Phishing detection, prevention, and notification

US 8,291,065 B2
Filed: 09/30/2006
Issued: 10/16/2012
Est. Priority Date: 12/02/2004
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a method, comprising:

receiving content from a network-based resource, the content including multiple selectable links;

rendering a user interface of a Web browsing application to display the content received from the network-based resource;

determining that the content received from the network-based resource contains a phishing attack, including;

associating a plurality of the multiple selectable links with a first Web site,associating another link of the multiple selectable links with an input form hosted at a second Web site, the first Web site being a legitimate Web site and being different from the second Web site, anddetermining, based on the plurality of the multiple selectable links associated with the first Web site and the other link associated with the second Web site, that the content contains the phishing attack; and

warning a user that the content contains the phishing attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

101 Citations

View as Search Results

19 Claims

1. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a method, comprising:
- receiving content from a network-based resource, the content including multiple selectable links;
  
  rendering a user interface of a Web browsing application to display the content received from the network-based resource;
  
  determining that the content received from the network-based resource contains a phishing attack, including;
  
  associating a plurality of the multiple selectable links with a first Web site,associating another link of the multiple selectable links with an input form hosted at a second Web site, the first Web site being a legitimate Web site and being different from the second Web site, anddetermining, based on the plurality of the multiple selectable links associated with the first Web site and the other link associated with the second Web site, that the content contains the phishing attack; and
  
  warning a user that the content contains the phishing attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage media in claim 1, wherein the warning indicating a difference between a domain associated with the content and a non-phishing domain.
  - 3. The computer-readable storage media in claim 1, wherein the warning is communicated to a user as a warning email.
  - 4. The computer-readable storage media in claim 1, wherein the determining that the content received from the network-based resource contains a phishing attack further determining that a domain associated with the content is from a newly established domain which has a static rank below a predetermined threshold value.
  - 5. The computer-readable storage media in claim 1, further comprising preventing the phishing attack.
  - 6. The computer-readable storage media in claim 5, further comprising obtaining a suspicion score associated with the content, the suspicion score indicating a likelihood of the phishing attack, and wherein the preventing the phishing attack includes combining the suspicion score with phishing information corresponding to the network-based resource to further determine the likelihood of the phishing attack.
  - 7. The computer-readable storage media in claim 1, wherein the warning the user includes warning the user that sensitive data was previously submitted via the user interface displaying the content received from the network-based resource.

8. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a system, comprising:
- an email or chat-based application to;
  
  receive an electronic mail (email) communication containing a Web based content, the content including multiple selectable links, associated with a phishing attack from a network based resource,determine that the Web based content is associated with the phishing attack,including;
  
  associating a plurality of the multiple selectable links with a first Web site,associating another link of the multiple selectable links with an input form hosted at a second Web site, the first Web site being a legitimate Web site and being different from the second Web site, anddetermining, based on the plurality of the multiple selectable links associated with the first Web site and the other link associated with the second Web site, that the content contains the phishing attack andcommunicate, upon the receiving the email communication, a notification to the Web browsing application that the Web based content is associated with the phishing attack, wherein the notification is communicated to the Web browsing application automatically in response to the receiving the email communication;
  
  and a Web browsing application to render the Web based content, andtransmit a message that the Web based content is associated with the phishing attack.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage media in claim 8, wherein the determining that the Web based content is associated with the phishing attack includes determining that the email communication is received from a domain that does not match a country code where the domain is located.
  - 10. The computer-readable storage media in claim 8, wherein the message is transmitted to a user-via the Web browsing application.
  - 11. The computer-readable storage media in claim 8, wherein the message indicates that a user previously submitted sensitive data.
  - 12. The computer-readable storage media in claim 8, wherein the determining that the Web based content is associated with the phishing attack includes determining that a rendering of the Web based content is consistent with a secure Hypertext Transfer Protocol connection.
  - 13. The computer-readable storage media in claim 8, wherein the determining that the Web based content is associated with the phishing attack includes:
    - obtaining a suspicion score from the email or chat-based application, the suspicion score indicating a likelihood of a phishing attack, andcombining the suspicion score with phishing information corresponding to the network-based resource.
  - 14. The computer-readable storage media in claim 8, wherein the email or chat-based application is further configured to utilize at least one of a referring page, a URI (Uniform Resource Identifier), a Web browser switch, or a Web browser API (Application Program Interface) to communicate the notification to the Web browsing application.

15. One or more computer-readable storage media embodying computer readable instructions which, when executed, implement a system, comprising:
- a Web browsing application to;
  
  receive content from a network based resource, the content including multiple selectable links;
  
  render a user interface to display the content, andreceive sensitive data via the user interface; and
  
  a phishing detection module to;
  
  detect a phishing attack in the content, includingassociating a plurality of the multiple selectable links with a first Web site,associating another link of the multiple selectable links with an input form hosted at a second Web site, the first Web site being a legitimate Web site and being different from the second Web site, anddetermining, based on the plurality of the multiple selectable links associated with the first Web site and the other link associated with the second Web site, that the content contains the phishing attack;
  
  and communicate a warning, after the receiving the sensitive data, that the sensitive data was previously submitted via the user interface.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable storage media in claim 15, wherein the warning includes both a domain included in the content and a non-phishing domain.
  - 17. The computer-readable storage media in claim 15, wherein the phishing detection module communicates the warning to a user via a user interface of the Web browsing application.
  - 18. The computer-readable storage media in claim 15, wherein the warning emphasizes the difference between a domain included in the content and a non-phishing domain by underlining characters of the domain included in the content that differ from the non-phishing domain.
  - 19. The computer-readable storage media in claim 15, wherein the detect the phishing attack in the content further includes determining via a referring page and a list of known Web-based email systems that the content is received in response to a request from an email or chat-based application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Goodman, Joshua T., Rehfuss, Paul S, Rounthwaite, Robert L., Mishra, Manav, Hulten, Geoffrey J, Richards, Kenneth G, Averbuch, Aaron H, Penta, Anthony P., Deyo, Roderict C.
Primary Examiner(s)
Nguyen, Phuoc
Assistant Examiner(s)
COONEY, ADAM A

Application Number

US11/537,641
Publication Number

US 20070039038A1
Time in Patent Office

2,208 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Phishing detection, prevention, and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing detection, prevention, and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links