[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US20130031627A1 - Method and System for Preventing Phishing Attacks - Google Patents

Method and System for Preventing Phishing Attacks Download PDF

Info

Publication number
US20130031627A1
US20130031627A1 US13/543,935 US201213543935A US2013031627A1 US 20130031627 A1 US20130031627 A1 US 20130031627A1 US 201213543935 A US201213543935 A US 201213543935A US 2013031627 A1 US2013031627 A1 US 2013031627A1
Authority
US
United States
Prior art keywords
links
web page
classified
comparison result
phishing attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/543,935
Inventor
Bin Wang
Lin Xie
Yin Song
Lei Zhang
Man Sun
Dong Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zitiao Network Technology Co Ltd
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION reassignment INTERNATIONAL BUSINESS MACHINES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LI, DONG, SONG, Yin, SUN, Man, WANG, BIN, XIE, LIN, ZHANG, LEI
Priority to US13/564,797 priority Critical patent/US9747441B2/en
Publication of US20130031627A1 publication Critical patent/US20130031627A1/en
Assigned to AWEMANE LTD. reassignment AWEMANE LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INTERNATIONAL BUSINESS MACHINES CORPORATION
Assigned to BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD. reassignment BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AWEMANE LTD.
Assigned to BEIJING ZITIAO NETWORK TECHNOLOGY CO., LTD. reassignment BEIJING ZITIAO NETWORK TECHNOLOGY CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Definitions

