Collaborative phishing attack detection

US 9,356,948 B2
Filed: 08/02/2013
Issued: 05/31/2016
Est. Priority Date: 02/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating, by a network device, a simulated phishing email, the simulated phishing email comprising a first header, wherein the simulated phishing email is a non-malicious email that resembles a phishing attack, and wherein the first header identifies the simulated phishing email as non-malicious;

electronically storing the first header in a computerized data store;

receiving, by the network device from a computing device associated with an individual, a notification triggered by a user interface action by the individual that an email delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;

in response to receiving the notification, determining whether the identified email is a known simulated phishing attack by comparing the first header stored in the data store to one or more headers of the identified email, said determining occurring at the network device or at the computing device;

when the identified email is determined to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, electronically recording that the individual has correctly identified the identified email as a possible phishing attack and providing feedback to the individual confirming that the identified email was a simulated phishing attack; and

when the identified email is determined not to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, sending the identified email to a computer security technician for review or to an email address configured to receive the identified email or to a computer configured to detect whether or not the identified email is a threat or real phishing attack.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

Citations

30 Claims

1. A method, comprising:
- generating, by a network device, a simulated phishing email, the simulated phishing email comprising a first header, wherein the simulated phishing email is a non-malicious email that resembles a phishing attack, and wherein the first header identifies the simulated phishing email as non-malicious;
  
  electronically storing the first header in a computerized data store;
  
  receiving, by the network device from a computing device associated with an individual, a notification triggered by a user interface action by the individual that an email delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  in response to receiving the notification, determining whether the identified email is a known simulated phishing attack by comparing the first header stored in the data store to one or more headers of the identified email, said determining occurring at the network device or at the computing device;
  
  when the identified email is determined to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, electronically recording that the individual has correctly identified the identified email as a possible phishing attack and providing feedback to the individual confirming that the identified email was a simulated phishing attack; and
  
  when the identified email is determined not to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, sending the identified email to a computer security technician for review or to an email address configured to receive the identified email or to a computer configured to detect whether or not the identified email is a threat or real phishing attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein sending the identified email further comprises sending the identified email to a computer security technician for analysis to determine if the identified email is a real phishing attack or not.
  - 3. The method of claim 1, wherein sending the identified email further comprises sending the identified email to computer configured to detect phishing attacks to determine if the identified email is a real phishing attack or not.
  - 4. The method of claim 1, wherein if the identified email is determined not to be a known simulated phishing attack, and processing of the identified email results in a determination that the identified email is a real phishing attack, providing feedback to the individual that identified the identified email as a possible phishing attack confirming that the identified email was a real phishing attack.
  - 5. The method of claim 1, wherein a single graphical user interface action performed by the individual is sufficient to trigger the notification to be sent from the computing device of the individual.
  - 6. The method of claim 1, wherein determining whether the identified email is a known simulated phishing attack comprises comparing the identified email or a portion of the identified email with simulated phishing attacks.
  - 7. The method of claim 1, wherein determining whether the identified email is a known simulated phishing attack comprises analyzing one or more characteristics of the identified email at a client-side plug-in.
  - 8. The method of claim 1, further comprising providing a plug-in at an email client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.
  - 9. The method of claim 1, wherein the computerized data store electronically storing the first header is at a client-side device, and wherein the determining whether the identified email is a known simulated phishing attack is executed at the client-side device.
  - 10. The method of claim 1, wherein the computerized data store electronically storing the first header is at a network server device, and wherein the determining whether the identified email is a known simulated phishing attack is executed at the network server device.
  - 11. The method of claim 1, further comprising searching through a log of simulated phishing attacks to determine whether the identified email is a simulated phishing attack.
  - 12. The method of claim 1, wherein the determining whether the identified email is a known simulated phishing attack is performed at a client-side plug-in executing at the computing device.

13. A system comprising:
- a processor;
  
  a storage device connected to the processor;
  
  a network server device; and
  
  a set of instructions on the storage device that, when executed by the processor, cause the processor perform the steps of;
  
  generating, by a network device, a simulated phishing email, the simulated phishing email comprising a first header, wherein the simulated phishing email is a non-malicious email that resembles a phishing attack, and wherein the first header identifies the simulated phishing email as non-malicious;
  
  electronically storing the first header in a computerized data store;
  
  receiving, by the network device from a computing device associated with an individual, a notification triggered by a user interface action by the individual that an email delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  in response to receiving the notification, determining whether the identified email is a known simulated phishing attack by comparing the first header stored in the data store to one or more headers of the identified email, said determining occurring at the network device or at the computing device;
  
