CN108173814B - Phishing website detection method, terminal device and storage medium - Google Patents


Info

Publication number
CN108173814B
Authority
CN
China
Prior art keywords
webpage
target
link address
jump
phishing website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711305276.0A
Other languages
Chinese (zh)
Other versions
CN108173814A (en
Inventor
郭开
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201711305276.0A priority Critical patent/CN108173814B/en
Publication of CN108173814A publication Critical patent/CN108173814A/en
Application granted granted Critical
Publication of CN108173814B publication Critical patent/CN108173814B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1483: Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a phishing website detection method, terminal equipment and a storage medium. The method determines the corresponding target link address according to the POST request code in the webpage to be detected, captures the target webpage corresponding to the target link address, acquires the jump link address of the target webpage, and determines that the webpage to be detected belongs to the phishing website when the domain names of the target link address and the jump link address are inconsistent, so that the method consumes few computing resources and storage resources, is easy to realize in engineering, has an excellent detection effect, and can detect most phishing websites stealing user information.

Description

Phishing website detection method, terminal device and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a phishing website detection method, terminal equipment and a storage medium.
Background
Phishing websites generally refer to websites through which criminals trick users out of private data such as bank or credit card account numbers and passwords, either by using various means to imitate the URL address and page contents of a real website, or by using bugs in a real website's server program to insert dangerous HTML code into some webpages of that website.
Phishing website link addresses are generally spread in 4 forms: instant messaging, e-mail, short message service and telephone fraud. The attack modes mainly comprise two types. The first type is fake prize-winning information: such a phishing website uses a prize as bait to deceive the user into remitting money or filling in real identity information, account information and the like. The second type makes false payment webpages that imitate well-known e-commerce sites and the major internet banks in order to steal the user's internet banking password and payment password; this type of phishing attack is more serious and causes great property loss to the user.
At present, the methods for detecting phishing webpages at home and abroad mainly comprise: black and white list technology, URL (uniform resource locator) feature-based detection, heuristic rule detection based on page content, and detection based on page visual similarity. However, each of these methods is either difficult to realize in engineering or has a poor detection effect.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a phishing website detection method, terminal equipment and a storage medium, and aims to solve the technical problems that engineering is not easy to realize or the detection effect is poor in the prior art.
In order to achieve the above object, the present invention provides a phishing website detection method, comprising the steps of:
when a POST request code exists in a webpage to be detected, determining a corresponding target link address according to the POST request code in the webpage to be detected;
grabbing a target webpage corresponding to the target link address;
acquiring a jump link address of the target webpage;
and when the domain names of the target link address and the jump link address are not consistent, determining that the webpage to be detected belongs to a phishing website.
Preferably, the acquiring the jump link address of the target webpage specifically includes:
and determining the jump type of the target webpage, and acquiring the jump link address of the target webpage according to the jump type.
Preferably, the determining the skip type to which the target webpage belongs and obtaining the skip link address of the target webpage according to the skip type specifically include:
judging whether the target webpage has a jump code or not;
when the target webpage has a jump code, determining a jump type of the target webpage according to the jump code, and acquiring a jump link address of the target webpage according to the jump type;
and when the target webpage does not have the jump code, taking the target link address as the jump link address.
Preferably, after determining the skip type to which the target webpage belongs and acquiring the skip link address of the target webpage according to the skip type, the phishing website detection method further includes:
when the domain names of the target link address and the jump link address are consistent, adding 1 to the current verification frequency, and judging whether the current verification frequency reaches a preset verification frequency or not;
when the current verification times do not reach the preset verification times, taking the jump link address as a new target link address, and returning to the step of capturing the target webpage corresponding to the target link address;
and when the current verification times reach the preset verification times, determining that the webpage to be detected does not belong to the phishing website.
Preferably, before determining the corresponding target link address according to the POST request code in the to-be-detected web page when the POST request code exists in the to-be-detected web page, the phishing website detection method further includes:
and responding to a webpage triggering request input by a user, and displaying the webpage to be detected corresponding to the webpage triggering request.