  • the present invention relates to network security, more particularly, to a method and system for preventing phishing attacks.
  • Phishing attack is a criminal fraud procedure that attempts to obtain personal sensitive information like usernames, passwords and credit card details, etc. by using electronic communications to disguise as a creditworthy legal person media. These communications usually claim that they are from Internet banks, electronic payment websites, online retailers, credit card companies or network administrators, to deceive credulous victims. Phishing attacks are usually carried out through emails or instant messages. Phishing attacks usually direct the user to a fake website with an interface appearance highly similar to the genuine legitimate website, to deceive the user to input personal sensitive information. These fake websites usually have Web pages highly similar to the Web pages of trustworthy brands such as Internet banks, electronic payment websites, online retailers and credit card companies, etc., and the victims would often leak their sensitive information such as credit card numbers, bank card accounts, and ID card numbers and so on.
  • Illustrative embodiments of the present disclosure have recognized the above disadvantages in the prior art. To this end, the present disclosure provides a lightweight solution capable of helping ordinary users to identify some common type of phishing attacks and thus to prevent unnecessary losses caused thereby.
  • a method for preventing phishing attacks comprising: scanning a Web page; acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
  • the determining whether a phishing attack exists according to the classified links comprises calculating the percentage of the links of a respective type in the total number of links; comparing the calculated percentage of the links of a respective type in the total number of links with a preset threshold; and determining whether a phishing attack exists using the comparison result.
  • the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are less than the preset threshold, warning the user of a possible phishing attack.
  • the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are not less than the preset threshold, displaying the Web page to the user.
  • the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are not less than the preset threshold, warning the user of a possible phishing attack.
  • the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are less than the preset threshold, displaying the Web page to the user.
  • a system for preventing phishing attacks comprising: an acquiring component configured to acquire links in a Web page; a classifying component configured to classify the acquired links according to link types; and a determining component configured to determine whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
  • an embodiment of the present disclosure further provides a computer program product corresponding to the above method.
  • FIG. 1 shows a block diagram of an exemplary computer system 100 suitable for realizing embodiments of the present invention
  • FIG. 2 shows a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present disclosure
  • FIG. 3 shows a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present disclosure.
  • the attackers of a phishing attack usually constructs a fake website utilizing the resources of a genuine legitimate website, that is, webpage resources like styles, images and links, etc. of a fake website will be acquired from the genuine legitimate website, thus, the user interface appearance of the fake website is usually highly similar to the genuine legitimate website, so as to easily obtain the trust of users and thus to deceive the users.
  • the attacker usually directs the parts, in the fake website highly similar to the genuine legitimate website, requiring the user to input and submit personal sensitive information to a preset address, thereby, when the user inputs and submits personal sensitive information, it seems to the user that he has submitted the personal sensitive information to the genuine legitimate website, while actually he has submitted the personal sensitive information to the attacker of the phishing attack.
  • FIG. 1 it shows a block diagram of an exemplary computer system 100 suitable for realizing one or more embodiments of the present disclosure.
  • the computer system 100 includes: CPU (Central Processing Unit) 101 , RAM (Random Access Memory) 102 , ROM (Read-Only Memory) 103 , system bus 104 , hard disk controller 105 , keyboard controller 106 , serial interface controller 107 , parallel interface controller 108 , display controller 109 , hard disk 110 , keyboard 111 , serial peripheral device 112 , parallel peripheral device 113 and display 114 .
  • CPU Central Processing Unit
  • RAM Random Access Memory
  • ROM Read-Only Memory
  • those coupled with the system bus 104 are CPU 101 , RAM 102 , ROM 103 , hard disk controller 105 , keyboard controller 106 , serial controller 107 , parallel controller 108 and display controller 109 .
  • Hard disk 110 is couple with hard disk controller 105
  • keyboard 111 is coupled with keyboard controller 106
  • serial peripheral device 112 is coupled with serial interface controller 107
  • parallel peripheral 113 is coupled with parallel interface controller 108
  • display 114 is couple with display controller 109 .
  • FIG. 1 is only shown for the purpose of exemplification, rather than limitation to the scope of the present invention. In some circumstances, some devices may be added or removed as required by specific conditions.
  • FIG. 2 it illustrates a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present invention.
  • the method 200 for preventing phishing attacks according to an embodiment of the present invention begins with step 202 .
  • the links in the Web page may be acquired by scanning the source code of the Web page. These links include:
  • HTML ⁇ a> href attribute which specifies the address to which a link is directed
  • HTML ⁇ script> src attribute which specifies the source address of an external script file
  • HTML ⁇ img> src attribute which specifies the source address of an image
  • HTML ⁇ iFrame> src attribute which specifies the source address of the document to be displayed in the iFrame
  • HTML ⁇ Form> Action attribute which specifies the target address to which the form is submitted, and so on.
  • HTML HyperText Markup Language
  • a fake website constructed using the resources of the genuine legitimate website generally have same features, i.e.,
  • the attacker fakes as HSBC to send an email or an IM (instant messaging) message to a user, when the user clicks the link in the email or IM message sent by the attacker, he will be directed to a fake website with the address of http://qingadian.com/.
  • the fake website has a highly similar webpage to that of the genuine HSBC website, so as to deceive the user to input personal sensitive information.
  • the genuine legitimate HSBC website is http://www.hsbc.com.hk/. It can be seen by checking the code of the fake website that most resources in the fake website page are acquired from the genuine legitimate website; refer to the code segments given below.
  • the links are classified into two types:
  • the domain refers to a domain name. It is believed that links of different domain names belonging to a same company are of the same type. For example, the domain names of www.qq.com, www.tencent.com, etc. belong to Tencent Corp., i.e., links involving the above two domain names are links of the same type; similarly, the domain names of www.sina.com, www.sinaimg.com, weibo.com, etc. all belong to Sina Corp.; and the domain names of www.boc.cn, www.bankofchina.com, etc. all belong to Bank of China, and so on. Different domain names belonging to a same company may be stored in advance in a database in the form of a list or in other forms.
  • this link is an internal link. If the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are not identical, nor they belong to the same company, then the link is an external link
  • step 206 the acquired links are classified.
  • the links are classified into the two types of internal links and external links according to an embodiment of the present disclosure.
  • the acquired links are classified according to the link types, i.e., whether they belong to internal links or external links.
  • the link types i.e., whether they belong to internal links or external links.
  • common links of third-party legitimate websites that provide services such as Google® AdWords® that provides advertising services, or Microsoft® Bing® that provides searching services, etc.
  • third-party legitimate websites that need to be excluded may be stored in advance in a database in the form of a list or in other forms, so that the links of the common third-party legitimate websites that provide services may be excluded by means of querying the list in the process of acquiring links in the Web page or classifying the links
  • step 208 it is determined whether there is a phishing attack according to the classified links.
  • it is determined whether there is a phishing attack according to the classified links by calculating the percentage of the links of a respective type in the total number of links; and comparing the calculated percentage of the links of the respective type in the total number of links with a preset threshold.
  • links are classified into internal links and external links, and the percentages of internal links and external links in the total number of links are calculated.
  • the calculated percentage of internal links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the internal links are less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the internal links are not less than the preset threshold, the reproduced Web page is displayed to the user.
  • the calculated percentage of external links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the external links are not less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the external links are less than the preset threshold, the reproduced Web page is displayed to the user.
  • the preset threshold of internal links in the total number of links is 80%. If the user accesses the fake website by clicking, the number of internal links belonging to the same domain as the address accessed by the user by clicking is small. Assume that in this case the percentage of internal links in the total number of links is approximately 5%. Since 5% is much smaller than 80%, this indicates that there may be a phishing attack, in which case the user is warned of a possible phishing attack.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • FIG. 3 it illustrates a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present invention.
  • the system 300 for preventing phishing attacks comprises: an acquiring component 302 configured to acquire the links in a Web page; a classifying component 304 configured to classify the acquired links according to link types; and a determining component 306 configured to determine whether there is a phishing attack according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page and external links belonging to a different domain from the address of the Web page.
  • the acquiring component 302 is further configured to acquire links in the Web page by scanning the source code of the Web page.
  • the system 300 for preventing phishing attacks further comprises: an calculating component (not shown) configured to calculate the percentage of the links of a respective type in the total number of links; and a comparing component (not shown) configured to compare the percentage of the links of the respective type in the total number of links with a preset threshold.
  • the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the internal links are less than a preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the internal links are not less than the preset threshold.
  • the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the external links are not less than the preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the external links are less than the preset threshold.
  • aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in a medium of expression having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • the computer readable signal medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave.
  • the propagated signal can be in various forms, including but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the computer readable signal medium can be any computer readable medium that is not a computer readable storage medium, but that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
  • the program code embodied in the computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc, or any suitable combination of the foregoing.
  • Computer program code for carrying out operations in embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
  • These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method, system and program product for preventing phishing attacks, wherein the method comprises: acquiring links in a Web page; classifying the acquired links according link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page. By carrying out the method or system according to the above one or more embodiments of the present disclosure, since it is first detected whether a Web page is a fake website of a phishing attack before displaying the reproduced Web page to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented.

