Collaborative phishing attack detection

US 9,325,730 B2
Filed: 02/12/2015
Issued: 04/26/2016
Est. Priority Date: 02/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;

electronically storing the predetermined identifier in a computerized data store;

receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;

determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message;

if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and

if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis;

wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic or identifier of the message with a characteristic or identifier of a transmitted simulated phishing attack.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

306 Citations

30 Claims

1. A method, comprising:
- generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing the predetermined identifier in a computerized data store;
  
  receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message;
  
  if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis;
  
  wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic or identifier of the message with a characteristic or identifier of a transmitted simulated phishing attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein forwarding the message for analysis further comprises forwarding the message to a computer security technician for analysis to determine if the message is a real phishing attack or not.
  - 3. The method of claim 1, wherein forwarding the message for analysis further comprises forwarding the message to computer configured to detect phishing attacks to determine if the message is a real phishing attack or not.
  - 4. The method of claim 1, wherein if the message is determined not to be a known simulated phishing attack, and processing of the message results in a determination that the message is a real phishing attack, providing feedback to the individual that identified the message as a possible phishing attack confirming that the message was a real phishing attack.
  - 5. The method of claim 1, wherein a single graphical user interface action performed by a first individual is sufficient to trigger the notification to be sent from the computing device of the first individual.
  - 6. The method of claim 1, further comprising searching through a log of simulated phishing attacks to determine whether the message is a simulated phishing attack.
  - 7. The method of claim 1, wherein the characteristic of the message includes one or more of a sender identifier of the message, a recipient identifier of the message, a subject of the message, a time of transmission of the message, and a header of the message.
  - 8. The method of claim 1, wherein determining whether the message is a known simulated phishing attack comprises comparing the message or a portion of the message with simulated phishing attacks.
  - 9. The method of claim 1, wherein determining whether the message is a known simulated phishing attack comprises analyzing one or more characteristics of the message at a client-side plug-in.
  - 10. The method of claim 1, further comprising providing a plug-in for an e-mail client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.

11. A method, comprising:
- generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing the predetermined identifier in a computerized data store;
  
  receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message;
  
  if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis;
  
  wherein determining whether the message is a known simulated phishing attack comprises comparing the message or a portion of the message with simulated phishing attacks.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein forwarding the message for analysis further comprises forwarding the message to a computer security technician for analysis to determine if the message is a real phishing attack or not.
  - 13. The method of claim 11, wherein forwarding the message for analysis further comprises forwarding the message to computer configured to detect phishing attacks to determine if the message is a real phishing attack or not.
  - 14. The method of claim 11, wherein if the message is determined not to be a known simulated phishing attack, and processing of the message results in a determination that the message is a real phishing attack, providing feedback to the individual that identified the message as a possible phishing attack confirming that the message was a real phishing attack.
  - 15. The method of claim 11, wherein a single graphical user interface action performed by a first individual is sufficient to trigger the notification to be sent from the computing device of the first individual.
  - 16. The method of claim 11, wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic of the message with a characteristic of a transmitted simulated phishing attack.
  - 17. The method of claim 16, wherein the characteristic of the message includes one or more of a sender identifier of the message, a recipient identifier of the message, a subject of the message, a time of transmission of the message, and a header of the message.
  - 18. The method of claim 11, further comprising searching through a log of simulated phishing attacks to determine whether the message is a simulated phishing attack.
  - 19. The method of claim 11, wherein determining whether the message is a known simulated phishing attack comprises analyzing one or more characteristics of the message at a client-side plug-in.
  - 20. The method of claim 11, further comprising providing a plug-in for an e-mail client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.

21. A method, comprising:
- generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing the predetermined identifier in a computerized data store;
  
  receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message;
  
  if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis;
  
  wherein determining whether the message is a known simulated phishing attack comprises analyzing one or more characteristics or identifiers of the message at a client-side plug-in.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21, wherein forwarding the message for analysis further comprises forwarding the message to a computer security technician for analysis to determine if the message is a real phishing attack or not.
  - 23. The method of claim 21, wherein forwarding the message for analysis further comprises forwarding the message to computer configured to detect phishing attacks to determine if the message is a real phishing attack or not.
  - 24. The method of claim 21, wherein if the message is determined not to be a known simulated phishing attack, and processing of the message results in a determination that the message is a real phishing attack, providing feedback to the individual that identified the message as a possible phishing attack confirming that the message was a real phishing attack.
  - 25. The method of claim 21, wherein a single graphical user interface action performed by a first individual is sufficient to trigger the notification to be sent from the computing device of the first individual.
  - 26. The method of claim 21, wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic of the message with a characteristic of a transmitted simulated phishing attack.
  - 27. The method of claim 26, wherein the characteristic of the message includes one or more of a sender identifier of the message, a recipient identifier of the message, a subject of the message, a time of transmission of the message, and a header of the message.
  - 28. The method of claim 21, wherein determining whether the message is a known simulated phishing attack comprises comparing the message or a portion of the message with simulated phishing attacks.
  - 29. The method of claim 21, further comprising searching through a log of simulated phishing attacks to determine whether the message is a simulated phishing attack.
  - 30. The method of claim 21, further comprising providing a plug-in for an e-mail client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/620,245
Publication Number

US 20150180896A1
Time in Patent Office

439 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 3/04842   Selection of displayed obje...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/306   User profiles

Collaborative phishing attack detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

306 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative phishing attack detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

306 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links