Preferably, the displaying the to-be-detected webpage corresponding to the webpage trigger request in response to the webpage trigger request input by the user specifically includes:
responding to a webpage triggering request input by a user, and determining a corresponding webpage address according to the webpage triggering request;
and acquiring and displaying the webpage to be detected corresponding to the webpage address.
Preferably, before the acquiring and displaying the to-be-detected webpage corresponding to the webpage address, the phishing website detection method further includes:
and carrying out format detection on the webpage address, and executing the step of acquiring and displaying the webpage to be detected corresponding to the webpage address after the format detection result shows that the format is qualified.
Preferably, after the webpage to be detected is determined to belong to a phishing website, the phishing website detection method further comprises the following steps:
and stopping displaying the webpage to be detected, and displaying preset prompt information.
In addition, to achieve the above object, the present invention also provides a terminal device, including: a memory, a processor and a phishing website detection program stored on said memory and executable on said processor, said phishing website detection program being configured to implement the steps of the phishing website detection method as described above.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium having a phishing website detection program stored thereon, which when executed by a processor, implements the steps of the phishing website detection method as described above.
The method determines the corresponding target link address according to the POST request code in the webpage to be detected, captures the target webpage corresponding to the target link address, acquires the jump link address of the target webpage, and determines that the webpage to be detected belongs to the phishing website when the domain names of the target link address and the jump link address are inconsistent, so that the method consumes few computing resources and storage resources, is easy to realize in engineering, has an excellent detection effect, and can detect most phishing websites stealing user information.
Drawings
Fig. 1 is a schematic structural diagram of a terminal device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a phishing website detection method according to a first embodiment of the invention;
FIG. 3 is a flowchart illustrating a phishing website detection method according to a second embodiment of the invention;
FIG. 4 is a flowchart illustrating a phishing website detection method according to a third embodiment of the invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a terminal device in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the terminal device may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
In a specific implementation, the terminal device may be a smart phone, a tablet computer, a notebook computer, or a server, which is not limited in this embodiment.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the terminal device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a phishing website detection program.
In the terminal device shown in fig. 1, the network interface 1004 is mainly used for data communication with an external network; the user interface 1003 is mainly used for receiving input instructions of a user; the terminal device calls the phishing website detection program stored in the memory 1005 through the processor 1001 and performs the following operations:
when a POST request code exists in a webpage to be detected, determining a corresponding target link address according to the POST request code in the webpage to be detected;
grabbing a target webpage corresponding to the target link address;
acquiring a jump link address of the target webpage;
and when the domain names of the target link address and the jump link address are not consistent, determining that the webpage to be detected belongs to a phishing website.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
and determining the jump type of the target webpage, and acquiring the jump link address of the target webpage according to the jump type.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
judging whether the target webpage has a jump code or not;
when the target webpage has a jump code, determining a jump type of the target webpage according to the jump code, and acquiring a jump link address of the target webpage according to the jump type;
and when the target webpage does not have the jump code, taking the target link address as the jump link address.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
when the domain names of the target link address and the jump link address are consistent, adding 1 to the current verification frequency, and judging whether the current verification frequency reaches a preset verification frequency or not;
when the current verification times do not reach the preset verification times, taking the jump link address as a new target link address, and returning to the step of capturing the target webpage corresponding to the target link address;
and when the current verification times reach the preset verification times, determining that the webpage to be detected does not belong to the phishing website.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
and responding to a webpage triggering request input by a user, and displaying the webpage to be detected corresponding to the webpage triggering request.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
responding to a webpage triggering request input by a user, and determining a corresponding webpage address according to the webpage triggering request;
and acquiring and displaying the webpage to be detected corresponding to the webpage address.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
and carrying out format detection on the webpage address, and executing the step of acquiring and displaying the webpage to be detected corresponding to the webpage address after the format detection result shows that the format is qualified.