Description

    CROSS-REFERENCE TO RELATED APPLICATION(S)
  • This application claims the benefit of priority to Chinese Patent Application No. 201110215504.1, filed on Jul. 29, 2011, the contents of which are hereby incorporated by reference.
  • TECHNICAL FIELDS
  • The present invention relates to network security, more particularly, to a method and system for preventing phishing attacks.
  • DESCRIPTION OF THE RELATED ART
  • Phishing attack is a criminal fraud procedure that attempts to obtain personal sensitive information like usernames, passwords and credit card details, etc. by using electronic communications to disguise as a creditworthy legal person media. These communications usually claim that they are from Internet banks, electronic payment websites, online retailers, credit card companies or network administrators, to deceive credulous victims. Phishing attacks are usually carried out through emails or instant messages. Phishing attacks usually direct the user to a fake website with an interface appearance highly similar to the genuine legitimate website, to deceive the user to input personal sensitive information. These fake websites usually have Web pages highly similar to the Web pages of trustworthy brands such as Internet banks, electronic payment websites, online retailers and credit card companies, etc., and the victims would often leak their sensitive information such as credit card numbers, bank card accounts, and ID card numbers and so on. Currently there are many methods and tools to help users to find out these fake websites and to avoid exposing their private information, e.g., by SSL secure connection, digital certificates, or establishing a blacklist for shielding against phishing websites. However, these methods have their respective disadvantages, although they can solve part of the problems. For example, it is still difficult to detect whether a website is a fake website even through a SSL secure connection.
  • SUMMARY OF THE INVENTION
  • Illustrative embodiments of the present disclosure have recognized the above disadvantages in the prior art. To this end, the present disclosure provides a lightweight solution capable of helping ordinary users to identify some common type of phishing attacks and thus to prevent unnecessary losses caused thereby.
  • According to an embodiment of the present disclosure, there is provided a method for preventing phishing attacks, comprising: scanning a Web page; acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
  • According to another embodiment of the present disclosure, the determining whether a phishing attack exists according to the classified links comprises calculating the percentage of the links of a respective type in the total number of links; comparing the calculated percentage of the links of a respective type in the total number of links with a preset threshold; and determining whether a phishing attack exists using the comparison result.
  • According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are less than the preset threshold, warning the user of a possible phishing attack.
  • According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the internal links are not less than the preset threshold, displaying the Web page to the user.
  • According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are not less than the preset threshold, warning the user of a possible phishing attack.
  • According to another embodiment of the present disclosure, the determining whether a phishing attack exists using the comparison result comprises: in response to the comparison result indicating that the external links are less than the preset threshold, displaying the Web page to the user.
  • According to an embodiment of the present disclosure, there is provided a system for preventing phishing attacks, comprising: an acquiring component configured to acquire links in a Web page; a classifying component configured to classify the acquired links according to link types; and a determining component configured to determine whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page.
  • Furthermore, an embodiment of the present disclosure further provides a computer program product corresponding to the above method.
  • By implementing the method or system according to the above one or more embodiments of the present disclosure, since a reproduced Web page is first detected to determine whether it is a fake website of a phishing attack before it is displayed to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented.
  • BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
  • The present disclosure may be better understood by referring to the following description when read in conjunction with the accompanying drawings, wherein the same or similar reference numerals are used to denote the same or similar components. The accompanying draws together with the following detailed description are included in the specification and form part thereof, to further illustrate preferred embodiments of the present disclosure and to explain the principles and advantages of the present disclosure. In the drawings:
  • FIG. 1 shows a block diagram of an exemplary computer system 100 suitable for realizing embodiments of the present invention;
  • FIG. 2 shows a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present disclosure;
  • FIG. 3 shows a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present disclosure.
  • DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
  • In the following will be described exemplary embodiments of the present disclosure in conjunction with the accompanying drawings. For clarity and simplicity, not all the features of the actual embodiments are described herein. However, it should be understood that many decisions specific to the actual embodiments must be made during the process of developing the actual embodiments, so as to realize the specific objects of the developers, e.g., complying with those constraints related to the system and business, which constraints may change with different embodiments. In addition, it should be further understood that although the development may be complex and time-consuming, the development work is merely routine tasks for those skilled in the art with the benefits of the contents of the present disclosure.
  • It should also be pointed out here that, in order to prevent the present disclosure to be unnecessarily blurred by details, the drawings only illustrate the apparatus structures and/or processing steps closely related to the solutions according to the present disclosure while omitting the other details with little relevance to the present disclosure.
  • The attackers of a phishing attack usually constructs a fake website utilizing the resources of a genuine legitimate website, that is, webpage resources like styles, images and links, etc. of a fake website will be acquired from the genuine legitimate website, thus, the user interface appearance of the fake website is usually highly similar to the genuine legitimate website, so as to easily obtain the trust of users and thus to deceive the users. The attacker usually directs the parts, in the fake website highly similar to the genuine legitimate website, requiring the user to input and submit personal sensitive information to a preset address, thereby, when the user inputs and submits personal sensitive information, it seems to the user that he has submitted the personal sensitive information to the genuine legitimate website, while actually he has submitted the personal sensitive information to the attacker of the phishing attack.
  • With respect to the above common phishing attack method, there is provided a method and system according to one or more embodiments of the present disclosure.
  • In the following, embodiments of the method and system for preventing phishing attacks according to the present disclosure will be described in detail in conjunction with the figures.
