System and method for detecting phishing using password prediction

US 9,888,016 B1
Filed: 06/28/2013
Issued: 02/06/2018
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting phishing activity by determining a password used to decrypt an attachment of a communication message that is intended to be decrypted by a recipient of the communication message, the method comprising:

in response to a communication message having an encrypted attachment, parsing content of the communication message and predicting a password candidate within a non-encrypted portion of the communication message by identifying a pattern of the content operating as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;

attempting to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and

in response to decrypting the encrypted attachment using the predicted password candidate, performing a malicious content analysis on the decrypted attachment to determine a likelihood of the decrypted attachment containing malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Phishing detection techniques for predicting a password for decrypting an attachment for the purpose of malicious content detection are described herein. According to one embodiment, in response to a communication message, as such an electronic mail (email) message having an encrypted attachment, content of the communication message is parsed to predict a password based on a pattern of the content. The encrypted attachment is then decrypted using the predicted password to generate a decrypted attachment. Thereafter, a malicious content analysis is performed on the decrypted attachment to determine a likelihood as to whether the decrypted attachment contains malicious content.

463 Citations

31 Claims

1. A computer-implemented method for detecting phishing activity by determining a password used to decrypt an attachment of a communication message that is intended to be decrypted by a recipient of the communication message, the method comprising:
- in response to a communication message having an encrypted attachment, parsing content of the communication message and predicting a password candidate within a non-encrypted portion of the communication message by identifying a pattern of the content operating as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
  
  attempting to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
  
  in response to decrypting the encrypted attachment using the predicted password candidate, performing a malicious content analysis on the decrypted attachment to determine a likelihood of the decrypted attachment containing malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein prior to parsing content of the communication message, the method further comprising:
    - retrieving a list of one or more default passwords from a local storage; and
      
      attempting to decrypt the encrypted attachment that is part of a phishing attack using the one or more default passwords.
  - 3. The method of claim 1, wherein the parsing of the content of the communication message and the predicting of the password candidate within a non-encrypted portion of the communication message, comprises:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message that represents the pattern of the content; and
      
      extracting one or more characters that are positioned subsequent to the recognized text string pattern as the predicted password candidate.
  - 4. The method of claim 1, whereinthe predicted password candidate and one or more additional predicted password candidates are determined, at least in part, on the proximity of the content associated with the predicted password candidate and content associated with the one or more additional predicted password candidates to the pattern of the content within the non-encrypted portion of the communication message, andin response to the predicted password candidate failing to decrypt the encrypted attachment, attempting to decrypt the encrypted attachment sequentially using the one or more additional predicted password candidates that reside within a predetermined number of words before or after the pattern of content.
  - 5. The method of claim 1, wherein the parsing of the content of the communication message and the predicting of the password candidate within the non-encrypted portion of the communication message, comprises:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message based on a comparison of the text string pattern with a predetermined template; and
      
      extracting a string of characters that is within a predetermined amount of text prior to or after the recognized text string pattern as the predicted password candidate.
  - 6. The method of claim 5, wherein the string of characters includes consecutive characters that immediately follow the recognized text string pattern.
  - 7. The method of claim 1, wherein the parsing of the content of the communication message comprises parsing metadata of the communication message to predict the password candidate, the metadata includes content within one or more of the FROM, TO or SUBJECT fields of the communication message.
  - 8. The method of claim 7, wherein the metadata used to predict the password candidate includes metadata identifying at least one of a sender and a recipient of the communication message.
  - 9. The method of claim 7, wherein the metadata used to predict the password candidate includes metadata identifying at least one of an address, a domain name, and a uniform resource locator (URL) associated with the communication message.
  - 10. The method of claim 1 further comprising:
    - retrieving a list of one or more default passwords from a local storage; and
      
      attempting to decrypt the encrypted attachment that is part of a phishing attack using the one or more default passwords,wherein one or more of the receiving and the attempting to decrypt the encrypted attachment using the one or more default passwords is conducted in parallel with one or more of the predicting of the password candidate and the attempt to decrypt the encrypted attachment using the predicted password candidate.

11. A non-transitory machine-readable storage medium including instructions stored therein, which when executed by a processor, cause the processor to perform a method of detecting phishing activity by determining a password candidate used to decrypt an attachment of a communication message that is intended to be decrypted by a recipient of the communication message, comprising:
- in response to the communication message having an encrypted attachment, parsing content of the communication message to predict the password candidate within a non-encrypted portion of the communication message by identifying a pattern of the content operating as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
  
  attempting to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
  
  in response to decrypting the encrypted attachment using the predicted password candidate, performing a malicious content analysis on the decrypted attachment to determine whether the decrypted attachment likely contains malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to perform operations prior to parsing content of the communication message, comprising:
    - retrieving a list of one or more default passwords from a local storage; and
      
      attempting to decrypt the encrypted attachment that is part of a phishing attack using the one or more default passwords.
  - 13. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to perform operations for parsing the content of the communication message to predict the password candidate, comprising:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message that represents the pattern of the content; and
      
      extracting a string of characters that is positioned subsequent in an order of the parsing to the recognized text string pattern as the predicted password candidate.
  - 14. The non-transitory machine-readable storage medium of claim 13, whereinthe predicted password candidate and one or more additional predicted password candidates are determined, at least in part, on the proximity of the content associated with the predicted password candidate and content associated with the one or more additional predicted password candidates to the pattern of the content within the non-encrypted portion of the communication message;
    - andin response to the predicted password candidate failing to decrypt the encrypted attachment, attempting to decrypt the encrypted attachment sequentially using the one or more additional predicted password candidates that reside within a predetermined number of words before or after the pattern of content.
  - 15. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to perform operations for parsing the content of the communication message to predict the password comprising:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message based on a comparison of the text string pattern with a predetermined template; and
      
