System and method for detecting phishers by analyzing website referrals

US 7,630,987 B1
Filed: 11/24/2004
Issued: 12/08/2009
Est. Priority Date: 11/24/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of facilitating detection of phishing-related websites from among a plurality of referring websites, the method comprising:

accessing a referral list of websites that link to a legitimate website;

calculating statistical outliers within the referral list of websites based on historical patterns to produce a dataset of suspect websites from the referral list of websites;

creating an array of relevant points wherein each relevant point corresponds to a defined HTML tag to construct a referring site fingerprint for each of the suspect websites in the dataset based on content of a suspect website;

comparing each referring site fingerprint to a fingerprint for the legitimate website by determining the number of matches between the array of relevant points and a second array forming the fingerprint for the legitimate website to calculate a relevance score using a percentage match between the referring site fingerprint and the fingerprint for the legitimate website, the relevance score indicating a likelihood that the suspect website is a phishing-related website; and

presenting the relevance score for each of the suspect websites.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for identifying phishers by analyzing website referrals. A combination of statistical analysis and fingerprinting can be used to assign a relevance score to a referring website that indicates the likelihood that the referring website is a phishing-related website. A fingerprint as used herein with respect to example embodiments is an array of relevant points corresponding to defined HTML tags. The relevance score can be determined at least in part by comparing the fingerprint of a suspect website with that of a base website. The number of matches in relevant points between the two websites determines the relevance score. Provisions can be made for displaying, reporting, and tracking relevance scores so that appropriate actions can be taken as phishing is detected. Additionally, a known-good list of websites can be used to reduce the number of false positives.

59 Citations

View as Search Results

18 Claims

1. A computer-implemented method of facilitating detection of phishing-related websites from among a plurality of referring websites, the method comprising:
- accessing a referral list of websites that link to a legitimate website;
  
  calculating statistical outliers within the referral list of websites based on historical patterns to produce a dataset of suspect websites from the referral list of websites;
  
  creating an array of relevant points wherein each relevant point corresponds to a defined HTML tag to construct a referring site fingerprint for each of the suspect websites in the dataset based on content of a suspect website;
  
  comparing each referring site fingerprint to a fingerprint for the legitimate website by determining the number of matches between the array of relevant points and a second array forming the fingerprint for the legitimate website to calculate a relevance score using a percentage match between the referring site fingerprint and the fingerprint for the legitimate website, the relevance score indicating a likelihood that the suspect website is a phishing-related website; and
  
  presenting the relevance score for each of the suspect websites.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1 wherein the producing of the dataset of suspect websites further comprises:
    - discarding known good websites from the referral list of websites.
  - 3. The computer-implemented method of claim 1 further comprising sorting and displaying the relevance score for each of the suspect websites.
  - 4. The computer-implemented method of claim 2 further comprising sorting and displaying the relevance score for each of the suspect websites.

5. A computer program product including at least one of a magnetic, optical and semiconductor computer-readable storage medium comprising a computer program for facilitating detection of phishing-related websites from among a plurality of referring websites, the computer program further comprising:
- instructions for accessing a referral list of websites that link to a legitimate website;
  
  instructions for calculating statistical outliers within the referral list of websites based on historical patterns to produce a dataset of suspect websites from the referral list of websites;
  
  instructions for creating an array of relevant points wherein each relevant point corresponds to a defined HTML tag to construct a referring site fingerprint for a suspect website, the referring site fingerprint based on content of the suspect website;
  
  instructions for comparing the referring site fingerprint to a fingerprint for the legitimate website by determining the number of matches between the array of relevant points and a second array forming the fingerprint for the legitimate website to calculate a relevance score using a percentage match between the referring site fingerprint and the fingerprint for the legitimate website, the relevance score indicating a likelihood that the suspect website is a phishing-related website; and
  
  instructions for presenting the relevance score for each of the suspect websites.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product of claim 5 wherein the computer program further comprises:
    - instructions for discarding known good websites from the referral list of websites.
  - 7. The computer program product of claim 5 wherein the computer program further comprises instructions for sorting and displaying the relevance score for each of the suspect websites.
  - 8. The computer program product of claim 6 wherein the computer program further comprises instructions for sorting and displaying the relevance score for each of the suspect websites.

9. Apparatus for facilitating detection of phishing-related websites from among a plurality of referring websites, the apparatus comprising:
- means for accessing a referral list of websites that link to a legitimate website;
  
  means for calculating statistical outliers within the referral list of websites based on historical patterns to produce a dataset of suspect websites from the referral list of websites;
  
  means for creating an array of relevant points wherein each relevant point corresponds to a defined HTML tag to construct a referring site fingerprint for a suspect website, the referring site fingerprint based on content of the suspect website;
  
  means for comparing each referring site fingerprint to a fingerprint for the legitimate website by determining the number of matches between the array of relevant points and a second array forming the fingerprint for the legitimate website to calculate a relevance score using a percentage match between the referring site fingerprint and the fingerprint for the legitimate website, the relevance score indicating a likelihood that the suspect website is a phishing-related website; and
  
  means for presenting the relevance score for each of the suspect websites.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus of claim 9 further comprising:
    - means for discarding known good websites from the referral list of websites.
  - 11. The apparatus of claim 9 further comprising means for sorting and displaying the relevance score for each of the suspect websites.
  - 12. The apparatus of claim 10 further comprising means for sorting and displaying the relevance score for each of the suspect websites.

13. A system for facilitating detection of phishing-related websites from among a plurality of referring websites, the system comprising:
- a data reduction function to access a referral log of websites that link to a legitimate website and to discard known good websites;
  
  a data repository to store information on historical patterns of website access;
  
  a data qualification function linked to the data repository and to the data reduction function, the data qualification function to compute statistical outliers from the referral log to produce a dataset of suspect websites; and
  
  a prioritization and comparison function linked to the data reduction function and the data qualification function to construct a referring site fingerprint for a suspect website and to compare the referring site fingerprint to a fingerprint for the legitimate website by determining the number of matches between the array of relevant points and a second array forming the fingerprint for the legitimate website to calculate a relevance score using a percentage match between the referring site fingerprint and the fingerprint for the legitimate website and to present the relevance score for each of the suspect websites indicating a likelihood that the suspect website is a phishing-related website.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13 further comprising a web services element to provide presentation and feedback.
  - 15. The system of claim 13 further comprising an interface to an investigations reporting system.
  - 16. The system of claim 15 further comprising an interface to a metrics and historical data reporting system.
  - 17. The system of claim 14 further comprising an interface to an investigations reporting system.
  - 18. The system of claim 17 further comprising an interface to a metrics and historical data reporting system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Renfro, Chadwick R., Shnowske, Daniel, Wacker, Brian R.
Primary Examiner(s)
Cottingham, John R.
Assistant Examiner(s)
Badawi, Sherief

Application Number

US10/904,708
Time in Patent Office

1,840 Days
Field of Search

705/50, 705/15, 726/22, 713/176, 713/200, 707/6, 707/3
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1483 service impersonation, e.g....

System and method for detecting phishers by analyzing website referrals

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting phishers by analyzing website referrals

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links