  • Now referring to FIG. 1, it shows a block diagram of an exemplary computer system 100 suitable for realizing one or more embodiments of the present disclosure. As shown, the computer system 100 includes: CPU (Central Processing Unit) 101, RAM (Random Access Memory) 102, ROM (Read-Only Memory) 103, system bus 104, hard disk controller 105, keyboard controller 106, serial interface controller 107, parallel interface controller 108, display controller 109, hard disk 110, keyboard 111, serial peripheral device 112, parallel peripheral device 113 and display 114. In these devices, those coupled with the system bus 104 are CPU 101, RAM 102, ROM 103, hard disk controller 105, keyboard controller 106, serial controller 107, parallel controller 108 and display controller 109. Hard disk 110 is couple with hard disk controller 105, keyboard 111 is coupled with keyboard controller 106, serial peripheral device 112 is coupled with serial interface controller 107, parallel peripheral 113 is coupled with parallel interface controller 108, and display 114 is couple with display controller 109. It should be understood that the block diagram of FIG. 1 is only shown for the purpose of exemplification, rather than limitation to the scope of the present invention. In some circumstances, some devices may be added or removed as required by specific conditions.
  • Now referring to FIG. 2, it illustrates a flowchart of a method 200 for preventing phishing attacks according to an embodiment of the present invention. The method 200 for preventing phishing attacks according to an embodiment of the present invention begins with step 202.
  • Next, the method 200 proceeds to step 204, in which the links in the Web page are acquired. The links in the Web page may be acquired by scanning the source code of the Web page. These links include:
  • HTML <a> href attribute, which specifies the address to which a link is directed;
  • HTML <script> src attribute, which specifies the source address of an external script file;
  • HTML <img> src attribute, which specifies the source address of an image;
  • HTML <iFrame> src attribute, which specifies the source address of the document to be displayed in the iFrame;
  • HTML <Form> Action attribute, which specifies the target address to which the form is submitted, and so on.
  • Above are listed some examples of attributes related to links in HTML. It should be understood that above are listed only some examples of links in Web page, and other HTML tags and attributes related to links, or tags, attributes and contents related to links in other markup languages such as XHTML, XML, etc., are known to the skilled in the art and not listed here.
  • According to observation of the inventor of the present disclosure, a fake website constructed using the resources of the genuine legitimate website generally have same features, i.e.,
      • 1) Most resources in the Web page of a fake website are acquired from the genuine legitimate website;
      • 2) The parts that require a user to input and submit sensitive information are directed to an address preset by the attacker;
      • 3) The address of the fake website and that of the genuine legitimate website belong to different domains;
      • 4) The address preset by the attacker and that of the genuine legitimate website belong to different domains.
  • In the following is an example of a fake website; the attacker fakes as HSBC to send an email or an IM (instant messaging) message to a user, when the user clicks the link in the email or IM message sent by the attacker, he will be directed to a fake website with the address of http://qingadian.com/. The fake website has a highly similar webpage to that of the genuine HSBC website, so as to deceive the user to input personal sensitive information. The genuine legitimate HSBC website is http://www.hsbc.com.hk/. It can be seen by checking the code of the fake website that most resources in the fake website page are acquired from the genuine legitimate website; refer to the code segments given below.
  • <script src=‘/1/PA_1_3_S5/content/hongkongpws/theme/js/pws_default.js’ type=
       “text/JavaScript”></script>
     <div class=“containerGlobal”><div class=“containerEntity”><div class=“hsbcEntity”>
     <div class=“hsbcEntityTextArea01”>Hong Kong</div>
     <div class=“hsbcEntityTextArea02”>
      <ul>
       <li class=“hsbcEntityTabSelected”><a href=“/1/2/home?fbc=HomeEngTopMenu”>
          Home</a></li>
       <li><a href=“/1/2/hk/personal?fbc=HomeEngTopMenu”>Personal</a></li>
       <li><a href=“/1/2/hsbcpremier/home?fbc=HomeEngTopMenu”>HSBC Premier</a></li>
       <li><a href=“/1/2/hsbcadvance/home?fbc=HomeEngTopMenu”>HSBC Advance</a></li>
       <li><a href=“http://www.commercial.hsbc.com.hk/1/2/commercial/home” ‘width=
          ‘+screen.width+’, height=‘+screen.height*0.88+’,location=yes,directories=no,
          menubar=yes,toolbar=yes,scrollbars=yes,status=yes, resizable=yes,left=0,top=0’);
          return false;”>Commercial</a></li>
       <li><a href=“http://www.hsbcnet.com/hsbc” target=“_blank” >
          (‘http://www.hsbcnet.com/hsbc’,‘_blank’,‘width=‘+screen.width+’,height=‘+screen.
          height*0.88+’,location=yes,directories=no,menubar=yes,toolbar=yes,scrollbars=yes,
          status=yes,resizable=yes,left=0,top=0’);return false;”>Corporate</a></li>
       <li><a href=“/1/2/mpf/home?fbc=HomeEngTopMenu”>MPF</a></li>
       <li><a href=“/1/2/hsbcgreaterchina?fbc=HomeEngTopMenu”>Greater China</a></li>
       <li><a href=“/1/2/about/home?fbc=HomeEngTopMenu”>About HSBC</a></li>
       <li><a href=“/1/2/careers/home?fbc=HomeEngTopMenu”>Careers</a></li>
       <li><a href=“/1/2/contact-us?fbc=HomeEngTopMenu”>Contact us</a></li>
      </ul>
     </div>
     </div>
     </div></div></div>
     ... ....
    <p class=“red”><strong>Personal Internet Banking</strong><br />
    <span style=“display:block;float:left;”><a href=“javascript:void(0)”
    >
    ‘width=‘+screen.width+’,height=‘+screen.height*0.88+’,location=no, directories=no,
    menubar=no,toolbar=no,scrollbars=yes,status=yes,resizable=yes,left=0,top=0’);
    ”><img src=“/1/PA_1_3_S5/content/hongkongpws/hk_home/
    images/logon.gif” alt=“Logon” /></a></span>
  • It may be clearly seen from code of the fake website given above that, most webpage resources in the fake website are acquired from the genuine legitimate website, while the part requiring the user to input personal sensitive information are directed to the address preset by the attacker, i.e., http://qiangadian.com/qingdaohuadian/CRM/login/IBlogin.html. In other words, the user will be directed to the above address by clicking the Logon button on the fake website.
  • According to an embodiment of the present disclosure, the links are classified into two types:
    • 1) internal links, whose link addresses belong to the same domain as the address of the Web page;
    • 2) external links, whose link addresses belong to a different domain from the address of the Web page;
      wherein the user access the above Web page by clicking the link in the email or IM message.
  • Here the domain refers to a domain name. It is believed that links of different domain names belonging to a same company are of the same type. For example, the domain names of www.qq.com, www.tencent.com, etc. belong to Tencent Corp., i.e., links involving the above two domain names are links of the same type; similarly, the domain names of www.sina.com, www.sinaimg.com, weibo.com, etc. all belong to Sina Corp.; and the domain names of www.boc.cn, www.bankofchina.com, etc. all belong to Bank of China, and so on. Different domain names belonging to a same company may be stored in advance in a database in the form of a list or in other forms. In other words, if the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are identical or belong to the same company, then this link is an internal link. If the domain name corresponding to the address of a link and the domain name corresponding to the address of the Web page are not identical, nor they belong to the same company, then the link is an external link
  • Next, the method 200 proceeds to step 206, in which the acquired links are classified. As mentioned above, the links are classified into the two types of internal links and external links according to an embodiment of the present disclosure. At step 206, the acquired links are classified according to the link types, i.e., whether they belong to internal links or external links. Thus, after step 206 is performed, the number of the links belonging to internal links and the number of the links belonging to external links are obtained.
