WO2015078247A1 - Method, apparatus and terminal for monitoring phishing - Google Patents


Publication number
WO2015078247A1
WO2015078247A1 PCT/CN2014/089269 CN2014089269W WO2015078247A1 WO 2015078247 A1 WO2015078247 A1 WO 2015078247A1 CN 2014089269 W CN2014089269 W CN 2014089269W WO 2015078247 A1 WO2015078247 A1 WO 2015078247A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
safety
address
designated server
verification request
Application number
PCT/CN2014/089269
Inventor
Yuehua GUO
Original Assignee
Tencent Technology (Shenzhen) Company Limited
Application filed by Tencent Technology (Shenzhen) Company Limited

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present application relates to the field of Internet, and in particular, to a method, an apparatus, and a terminal for monitoring phishing.
  • Wi-Fi hotspots are increasingly common. Many facilities, such as restaurants, theme parks, airports, malls, provide Wi-Fi hotspots to attract visitors or provide services.
  • fraudulent measures such as Wi-Fi phishing and DNS hijacking are two common measures of network deception at present.
  • a malicious fake Wi-Fi hotspot is set to attract connections from victims.
  • the fake Wi-Fi site transfers an originally requested "host name server A" to a "malicious server B" through a DNS server built by the fake Wi-Fi site.
  • the malicious server receives and steals the sensitive information.
  • Wi-Fi phishing happens very frequently nowadays.
  • a user terminal is connected through a malicious Wi-Fi hotspot.
  • the Wi-Fi hotspot transfers an original request to access "server A" to a "malicious server B" through a fake DNS server built by the malicious Wi-Fi hotspot;
  • the malicious server may record information about an account and a password of the user, especially, information about a password for network payment, which causes a threat to property of the user, and also results in an offense concerning privacy information of the user.
  • such deception is not limited to the form of a wireless network connection, and the same vulnerability is also applicable to network deception over a wired connection. Therefore, it is desirable to have a method to detect and prevent the risks posed by malicious wireless and wired network access points.
  • a method of increasing security of Internet connections comprises: a user device connecting to the Internet via an access point providing a wireless or wired local network; obtaining a domain name corresponding to an Internet resource; obtaining a first IP address for the domain name through a DNS lookup made via the access point; sending a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address; upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.
  • a device comprises one or more processors, memory, and one or more program modules stored in the memory and configured for execution by the one or more processors.
  • the one or more program modules include instructions for performing the method described above.
  • a non-transitory computer readable storage medium having stored thereon instructions, which, when executed by a device, cause the device to perform the method described above.
  • FIG. 1 is a schematic diagram of a fake access point tricking a user through phishing
  • FIG. 2 is a flowchart of an implementation of a method for increasing security of Internet connections in accordance with some embodiments
  • FIG. 3 is a schematic diagram of a method for preventing phishing in accordance with some embodiments
  • FIG. 4 is a flowchart of an implementation of a method for increasing security of Internet connections in accordance with some embodiments
  • FIG. 5 is a flowchart of an implementation of a method for increasing security of Internet connections
  • FIG. 6 is a flowchart of a method of increasing security of Internet connections in accordance with some embodiments.
  • FIG. 7 is a schematic structural view of an implementation of an apparatus for monitoring phishing according to a fourth embodiment of the present application.
  • FIG. 8 is a diagram of an example implementation of a user device 800 in accordance with some embodiments.
  • FIG. 2 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
  • in a step 201, a user device sends an access request for a host name through a network access point, and receives a first IP address obtained through resolving the host name via the network access point.
  • the access request for a specified host name may be an access request for visiting a uniform resource locator (URL) of a host name input by a user in a browser, or may be an access request for a host name through other applications or in a manner of clicking a shortcut.
  • the host name is included in the access request; for example, when a URL address of https://mail.CNN.com is input, the host name included is CNN.com, that is, a server name.
  • an IP address corresponding to the domain name is obtained through resolution by a set domain name system (DNS) resolution server.
  • the DNS server is provided by a domain name service provider, and its resolution result is a genuine IP address corresponding to the domain name of the host name.
  • an illegal DNS domain name server is used for resolution, or a fake server corresponding to a malicious access point (e.g., a fake Wi-Fi hotspot) may be obtained through resolution, i.e., the IP address obtained through the DNS resolution may not be a genuine IP address corresponding to the desired domain name.
  • the user device searches a preset mapping table according to the host name for a second IP address corresponding to the host name, the mapping table storing mapping relationships among host names and IP addresses.
  • the user device contacts a designated server with a known IP address directly (e.g., via a preset software application installed on the user device) to verify the received IP address.
  • the user device determines whether the second IP address found is the same as the received first IP address.
  • in a step 204, if the second IP address found is not the same as the received first IP address, the user device terminates the current network request operation.
  • if the first IP address and the second IP address are inconsistent, it indicates that the first IP address obtained currently through resolution may be a malicious IP address, and the current network request operation for the first IP address is terminated.
  • the user device continues to visit the second IP address, and the user is reminded that the current terminal may be subject to a malicious act of phishing.
  • if the first IP address and the second IP address are the same, it indicates that the first IP address resolved and returned currently is a normal IP address, and normal access is allowed.
  • FIG. 4 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
  • in a step 401, the user device sends an access request for a host name, and receives a first IP address obtained through DNS resolving of the host name through the access point.
  • the user device sends a verification request to a designated security server, the verification request including the host name and the first IP address.
  • the designated security server is a server specially arranged against phishing deception, and includes mappings between server IP addresses of common host names and domain names of the host names. Also, a large-scale host name may include multiple IP addresses.
  • the user device receives a second IP address that corresponds to the host name in a mapping table of the designated security server.
  • the user device determines whether the second IP address is the same as the received first IP address.
  • in a step 405, if the second IP address found is not the same as the received first IP address, the user device terminates a current network request operation.
  • in a step 406, it is verified whether the designated security server is a specified designated security server by using an encryption key.
  • the verifying whether the designated security server is a designated security server by using an encryption key may be obtaining certificate content only after public key encryption of a certificate of the server and private key decryption of a terminal, and determining reliability of the certificate content. As a matched public key and private key are used for encryption, the certificate can be prevented from being tampered with, thereby ensuring security of the certificate.
  • the step of sending a verification request to a designated security server and the step of receiving a second IP address are specifically sending a request to the designated security server through a virtual private network (VPN) and receiving a second IP address through the VPN.
  • the designated security server needs to regularly update mapping relationships between domain names and IP addresses.
  • the verification request further includes information about a unique identification of a terminal (e.g., the access point or router); the method may further include the following steps.
  • in a step 407, query whether a phishing record corresponding to the unique identification of an access point is recorded in the designated security server.
  • the unique identification is international mobile equipment identity (IMEI)
  • MAC media access control
  • in a step 408, if the phishing record corresponding to the unique identification of the terminal is included, the user device receives information indicating that the current terminal has a security risk.
  • a terminal that may be in danger is recorded, so as to remind a user in time that a network that the terminal is currently connected to is insecure and remind the user to change a password in time.
  • FIG. 5 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
  • in a step 501, the user device sends an access request for a host name, and receives a first IP address obtained through resolving the host name via the access point.
  • the user device searches a local database according to the host name for a second IP address.
  • the user device determines whether the second IP address found is the same as the received first IP address.
  • in a step 504, if the second IP address found is not the same as the received first IP address, the user device terminates a current network request operation.
  • the user device receives update data for a mapping table of host names and IP addresses, the update data being sent by the designated security server, and performs an update.
  • the user device searches for a second IP address corresponding to the host name, and a server is directly accessed through the returned IP address to read and write data.
  • FIG. 6 is a flowchart of increasing security of Internet connections in accordance with some embodiments.
  • the method is performed at a user device having one or more processors and memory for storing one or more programs to be executed by the one or more processors.
  • the user device can be a desktop computer, a tablet, a wearable device, a mobile phone, a laptop, or any other computing device that is capable of connecting to the Internet through a wireless local network or a wired network.
  • the user device connects to the Internet via an access point providing a wireless or wired local network.
  • the wireless local network is a Wi-Fi and the access point is a router connected to a link to an Internet service provider.
  • the wireless local network is provided by a device which is connected with the Internet, e.g., some handsets and computers can be configured to provide a so-called mobile hot-spot.
  • the wired network may be provided by a port provided by the provider of the access point.
  • the user device obtains a domain name corresponding to an Internet resource.
  • a user enters the domain name or a URL into a browser.
  • Applications or programs on the user device may automatically try to visit the domain name once Wi-Fi is available.
  • the user device obtains a first IP address for the domain name through a DNS lookup made via the access point.
  • the user device requests a domain name resolution via the access point and the DNS server provides the first IP address.
  • the request for domain name resolution is hijacked by an interceptor and a fake IP address is returned.
  • the user device has no knowledge whether the first IP address is genuine or fake.
  • the user device evaluates a current access circumstance by checking a plurality of predetermined risk factors, wherein the verification request for verifying the safety of the access point is sent to the designated server in response to a determination that the current access circumstance fails to meet predetermined safety criteria.
  • the plurality of predetermined risk factors include one or more of: the access point having been reported for having safety risks, the wireless local network being designated as public, sensitivity of the Internet resource corresponding to the domain name, the wireless local network having no authentication requirement for access, the wireless local network being a public network, the DNS address of the domain name being obtained via the wireless local network, lack of previous visiting to the first IP address using the wireless local network, and not using any encrypted VPN.
  • when the user device is connected with a network, it prompts a reminder asking the user to select whether the network belongs to work, home or public. If the user selects public, then it is a risk factor that will be considered in the evaluation.
  • if the domain name represents an online purchase website, e.g., Amazon and eBay, and websites of this kind have traditionally been the targets of hackers, the user device considers the domain name risky.
  • the user device assigns a risk score to each possible outcome of every risk factor, and adds all risk scores up to compare with a predetermined risk level. For example, a public network is assigned a score of 10, a domain name representing an email provider is assigned a score of 2, an access point being previously reported to be risky is assigned a score of 45, and a network with no password protection is assigned a score of 4. If the sum of the risk scores is higher or lower than the predetermined score, the user device takes certain actions. For example, if the sum of risk scores is higher than a first predetermined score, the user device begins to verify IP addresses for sensitive websites.
  • the user device verifies every IP address. If the sum of risk scores is higher than a third predetermined score, which is higher than the second predetermined score, the user device terminates the connection with the access point. If the sum of risk scores is lower than the first predetermined score, e.g., a user accessing a non-sensitive website through an encrypted work network, the user device does not verify the IP address.
  • the user can change the first, second and third predetermined scores by changing security policies of the user device.
  • evaluating the current access circumstance further includes obtaining predetermined circumstance information and sending an evaluation request including the circumstance information to the security server.
  • the security server evaluates the circumstance information and sends an evaluation result to the user device.
  • the user device obtains circumstance information, including which network it is connected with, and sends it to the security server.
  • the security server then analyzes this circumstance information and sends the evaluation result (sometimes risk scores) to the user device.
  • the step 604 may start before step 601, before step 602 or before step 603.
  • An earlier start of step 604 protects against the risks in subsequent steps but also means that the step 604 needs to be performed again when new information is obtained from subsequent steps.
  • the step 604 is continuous, i.e., the user device performs the step 604 while performing other steps and consistently checks risk factors while related information is being obtained from other steps.
  • the step 604 is combined within the step 606, so that the security server performs verification of the safety of the access point as well as evaluating current access circumstances.
  • in a step 606, the user device sends a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address.
  • the user device obtains identification information of the access point.
  • Identification information of the access point includes the name of the network, the IP address being assigned to the user address, the location of the user device, security setting of the access point, etc.
  • the user device includes the identification information of the access point in the verification request before sending the verification request to the designated server, wherein the identification information of the access point is used for verifying safety of the access point by the designated server. For example, if a prior user of the wireless local network has sent the identification of the wireless local network to the server and the server finds that the IP address obtained by the prior user is a malicious one, the server then records this incident in association with the identification of the network.
  • the server may send a warning to the user device of the user.
  • the user device obtains current geographical location of the user device; and includes the current geographical location of the user device in the identification information of the access point.
  • the user device can obtain the current geographical coordinates and send them to the server so that the server may record that the wireless local network is at these geographical coordinates.
  • a user notes that he is accessing the network in a restaurant named XYZ, and the server finds that a prior user has used a network having the same name in the same restaurant and reported a privacy-leaking incident. The server then warns the user device of the later user of the security risk.
  • the server receives and decrypts the verification request to obtain at least the domain name and the first IP address.
  • the communication between the user device and the designated server is encrypted, is not available to the access point, and can only be decrypted by the other party.
  • the access point cannot modify the verification result or intercept information transmitted between the designated server and the user device.
  • the verification request is encrypted by a public key and is configured to be decrypted by the designated server using a private key pre-stored in the designated server.
  • connection between the user device and the designated server is secure and cannot be changed or redirected because the security software application or browser application implementing this method already has the IP address of the designated server, and the communication to the designated server is encrypted by the public key of the designated server.
  • in a step 608, the server generates a verification result in accordance with at least the first IP address.
  • the designated server stores a verification result and the identification information of the access point for future evaluation of the safety of the access point.
  • the server may set up a blacklist which includes access points that have been found to have security risks more than a certain number of times.
  • the server may warn every user device that sends verification requests, even though those verification requests may be found to contain safe IP addresses.
  • the warning of the safety of the access point is at least partly based on information in a past verification request that is associated with the access point, received by the designated server, and containing an erroneous IP address. For example, when the server finds that an IP address contained in a previous verification result is erroneous, the server then stores the incident and the identification of the wireless local network. When the user sends a verification request regarding the wireless local network provided by the same access point, the server sends a warning to the user device regardless of whether the IP address from the user device is genuine.
  • the warning of the safety of the access point is at least partly based on previously reported risk of the first IP address. For example, other users have reported that this IP address has security risks. Alternatively, other organizations may warn of the risks of this IP address. For example, a bank may report that its customers’ information has been intercepted when using this IP address.
  • the user device receives positive verification of the safety of the access point.
  • upon receiving positive verification of the safety of the access point, in a step 610, the user device establishes communication with the first IP address via the access point.
  • the user device receives a warning of the safety of the access point.
  • upon receiving a warning of the safety of the access point, the user device prohibits communication with the first IP address via the access point and alerts the user of the safety risk of the access point. In some embodiments, the user device permits the user to continue to use the access point to visit some non-sensitive websites. In some embodiments, the verification is performed for each access to a new domain name even though all previously received IP addresses are shown to be correct. In some embodiments, access to a low risk domain name is permitted if the IP address is correct, even if the risk of the access point for other sensitive domains has been determined to be high. This way, the user is aware of the risk, but may still utilize the access point for some low risk surfing. In some embodiments, the scope of verification efforts and how much a user can continue to use a network is determined by the risk scores discussed in step 604.
  • the user device upon receiving the warning of the safety of the access point, obtains a plurality of social network contacts meeting predetermined criteria through a respective social network application, and sends an alert of the risk of the access point to the obtained plurality of social network contacts through the respective social network application.
  • a security application finds the risk and sends it to social network friends within a certain distance of the user through the social network application. The social network friends do not use the security application but nonetheless receive the warning from the social network.
  • the designated server is linked with the user’s social network account, and can send the alerts to the contacts without going through the user’s device.
  • the user can ask the designated server to automatically send warnings to contacts.
  • the user device upon receiving the warning of the safety of the access point, sends the designated server a permission to alert one or more social network contacts of the user associated with the user device.
  • the user device can verify the safety of a wireless local network by trying to solicit intercepting actions.
  • the user device obtains a plurality of domain names that are deemed to be susceptible to security risks. For example, if hackers often target financial service websites and private information services (such as Facebook, emails), then these domain names are good for testing whether there are any interception efforts in the wireless network.
  • the user device obtains a plurality of IP addresses for the plurality of domain names through respective DNS checks made via the access point.
  • the user device sends, to the designated server, one or more verification requests for verifying safety of visiting the plurality of IP addresses via the access point. For example, the user device may send one verification request including all the plurality of the domain names and obtained IP addresses.
  • this method can be performed when the user first tries to use the access point to access the Internet. For example, this method can be performed in steps 604 and/or 605 so that it becomes part of the evaluation or verification process.
  • the software application automatically generates a set of DNS checks for a set of sensitive domain names, and if any one of the IP addresses is wrong, the warning for risk of using the access point is generated and shown to the user.
  • FIG. 7 is a schematic structural view of an apparatus for monitoring phishing in accordance with some embodiments. The detailed description is as follows.
  • the apparatus for monitoring phishing in accordance with some embodiments includes: a receiving unit 701, for sending an access request, and receiving a first IP address obtained through resolving the host name; a search unit 702, for searching a preset mapping table according to the host name for a second IP address; a determining unit 703, for determining whether the second IP address found is the same as the received first IP address; and a termination unit 704 for terminating a current network request operation.
  • the preset mapping table of host names and IP addresses is stored in a designated security server.
  • the search unit 702 includes: a verification request sending sub-unit 7021, for sending verification requests to the designated security server, the verification request including the host name and the first IP address; and a search sub-unit 7022, for receiving a second IP address that corresponds to the host name and is found by the designated security server according to the host name in a mapping table of host names and IP addresses.
  • the apparatus further includes a verification unit 705, for verifying whether the designated security server is a specified designated security server by using an encryption key.
  • the verification request sending sub-unit and the search sub-unit are used for sending a request to the designated security server through a VPN or receiving the second IP address through the VPN.
  • the verification request further includes information about a unique identification of a terminal.
  • the apparatus further includes: a query unit 706, for querying whether a phishing record corresponding to the unique identification of the terminal is recorded in the designated security server; and an instruction receiving unit 707, for, if the phishing record corresponding to the unique identification of the terminal is included, receiving an instruction that the current terminal has a security risk.
  • the preset mapping table of host names and IP addresses is stored in a local database, and the search unit 702 is for searching the local database according to the host name for a second IP address corresponding to the host name.
  • FIG. 8 is a diagram of an example implementation of a user device 800 in accordance with some embodiments. While certain specific features are illustrated, those skilled in the art will appreciate from the present disclosure that various other features have not been illustrated for the sake of brevity and so as not to obscure more pertinent aspects of the implementations disclosed herein. To that end, the user device 800 includes one or more processing units (CPU’s) 802, one or more network or other communications interfaces 808, a display 801, memory 806, and one or more communication buses 804 for interconnecting these and various other components.
  • the communication buses may include circuitry (sometimes called a chipset) that interconnects and controls communications between system components.
  • the memory 806 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM or other random access solid state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices.
  • the memory 806 may optionally include one or more storage devices remotely located from the CPU(s) 802.
  • the memory 806, including the non-volatile and volatile memory device(s) within the memory 806, comprises a non-transitory computer readable storage medium.
  • the memory 806 or the non-transitory computer readable storage medium of the memory 806 stores the following programs, modules and data structures, or a subset thereof including an operating system 816, a network communication module 818, and a risk detection program 820.
  • the operating system 816 includes procedures for handling various basic system services and for performing hardware dependent tasks.
  • the network communication module 818 facilitates communication with other devices via the one or more communication network interfaces 808 (wired or wireless) and one or more communication networks, such as the internet, other wide area networks, local area networks, metropolitan area networks, and so on.
  • the risk detection program 820 is configured to detect risks of a currently available wireless local network.
  • the risk detection module 820 comprises an evaluation module 821 and a verification module 822.
  • the evaluation module 821 is configured to evaluate a current access circumstance by checking a plurality of predetermined risk factors.
  • the verification module 822 is configured to verify the risks of particular IP addresses.
  • the verification module 822 comprises an encryption unit 823, a request unit 824 and an alert unit 825.
  • the encryption unit 823 is configured to encrypt and decrypt communication with the security server.
  • the request unit 824 is configured to generate and send a verification request for verifying safety of the access point and receive verifications and warnings.
  • the alert unit 825 is configured to prohibit communication with the first IP address via the access point and alert the user of safety risk of the access point, upon receiving a warning of the safety of the access point.
  • the alert unit includes or is connected with a database, which stores security information of access points, including identifications and security records of access points, obtained from previous evaluation and verification requests.
  • stages that are not order dependent may be reordered and other stages may be combined or broken out. While some reordering or other groupings are specifically mentioned, others will be obvious to those of ordinary skill in the art and so do not present an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.

Abstract

Method and device of increasing security of Internet connections are disclosed. The method includes: a user device connecting to the Internet via an access point providing a wireless local network; obtaining a domain name corresponding to an Internet resource; obtaining a first IP address for the domain name through a DNS lookup made via the access point; sending a verification request for verifying safety of the access point to a designated server; upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.

Description

METHOD, APPARATUS AND TERMINAL FOR MONITORING PHISHING
PRIORITY CLAIM AND RELATED APPLICATION
This application claims priority to Chinese Patent Application No. 201310611863.8, entitled "METHOD, APPARATUS AND TERMINAL FOR MONITORING NETWORK PHISHING" filed on November 26, 2013, which is incorporated by reference in its entirety.
FIELD OF THE TECHNOLOGY
The present application relates to the field of Internet, and in particular, to a method, an apparatus, and a terminal for monitoring phishing.
BACKGROUND OF THE TECHNOLOGY
Nowadays, wireless local networks are increasingly common. Many facilities, such as restaurants, theme parks, airports, malls, provide Wi-Fi hotspots to attract visitors or provide services. However, along with conveniences for people, there are also some insecure factors in a network. For example, fraudulent measures such as Wi-Fi phishing and DNS hijacking are two common measures of network deception at present. As shown in FIG. 1, a malicious fake Wi-Fi hotspot is set to attract connections from victims. When a user accesses a host name through the malicious fake Wi-Fi hotspot, the fake Wi-Fi site transfers an originally requested "host name server A" to a "malicious server B" through a DNS server built by the fake Wi-Fi site. When the user inputs sensitive information, the malicious server receives and steals the sensitive information.
Wi-Fi phishing happens very frequently nowadays. A user terminal is connected through a malicious Wi-Fi hotspot. When a user accesses a network through the malicious Wi-Fi hotspot, the Wi-Fi hotspot transfers an original request to access "server A" to a "malicious server B" through a fake DNS server built by the malicious Wi-Fi hotspot; the malicious server may record information about an account and a password of the user, especially, information about a password for network payment, which causes a threat to property of the user, and also results in an offense concerning privacy information of the user.
Certainly, such deception is not limited to the form of a wireless network connection, and the same vulnerability is also applicable to network deception over a wired connection. Therefore, it is desirable to have a method to detect and prevent the risks posed by malicious wireless and wired network access points.
SUMMARY
In accordance with some implementations of the disclosed technology, a method of increasing security of Internet connections is disclosed. The method comprises: a user device connecting to the Internet via an access point providing a wireless or wired local network; obtaining a domain name corresponding to an Internet resource; obtaining a first IP address for the domain name through a DNS lookup made via the access point; sending a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address; upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.
In another aspect, a device comprises one or more processors, memory, and one or more program modules stored in the memory and configured for execution by the one or more processors. The one or more program modules include instructions for performing the method described above. In another aspect, a non-transitory computer readable storage medium having stored thereon instructions, which, when executed by a device, cause the device to perform the method described above.
BRIEF DESCRIPTION OF THE DRAWINGS
The aforementioned features and advantages of the application as well as additional features and advantages thereof will be more clearly understood hereinafter as a result of a detailed description of preferred embodiments when taken in conjunction with the drawings.
FIG. 1 is a schematic diagram of a fake access point tricking a user through phishing;
FIG. 2 is a flowchart of an implementation of a method for increasing security of Internet connections in accordance with some embodiments;
FIG. 3 is a schematic diagram of a method for preventing phishing in accordance with some embodiments;
FIG. 4 is a flowchart of an implementation of a method for increasing security of Internet connections in accordance with some embodiments;
FIG. 5 is a flowchart of an implementation of a method for increasing security of Internet connections;
FIG. 6 is a flowchart of a method of increasing security of Internet connections in accordance with some embodiments;
FIG. 7 is a schematic structural view of an implementation of an apparatus for monitoring phishing according to a fourth embodiment of the present application; and
FIG. 8 is a diagram of an example implementation of a user device 800 in accordance with some embodiments.
Like reference numerals refer to corresponding parts throughout the several views of the drawings.
DESCRIPTION OF EMBODIMENTS
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the subject matter presented herein. But it will be apparent to one skilled in the art that the subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the embodiments.
To make the objectives, the technical solution and advantages of the present application much clearer, the present application is further described below in detail with reference to the accompanying drawings and embodiments. It should be understood that, the specific embodiments described herein are merely for explaining the present application, but are not intended to limit the present application.
FIG. 2 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
In accordance with some embodiments, in a step 201, a user device sends an access request for a host name through a network access point, and receives a first IP address obtained through resolving the host name via the network access point.
Specifically, the access request for a specified host name may be an access request for visiting a uniform resource locator (URL) of a host name input by a user in a browser, or may be an access request for a host name through other applications or in a manner of clicking a shortcut. The host name is included in the access request; for example, when a URL address of https://mail.CNN.com is input, the host name included is CNN.com, that is, a server name.
Normally, after the access request of the user is received, an IP address corresponding to the domain name is obtained through resolving a set domain name system (DNS) resolution server. The DNS server is provided by a domain name service provider, and its resolution result is a genuine IP address corresponding to the domain name of the host name. However, when a DNS domain name server resolving the domain name is bypassed by the access point, an illegal DNS domain name server is used for resolution, or a fake server corresponding to a malicious access point (e.g., a fake Wi-Fi hotspot) may be obtained through resolution, i.e., the IP address obtained through the DNS resolution may not be a genuine IP address corresponding to the desired domain name.
In accordance with some embodiments, in a step 202, the user device searches a preset mapping table according to the host name for a second IP address corresponding to the host name, the mapping table storing mapping relationships among host names and IP addresses. In some embodiments, the user device contacts a designated server with a known IP address directly (e.g., via a preset software application installed on the user device) to verify the received IP address.
In accordance with some embodiments, in a step 203, the user device determines whether the second IP address found is the same as the received first IP address.
In accordance with some embodiments, in a step 204, if the second IP address found is not the same as the received first IP address, the user device terminates the current network request operation.
When the first IP address and the second IP address are inconsistent, it indicates that the first IP address obtained currently through resolution may be a malicious IP address, and the current network request operation for the first IP address is terminated.
In some embodiments, as shown in FIG. 3, the user device continues to visit the second IP address, and the user is reminded that the current terminal may be subject to a malicious act of phishing.
When the first IP address and the second IP address are the same, it indicates that the first IP address resolved and returned currently is a normal IP address, and normal access is allowed.
Therefore, it can be effectively avoided that a user accesses a malicious server resulting in a property loss because an IP address corresponding to a host name is tampered in phishing, thereby further ensuring information security.
FIG. 4 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
In accordance with some embodiments, in a step 401, the user device sends an access request for a host name, and receives a first IP address obtained through DNS resolving of the host name through the access point.
In accordance with some embodiments, in a step 402, the user device sends a verification request to a designated security server, the verification request including the host name and the first IP address.
In accordance with some embodiments, the designated security server is a server specially arranged against phishing deception, and includes mappings between server IP addresses of common host names and domain names of the host names. Also, a large-scale host name may include multiple IP addresses.
In accordance with some embodiments, in a step 403, the user device receives a second IP address that corresponds to the host name in a mapping table of the designated security server.
In accordance with some embodiments, in a step 404, the user device determines whether the second IP address is the same as the received first IP address.
In accordance with some embodiments, in a step 405, if the second IP address found is not the same as the received first IP address, the user device terminates a current network request operation.
In accordance with some embodiments, in Step 406, it is verified whether the designated security server is a specified designated security server by using an encryption key.
Verifying whether the designated security server is the specified designated security server by using an encryption key may consist of obtaining the certificate content only after public-key encryption of the server's certificate and private-key decryption at the terminal, and then determining the reliability of the certificate content. Because a matched public key and private key are used for encryption, the certificate is protected from tampering, thereby ensuring the security of the certificate.
Alternatively, as a manner that can improve security of the designated security server, the step of sending a verification request to a designated security server and the step of receiving a second IP address are specifically sending a request to the designated security server through a virtual private network (VPN) and receiving a second IP address through the VPN.
In addition, to improve effectiveness of server data and reduce operation mistakes, the designated security server needs to regularly update mapping relationships between domain names and IP addresses.
Further preferably, in Step 402, the verification request further includes information about a unique identification of a terminal (e.g., the access point or router); the method may further include the following steps.
In accordance with some embodiments, in a step 407, a query is made as to whether a phishing record corresponding to the unique identification of an access point is recorded in the designated security server.
For an access point being a mobile terminal, the unique identification is an international mobile equipment identity (IMEI), and for a computer terminal, the unique identification is a media access control (MAC) address.
In accordance with some embodiments, in a step 408, if the phishing record corresponding to the unique identification of the terminal is included, the user device receives information indicating that the current terminal has a security risk.
A terminal that may be in danger is recorded, so as to remind a user in time that a network that the terminal is currently connected to is insecure and remind the user to change a password in time.
FIG. 5 shows a flowchart of an implementation of a method for increasing security in accordance with some embodiments. The detailed description is as follows.
In accordance with some embodiments, in a step 501, the user device sends an access request for a host name, and receives a first IP address obtained through resolving the host name via the access point.
In accordance with some embodiments, in a step 502, the user device searches a local database according to the host name for a second IP address.
In accordance with some embodiments, in a step 503, the user device determines whether the second IP address found is the same as the received first IP address.
In accordance with some embodiments, in a step 504, if the second IP address found is not the same as the received first IP address, the user device terminates a current network request operation.
In accordance with some embodiments, in a step 505, the user device receives update data for a mapping table of host names and IP addresses, the update data being sent by the designated security server, and performs an update.
In addition, in accordance with some embodiments, the user device searches for a second IP address corresponding to the host name, and a server is directly accessed through the returned IP address to read and write data.
FIG. 6 is a flowchart of a method of increasing security of Internet connections in accordance with some embodiments. In some embodiments, the method is performed at a user device having one or more processors and memory for storing one or more programs to be executed by the one or more processors. The user device can be a desktop computer, a tablet, a wearable device, a mobile phone, a laptop, or any other computing device that is capable of connecting to the Internet through a wireless local network or a wired network.
In accordance with some embodiments, in a step 601, the user device connects to the Internet via an access point providing a wireless or wired local network. In some embodiments, the wireless local network is a Wi-Fi network and the access point is a router connected to a link to an Internet service provider. Alternatively, the wireless local network is provided by a device which is connected with the Internet, e.g., some handsets and computers can be configured to provide a so-called mobile hot-spot. The wired network may be provided by a port provided by the provider of the access point.
In accordance with some embodiments, in a step 602, the user device obtains a domain name corresponding to an Internet resource. A user enters the domain name or a URL into a browser. Applications or programs on the user device may automatically try to visit the domain name once Wi-Fi is available.
In accordance with some embodiments, in a step 603, the user device obtains a first IP address for the domain name through a DNS lookup made via the access point. In some embodiments, the user device requests a domain name resolution via the access point and the DNS server provides the first IP address. In some embodiments, the request for domain name resolution is hijacked by an interceptor and a fake IP address is returned. In this step, the user device has no knowledge whether the first IP address is genuine or fake.
In accordance with some embodiments, in a step 604, before sending the verification request to the designated server, the user device evaluates a current access circumstance by checking a plurality of predetermined risk factors, wherein the verification request for verifying the safety of the access point is sent to the designated server in response to a determination that the current access circumstance fails to meet predetermined safety criteria.
In accordance with some embodiments, the plurality of predetermined risk factors include one or more of: the access point having been reported for having safety risks, the wireless local network being designated as public, sensitivity of the Internet resource corresponding to the domain name, the wireless local network having no authentication requirement for access, the wireless local network being a public network, the DNS address of the domain name being obtained via the wireless local network, lack of previous visits to the first IP address using the wireless local network, and not using any encrypted VPN. For example, when the user device is connected with a network, it prompts a reminder asking the user to select whether the network belongs to work, home or public. If the user selects public, then it is a risk factor that will be considered in the evaluation. For another example, if the domain name represents an online purchase website, e.g., Amazon and eBay, and websites of this kind have traditionally been the targets of hackers, the user device considers the domain name as risky.
In accordance with some embodiments, the user device assigns a risk score to each possible outcome of every risk factor, and adds all risk scores up to compare with a predetermined risk level. For example, a public network is assigned a score of 10, a domain name representing an email provider is assigned a score of 2, an access point being previously reported to be risky is assigned a score of 45, and a network with no password protection is assigned a score of 4. If the sum of the risk scores is higher or lower than the predetermined score, the user device takes certain actions. For example, if the sum of risk scores is higher than a first predetermined score, the user device begins to verify IP addresses for sensitive websites. If the sum of risk scores is higher than a second predetermined score, which is higher than the first predetermined score, the user device verifies every IP address. If the sum of risk scores is higher than a third predetermined score, which is higher than the second predetermined score, the user device terminates the connection with the access point. If the sum of risk scores is lower than the first predetermined score, e.g., a user accessing a non-sensitive website through an encrypted work network, the user device does not verify the IP address. In some embodiments, the user can change the first, second and third predetermined scores by changing security policies of the user device.
In accordance with some embodiments, evaluating the current access circumstance further includes obtaining predetermined circumstance information and sending an evaluation request including the circumstance information to the security server. The security server evaluates the circumstance information and sends an evaluation result to the user device. For example, the user device obtains circumstance information, including which network it is connected with, and sends it to the security server. The security server then analyzes this circumstance information and sends the evaluation result (sometimes risk scores) to the user device.
In accordance with some embodiments, the step 604 may start before step 601, before step 602 or before step 603. An earlier start of step 604 protects against the risks in subsequent steps but also means that the step 604 needs to be performed again when new information is obtained from subsequent steps. For example, if the step 604 starts before step 602, the user device does not have the domain name and cannot determine whether the Internet resource corresponding to the domain name is sensitive. However, other meaningful evaluations, including the safety of the network, can be conducted. In some embodiments, the step 604 is continuous, i.e., the user device performs the step 604 while performing other steps and consistently checks risk factors while related information is being obtained from other steps. In some embodiments, the step 604 is combined within the step 606, so that the security server performs verification of the safety of the access point as well as evaluating current access circumstances.
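The score-and-threshold evaluation of step 604, including the re-evaluation that an early start requires, can be followed in the Python example below, which is added here and is not code from the patent. The four scores 10, 2, 45 and 4 are the ones given in the description; the other two factor scores, the three thresholds, the treatment of an e-mail domain as sensitive and all names are assumptions.

```python
# Added illustration of the step 604 evaluation; not code from the patent.
FACTOR_SCORES = {
    "public_network": 10,          # score given in the description
    "email_domain": 2,             # score given in the description
    "ap_previously_reported": 45,  # score given in the description
    "no_password": 4,              # score given in the description
    "no_encrypted_vpn": 3,         # assumed score
    "ip_never_visited_here": 2,    # assumed score
}
THRESHOLDS = (10, 30, 50)          # assumed first, second and third scores


class AccessEvaluator:
    """Accumulates risk factors as they become known and maps the running
    total onto the three action tiers."""

    def __init__(self, scores=FACTOR_SCORES, thresholds=THRESHOLDS):
        first, second, third = thresholds
        if not first < second < third:
            raise ValueError("thresholds must be strictly increasing")
        self.scores = dict(scores)
        self.thresholds = (first, second, third)
        self.observed = set()

    def observe(self, factor):
        """Record a factor once; unknown names fail loudly instead of scoring 0."""
        if factor not in self.scores:
            raise KeyError(f"unknown risk factor: {factor}")
        self.observed.add(factor)
        return self.total()

    def total(self):
        return sum(self.scores[f] for f in self.observed)

    def action(self, domain_sensitive):
        """Decision for one pending request. 'Higher than' is read strictly,
        so a total equal to a threshold stays in the lower tier (assumption)."""
        first, second, third = self.thresholds
        total = self.total()
        if total > third:
            return "terminate"   # drop the connection to the access point
        if total > second:
            return "verify"      # every IP address is verified
        if total > first and domain_sensitive:
            return "verify"      # only sensitive sites are verified
        return "skip"            # connect without a verification request


def demo():
    ev = AccessEvaluator()
    steps = []
    # Before step 602: only network facts are known, no domain yet.
    ev.observe("public_network")
    ev.observe("no_password")
    steps.append((ev.total(), ev.action(domain_sensitive=False)))
    # After step 602: the domain is an e-mail provider, so re-evaluate.
    ev.observe("email_domain")
    steps.append((ev.total(), ev.action(domain_sensitive=True)))
    # The access point turns out to have been reported as risky.
    ev.observe("ap_previously_reported")
    steps.append((ev.total(), ev.action(domain_sensitive=True)))
    return steps


if __name__ == "__main__":
    for total, action in demo():
        print(total, action)
```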
In accordance with some embodiments, in a step 606, the user device sends a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address.
In accordance with some embodiments, the user device obtains identification information of the access point. Identification information of the access point includes the name of the network, the IP address being assigned to the user address, the location of the user device, security setting of the access point, etc. The user device includes the identification information of the access point in the verification request before sending the verification request to the designated server, wherein the identification information of the access point is used for verifying safety of the access point by the designated server. For example, if a prior user of the wireless local network has sent the identification of the wireless local network to the server and the server finds that the IP address obtained by the prior user is a malicious one, the server then records this incident in association with the identification of the network. When a later user of the network sends the identification of the same network to the server, the server may send a warning to the user device of the user. In accordance with some embodiments, the user device obtains the current geographical location of the user device, and includes the current geographical location of the user device in the identification information of the access point. For example, the user device can obtain the current geographical coordinates and send them to the server so that the server may record that the wireless local network is at these geographical coordinates. For another example, a user notes that he is accessing the network in a restaurant named XYZ and the server finds that a prior user has used a network having the same name in the same restaurant and reported a privacy leaking incident. The server then warns the user device of the later user of the security risk.
In accordance with some embodiments, in a step 607, the server receives and decrypts the verification request to obtain at least the domain name and the first IP address.
In accordance with some embodiments, the communication between the user device and the designated server is encrypted, is not available to the access point, and can only be decrypted by the other party. When the user device sends any instruction or results that are going through the access point, the access point cannot modify the verification result or intercept information transmitted between the designated server and the user device. In some embodiments, the verification request is encrypted by a public key and is configured to be decrypted by the designated server using a private key pre-stored in the designated server.
In some embodiments, the connection between the user device and the designated server is secure and cannot be changed or redirected because the security software application or browser application implementing this method already has the IP address of the designated server, and the communication to the designated server is encrypted by the public key of the designated server.
In accordance with some embodiments, in a step 608, the server generates a verification result in accordance with at least the first IP address.
In accordance with some embodiments, the designated server stores a verification result and the identification information of the access point for future evaluation of the safety of the access point. In some embodiments, the server may set up a black list which includes access points that are found to have security risks more than a certain number of times. In addition, if one verification request associated with the access point is found to contain an erroneous IP address, the server may warn every user device that sends verification requests, even though those verification requests may be found to contain safe IP addresses.
In accordance with some embodiments, the warning of the safety of the access point is at least partly based on information in a past verification request that is associated with the access point, received by the designated server, and containing an erroneous IP address. For example, when the server finds an IP address contained in a previous verification result is erroneous, the server then stores the incident and the identification of the wireless local network. When the user sends a verification request regarding the wireless local network provided by the same access point, the server sends a warning to the user device regardless of whether the IP address from the user device is genuine.
In accordance with some embodiments, the warning of the safety of the access point is at least partly based on previously reported risk of the first IP address. For example, other users have reported that this IP address has security risks. Alternatively, other organizations may warn of the risks of this IP address. For example, a bank may report that its customers’ information has been intercepted when using this IP address.
If the verification result is positive, i.e., the first IP address is genuine, in a step 609, the user device receives positive verification of the safety of the access point.
In accordance with some embodiments, upon receiving positive verification of the safety of the access point, in a step 610, the user device establishes communication with the first IP address via the access point.
If the verification result is negative, i.e., the first IP address is wrong or malicious, the user device receives a warning of the safety of the access point.
In accordance with some embodiments, upon receiving a warning of the safety of the access point, the user device prohibits communication with the first IP address via the access point and alerts the user of safety risk of the access point. In some embodiments, the user device permits the user to continue to use the access point to visit some non-sensitive websites. In some embodiments, the verification is performed for each access to a new domain name even though all previously received IP addresses are shown to be correct. In some embodiments, access to a low risk domain name is permitted if the IP address is correct, even if the risk of the access point for other sensitive domains has been determined to be high. This way, the user is aware of the risk, but may still utilize the access point for some low risk surfing. In some embodiments, the scope of verification efforts and how much a user can continue to use a network is determined by the risk scores discussed in step 604.
In accordance with some embodiments, upon receiving the warning of the safety of the access point, the user device obtains a plurality of social network contacts meeting predetermined criteria through a respective social network application, and sends an alert of the risk of the access point to the obtained plurality of social network contacts through the respective social network application. For example, a security application finds the risk and sends it to social network friends within a certain distance of the user through the social network application. The social network friends do not use the security application but nonetheless receive the warning from the social network. Alternatively, the designated server is linked with the user’s social network account, and can send the alerts to the contacts without going through the user’s device. For example, when a verification request from the user device contains fake IP addresses, the user can ask the designated server to automatically send warnings to contacts. In some embodiments, upon receiving the warning of the safety of the access point, the user device sends the designated server a permission to alert one or more social network contacts of the user associated with the user device.
In some embodiments, the user device can verify the safety of a wireless local network by trying to solicit intercepting actions. First, the user device obtains a plurality of domain names that are deemed to be susceptible to security risks. For example, if hackers often target financial service websites and private information services (such as Facebook, emails), then these domain names are good for testing whether there are any interception efforts in the wireless network. Second, the user device obtains a plurality of IP addresses for the plurality of domain names through respective DNS checks made via the access point. Third, the user device sends, to the designated server, one or more verification requests for verifying safety of visiting the plurality of IP addresses via the access point. For example, the user device may send one verification request including all the plurality of the domain names and obtained IP addresses. Finally, upon receiving from the designated server a warning of the respective safety of visiting any of the IP addresses, the user device alerts the user of the safety risk of the access point. In accordance with some embodiments, this method can be performed when the user first tries to use the access point to access the Internet. For example, this method can be performed in steps 604 and/or 605 so that it becomes part of the evaluation or verification process. In some embodiments, the software application automatically generates a set of DNS checks for a set of sensitive domain names, and if any one of the IP addresses is wrong, the warning for risk of using the access point is generated and shown to the user.
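The designated-server check of steps 606 to 610, its use of past incidents tied to an access point, and the sensitive-domain probe just described are combined in the following Python example, which is added here and is not code from the patent. The mapping table, access point identifiers, addresses and function names are constructed, DNS resolution is simulated by plain functions, and the public-key encryption of the request is left out.

```python
from dataclasses import dataclass, field

# Constructed mapping table; a large site may have several genuine addresses.
GENUINE = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "mail.example": {"198.51.100.7"},
    "shop.example": {"192.0.2.44"},
}


@dataclass
class Verdict:
    safe: bool
    reasons: list = field(default_factory=list)
    unverified: list = field(default_factory=list)  # names with no server record


@dataclass
class DesignatedServer:
    mapping: dict
    incidents: dict = field(default_factory=dict)   # ap_id -> [(domain, ip), ...]

    def verify(self, ap_id, answers):
        """answers maps each domain name to the first IP address that the
        user device obtained through the access point."""
        reasons, unverified = [], []
        # A past erroneous answer tied to this access point produces a warning
        # even when every address in the present request is genuine.
        prior = len(self.incidents.get(ap_id, []))
        if prior:
            reasons.append(f"{ap_id}: {prior} earlier erroneous answer(s) on record")
        for domain, first_ip in sorted(answers.items()):
            known = self.mapping.get(domain)
            if known is None:
                unverified.append(domain)            # cannot be judged (assumption)
            elif first_ip not in known:
                self.incidents.setdefault(ap_id, []).append((domain, first_ip))
                reasons.append(f"{domain} -> {first_ip} is not in the mapping table")
        return Verdict(safe=not reasons, reasons=reasons, unverified=unverified)


def probe_access_point(server, ap_id, resolve, sensitive_domains):
    """Resolve a set of sensitive names via the access point and send them
    to the designated server in a single verification request."""
    answers = {name: resolve(name) for name in sensitive_domains}
    return server.verify(ap_id, answers)


def open_connection(server, ap_id, resolve, domain):
    """Steps 603 to 610 for one request: connect only on positive verification."""
    first_ip = resolve(domain)
    verdict = server.verify(ap_id, {domain: first_ip})
    if verdict.safe:
        return ("connect", first_ip)
    return ("blocked", verdict.reasons)


def honest_resolver(name):
    return sorted(GENUINE[name])[0]


def hijacking_resolver(name):
    # Constructed stand-in for a DNS answer altered at the access point.
    return "10.66.0.1" if name == "bank.example" else honest_resolver(name)


def demo():
    server = DesignatedServer(GENUINE)
    probe = probe_access_point(server, "ap-cafe", hijacking_resolver,
                               ["bank.example", "mail.example"])
    # A later request on the same access point carries a genuine address.
    later = open_connection(server, "ap-cafe", honest_resolver, "mail.example")
    other = open_connection(server, "ap-home", honest_resolver, "bank.example")
    return probe.safe, later[0], other


if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` is blocked although its address is genuine, because the server has already recorded an erroneous answer for the same access point.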
FIG. 7 is a schematic structural view of an apparatus for monitoring phishing in accordance with some embodiments. The detailed description is as follows.
The apparatus for monitoring phishing in accordance with some embodiments includes: a receiving unit 701, for sending an access request, and receiving a first IP address obtained through resolving the host name; a search unit 702, for searching a preset mapping table according to the host name for a second IP address; a determining unit 703, for determining whether the second IP address found is the same as the received first IP address; and a termination unit 704 for terminating a current network request operation.
In accordance with some embodiments, the preset mapping table of host names and IP addresses is stored in a designated security server. The search unit 702 includes: a verification request sending sub-unit 7021, for sending verification requests to the designated security server, the verification request including the host name and the first IP address; and a search sub-unit 7022, for receiving a second IP address that corresponds to the host name and is found by the designated security server according to the host name in a mapping table of host names and IP addresses.
In accordance with some embodiments, the apparatus further includes a verification unit 705, for verifying whether the designated security server is a specified designated security server by using an encryption key.
Optionally, the verification request sending sub-unit and the search sub-unit, are used for sending a request to the designated security server through a VPN or receiving the second IP address through the VPN. In some embodiments, in the verification request sending sub-unit 7021, the verification request further includes information about a unique identification of a terminal.
In accordance with some embodiments, the apparatus further includes: a query unit 706, for querying whether a phishing record corresponding to the unique identification of the terminal is recorded in the designated security server; and an instruction receiving unit 707, for, if the phishing record corresponding to the unique identification of the terminal is included, receiving an instruction that the current terminal has a security risk.
Alternatively, in some embodiments, the preset mapping table of host names and IP addresses is stored in a local database, and the search unit 702 is for searching the local database according to the host name for a second IP address corresponding to the host name.
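The sensitive-domain probe and the mapping-table comparison described above can be sketched as follows. This is an added example, not code from the patent: `DesignatedServer`, `probe_access_point`, the request fields and the sample table are hypothetical, and storing each host's valid addresses as networks is an assumption made because one domain commonly resolves to several addresses.

```python
"""Added illustration of the DNS verification flow; all names are hypothetical."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample table using documentation address ranges (RFC 5737).
MAPPING_TABLE = {
    "bank.example": ["192.0.2.0/28"],
    "mail.example": ["198.51.100.10/32", "198.51.100.11/32"],
}


@dataclass
class DesignatedServer:
    """Holds the preset host-name/IP mapping table and per-access-point records."""
    table: dict
    ap_records: dict = field(default_factory=lambda: defaultdict(list))

    def verify(self, request: dict) -> dict:
        host = request["host"].rstrip(".").lower()  # DNS names are case-insensitive
        flagged_before = self.ap_reported(request["ap_id"])
        nets = self.table.get(host)
        if nets is None:
            # No entry in the mapping table: the server cannot judge this answer.
            return {"host": host, "verdict": "unknown",
                    "ap_previously_flagged": flagged_before}
        try:
            first_ip = ipaddress.ip_address(request["first_ip"])
            ok = any(first_ip in ipaddress.ip_network(n) for n in nets)
        except ValueError:
            ok = False  # a malformed answer is treated as erroneous
        if not ok:
            # Keep the erroneous answer with the access point's identification
            # so that later requests about the same access point can use it.
            self.ap_records[request["ap_id"]].append((host, request["first_ip"]))
        return {"host": host, "verdict": "ok" if ok else "warning",
                "ap_previously_flagged": flagged_before}

    def ap_reported(self, ap_id: str) -> bool:
        return bool(self.ap_records.get(ap_id))


def probe_access_point(server, resolve, ap_id, domains):
    """Resolve each sensitive domain via the access point and have the server
    check the answer. Returns (safe, blocked); blocked lists the (host, ip)
    pairs the device must not connect to through this access point."""
    blocked = []
    for host in domains:
        first_ip = resolve(host)  # DNS lookup made via the access point
        reply = server.verify({"host": host, "first_ip": first_ip, "ap_id": ap_id})
        if reply["verdict"] == "warning":
            blocked.append((host, first_ip))
    return (not blocked, blocked)


if __name__ == "__main__":
    server = DesignatedServer(MAPPING_TABLE)
    # Constructed resolver standing in for an access point that rewrites one answer.
    tampered = {"bank.example": "203.0.113.66", "mail.example": "198.51.100.11"}.get
    safe, blocked = probe_access_point(server, tampered, "ap-2", list(MAPPING_TABLE))
    print("safe" if safe else f"warn user, block {blocked}")
```

In a deployment the `resolve` argument would wrap the system resolver, and the request would travel over the encrypted channel or VPN the description mentions.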
FIG. 8 is a diagram of an example implementation of a user device 800 in accordance with some embodiments. While certain specific features are illustrated, those skilled in the art will appreciate from the present disclosure that various other features have not been illustrated for the sake of brevity and so as not to obscure more pertinent aspects of the implementations disclosed herein. To that end, the user device 800 includes one or more processing units (CPUs) 802, one or more network or other communications interfaces 808, a display 801, memory 806, and one or more communication buses 804 for interconnecting these and various other components. The communication buses may include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. The memory 806 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM or other random access solid state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. The memory 806 may optionally include one or more storage devices remotely located from the CPU(s) 802. The memory 806, including the non-volatile and volatile memory device(s) within the memory 806, comprises a non-transitory computer readable storage medium.
In some implementations, the memory 806 or the non-transitory computer readable storage medium of the memory 806 stores the following programs, modules and data structures, or a subset thereof including an operating system 816, a network communication module 818, and a risk detection program 820.
In accordance with some embodiments, the operating system 816 includes procedures for handling various basic system services and for performing hardware dependent tasks.
In accordance with some embodiments, the network communication module 818 facilitates communication with other devices via the one or more communication network interfaces 808 (wired or wireless) and one or more communication networks, such as the internet, other wide area networks, local area networks, metropolitan area networks, and so on.
In accordance with some embodiments, the risk detection program 820 is configured to detect risks of a currently available wireless local network. In some embodiments, the risk detection module 820 comprises an evaluation module 821 and a verification module 822. The evaluation module 821 is configured to evaluate a current access circumstance by checking a plurality of predetermined risk factors. The verification module 822 is configured to verify the risks of particular IP addresses. The verification module 822 comprises an encryption unit 823, a request unit 824 and an alert unit 825. The encryption unit 823 is configured to encrypt and decrypt communication with the security server. The request unit 824 is configured to generate and send a verification request for verifying safety of the access point and receive verifications and warnings. The alert unit 825 is configured to prohibit communication with the first IP address via the access point and alert the user of the safety risk of the access point, upon receiving a warning of the safety of the access point. In some embodiments, the alert unit includes or is connected with a database, which stores security information of access points, including identifications and security records of access points, obtained from previous evaluation and verification requests.
The above descriptions are merely preferred embodiments, but the present application is not limited thereto. Any modifications, equivalent replacements or improvements made within the spirit and principle of the present application should fall within the protection scope of the present application.
Although some of the various drawings illustrate a number of logical stages in a particular order, stages that are not order dependent may be reordered and other stages may be combined or broken out. While some reordering or other groupings are specifically mentioned, others will be obvious to those of ordinary skill in the art and so do not present an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.
The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the application to the precise forms disclosed. Many modifications and variations are possible in light of the above teachings. The embodiments were chosen and described in order to best explain the principles of the application and its practical applications, to thereby enable others skilled in the art to best utilize the application and various embodiments with various modifications as are suited to the particular use contemplated.

Claims (20)

  1. A method of increasing security of Internet connections, comprising:
    at a user device having one or more processors and memory for storing one or more programs to be executed by the one or more processors:
    connecting to the Internet via an access point providing a wireless local network;
    obtaining a domain name corresponding to an Internet resource;
    obtaining a first IP address for the domain name through a DNS lookup made via the access point;
    sending a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address:
    upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and
    alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.
  2. The method of claim 1, further comprising:
    before sending the verification request to the designated server, evaluating a current access circumstance by checking a plurality of predetermined risk factors, wherein the verification request for verifying the safety of the access point is sent to the designated server in response to a determination that the current access circumstance fails to meet predetermined safety criteria.
  3. The method of claim 2, wherein the plurality of predetermined risk factors include one or more of: the access point having been reported for having safety risks, the wireless local network being designated as public, sensitivity of the Internet resource corresponding to the domain name, the wireless local network having no authentication requirement for access, the DNS address of the domain name being obtained via the wireless local network, lack of previous visiting to the first IP address using the wireless local network, and not using any encrypted VPN.
  4. The method of claim 1, further comprising:
    obtaining identification information of the access point; and
    including the identification information of the access point in the verification request before sending the verification request to the designated server, wherein the identification information of the access point is used for verifying safety of the access point by the designated server.
  5. The method of claim 4, wherein the designated server stores a verification result and the identification information of the access point for future evaluation of the safety of the access point.
  6. The method of claim 1, wherein the warning of the safety of the access point is at least partly based on information in a past verification request that is associated with the access point, received by the designated server, and containing an erroneous IP address.
  7. The method of claim 1, further comprising:
    obtaining a plurality of domain names that are deemed to be susceptible of security risks;
    obtaining a plurality of IP addresses for the plurality of domain names through respective DNS checks made via the access point;
    sending, to the designated server, one or more verification requests for verifying safety of visiting the plurality of IP addresses via the access point; and
    upon receiving from the designated server a respective warning of the respective safety of visiting any of the IP addresses, alerting the user of the safety risk of the access point.
  8. A device of increasing security of Internet connections, comprising:
    one or more processors; and
    memory storing one or more programs for execution by the one or more processors, the one or more programs including instructions for:
    connecting to the Internet via an access point providing a wireless local network;
    obtaining a domain name corresponding to an Internet resource;
    obtaining a first IP address for the domain name through a DNS lookup made via the access point;
    sending a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address:
    upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and
    alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.
  9. The device of claim 8, wherein the operations further comprise:
    before sending the verification request to the designated server, evaluating a current access circumstance by checking a plurality of predetermined risk factors, wherein the verification request for verifying the safety of the access point is sent to the designated server in response to a determination that the current access circumstance fails to meet predetermined safety criteria.
  10. The device of claim 9, wherein the plurality of predetermined risk factors include one or more of: the access point having been reported for having safety risks, the wireless local network being designated as public, sensitivity of the Internet resource corresponding to the domain name, the wireless local network having no authentication requirement for access, the DNS address of the domain name being obtained via the wireless local network, lack of previous visiting to the first IP address using the wireless local network, and not using any encrypted VPN.
  11. The device of claim 8, wherein the operations further comprise:
    obtaining identification information of the access point; and
    including the identification information of the access point in the verification request before sending the verification request to the designated server, wherein the identification information of the access point is used for verifying safety of the access point by the designated server.
  12. The device of claim 11, wherein the designated server stores a verification result and the identification information of the access point for future evaluation of the safety of the access point.
  13. The device of claim 8, wherein the warning of the safety of the access point is at least partly based on information in a past verification request that is associated with the access point, received by the designated server, and containing an erroneous IP address.
  14. The device of claim 8, wherein the operations further comprise:
    obtaining a plurality of domain names that are deemed to be susceptible of security risks;
    obtaining a plurality of IP addresses for the plurality of domain names through respective DNS checks made via the access point;
    sending, to the designated server, one or more verification requests for verifying safety of visiting the plurality of IP addresses via the access point; and
    upon receiving from the designated server a respective warning of the respective safety of visiting any of the IP addresses, alerting the user of the safety risk of the access point.
  15. A non-transitory computer readable storage medium having instructions stored thereon, the instructions, when executed by one or more processors, cause the processors to perform operations comprising:
    connecting to the Internet via an access point providing a wireless local network;
    obtaining a domain name corresponding to an Internet resource;
    obtaining a first IP address for the domain name through a DNS lookup made via the access point;
    sending a verification request for verifying safety of the access point to a designated server, the verification request including at least the domain name and the first IP address:
    upon receiving positive verification of the safety of the access point, establishing communication with the first IP address via the access point; and
    alternatively, upon receiving a warning of the safety of the access point, prohibiting communication with the first IP address via the access point and alerting the user of safety risk of the access point.
  16. The non-transitory computer readable storage medium of claim 15, wherein the operations further comprise:
    before sending the verification request to the designated server, evaluating a current access circumstance by checking a plurality of predetermined risk factors, wherein the verification request for verifying the safety of the access point is sent to the designated server in response to a determination that the current access circumstance fails to meet predetermined safety criteria.
  17. The non-transitory computer readable storage medium of claim 16, wherein the plurality of predetermined risk factors include one or more of: the access point having been reported for having safety risks, the wireless local network being designated as public, sensitivity of the Internet resource corresponding to the domain name, the wireless local network having no authentication requirement for access, the DNS address of the domain name being obtained via the wireless local network, lack of previous visiting to the first IP address using the wireless local network, and not using any encrypted VPN.
  18. The non-transitory computer readable storage medium of claim 15, wherein the operations further comprise:
    obtaining identification information of the access point; and
    including the identification information of the access point in the verification request before sending the verification request to the designated server, wherein the identification information of the access point is used for verifying safety of the access point by the designated server.
  19. The non-transitory computer readable storage medium of claim 18, wherein the designated server stores a verification result and the identification information of the access point for future evaluation of the safety of the access point.
  20. The non-transitory computer readable storage medium of claim 15, wherein the warning of the safety of the access point is at least partly based on information in a past verification request that is associated with the access point, received by the designated server, and containing an erroneous IP address.
PCT/CN2014/089269 2013-11-26 2014-10-23 Method, apparatus and terminal for monitoring phishing WO2015078247A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310611863.8 2013-11-26
CN201310611863.8A CN104683290A (en) 2013-11-26 2013-11-26 Method and device for monitoring phishing and terminal

Publications (1)

Publication Number Publication Date
WO2015078247A1 true WO2015078247A1 (en) 2015-06-04

Family

ID=53198325

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/089269 WO2015078247A1 (en) 2013-11-26 2014-10-23 Method, apparatus and terminal for monitoring phishing

Country Status (2)

Country Link
CN (1) CN104683290A (en)
WO (1) WO2015078247A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109788435A (en) * 2018-12-28 2019-05-21 北京奇安信科技有限公司 Hotspot management-control method, device, electronic equipment and storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681358A (en) * 2016-03-31 2016-06-15 北京奇虎科技有限公司 Domain name hijacking detection method, device and system
CN106095781A (en) * 2016-05-26 2016-11-09 北京小米移动软件有限公司 Malicious websites recognition methods and device
CN106230864A (en) * 2016-09-22 2016-12-14 安徽云图信息技术有限公司 Website security detection system
CN106789979B (en) * 2016-12-07 2020-01-21 北京亚鸿世纪科技发展有限公司 Method and device for diagnosing effectiveness of active domain name in IDC machine room
CN110766845A (en) * 2019-09-11 2020-02-07 中国南方电网有限责任公司 Identification method and device for power construction user information and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120240213A1 (en) * 2011-03-14 2012-09-20 Hon Hai Precision Industry Co., Ltd. Gateway device and method for using the same to prevent phishing attacks
US20130036468A1 (en) * 2011-08-01 2013-02-07 Visicom Media Inc. Anti-phishing domain advisor and method thereof
CN103152354A (en) * 2013-03-19 2013-06-12 北京奇虎科技有限公司 Method and system for promoting dangerous website and client device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220302A (en) * 2013-05-07 2013-07-24 腾讯科技(深圳)有限公司 Malicious website access defending method and related device
CN103269389B (en) * 2013-06-03 2016-05-25 北京奇虎科技有限公司 Check and repair the method and apparatus that malice DNS arranges

Also Published As

Publication number Publication date
CN104683290A (en) 2015-06-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14866326

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12.10.2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14866326

Country of ref document: EP

Kind code of ref document: A1