  when the identified email is determined to be a known simulated phishing attack based on the comparison of the first header stored in the data store to the one or more headers of the identified email, electronically recording that the individual has correctly identified the identified email as a possible phishing attack and providing feedback to the individual confirming that the identified email was a simulated phishing attack; and
  
  when the identified email is determined not to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, sending the identified email to a computer security technician for review or to an email address configured to receive the identified email or to a computer configured to detect whether or not the identified email is a threat or real phishing attack.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30)
- - 14. The system of claim 13, wherein sending the identified email further comprises sending the identified email to a computer security technician for analysis to determine if the identified email is a real phishing attack or not.
  - 15. The system of claim 13, wherein sending the identified email further comprises sending the identified email to computer configured to detect phishing attacks to determine if the identified email is a real phishing attack or not.
  - 16. The system of claim 13, wherein if the identified email is determined not to be a known simulated phishing attack, and processing of the identified email results in a determination that the identified email is a real phishing attack, providing feedback to the individual that identified the identified email as a possible phishing attack confirming that the identified email was a real phishing attack.
  - 17. The system of claim 13, wherein a single graphical user interface action performed by the individual is sufficient to trigger the notification to be sent from the computing device of the individual.
  - 18. The system of claim 13, wherein determining whether the identified email is a known simulated phishing attack comprises comparing a characteristic of the identified email with a characteristic of a transmitted simulated phishing attack.
  - 19. The system of claim 18, wherein the characteristic of the identified email message includes one or more of a sender identifier of the identified email, a recipient identifier of the identified email, a subject of the identified email, a time of transmission of the identified email, and a header of the identified email.
  - 20. The system of claim 13, wherein determining whether the identified email is a known simulated phishing attack comprises comparing the identified email or a portion of the identified email with simulated phishing attacks.
  - 21. The system of claim 13, wherein determining whether the identified email is a known simulated phishing attack comprises analyzing one or more characteristics of the identified email at a client-side plug-in.
  - 22. The system of claim 13, further comprising providing a plug-in at an email client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.
  - 23. The system of claim 13, wherein the computerized data store electronically storing the first header is at a client-side device, and wherein the determining whether the identified email is a known simulated phishing attack is executed at the client-side device.
  - 24. The system of claim 13, wherein the computerized data store electronically storing the first header is at a network server device, and wherein the determining whether the identified email is a known simulated phishing attack is executed at the network server device.
  - 25. The method of claim 13, further comprising searching through a log of simulated phishing attacks to determine whether the identified email is a simulated phishing attack.
  - 26. The method of claim 13, wherein the determining whether the identified email is a known simulated phishing attack is performed at a client-side plug-in executing at the computing device.
  - 28. The method of claim 16, wherein the determining whether the identified email is a known simulated phishing attack is performed at a client-side plug-in executing at the computing device.
  - 29. The method of claim 16, wherein a single graphical user interface action performed by the individual is sufficient to trigger the notification to be sent from the computing device of the individual.
  - 30. The method of claim 16, further comprising providing a plug-in at an email client, wherein the plug-in further provides a single graphical user interface action to be performed by the individual for triggering the notification to be sent from the computing device of the individual.

27. A method, comprising:
- generating, by a network device, a simulated phishing email, the simulated phishing email comprising a first header, wherein the simulated phishing email is a non-malicious email that resembles a phishing attack, and wherein the first header identifies the simulated phishing email as non-malicious;
  
  electronically storing the first header in a computerized data store;
  
  receiving, by the network device from a computing device associated with an individual, a notification triggered by a user interface action by the individual that an email delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  in response to receiving the notification, determining whether the identified email is a known simulated phishing attack by comparing the first header stored in the data store to one or more headers of the identified email, said determining occurring at the network device or at the computing device;
  
  sending at least one of the one or more headers of the identified email to the network device; and
  
  when the identified email is determined to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, electronically recording that the individual has correctly identified the identified email as a possible phishing attack and providing feedback to the individual confirming that the identified email was a simulated phishing attack; and
  
  when the identified email is determined not to be a known simulated phishing attack based on the comparison of the first header stored in the computerized data store to the one or more headers of the identified email, sending the identified email to a computer security technician for review or to an email address configured to receive the identified email or to a computer configured to detect whether or not the identified email is a threat or real phishing attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Abyaneh, Ali

Application Number

US13/958,480
Publication Number

US 20140230061A1
Time in Patent Office

1,033 Days
Field of Search

726/22, 726/24, 713/188
US Class Current

1/1
CPC Class Codes

G06F 3/04842   Selection of displayed obje...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/306   User profiles

Collaborative phishing attack detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative phishing attack detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links