  • According to an embodiment of the present disclosure, in the process of acquiring the links in the Web page or classifying the links, common links of third-party legitimate websites that provide services, such as Google® AdWords® that provides advertising services, or Microsoft® Bing® that provides searching services, etc., may be excluded. These third-party legitimate websites that need to be excluded may be stored in advance in a database in the form of a list or in other forms, so that the links of the common third-party legitimate websites that provide services may be excluded by means of querying the list in the process of acquiring links in the Web page or classifying the links
  • Next, the method 200 proceeds to step 208, in which it is determined whether there is a phishing attack according to the classified links. According to an embodiment of the present disclosure, it is determined whether there is a phishing attack according to the classified links by calculating the percentage of the links of a respective type in the total number of links; and comparing the calculated percentage of the links of the respective type in the total number of links with a preset threshold. According to an embodiment of the present disclosure, links are classified into internal links and external links, and the percentages of internal links and external links in the total number of links are calculated. Then, the calculated percentage of internal links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the internal links are less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the internal links are not less than the preset threshold, the reproduced Web page is displayed to the user.
  • According to another embodiment of the present disclosure, the calculated percentage of external links in the total number of links is compared with a preset threshold, and if the comparison result indicates that the external links are not less than the preset threshold, the user is warned of a possible phishing attack. If the comparison result indicates that the external links are less than the preset threshold, the reproduced Web page is displayed to the user.
  • Taking the above fake website as an example, assuming that the user clicks the link in the email or IM message that is sent by the attacker, he will then be directed to the address http://qingadian.com/. By scanning the page corresponding to the above address, all links therein are acquired. Then, the acquired links in the page are classified according to the link types, i.e., whether they belong to the internal links or external links, and the percentage of the links of a respective type in the total number of links is calculated. For the above fake website, since most page resources of the fake website are acquired from the genuine legitimate website http://www.hsbc.com.hk/, the number of internal links belonging to the same domain as the address (i.e., http://qiangadian.com/) accessed by user by clicking is small (usually only the links corresponding to the parts that require the user to input personal sensitive information), while most links are from the genuine legitimate website, i.e., http://www.hsbc.com.hk/. If the address accessed by user by clicking were the genuine legitimate website, i.e., http://www.hsbc.com.hk/, the internal links belonging to the same domain as the address accessed by user by clicking should have been the majority. Therefore, assume that the preset threshold of internal links in the total number of links is 80%. If the user accesses the fake website by clicking, the number of internal links belonging to the same domain as the address accessed by the user by clicking is small. Assume that in this case the percentage of internal links in the total number of links is approximately 5%. Since 5% is much smaller than 80%, this indicates that there may be a phishing attack, in which case the user is warned of a possible phishing attack.
  • Above are described the method and system according to one or more embodiments of the present disclosure. The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • Now referring to FIG. 3, it illustrates a block diagram of a system 300 for preventing phishing attacks according to an embodiment of the present invention.
  • The system 300 for preventing phishing attacks according to an embodiment of the present disclosure comprises: an acquiring component 302 configured to acquire the links in a Web page; a classifying component 304 configured to classify the acquired links according to link types; and a determining component 306 configured to determine whether there is a phishing attack according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page and external links belonging to a different domain from the address of the Web page. According to an embodiment of the present disclosure, the acquiring component 302 is further configured to acquire links in the Web page by scanning the source code of the Web page.
  • According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: an calculating component (not shown) configured to calculate the percentage of the links of a respective type in the total number of links; and a comparing component (not shown) configured to compare the percentage of the links of the respective type in the total number of links with a preset threshold.
  • According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the internal links are less than a preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the internal links are not less than the preset threshold.
  • According to an embodiment of the present disclosure, the system 300 for preventing phishing attacks further comprises: a warning component (not shown) configured to warn the user of a possible phishing attack in response to the comparison result indicating that the external links are not less than the preset threshold; and a displaying component (not shown) configured to display the Web page to the user in response to the comparison result indicating that the external links are less than the preset threshold.
  • Those skilled in the art will appreciate that aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in a medium of expression having computer readable program code embodied thereon.
  • Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • The computer readable signal medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The propagated signal can be in various forms, including but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. The computer readable signal medium can be any computer readable medium that is not a computer readable storage medium, but that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
  • The program code embodied in the computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc, or any suitable combination of the foregoing.
  • Computer program code for carrying out operations in embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • Aspects of the present disclosure are described with reference to the flowchart illustrations and/or block diagrams of the methods, apparatus (systems) and computer product. It will be understood that, each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • It should be further pointed out that in the apparatus and method of the present disclosure, obviously the components or steps may be decomposed and/or recombined. The decomposition and/or recombination may be viewed as equivalent solutions of the present disclosure. Moreover, the steps executing the above series of processing may be naturally performed in time order according to the sequence of the description, but they may not necessarily be performed in time order. Some steps may be performed in parallel or independently of each other.
  • Although the present disclosure and advantages thereof have been described in detail, it will be understood that various changes, substitution and transformation may be made thereto without departing from the spirit and scope of the present disclosure. Further, the terms “comprises”, “comprising,” or any variants thereof are intended to cover nonexclusive inclusion, such that a process, method, article or apparatus comprising a series of elements may not only comprise those elements, but may also comprise other elements, or comprise elements inherent to the process, method, article or apparatus. Without further limitation, an element specified by the phrase “comprising a” does not exclude the presence of other identical elements in the process, method, article or apparatus comprising the element.

