Thwarting phishing attacks by using pre-established policy files

US 7,590,698 B1
Filed: 03/14/2005
Issued: 09/15/2009
Est. Priority Date: 03/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for thwarting a phishing attack, said method comprising the steps of:

intercepting an electronic message intended for display to a recipient of the electronic message;

extracting a sender domain name from the electronic message;

identifying one or more domain names in remote links contained in the electronic message;

determining one or more domain names related to the sender domain name from a pre-established set of domain names that can legitimately appear in remote links contained in the electronic message;

comparing the one or more domain names in the identified remote links to the one or more domain names related to the sender domain name; and

preventing, in response to the comparison, the electronic message from being delivered to the recipient.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer-readable media thwart a phishing attack on a recipient of an electronic message by intercepting the electronic message; extracting a sender domain name from the electronic message; identifying remote links associated with the electronic message; comparing the identified remote links against a pre-established set of acceptable domains, using the extracted sender domain name as an index; and when at least one extracted remote link is not found in the pre-established set of acceptable domains, preventing the message from being delivered to the recipient.

30 Citations

View as Search Results

17 Claims

1. A method for thwarting a phishing attack, said method comprising the steps of:
- intercepting an electronic message intended for display to a recipient of the electronic message;
  
  extracting a sender domain name from the electronic message;
  
  identifying one or more domain names in remote links contained in the electronic message;
  
  determining one or more domain names related to the sender domain name from a pre-established set of domain names that can legitimately appear in remote links contained in the electronic message;
  
  comparing the one or more domain names in the identified remote links to the one or more domain names related to the sender domain name; and
  
  preventing, in response to the comparison, the electronic message from being delivered to the recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the electronic message is a message from the group of messages consisting of:
    - electronic mail;
      
      instant messages; and
      
      simple text messages.
  - 3. The method of claim 1 further comprising:
    - identifying at least one flagged condition established by a controller of the sender domain name and associated with the domain names related to the sender domain name;
      
      checking whether the at least one flagged condition is satisfied by the electronic message; and
      
      preventing, in response to the checking, the electronic message from being delivered to the recipient.
  - 4. The method of claim 3 wherein the at least one flagged condition is a condition from the group of conditions consisting of:
    - whether script is present in the electronic message; and
      
      whether a form is present in the electronic message.
  - 5. The method of claim 3 wherein the pre-established set of domain names is established by a controller of the sender domain name.
  - 6. The method of claim 1 wherein the intercepting, extracting, comparing, and preventing steps are performed at least one location from the group of locations consisting of:
    - a server;
      
      a proxy;
      
      a gateway; and
      
      a client.
  - 7. The method of claim 1 wherein at least one remote link is a link from the group of links consisting of:
    - anchor tags;
      
      link tags;
      
      URLs in text form; and
      
      URLs embedded in Web bugs.
  - 8. The method of claim 7 wherein at least one Web bug is a bug from the group of bugs consisting of:
    - CSS; and
      
      IMG.
  - 9. The method of claim 1 wherein determining the one or more domain names related to the sender domain name further comprises using the sender domain name as an index to the pre-established set of domain names.

10. At least one computer-readable medium containing computer program instructions for thwarting a phishing attack, said computer program instructions performing the steps of:
- intercepting an electronic message intended for display to a recipient of the electronic message;
  
  extracting a sender domain name from the electronic message;
  
  identifying one or more domain names in remote links contained in the electronic message;
  
  determining one or more domain names related to the sender domain name from a pre-established set of domain names that can legitimately appear in remote links contained in the electronic message;
  
  comparing the one or more domain names in the identified remote links to the one or more domain names related to the sender domain name; and
  
  preventing, in response to the comparisons the electronic message from being delivered to the recipient.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The at least one computer-readable medium of claim 10 wherein the electronic message is a message from the group of messages consisting of:
    - electronic mail;
      
      instant messages; and
      
      simple text messages.
  - 12. The at least one computer-readable medium of claim 10 further comprising:
    - identifying at least one flagged condition established by a controller of the sender domain name and associated with the domain names related to the sender domain name;
      
      checking whether the at least one flagged condition is satisfied by the electronic message; and
      
      preventing, in response to the checking, the electronic message from being delivered to the recipient.
  - 13. The at least one computer-readable medium of claim 12 wherein the at least one flagged condition is a condition from the group of conditions consisting of:
    - whether script is present in the electronic message; and
      
      whether a form is present in the electronic message.
  - 14. The at least one computer-readable medium of claim 10 wherein the pre-established set of domain names is established by a controller of the sender domain name.
  - 15. The at least one computer-readable medium of claim 10 wherein the intercepting, extracting, comparing, and preventing steps are performed at least one location from the group of locations consisting of:
    - a server;
      
      a proxy;
      
      a gateway; and
      
      a client.
  - 16. The at least one computer-readable medium of claim 10 wherein at least one remote link is a link from the group of links consisting of:
    - anchor tags;
      
      link tags;
      
      URLs in text form; and
      
      URLs embedded in Web bugs.
  - 17. The at least one computer-readable medium of claim 16 wherein at least one Web bug is a bug from the group of bugs consisting of:
    - CSS; and
      
      IMG.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Cooley, Shaun
Primary Examiner(s)
Caldwell; Andrew
Assistant Examiner(s)
CHAO, MICHAEL W

Application Number

US11/079,132
Time in Patent Office

1,646 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06Q 10/107   Computer-aided management o...

H04L 63/0236   Filtering by address, proto...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Thwarting phishing attacks by using pre-established policy files

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Thwarting phishing attacks by using pre-established policy files

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links