Attack resistant phishing detection
First Claim
1. A phishing detection server component comprising:
- a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
,a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determining whether the timestamp is genuine, and, if the timestamp is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis, a false report comprising at least one of;
a report received from a phisher;
ora report received with a timestamp associated with a site subsequently identified as a phishing site.
2 Assignments
0 Petitions
Accused Products
Abstract
A phishing detection server component and method is provided. The component can be employed as part of a system to detect/phishing attacks. The phishing detection server component can receive password reuse event report(s), for example, from a protection component of client component(s).
Due to the malicious nature of phishing in general, the phishing detection server component can be susceptible to attacks by phishers (e.g., by reverse engineering of the client component). For example, false report(s) of PREs can be received from phisher(s) in an attempt to overwhelm the server component, induce false positives and/or induce false negatives.
Upon receipt of a PRE report, the phishing detection server component can first verify that the timestamp(s) are genuine (e.g., previously generated by the phishing detection server component). The report verification component can employ the timestamp(s) to verify veracity of the report (e.g., to minimize attacks by phishers).
86 Citations
20 Claims
-
1. A phishing detection server component comprising:
-
a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
,a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determining whether the timestamp is genuine, and, if the timestamp is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis, a false report comprising at least one of; a report received from a phisher;
ora report received with a timestamp associated with a site subsequently identified as a phishing site. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A phishing detection server component comprising:
-
a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and a report verification component that receives password reuse event reports from a plurality of client components, each report comprising a timestamp, the report verification component determining whether one or more of the reports are false, a false report comprising at least one of; a report received from a phisher;
ora report with a timestamp associated with a site subsequently identified as a phishing site, the report verification component analyzing an aggregation of the reports to ascertain a suspected phishing site and a target. - View Dependent Claims (15, 16)
-
-
17. A computer-implemented method comprising:
-
receiving a password reuse event report from a client, the password reuse report comprising information regarding use of a protected credential of the client at a site not corresponding to the protected credential; the protected credential having an associated unique token previously provided to the client for the protected credential; the password reuse event report received including the token previously provided; determining, by a processor, that phishing by a phisher has occurred;
providing a target site corresponding to the protected credential with user information of a phished user; andchanging credentials associated with the phished user at the target site to allow access by the phished user to a trusted site and limit or deny access by the phisher to the trusted site. - View Dependent Claims (18, 19, 20)
-
Specification