network; waiting for an event on the loaded webpage; identifying forms on the loaded webpage having fields associated with user credentials; an input event listener to at least one of the identified fields, and a click event listener to at least one button or link belonging to the identified forms; storing the generated hashes in a memory, and
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
This application is a continuation of and claims priority under 35 USC § 120 to co-pending and commonly-assigned U.S. patent application Ser. No. 15/607,329 filed on May 26, 2017, entitled “DEVICES, SYSTEMS AND COMPUTER-IMPLEMENTED METHODS FOR PREVENTING PASSWORD LEAKAGE IN PHISHING ATTACKS”, which application is incorporated herein by reference in its entirety.
Phishing is the attempt to acquire sensitive data—such as credit card numbers, login credentials, social security numbers—for malicious reasons by masquerading as a trustworthy entity in an electronic communication such as email or text message. Such trustworthy entities may include banks (Chase, HSBC . . . ), online payment services (PayPal . . . ), email service providers (Gmail, Yahoo!, British Telecom, T-Online . . . ), social networks (Facebook, LinkedIn . . . ) and e-commerce websites (Amazon, Alibaba . . . ), to name but a few.
The phishing scam takes place in several consecutive steps. Herein, the worst-case scenario is assumed, in that the victim is trapped by the phishing scam. The sequence of events leading to this bad outcome may include the following:
1. The phisher sets up a counterfeited website. This counterfeited website mimics a selected, well-known and legitimate website. This counterfeited website is configured to capture sensitive data of the victims.
2. The phisher initiates a phishing campaign by a chosen electronic communication modality (email, text message, instant messaging, etc.). The phishing message contain a message designed to prompt the victim to click on a fraudulent Uniform Resource Locator (URL), which leads the victim to the counterfeited website.
3. The victim receives the phishing message and clicks on the fraudulent URL. The victim'"'"'s browser opens the counterfeited website and the victim submits the requested sensitive data to the counterfeited website, thinking that it is the legitimate website that it mimics.
4. The fraudulent website forwards the submitted and captured sensitive data to the phisher, typically to a mailbox previously set up by the phisher to receive such captured sensitive data.
To thwart phishing attacks, the industry, including security vendors, web browser vendors, internet service providers, email service providers, wireless communications service providers, has developed different technologies. Most of these technologies can be classified in two categories:
- Electronic communication (email, text message, instant messaging, etc.) related technologies: these technologies attempt to detect phishing attacks by analyzing the inbound and/or outbound electronic communication traffic. Various methods are used to detect the phishing attacks, such as anti-phishing email filtering technologies used by email service providers (Gmail, Yahoo!, AOL, AT&T, Comcast, British Telecom, Vodafone, Orange and the like) to protect their customers. These email service providers develop their own technologies and/or use existing technologies provided by email security vendors such as Spamhaus, Cloudmark, Cyren or Vade Secure.
- Web-related technologies, which attempt to detect phishing webpages by analyzing the webpage itself. Typical of such approach are anti-phishing technologies available in web browsers, such as Google Safe Browsing for Google Chrome or SmartScreen for Microsoft Edge.
In most cases, a phishing attack is an attempt to capture login credentials (often, login and password) inputted by the user as he or she tries to connect to what is believed to be a trusted website. The fact that the end user submits such sensitive data as a password in an unknown context is highly suspicious. The phishing problem relies on the user'"'"'s inattention and the casualness with which most users provide their credentials upon demand. Rather than attempting to change the user'"'"'s behavior, what is needed is a technological solution to the technological problem of bad actors setting up fraudulent websites to prey on their victims. Such a technological solution should leverage the user'"'"'s own computing device and its connection to computer networks such as the Internet, to address and thwart efforts to steal confidential user credentials.
