Phishing detection, prevention, and notification

US 7,634,810 B2
Filed: 05/13/2005
Issued: 12/15/2009
Est. Priority Date: 12/02/2004
Status: Expired due to Fees

First Claim

Patent Images

1. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a method comprising:

rendering a messaging user interface to facilitate communication via a messaging application;

receiving a communication from a domain that is located in a country; and

detecting a phishing attack in the communication by at least one of determining that the domain from which the communication is received is similar to a known phishing domain and detecting suspicious network properties of the domain from which the communication is received;

wherein detecting suspicious network properties includes the following;

detecting that the communication is received from the domain which is a newly established domain on the internet;

detecting that the communication is received from the domain which has a low static rank;

detecting that the content of the domain which includes multiple user-selectable links to a first network-based resource and the first network-based resource is configured to submit form data to a second network-based resource;

detecting that an IP (Internet protocol) address corresponding to the domain does not correlate with the country where the domain is located; and

detecting a phishing attack in the communication at least in part by examining a user-selectable link within the communication, wherein the communication contains a user-selectable link to a web site with a minimal amount of content or a user-selectable link to a little-trafficked site.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

136 Citations

10 Claims

1. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a method comprising:
- rendering a messaging user interface to facilitate communication via a messaging application;
  
  receiving a communication from a domain that is located in a country; and
  
  detecting a phishing attack in the communication by at least one of determining that the domain from which the communication is received is similar to a known phishing domain and detecting suspicious network properties of the domain from which the communication is received;
  
  wherein detecting suspicious network properties includes the following;
  
  detecting that the communication is received from the domain which is a newly established domain on the internet;
  
  detecting that the communication is received from the domain which has a low static rank;
  
  detecting that the content of the domain which includes multiple user-selectable links to a first network-based resource and the first network-based resource is configured to submit form data to a second network-based resource;
  
  detecting that an IP (Internet protocol) address corresponding to the domain does not correlate with the country where the domain is located; and
  
  detecting a phishing attack in the communication at least in part by examining a user-selectable link within the communication, wherein the communication contains a user-selectable link to a web site with a minimal amount of content or a user-selectable link to a little-trafficked site.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage media as recited in claim 1, wherein detecting the phishing attack includes detecting that a name of the domain is similar in edit-distance to the known phishing domain, the edit-distance being based at least in part on the likelihood of user confusion or on a site-specific change.
  - 3. The computer-readable storage media as recited in claim 1, further comprising comparing the domain to a list of known non-phishing domains to determine that the domain is not a phishing domain.
  - 4. The computer-readable storage media as recited in claim 1, wherein receiving the communication includes receiving an email, and wherein detecting the phishing attack includes examining data in a “
    - From”
      
      field of the email.
  - 5. The computer-readable storage media as recited in claim 1, wherein receiving the communication includes receiving an email, and wherein detecting the phishing attack includes examining a display name in a “
    - From”
      
      field of the email.
  - 6. The computer-readable storage media as recited in claim 1, further comprising sending an email, and wherein detecting the phishing attack includes examining data in at least one of a “
    - To”
      
      field of the email, a “
      
      CC”
      
      (carbon copy) field of the email, or a “
      
      BCC”
      
      (blind carbon copy) field of the email.
  - 7. The computer-readable storage media as recited in claim 1, wherein detecting the phishing attack includes determining that the communication at least one of:
    - fails anti-spoofing detection;
      
      contains suspicious text content;
      
      is received from the domain which does not provide anti-spoofing information;
      
      oris received via at least one of a dial-up, cable, or DSL (Digital Subscriber Line) communication link.

8. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a method comprising:
- rendering a messaging user interface to facilitate communication via a messaging application;
  
  receiving a communication from a domain that is located in a country;
  
  detecting a phishing attack in the communication by detecting suspicious network properties of the domain from which the communication is received;
  
  wherein detecting suspicious network properties includes the following;
  
  detecting that the communication is received from the domain which is a newly established domain on the internet;
  
  detecting that the communication is received from the domain which has a low static rank;
  
  detecting that the content of the domain which includes multiple user-selectable links to a first network-based resource and the first network-based resource is configured to submit form data to a second network-based resource;
  
  detecting that an IP (Internet protocol) address corresponding to the domain does not correlate with the country where the domain is located; and
  
  detecting a phishing attack in the communication at least in part by examining a user-selectable link within the communication, wherein the communication contains at least one of;
  
  a user-selectable link to a web site with a minimal amount of content;
  
  ora user-selectable link to a little-trafficked site.
- View Dependent Claims (9, 10)
- - 9. The computer-readable storage media as recited in claim 8, wherein detecting the phishing attack includes detecting a user-selectable link within the communication that includes at least one of an IP (Internet protocol) address, an “
    - @”
      
      sign, or suspicious HTML (Hypertext Markup Language) encoding.
  - 10. The computer-readable storage media as recited in claim 8, wherein detecting the phishing attack includes detecting that the user-selectable link is a user-selectable link to at least one of a domain or a Web page that has a low static rank which is based at least in part on incoming links to the domain or to the Web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Averbuch, Aaron H, Deyo, Roderic C, Penta, Anthony P., Rounthwaite, Robert L., Hulten, Geoffrey J, Goodman, Joshua T., Rehfuss, Paul S, Mishra, Manav, Richards, Kenneth G
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US11/129,222
Publication Number

US 20060123464A1
Time in Patent Office

1,677 Days
Field of Search

726/2, 726 22- 25, 709223-225, 709/229
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Phishing detection, prevention, and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing detection, prevention, and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links