Attack resistant phishing detection

US 7,925,883 B2
Filed: 02/23/2006
Issued: 04/12/2011
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A phishing detection server component comprising:

a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and

,a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determining whether the timestamp is genuine, and, if the timestamp is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis, a false report comprising at least one of;

a report received from a phisher;

ora report received with a timestamp associated with a site subsequently identified as a phishing site.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A phishing detection server component and method is provided. The component can be employed as part of a system to detect/phishing attacks. The phishing detection server component can receive password reuse event report(s), for example, from a protection component of client component(s).

Due to the malicious nature of phishing in general, the phishing detection server component can be susceptible to attacks by phishers (e.g., by reverse engineering of the client component). For example, false report(s) of PREs can be received from phisher(s) in an attempt to overwhelm the server component, induce false positives and/or induce false negatives.

Upon receipt of a PRE report, the phishing detection server component can first verify that the timestamp(s) are genuine (e.g., previously generated by the phishing detection server component). The report verification component can employ the timestamp(s) to verify veracity of the report (e.g., to minimize attacks by phishers).

86 Citations

View as Search Results

20 Claims

1. A phishing detection server component comprising:
- a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
  
  ,a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determining whether the timestamp is genuine, and, if the timestamp is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis, a false report comprising at least one of;
  
  a report received from a phisher;
  
  ora report received with a timestamp associated with a site subsequently identified as a phishing site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The component of claim 1, further comprising a timestamp generator that generates a unique timestamp associated with the password reuse event report.
  - 3. The component of claim 1, the password reuse event report comprising a plurality of timestamps, each timestamp associated with a time that an associated site was added to a client'"'"'s protected credential store.
  - 4. The component of claim 3, the report verification component determines the report is false if none of the timestamps is at least a threshold period of time old.
  - 5. The component of claim 3, the report verification component determines the report is false if any of the timestamps has been used in a report in a second threshold period of time.
  - 6. The component of claim 3, the report verification component determines the report is false if any of the timestamps has appeared more than a third threshold quantity of times.
  - 7. The component of claim 3, the report verification component determines the report is false if any of the timestamps were used to report that a site subsequently identified as phishing has a re-use event against an innocent site.
  - 8. The component of claim 1,the report verification component verifies with at least one trusted site that a claimed login event has actually occurred,the report verification component determines the report is false if the login event is not verified by the trusted site.
  - 9. The component of claim 1, the report verification component determines a likelihood of the password reuse event being false based on learned statistics of password reuse.
  - 10. The component of claim 9, the learned statistics are based, at least in part, upon a geographic location associated with a site associated with the timestamp.
  - 11. The component of claim 1, further comprising a grader that identifies a suspected phishing site and provides a warning to a client component when phishing is suspected, the grader further receiving feedback from the client component as to whether the warning was heeded, the grader employs the feedback in assessing whether the warning was valid.
  - 12. The component of claim 1, the report verification component further receives, after a time of an occurrence of a password reuse event of the report, traffic information with respect to one or more sites and utilizes the traffic information in determining whether the report is false.
  - 13. The component of claim 1, the report comprises a hash based, at least in part, upon one of a userid, a password, a domain name, source code of a viewed web page, timestamp information from the security server, and a time of a previous login at a trusted site.

14. A phishing detection server component comprising:
- a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
  
  a report verification component that receives password reuse event reports from a plurality of client components, each report comprising a timestamp,the report verification component determining whether one or more of the reports are false, a false report comprising at least one of;
  
  a report received from a phisher;
  
  ora report with a timestamp associated with a site subsequently identified as a phishing site,the report verification component analyzing an aggregation of the reports to ascertain a suspected phishing site and a target.
- View Dependent Claims (15, 16)
- - 15. The component of claim 14,the report verification component further examines the suspected phishing site to determine whether one or more of the reports are false;
    - when one or more of the reports are determined to be false, the report verification component stores an indication that the one or more reports are false and not to be employed to perform phishing analysis.
  - 16. The component of claim 14, the timestamps being previously provided by the phishing detection server component to the client components for identifying the client components.

17. A computer-implemented method comprising:
- receiving a password reuse event report from a client, the password reuse report comprising information regarding use of a protected credential of the client at a site not corresponding to the protected credential;
  
  the protected credential having an associated unique token previously provided to the client for the protected credential;
  
  the password reuse event report received including the token previously provided;
  
  determining, by a processor, that phishing by a phisher has occurred;
  
  providing a target site corresponding to the protected credential with user information of a phished user; and
  
  changing credentials associated with the phished user at the target site to allow access by the phished user to a trusted site and limit or deny access by the phisher to the trusted site.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising notifying the phished user of the changed credentials.
  - 19. The method of claim 18, the notifying comprising an e-mail with the changed credentials.
  - 20. The method of claim 17, the information of the password reuse report comprising a hash based, at least in part, upon one of a userid, a password, a domain name, source code of a viewed web page, the token, and a time of a previous login at a trusted site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Florencio, Dinei A., Herley, Cormac E.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US11/360,900
Publication Number

US 20070005984A1
Time in Patent Office

1,874 Days
Field of Search

713/178
US Class Current

713/178
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/14   for detecting or protecting...

H04L 63/1483   service impersonation, e.g....

H04L 9/3226   using a predetermined code,...

H04L 9/3297   involving time stamps, e.g....

Attack resistant phishing detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Attack resistant phishing detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links