One embodiment is a technology-based solution to the password (and, more generally, user credential) leakage problem that enables thwarting phishing attacks through the detection and interception of password leakage. In one implementation, a computing device may be provided with a software component that utilizes and/or controls both local and remote hardware resources to thwart phishing attacks by detecting, intercepting and preventing password leakage, which may include phishers obtaining user credentials under false pretenses.
According to one embodiment, a software component, according to one embodiment, may be deployed to connect to a unique centralized service in the cloud (i.e., a centralized service running on one or more remote (e.g., hardware) computer servers and configured to access remote storage memory over a computer network.
According to one embodiment, the remote computer servers providing the centralized service may be configured to create, store and update a list of trusted websites. The centralized service/remote server(s) may be also configured to collect phishing URLs detected by the software component according to one embodiment and confirmed by the end user, thereby keeping pace with phishers as they evolve and develop new counterfeited websites.
A trusted website may be thought of as a website that has a very good reputation and that belongs to a trusted entity. These entities are typically brands of goods and/or services that are targeted by phishing attacks. A trusted website, according to one embodiment, may be identified by its domain name. Examples of trusted websites include, to identify but a few:
- Major banks and online payment services such as paypal.com, chase.com, hsbc.com;
- Major email service providers such as yahoo.com, aol.com, orange.fr;
- Major social networks such as facebook.com and linkedin.com; and
- Major electronic commerce websites such as amazon.com, amazon.co.uk, alibaba.com.
According to one embodiment, a list of trusted websites called TRUSTED_WEBSITES may be created, stored in non-volatile physical memory and maintained. In one implementation, the TRUSTED_WEBSITES list may be stored and/or managed by the computing device running the password leakage preventing software component according to one embodiment. This list, according to one embodiment, may be updated periodically, by the centralized service over a computer network (including, for example, the Internet) according to one embodiment, to follow the natural evolution of the Internet ecosystem. For example, if a new major social network or banking website is created, its domain name may be added to TRUSTED_WEBSITES list.
For example, a TRUSTED_WEBSITES list, according to one embodiment, may include one or more of the following domain names (or may include entirely others): alibaba.com; amazon.co.uk; amazon.com; aol.com; chase.com; facebook.com; hsbc.com; linkedin.com; orange.fr; paypal.com; yahoo.com.
The TRUSTED_WEBSITES list, in one embodiment, may also be updated when a computing device running the password leakage preventing software component according to one embodiment receives input (e.g., from a user or other programmatic source) that is indicative that a website is legitimate and should be trusted. For example, if the computing device running the password leakage preventing software component receives input that indicates that ucwv.edu (the University of Charleston website) is legitimate and should be trusted, the present software component may then add the ucwv.edu domain name to the TRUSTED_WEBSITES list. Within the present context and according to one embodiment, an unknown website is a website whose domain name is not included in the TRUSTED_WEBSITES list.
Embodiments include a computing device and a computer-implemented method that are configured to:
- capture every password submitted by the end user;
- analyze the password and, based on the results of the analysis, either generate and show a warning page or allow the login credentials to be sent to the website. In one embodiment, this computer-implemented method may be carried out at least in part by a password leakage preventing component according to one embodiment, on a computing device, such as a desktop computer, a laptop computer, a mobile device, a digital assistant (such as Amazon'"'"'s Echo and Google'"'"'s Google Home).
In a typical website login process, an end user fills in the fields required to login by, for example, typing, speaking, selecting pre-populated input fields to populate the input fields with his or her credentials. Most often, the credentials may include an identifier and a password, or the functional equivalents thereof. These credentials may then be submitted to the website by the computing device, responsive to receiving input representative of the user having clicked a button, pressed the Enter/Return key or having carried out a functionally equivalent positive action. In one embodiment, the login credentials may be stored as HyperText Markup Language (HTML) input tags within a HTML form. The login credentials may be stored differently in other embodiments, as implementations of the present embodiments are not limited to HTML or derivatives thereof. The password field can be easily identified because the type of the HTML input tag is usually “password”. When the HTML form is submitted, the login credentials may be encoded and transmitted to the website in a HyperText transfer protocol (HTTP) request using POST or GET method—according to the action and method attributes defined in the HTML form.