Claims (12)

1-9. (canceled)
10. A system for preventing phishing attacks, comprising:
an acquiring component configured to acquire links in a Web page;
a classifying component configured to classify the acquired links according to link types to form classified links; and
a determining component configured to determine whether a phishing attack exists according to the classified links,
wherein the acquired links are classified into two types: internal links belonging to a same domain as an address of the Web page, and external links belonging to a different domain from the address of the Web page.
11. The system of claim 10, further comprising:
a calculating component configured to calculate a percentage of links of a respective type in a total number of the links; and
a comparing component configured to compare the calculated percentage of links of a respective type in the total number of links with a preset threshold,
wherein the determining component determines whether a phishing attack exists using the comparison result.
12. The system of claim 11, further comprising:
a warning component configured to warn the user of a possible phishing attack in response to the comparison result indicating that the internal links are less than the preset threshold.
13. The system of claim 11, further comprising:
a displaying component configured to display the Web page to a user in response to the comparison result indicating that the internal links are not less than the preset threshold.
14. The system of claim 11, further comprising:
a warning component configured to warn of a possible phishing attack in response to the comparison result indicating that the external links are not less than the preset threshold.
15. The system of claim 11, further comprising:
a displaying component configured to display the Web page to a user in response to the comparison result indicating that the external links are less than the preset threshold.
16. The system of claim 10, wherein the acquiring component is further configured to acquire the links in the Web page by scanning source code of the Web page.
17. The system of claim 10, wherein certain of the links belonging to a same company are of an identical type.
18. A computer program product comprising a tangible computer readable storage device having program code stored thereon that is operable, when executed by a data processor, for performing steps of:
acquiring links in a Web page;
classifying the acquired links according to link types to form classified links; and
determining whether a phishing attack exists according to the classified links,
wherein the acquired links are classified into two types: internal links belonging to a same domain as an address of the Web page, and external links belonging to a different domain from the address of the Web page.
19. The computer program product of claim 18, wherein the step of determining whether a phishing attack exists according to the classified links comprises:
calculating a percentage of links of a respective type in a total number of the links;
comparing the calculated percentage of links of the respective type in the total number of links with a preset threshold; and
determining whether a phishing attack exists using the comparison result.
20. The computer program product of claim 19, wherein the step of determining whether a phishing attack exists using the comparison result comprises:
warning a user of a possible phishing attack in response to the comparison result indicating that the internal links are less than the preset threshold.
US13/543,935 2011-07-29 2012-07-09 Method and System for Preventing Phishing Attacks Abandoned US20130031627A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/564,797 US9747441B2 (en) 2011-07-29 2012-08-02 Preventing phishing attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110215504.1 2011-07-29
CN2011102155041A CN102902917A (en) 2011-07-29 2011-07-29 Method and system for preventing phishing attacks

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/564,797 Continuation US9747441B2 (en) 2011-07-29 2012-08-02 Preventing phishing attacks

Publications (1)

Publication Number Publication Date
US20130031627A1 true US20130031627A1 (en) 2013-01-31

Family

ID=47575144

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/543,935 Abandoned US20130031627A1 (en) 2011-07-29 2012-07-09 Method and System for Preventing Phishing Attacks
US13/564,797 Active 2034-11-12 US9747441B2 (en) 2011-07-29 2012-08-02 Preventing phishing attacks

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/564,797 Active 2034-11-12 US9747441B2 (en) 2011-07-29 2012-08-02 Preventing phishing attacks

Country Status (2)

Country Link
US (2) US20130031627A1 (en)
CN (1) CN102902917A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150180896A1 (en) * 2013-02-08 2015-06-25 PhishMe, Inc. Collaborative phishing attack detection
US9246936B1 (en) 2013-02-08 2016-01-26 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9253207B2 (en) 2013-02-08 2016-02-02 PhishMe, Inc. Collaborative phishing attack detection
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US9344449B2 (en) 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
WO2017044432A1 (en) * 2015-09-11 2017-03-16 Okta, Inc. Secured user credential management
JP2017123142A (en) * 2015-09-30 2017-07-13 エーオー カスペルスキー ラボAO Kaspersky Lab System and method for detection of phishing script
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
CN114006746A (en) * 2021-10-26 2022-02-01 深信服科技股份有限公司 Attack detection method, device, equipment and storage medium

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9384348B2 (en) * 2004-04-29 2016-07-05 James A. Roskind Identity theft countermeasures
US8412837B1 (en) 2004-07-08 2013-04-02 James A. Roskind Data privacy
US8800033B2 (en) * 2011-05-26 2014-08-05 International Business Machines Corporation Rotation of web site content to prevent E-mail spam/phishing attacks
CN103368958A (en) * 2013-07-05 2013-10-23 腾讯科技(深圳)有限公司 Method, device and system for detecting webpage
CN104348803B (en) * 2013-07-31 2018-12-11 深圳市腾讯计算机系统有限公司 Link kidnaps detection method, device, user equipment, Analysis server and system
US9253208B1 (en) 2015-03-05 2016-02-02 AO Kaspersky Lab System and method for automated phishing detection rule evolution
EP3125147B1 (en) * 2015-07-27 2020-06-03 Swisscom AG System and method for identifying a phishing website
CN105653941A (en) * 2015-07-31 2016-06-08 哈尔滨安天科技股份有限公司 Heuristic detection method and system for phishing website
US20180007066A1 (en) * 2016-06-30 2018-01-04 Vade Retro Technology Inc. Detection of phishing dropboxes
CN107395488A (en) * 2017-06-08 2017-11-24 深圳市金立通信设备有限公司 A kind of method and terminal for identifying adventure account
CN107800686B (en) * 2017-09-25 2020-06-12 中国互联网络信息中心 Phishing website identification method and device