      extracting a string of characters that is within a predetermined amount of text prior to or after the recognized text string pattern as the predicted password candidate, wherein the string of characters is different from any text of the text string pattern.
  - 16. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to perform operations for parsing of the content of the communication message to predict the password candidate, comprising:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message; and
      
      extracting a string of characters that are consecutive characters that immediately follow the recognized text string pattern as the predicted password candidate.
  - 17. The non-transitory machine-readable storage medium of claim 11, wherein the parsing of the content of the communication message comprises parsing metadata of the communication message to predict the password candidate.
  - 18. The non-transitory machine-readable storage medium of claim 17, wherein the metadata used to predict the password candidate includes metadata identifying at least one of a sender and a recipient of the communication message.
  - 19. The non-transitory machine-readable storage medium of claim 17, wherein the metadata used to predict the password candidate includes metadata identifying at least one of an address, a domain name, and a uniform resource locator (URL) associated with the communication message.
  - 20. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to perform operations in parallel to parsing content of the communication message to predict the password candidate, comprising:
    - retrieving a list of one or more default passwords from a local storage; and
      
      attempting to decrypt the encrypted attachment that is part of a phishing attack using the one or more default passwords.

21. A data processing system for detecting phishing activity, comprising:
- a password predictor, in response to a communication message having an encrypted attachment, to parse content of the communication message to predict a password candidate within a non-encrypted portion of the communication message by identifying a pattern within the content that operates as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
  
  an attachment processing module to attempt to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
  
  a content analysis module, in response to decrypting the encrypted attachment using the predicted password candidate, to perform a malicious content analysis on the decrypted attachment to determine whether the decrypted attachment likely contains malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the attachment processing module is to retrieve a list of one or more default passwords from a local storage and to decrypt the encrypted attachment using the one or more default passwords in attempt to generate the decrypted attachment.
  - 23. The system of claim 22, wherein the parsing of the content of the communication message to predict the password candidate within the non-encrypted portion of the communication message comprises:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message that represents the pattern of the content; and
      
      extracting one or more characters that are positioned a prescribed amount of text prior to or after the recognized text string pattern as the predicted password candidate.
  - 24. The system of claim 21, wherein the predicted password candidate and one or more additional predicted password candidates are determined, at least in part, on the proximity of the content associated with the predicted password candidate and content associated with the one or more additional predicted password candidates to the pattern of the content within the non-encrypted portion of the communication message.
  - 25. The system of claim 21, wherein the parsing of the content of the communication message to predict the password candidate comprises:
    - recognizing a text string pattern within the content of the non-encrypted portion of the communication message; and
      
      extracting a string of characters that is within a predetermined proximity of the recognized text string pattern as the predicted password candidate and the string of characters being different characters than the text string pattern.
  - 26. The system of claim 25, wherein the string of characters are consecutive characters that immediately follow the recognized text string pattern.
  - 27. The system of claim 21, wherein the password predictor is further configured to parse metadata of the communication message to predict the password candidate.
  - 28. The system of claim 27, wherein the metadata used to predict the password candidate includes metadata identifying at least one of a sender and a recipient of the communication message.
  - 29. The system of claim 27, wherein the metadata used to predict the password candidate includes metadata identifying at least one of an address, a domain name, and a uniform resource locator (URL) associated with the communication message.
  - 30. The system of claim 21, wherein the attachment processing module is to retrieve a list of one or more default passwords from a local storage and to decrypt the encrypted attachment using the one or more default passwords in attempt to generate the decrypted attachment, the attachment processing module operating in parallel with the password predictor.

31. A server comprising:
- a processor; and
  
  a memory coupled to the processor, the memory includes a plurality of modules that are executed by the processor, the plurality of modules comprise;
  
  a password predictor configured to detect phishing activity for a communication message having an encrypted attachment upon predicting a password candidate from information within a non-encrypted portion of the communication message, wherein the predicting of the password candidate comprising (i) recognizing a text string pattern within content of the non-encrypted portion of the communication message and (ii) responsive to recognizing the text string pattern, extracting a string of characters that are consecutive characters at least a predetermined number of words or characters prior to or after the recognized text string pattern and distinct from the recognized text string pattern and part of the information within a non-encrypted portion of the communication message as the predicted password candidate;
  
  an attachment processing module to attempt to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
  
  a content analysis module, in response to decrypting the encrypted attachment using the predicted password candidate, to perform a malicious content analysis on the decrypted attachment to determine a likelihood of whether the decrypted attachment is associated with phishing activity by including malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines,wherein the password predictor and the attachment processing module to extract a second string of characters at most a predetermined distance in characters prior to or after the recognized text string pattern for use as a second predicted password candidate if the attachment processing module is unable to decrypt the encrypted attachment using the predicted password candidate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Amin, Muhammad, Samuelraj, Mohan, Uyeno, Henry
Primary Examiner(s)
Korsak, Oleg

Application Number

US13/931,664
Time in Patent Office

1,684 Days
Field of Search

726 23, 713188
US Class Current
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

System and method for detecting phishing using password prediction

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

463 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting phishing using password prediction

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

463 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links