Below is an example of a login HTML form:
There are different ways to capture user credentials, and any may be used herein.
Described hereunder relative to
For every HTML form found, the password leakage preventing software component, according to one embodiment, may add input event listeners as shown at B105 to capture specific events (such as mouse clicks, touch events, and the like). Indeed, an input event listener may be added for the password field, so the present password leakage preventing software component may capture any change to the password field. Alternatively, or in addition, a click event listener may be added as shown at B106 for buttons and links within the form so that the password leakage preventing software component may capture a password field submission following receipt of input that is indicative of significant end user action such as a click on a button, a click on a link and/or an Enter/Return key press. As shown in
According to one embodiment, the list of passwords may be stored in TRUSTED_WEBSITES_PASSWORDS data structure, stored on a non-volatile physical memory store such as, for example, a solid-state memory and/or one or more hard disk drives. Each of the passwords stored in the TRUSTED_WEBSITES_PASSWORDS data structure is associated with a trusted website. In one embodiment, for each trusted website, the present password leakage preventing component may store at most a maximum number of passwords stored in TRUSTED_WEBSITES_PASSWORDS_MAX (default, but selectable value: 3) and may implement, for each trusted website, First In, First Out (FIFO) strategy, such that the oldest password stored is the first deleted as new passwords are captured and stored in the data structure. Even if there is only one valid password for a trusted website, more than one password may be stored, as there are several use cases in which a connection is attempted to a trusted website with an invalid (e.g., mistyped) password. Examples of such use cases include the case in which the end user makes a mistake while typing the password, the case in which the Caps Lock key is pressed while the end user is typing the password or the case in which, for example, the end user has forgotten the password for the website.
In one embodiment, the password may be stored as a hash. In one implementation, the passwords may be stored in persistent memory (e.g., on flash memory and/or on a hard disk drive or other non-volatile memory of a computing device) as a hash produced by, according to one embodiment, a key-stretching algorithm. Such a key-stretching algorithm makes a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Indeed, passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key-stretching makes such attacks more difficult. In one implementation, the key-stretching algorithm may be PBKDF2, for example. Other key stretching algorithms could be used as well, such as bcrypt, scrypt or Argon2, for example. According to one embodiment, a cryptographic salt may be generated by the present password leakage preventing software component after its installation. The cryptographic salt may use random data that functions as an additional input to the (e.g., one-way) function that hashes the passwords, to render the hashed, encrypted passwords more resistant to, for example, pre-computed rainbow table attacks against hashed values.
Example of Password Storage
In this implementation example, end user John Smith has installed the present password leakage preventing software component in the computing device with which he accesses websites. In this example, the TRUSTED_WEBSITES_PASSWORDS_MAX=2. Moreover, the key-stretching algorithm used to hash the passwords is the PBKDF2 algorithm with 1,000 iterations. The cryptographic salt used in this example is, in hexadecimal notation, 085A4FDBA2732B44427AD47668C63DBF. John Smith connects successfully to facebook.com by submitting his password alpha1982 on Jan. 12, 2017 at 8:41:12 am. In this case, the password leakage preventing software component will update TRUSTED_WEBSITES_PASSWORDS with the following data.
John Smith then connects to linkedIn.com on Jan. 14, 2017 at 6:56:09 PM with the same password; namely, alpha1982. The password leakage preventing software component will update the TRUSTED_WEBSITES_PASSWORDS data structure with the following data.
However, this password (alpha1982), submitted to LinkedIn.com, is invalid. He tries again at 6:56:27 PM with alpha1982linkedin—which is the correct password. The password leakage preventing software component then updates TRUSTED_WEBSITES_PASSWORDS with the following data:
Several days later, John Smith tries to connect to paypal.com with alpha1982. The password leakage preventing component may update TRUSTED_WEBSITES_PASSWORDS with the following data.