Further, the processor 1001 may call the phishing website detection program stored in the memory 1005, and also perform the following operations:
and stopping displaying the webpage to be detected, and displaying preset prompt information.
According to the technical scheme, the corresponding target link address is determined according to the POST request code in the webpage to be detected, the target webpage corresponding to the target link address is captured, the jump link address of the target webpage is obtained, when the domain name of the target link address is inconsistent with the domain name of the jump link address, the webpage to be detected is determined to belong to the phishing website, the consumed computing resources and storage resources are very few, the engineering implementation is easy, the detection effect is excellent, and most of the phishing websites which steal the user information can be detected.
Based on the hardware structure, the embodiment of the phishing website detection method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a phishing website detection method according to a first embodiment of the invention.
In a first embodiment, the phishing website detection method comprises the following steps:
S10: when a POST request code exists in a webpage to be detected, determining a corresponding target link address according to the POST request code in the webpage to be detected;
It should be noted that the POST request code is the program code that implements the POST request. In general, the POST request corresponds to an action attribute, and the action attribute indicates the target link address that is called, and hence the webpage that is displayed, after the user submits information. The corresponding target link address can therefore be determined according to the POST request code in the webpage to be detected.
Of course, the link address is typically an address linked to a web page, which is typically a URL address.
It can be understood that the webpage to be detected may be a webpage triggered by the user. To prevent the user's information from being stolen by a phishing website while the user is surfing the internet, in this embodiment, before the step S10, the method may include: responding to a webpage triggering request input by a user, and displaying the webpage to be detected corresponding to the webpage triggering request.
In a specific implementation, the web page trigger request is usually generated based on a web page address, for example: the webpage triggering request of the user is generated based on a webpage address input by the user in an address bar of the browser, can also be generated based on the fact that the user triggers a corresponding webpage address in a navigation webpage, and can also be generated based on the fact that the user clicks a certain webpage address in an email or a document, so that the corresponding webpage address can be determined through the webpage triggering request, and then the webpage to be detected corresponding to the webpage address is obtained and displayed.
The webpage address may have an unqualified format, in which case it cannot be linked to the corresponding webpage to be detected and no subsequent processing is required. In this embodiment, therefore, the format of the webpage address may be detected before the webpage to be detected corresponding to the webpage address is acquired and displayed, and the step of acquiring and displaying the webpage to be detected is executed only after the format detection result shows that the format is qualified.
S20: grabbing a target webpage corresponding to the target link address;
It should be noted that, after the target link address is obtained, the target webpage corresponding to the link address may be fetched in the background; since the fetching process is implemented in the background, the target webpage is not displayed.
S30: acquiring a jump link address of the target webpage;
It can be understood that the jump link address is the link address to which the target webpage jumps when it performs a jump.
S40: and when the domain names of the target link address and the jump link address are not consistent, determining that the webpage to be detected belongs to a phishing website.
It should be noted that a phishing website will jump to a normal page after the user submits the information, to avoid being noticed by the user. For example, a phishing website imitating JD.com (Jingdong) can jump to the JD.com page after acquiring the user's account and password. Therefore, in the present embodiment, the determination may be made by checking whether the domain names of the target link address and the jump link address are consistent.
It can be understood that, after the webpage to be detected is determined to belong to the phishing website, in order to prevent the user information from being stolen by the phishing website, in this embodiment, the display of the webpage to be detected can be stopped, and the preset prompt information is displayed.
In the prior art, the black-and-white list technology refers to continuously maintaining a blacklist of phishing website URLs or a whitelist of legitimate website URLs; during detection, a judgment result is given by directly looking up the URL to be detected in the list. Although the black and white list needs few resources and has a high detection speed, most phishing websites have a short lifetime, so a blacklist-based filtering mode cannot cope with zero-hour phishing attacks. In addition, manually maintaining the black and white list is tedious, and the list is updated slowly and incompletely, so the detection effect is poor when the black and white list is used alone.
