Phishing and threat detection and prevention

US 9,509,715 B2
Filed: 02/18/2015
Issued: 11/29/2016
Est. Priority Date: 08/21/2014
Status: Active Grant

First Claim

Patent Images

1. A database system for detecting and preventing phishing attacks, the database system comprising:

a hardware processor; and

one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;

detecting a request to open an electronic mail message (email) after the email has arrived in a user mailbox;

prior to opening the email in the user mailbox, sending a link contained in the email to a threat detection server in response to detecting the request to open the email;

receiving a threat level identifier from the threat detection server associated with the link after being compared with blacklisted links; and

opening the email and displaying a message with the email and the threat level identifier associated with the link.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.

186 Citations

22 Claims

1. A database system for detecting and preventing phishing attacks, the database system comprising:
- a hardware processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  detecting a request to open an electronic mail message (email) after the email has arrived in a user mailbox;
  
  prior to opening the email in the user mailbox, sending a link contained in the email to a threat detection server in response to detecting the request to open the email;
  
  receiving a threat level identifier from the threat detection server associated with the link after being compared with blacklisted links; and
  
  opening the email and displaying a message with the email and the threat level identifier associated with the link.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The database system of claim 1, wherein the instructions further cause the processor to carry out the steps of:
    - receiving a block indication in the threat level identifier;
      
      removing the link from the email based on the block indication received in the threat level identifier; and
      
      displaying a warning in the message indicating the link is associated with a phishing attack.
  - 3. The database system of claim 2, wherein the instructions further cause the processor to carry out the steps of:
    - inserting the link into the message; and
      
      replacing the link from the email with an image of a crossed out name for the link.
  - 4. The database system of claim 1, wherein the instructions further cause the processor to carry out the steps of:
    - receiving a trust indication in the threat level identifier; and
      
      displaying a trusted notice in the message based on the trust indication received in the threat level identifier.
  - 5. The database system of claim 1, wherein the instructions further cause the processor to carry out the steps of:
    - inserting a reporting link in the message configured to connect to the threat detection server and report the link as a possible phishing attack.
  - 6. The database system of claim 1, wherein the instructions further cause the processor to carry out the steps of operating a security agent in a web browser, wherein the security agent is configured to:
    - detect the request to open the email;
      
      identify the link in the email;
      
      send the link to the threat detection server;
      
      receive the threat level identifier back from the threat detection server; and
      
      modify a document object model (DOM) for the email to display the message based on the threat level identifier.
  - 7. The database system of claim 6, wherein the security agent is further configured to display a reporting window in the web browser for reporting suspected phishing links to the threat detection server, wherein the threat detection server is configured to add the suspected phishing links to the blacklisted links based on a verification the suspected phishing links are associated with phishing attacks.

8. A database system for detecting and preventing security threats, the database system comprising:
- a hardware processor configured to;
  
  receive reports from user systems associated with an enterprise;
  
  identify suspected links in the reports as blacklisted links when the suspected links are associated with security threats;
  
  receive a link associated with an object of an email residing on one or more of the user systems and selected to be opened by one or more of the user systems after the email has arrived in a user mailbox and prior to opening the email from the user mailbox;
  
  compare the received link with the blacklisted links; and
  
  send a threat level identifier back to the one or more user systems based on the comparison of the received link with the blacklisted links to cause the object to be opened and the threat level identifier to be displayed with the opened object.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The database system of claim 8, wherein the object comprises an email message or a web page.
  - 10. The database system of claim 8, wherein the processor is further configured to send a block indication in the threat level identifier when the received link matches one of the blacklisted links, wherein the block indication causes the one or more user systems to remove the received link from the associated object.
  - 11. The database system of claim 10, wherein the block indication causes the one or more user systems to display a warning message that includes the received link and indicates the received link was identified as one of the blacklisted links.
  - 12. The database system of claim 8, wherein the processor is further configured to:
    - compare the received link to whitelisted links verified as not associated with phishing attacks prior to comparing the received link with the blacklisted links; and
      
      send a trusted indication in the threat level identifier when the received link matches one of the whitelisted links, wherein the trusted indication causes the one or more user systems to display a trusted message in conjunction with the received link.
  - 13. The database system of claim 12, wherein the processor is further configured to send an ok indication in the threat level identifier when the received link does not match any of the blacklisted links and does not match any of the whitelisted links, wherein the ok indication causes the user systems to display an ok message in conjunction with the received link.
  - 14. The database system of claim 8, wherein the processor is further configured to assign the suspected links in the reports to the blacklisted links based on a number of the reports identifying the suspected links.
  - 15. The database system of claim 14, wherein the processor is further configured to:
    - identify whitelisted links in the reports indicated as safe and not associated with phishing attacks;
      
      compare the received link with the whitelisted links; and
      
      send the threat level identifier back to the one or more user systems based on the comparison of the received link with the blacklisted links and the whitelisted links.
  - 16. The database system of claim 8, wherein the processor is further configured to:
    - identify a number of times the received link is blocked in response to matching one of the blacklisted links; and
      
      report the received link as a phishing attack when the number of times is above a given threshold.

17. A method for detecting security threats in a database system, comprising:
- receiving, by a hardware processor of the database system, a link associated with an email residing in a user mailbox and selected in a web browser from the user mailbox after the email has arrived in the user mailbox and prior to opening the email from the user mailbox;
  
  comparing, by the database system, the received link with a whitelist of trusted links;
  
  sending, by the database system, a trusted identifier back to the web browser when the received link is identified in the whitelist, wherein the trusted identifier causes the web browser to display a level of the trusted identifier and a trusted message in conjunction with the received link in the email;
  
  comparing, by the database system, the received link with a blacklist of links associated with the security threats; and
  
  sending, by the database system, a block identifier back to the web browser when the received link is identified in the blacklist, wherein the block identifier causes the web browser to remove the received link from the email.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, further comprising sending an ok identifier back to the web browser when the received link is not identified in the whitelist or blacklist, wherein the ok identifier causes the web browser to display an ok message in conjunction with the received link in the email.
  - 19. The method of claim 17, further comprising:
    - receiving threat reports identifying suspected phishing links;
      
      displaying the threat reports on a user interface; and
      
      updating the blacklist with the suspected phishing links selected via the user interface.
  - 20. The method of claim 19, wherein processor is further configured to:
    - count a number of the threat reports that include a common one of the suspected phishing links; and
      
      assign a warning identifier to the common one of the suspected phishing links when the number of the threat reports is above a first threshold value.
  - 21. The method of claim 20, wherein processor is further configured to add the common one of the suspected phishing links to the blacklist when the number of the threat reports is above a second threshold value greater than the first threshold value.
  - 22. The method of claim 17, further comprising:
    - identifying blacklisted internet protocol (IP) addresses;
      
      identifying a universal resource locator (URL) in the received link;
      
      resolving the URL to an associated IP address; and
      
      sending the block identifier and adding the URL to the blacklist when the associated IP address matches one of the blacklisted IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Bach, Timothy
Primary Examiner(s)
Chai, Longbit

Application Number

US14/625,431
Publication Number

US 20160057167A1
Time in Patent Office

650 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 63/101   Access control lists [ACL]

H04L 63/1483   service impersonation, e.g....

Phishing and threat detection and prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

186 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Phishing and threat detection and prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links