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060015722A1 (en) * 2004-07-16 2006-01-19 Geotrust Security systems and services to provide identity and uniform resource identifier verification
US20060168202A1 (en) * 2004-12-13 2006-07-27 Eran Reshef System and method for deterring rogue users from attacking protected legitimate users
US20070107053A1 (en) * 2004-05-02 2007-05-10 Markmonitor, Inc. Enhanced responses to online fraud
US20080127319A1 (en) * 2006-11-29 2008-05-29 Yahoo! Inc. Client based online fraud prevention
US20080172738A1 (en) * 2007-01-11 2008-07-17 Cary Lee Bates Method for Detecting and Remediating Misleading Hyperlinks
US20090077383A1 (en) * 2007-08-06 2009-03-19 De Monseignat Bernard System and method for authentication, data transfer, and protection against phishing
US20090089859A1 (en) * 2007-09-28 2009-04-02 Cook Debra L Method and apparatus for detecting phishing attempts solicited by electronic mail
US7668921B2 (en) * 2006-05-30 2010-02-23 Xerox Corporation Method and system for phishing detection
US7681234B2 (en) * 2005-06-30 2010-03-16 Microsoft Corporation Preventing phishing attacks
US7849507B1 (en) * 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for filtering server responses
US8020206B2 (en) * 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
US8312538B2 (en) * 2005-08-30 2012-11-13 Passlogy Co., Ltd. Site check method
US8321936B1 (en) * 2007-05-30 2012-11-27 M86 Security, Inc. System and method for malicious software detection in multiple protocols
US8346878B2 (en) * 2009-11-06 2013-01-01 International Business Machines Corporation Flagging resource pointers depending on user environment
US8429545B2 (en) * 2005-05-03 2013-04-23 Mcafee, Inc. System, method, and computer program product for presenting an indicia of risk reflecting an analysis associated with search results within a graphical user interface
US8468597B1 (en) * 2008-12-30 2013-06-18 Uab Research Foundation System and method for identifying a phishing website

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6230153B1 (en) * 1998-06-18 2001-05-08 International Business Machines Corporation Association rule ranker for web site emulation
US6442606B1 (en) * 1999-08-12 2002-08-27 Inktomi Corporation Method and apparatus for identifying spoof documents
US6691163B1 (en) * 1999-12-23 2004-02-10 Alexa Internet Use of web usage trail data to identify related links
US6819340B2 (en) * 2001-07-23 2004-11-16 Paul E. Burke Adding a shortcut to a web site
US8132250B2 (en) * 2002-03-08 2012-03-06 Mcafee, Inc. Message profiling systems and methods
US20060168006A1 (en) * 2003-03-24 2006-07-27 Mr. Marvin Shannon System and method for the classification of electronic communication
US7461257B2 (en) * 2003-09-22 2008-12-02 Proofpoint, Inc. System for detecting spoofed hyperlinks
US7441044B2 (en) * 2003-11-05 2008-10-21 Overture Services, Inc. Countrytagging
US20060080735A1 (en) 2004-09-30 2006-04-13 Usa Revco, Llc Methods and systems for phishing detection and notification
US20060168066A1 (en) * 2004-11-10 2006-07-27 David Helsper Email anti-phishing inspector
US7634810B2 (en) 2004-12-02 2009-12-15 Microsoft Corporation Phishing detection, prevention, and notification
US7580982B2 (en) * 2004-12-14 2009-08-25 The Go Daddy Group, Inc. Email filtering system and method
US8171085B1 (en) * 2005-01-19 2012-05-01 Apple Inc. Methods and apparatuses for authenticating electronic messages
CA2600344A1 (en) * 2005-03-02 2006-09-08 Markmonitor Inc. Distribution of trust data
US7634809B1 (en) * 2005-03-11 2009-12-15 Symantec Corporation Detecting unsanctioned network servers
US7975010B1 (en) * 2005-03-23 2011-07-05 Symantec Corporation Countering spam through address comparison
US8560413B1 (en) * 2005-07-14 2013-10-15 John S. Quarterman Method and system for detecting distributed internet crime
KR100723867B1 (en) * 2005-11-23 2007-05-31 한국전자통신연구원 Apparatus and method for blocking access to phishing web page
US8839418B2 (en) * 2006-01-18 2014-09-16 Microsoft Corporation Finding phishing sites
GB0603888D0 (en) 2006-02-27 2006-04-05 Univ Newcastle Phishing mitigation
US8095967B2 (en) * 2006-07-27 2012-01-10 White Sky, Inc. Secure web site authentication using web site characteristics, secure user credentials and private browser
US7802298B1 (en) * 2006-08-10 2010-09-21 Trend Micro Incorporated Methods and apparatus for protecting computers against phishing attacks
US7854001B1 (en) 2007-06-29 2010-12-14 Trend Micro Incorporated Aggregation-based phishing site detection
KR20090019451A (en) 2007-08-21 2009-02-25 한국전자통신연구원 The method and apparatus for alarming phishing and pharming
US20090182818A1 (en) * 2008-01-11 2009-07-16 Fortinet, Inc. A Delaware Corporation Heuristic detection of probable misspelled addresses in electronic communications
US20100042687A1 (en) 2008-08-12 2010-02-18 Yahoo! Inc. System and method for combating phishing
US20100235915A1 (en) * 2009-03-12 2010-09-16 Nasir Memon Using host symptoms, host roles, and/or host reputation for detection of host infection
US8769695B2 (en) * 2009-04-30 2014-07-01 Bank Of America Corporation Phish probability scoring model
US8438642B2 (en) * 2009-06-05 2013-05-07 At&T Intellectual Property I, L.P. Method of detecting potential phishing by analyzing universal resource locators
CN101667979B (en) * 2009-10-12 2012-06-06 哈尔滨工程大学 System and method for anti-phishing emails based on link domain name and user feedback
CN101820366B (en) * 2010-01-27 2012-09-05 南京邮电大学 Pre-fetching-based fishing web page detection method
US8521667B2 (en) * 2010-12-15 2013-08-27 Microsoft Corporation Detection and categorization of malicious URLs