However, the alpha1982 password submitted to paypal.com is incorrect. Notice that the hash entered for the password submitted for paypal.com is the same as the hash generated for the password previously submitted to facebook.com, as well as the hash for the (incorrect) password submitted to LinkedIn.com. This is because the same key-stretching algorithm and the same cryptographic salt were used. John Smith later tries again with alpha1982papyal—note the miss-spelling of the “papyal” portion of the password. The present password leakage preventing component will, therefore, update the TRUSTED_WEBSITES_PASSWORDS data structure with the following data:
The password is still incorrect. Finally, John Smith tries again with alpha1982paypal—note the spelling of the “paypal” portion of the password—and finally connects successfully to his account at paypal.com. Notice that the password leakage preventing software component has deleted the oldest paypal.com password, as the TRUSTED_WEBSITES_PASSWORDS data structure operates, in this embodiment, as a FIFO queue for each trusted website, storing new hashes as it deletes the oldest from memory.
One embodiment of a computer-implemented method 200 is described with reference to
If, however, the domain of the website or webpage to which the user is logging onto is not present in the TRUSTED_WEBSITES data structure ([No] branch of B202), it may be determined whether the hash of the password submitted to the website upon logon is present in the TRUSTED_WEBSITES_PASSWORDS data structure, as shown at B205. If the domain of the website is not in the TRUSTED_WEBSITES and the hash of the password captured is not present in the TRUSTED_WEBSITES_PASSWORDS data structure ([No] branch of B205), the connection may continue as shown at B206 and the computer-implemented method ends at B299, as there is no possibility of password leakage in this case.
If, however, the hash of the password submitted to the website upon logon is present in the TRUSTED_WEBSITES_PASSWORDS data structure ([Yes] branch of B205), a warning may be generated, to alert the user of a potential security risk in submitting the password captured in B201 to the website to which the user is logging on. One example of such a warning is shown in
Turning back to
In this case, the user-entered password is not submitted to the website, thereby preventing the bad actors behind the counterfeited website from learning and profiting from the user'"'"'s credentials. The present computer-implemented method may then end at B299.
After the warning is shown in B207, if the user'"'"'s computing device receives input from the user that is indicative of the user knows and trusts the website to which he or she has submitted the password, block B209 may be carried out. As shown in B209, the URL of the domain of the now trusted website may be added to the TRUSTED WEB SITES. Moreover, as also shown at B209, a hash of the password may be added to the TRUSTED WEBSITE PASSWORDS data structure, in the manner discussed herein above. The user'"'"'s credentials may now be safely submitted to the website and the connection may be allowed to continue as shown at B210. That is, the user-submitted login credentials may be encoded and transmitted to the website in an HTTP request using POST or GET method—according to the action and method attributes defined in the HTML form. This submission of the user'"'"'s login credentials may, therefore, be safely submitted to the website with a relatively high degree of confidence that the website is most likely legitimate and will likely prove to be a trustworthy steward of submitted login information.
One embodiment may be configured as a computing device such as a desktop computer, a tablet or a network-connected mobile device, as shown at 404, 410 and 416 in
As shown in
The phishing URLs reported to the centralized service/remote computer server and storage 422 may update a blacklist of phishing URLs for each computing device 404, 410, 416. Alternatively, a single blacklist of suspected phishing URLs, whose constituent phishing URLs may have been contributed by one or more of the computing devices 404, 410, 416 may be shared with and/or utilized by each of the computing devices 404, 410, 416. Similarly, a plurality of lists of trusted websites sent from the centralized service/remote computer server and storage 422 to the computing devices 404, 410, 416 may be maintained, each individualized for each of the computing devices 404, 410, 416. Alternatively, a single list of trusted websites, comprising contributions from one or more of the computing devices 404, 410, 416 may be maintained by the centralized service/remote computer server and storage 422, may be pushed out or otherwise provided to each of the computing devices 404, 410, 416, thereby providing each computing device with the benefit of prior contributions from others of the computing devices 404, 410, 416 embodying a leakage preventing component according to an embodiment.
Embodiments of the present invention are related to the use of computing devices to prevent password (and/or other confidential information or credentials) leakage in phishing attacks. According to one embodiment, the methods, devices and systems described herein may be provided by one or more computing devices in response to processor(s) 502 executing sequences of instructions, embodying aspects of the computer-implemented methods shown and described herein, contained in memory 504. Such instructions may be read into memory 504 from another computer-readable medium, such as data storage device 507. Execution of the sequences of instructions contained in memory 504 causes processor(s) 502 to perform the steps and have the functionality described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the described embodiments. Thus, embodiments are not limited to any specific combination of hardware circuitry and software. Indeed, it should be understood by those skilled in the art that any suitable computer system may implement the functionality described herein. The computing devices may include one or a plurality of microprocessors working to perform the desired functions. In one embodiment, the instructions executed by the microprocessor or microprocessors are operable to cause the microprocessor(s) to perform the steps described herein. The instructions may be stored in any computer-readable medium. In one embodiment, they may be stored on a non-volatile semiconductor memory external to the microprocessor, or integrated with the microprocessor. In another embodiment, the instructions may be stored on a disk and read into a volatile semiconductor memory before execution by the microprocessor.
Portions of the detailed description that follows describe processes and symbolic representations of operations by computing devices that may include conventional computer components, including a local processing unit, memory storage devices for the local processing unit, display devices, and input devices. Furthermore, such processes and operations may utilize conventional computer components in a heterogeneous distributed computing environment including, for example, remote file servers, computer servers, and memory storage devices. These distributed computing components may be accessible to the local processing unit by a communication network.
The processes and operations performed by the computer include the manipulation of data bits by a local processing unit and/or remote server and the maintenance of these bits within data structures resident in one or more of the local or remote memory storage devices. These data structures impose a physical organization upon the collection of data bits stored within a memory storage device and represent electromagnetic spectrum elements.
A process, such as the computer-implemented methods of preventing password leakage described herein, may generally be defined as being a sequence of computer-executed steps leading to a desired result. These steps generally require physical manipulations of physical quantities. Usually, though not necessarily, these quantities may take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, compared, or otherwise manipulated. It is conventional for those skilled in the art to refer to these signals as bits or bytes (when they have binary logic levels), pixel values, works, values, elements, symbols, characters, terms, numbers, points, records, objects, images, files, directories, subdirectories, or the like. It should be kept in mind, however, that these and similar terms should be associated with appropriate physical quantities for computer operations, and that these terms are merely conventional labels applied to physical quantities that exist within and during operation of the computer.
It should also be understood that manipulations within the computer are often referred to in terms such as adding, comparing, moving, positioning, placing, illuminating, removing, altering and the like. The operations described herein are machine operations performed in conjunction with various input provided by a human or artificial intelligence agent operator or user that interacts with the computer. The machines used for performing the operations described herein include local or remote general-purpose digital computers or other similar computing devices.
In addition, it should be understood that the programs, processes, methods, etc. described herein are not related or limited to any particular computer or apparatus nor are they related or limited to any particular communication network architecture. Rather, various types of general-purpose hardware machines may be used with program modules constructed in accordance with the teachings described herein. Similarly, it may prove advantageous to construct a specialized apparatus to perform the method steps described herein by way of dedicated computer systems in a specific network architecture with hard-wired logic or programs stored in nonvolatile memory, such as read only memory.
While certain example embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the embodiments disclosed herein. Thus, nothing in the foregoing description is intended to imply that any particular feature, characteristic, step, module, or block is necessary or indispensable. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the spirit of the embodiments disclosed herein.