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070107053A1 (en) * 2004-05-02 2007-05-10 Markmonitor, Inc. Enhanced responses to online fraud
US20060015722A1 (en) * 2004-07-16 2006-01-19 Geotrust Security systems and services to provide identity and uniform resource identifier verification
US20060168202A1 (en) * 2004-12-13 2006-07-27 Eran Reshef System and method for deterring rogue users from attacking protected legitimate users
US8429545B2 (en) * 2005-05-03 2013-04-23 Mcafee, Inc. System, method, and computer program product for presenting an indicia of risk reflecting an analysis associated with search results within a graphical user interface
US7681234B2 (en) * 2005-06-30 2010-03-16 Microsoft Corporation Preventing phishing attacks
US8312538B2 (en) * 2005-08-30 2012-11-13 Passlogy Co., Ltd. Site check method
US7849507B1 (en) * 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for filtering server responses
US7668921B2 (en) * 2006-05-30 2010-02-23 Xerox Corporation Method and system for phishing detection
US8020206B2 (en) * 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
US20080127319A1 (en) * 2006-11-29 2008-05-29 Yahoo! Inc. Client based online fraud prevention
US20080172738A1 (en) * 2007-01-11 2008-07-17 Cary Lee Bates Method for Detecting and Remediating Misleading Hyperlinks
US8321936B1 (en) * 2007-05-30 2012-11-27 M86 Security, Inc. System and method for malicious software detection in multiple protocols
US20090077383A1 (en) * 2007-08-06 2009-03-19 De Monseignat Bernard System and method for authentication, data transfer, and protection against phishing
US20090089859A1 (en) * 2007-09-28 2009-04-02 Cook Debra L Method and apparatus for detecting phishing attempts solicited by electronic mail
US8468597B1 (en) * 2008-12-30 2013-06-18 Uab Research Foundation System and method for identifying a phishing website
US8346878B2 (en) * 2009-11-06 2013-01-01 International Business Machines Corporation Flagging resource pointers depending on user environment

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9667645B1 (en) 2013-02-08 2017-05-30 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9246936B1 (en) 2013-02-08 2016-01-26 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9253207B2 (en) 2013-02-08 2016-02-02 PhishMe, Inc. Collaborative phishing attack detection
US10819744B1 (en) 2013-02-08 2020-10-27 Cofense Inc Collaborative phishing attack detection
US9325730B2 (en) * 2013-02-08 2016-04-26 PhishMe, Inc. Collaborative phishing attack detection
US10187407B1 (en) 2013-02-08 2019-01-22 Cofense Inc. Collaborative phishing attack detection
US9356948B2 (en) 2013-02-08 2016-05-31 PhishMe, Inc. Collaborative phishing attack detection
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US9591017B1 (en) 2013-02-08 2017-03-07 PhishMe, Inc. Collaborative phishing attack detection
US9674221B1 (en) 2013-02-08 2017-06-06 PhishMe, Inc. Collaborative phishing attack detection
US20150180896A1 (en) * 2013-02-08 2015-06-25 PhishMe, Inc. Collaborative phishing attack detection
US9635042B2 (en) 2013-03-11 2017-04-25 Bank Of America Corporation Risk ranking referential links in electronic messages
US9344449B2 (en) 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
WO2017044432A1 (en) * 2015-09-11 2017-03-16 Okta, Inc. Secured user credential management
US10505980B2 (en) 2015-09-11 2019-12-10 Okta, Inc. Secured user credential management
JP2017123142A (en) * 2015-09-30 2017-07-13 エーオー カスペルスキー ラボAO Kaspersky Lab System and method for detection of phishing script
CN114006746A (en) * 2021-10-26 2022-02-01 深信服科技股份有限公司 Attack detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
US20130031628A1 (en) 2013-01-31
US9747441B2 (en) 2017-08-29
CN102902917A (en) 2013-01-30

Similar Documents

Publication Publication Date Title
US9747441B2 (en) Preventing phishing attacks
US11727114B2 (en) Systems and methods for remote detection of software through browser webinjects
US11381598B2 (en) Phishing detection using certificates associated with uniform resource locators
US11671448B2 (en) Phishing detection using uniform resource locators
US8683596B2 (en) Detection of DOM-based cross-site scripting vulnerabilities
US9489515B2 (en) System and method for blocking the transmission of sensitive data using dynamic data tainting
US8839401B2 (en) Malicious message detection and processing
US9247016B2 (en) Unified tracking data management
US9680911B2 (en) Method and apparatus of short uniform resource locator lookup and feedback
US12021894B2 (en) Phishing detection based on modeling of web page content
US8347381B1 (en) Detecting malicious social networking profiles
WO2016058489A1 (en) Method and device for providing access page
CN112703496B (en) Content policy based notification to application users regarding malicious browser plug-ins
US20140283078A1 (en) Scanning and filtering of hosted content
US20190044967A1 (en) Identification of a malicious string
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
US20230021885A1 (en) Phishing Mitigation Service
US11470114B2 (en) Malware and phishing detection and mediation platform
US10474810B2 (en) Controlling access to web resources
US12120133B1 (en) Request header anomaly detection
US11640479B1 (en) Mitigating website privacy issues by automatically identifying cookie sharing risks in a cookie ecosystem
Cvitić et al. Defining cross-site scripting attack resilience guidelines based on BeEF framework simulation
WO2021133592A1 (en) Malware and phishing detection and mediation platform
EP4184356A1 (en) Webpage integrity monitoring
US20240338447A1 (en) Automated attack chain following by a threat analysis platform

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WANG, BIN;XIE, LIN;SONG, YIN;AND OTHERS;REEL/FRAME:028510/0272

Effective date: 20120621

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: AWEMANE LTD., CAYMAN ISLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:057991/0960

Effective date: 20210826

AS Assignment

Owner name: BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AWEMANE LTD.;REEL/FRAME:064501/0498

Effective date: 20230302

AS Assignment

Owner name: BEIJING ZITIAO NETWORK TECHNOLOGY CO., LTD., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BEIJING PIANRUOJINGHONG TECHNOLOGY CO., LTD.;REEL/FRAME:066565/0952

Effective date: 20231130