The embodiment does not need to maintain and update the black-and-white list, avoids the problems of slow and incomplete list update in the black-and-white list, can detect zero-hour phishing attacks, and avoids the disadvantage of hysteresis of detecting phishing websites by the black-and-white list.
The URL feature detection method in the prior art is to extract abnormal features from a URL address to determine whether a website to be detected belongs to a phishing website. However, with the development of the phishing attack technology, the current phishing websites adopt a certain countermeasure technology, so that the false alarm rate is high when the phishing websites are judged from the URL address characteristics.
The present embodiment, however, always checks whether the domain names before and after the webpage jump are consistent, so it is immune to some current countermeasure technologies.
In the prior art, the heuristic rule detection method based on page content judges whether a website to be detected belongs to a phishing website from features extracted from the page content. Detection based on page content is a method currently adopted by many researchers, but it depends on the diversity of the training set; phishing websites are short-lived and keep evolving as detection technology progresses, so the method only remains effective for a limited time.
In the embodiment, data is not required to be trained, so that the influence of low quality of a training set on the performance of some feature extraction-based methods can be avoided.
In the prior art, a detection method based on page visual similarity mainly judges according to the visual similarity between a webpage to be detected and a target webpage, and a website to be detected is considered as a phishing website when the pages are similar and the domain names are different. However, the detection method based on page visual similarity needs to obtain a snapshot of a webpage in a black and white list, needs larger calculation and storage resources, and mainly detects phishing websites with very similar page visual, but in a real phishing event, more and more phishing websites are not very similar to target websites corresponding to the phishing websites visually.
In this embodiment, white list data does not need to be stored, so storage resources are not wasted. In actual testing, the false alarm rate of the scheme of this embodiment is lower than 1%, and essentially all phishing websites that steal user information can be recalled.
The method and the device for detecting the phishing website determine the corresponding target link address according to the POST request code in the webpage to be detected, capture the target webpage corresponding to the target link address, acquire the jump link address of the target webpage, and determine that the webpage to be detected belongs to the phishing website when the domain name of the target link address is inconsistent with the domain name of the jump link address.
Further, as shown in fig. 3, a second embodiment of the phishing website detection method of the present invention is proposed based on the first embodiment, in this embodiment, the step S30 specifically includes:
S30': determining the jump type of the target webpage, and acquiring the jump link address of the target webpage according to the jump type.
It should be noted that, in general, the skip types can be divided into four types, respectively:
(1) Jumping by using sendRedirect at the server end;
After the statement sendRedirect("target URL") is executed, the server sends an HTTP response without a body. After receiving the response, the terminal device automatically reads the Location information and sends a request to the URL it points to; at this time, the user sees the new URL in the address bar. For example, the phishing website with url = http://mlhc.org/vnz/za/submit.php jumps to the normal website www.westpac.co.nz after obtaining the user information.
(2) Jumping by using jsp or RequestDispatcher at the server end;
The request is forwarded to another resource in the server, and the result is returned to the terminal device after processing. The operation is transparent to the terminal device, so the URL in the address bar does not change. Phishing websites generally do not take this approach: because it does not change the URL, the user can easily notice the phishing.
(3) Redirecting by using Javascript at the browser end;
The browser of the terminal device is redirected through the code window.location = "target URL". When executing the code, the browser changes the URL of the address bar to point to the new URL. For example, the phishing website with url = http://www.newingtongunners.org.au/pngfix/login-alibaba-com/logon.check.php jumps in this way, and finally arrives at the Alibaba webpage.
(4) Redirecting by using the html label at the browser end;
This is implemented by the code meta http-equiv="refresh". When the browser of the terminal device has successfully obtained the requested page and parses the code meta http-equiv="refresh", it changes the URL of the address bar to point to a new URL. For example, the phishing website is: http://www.loankeedukan.com
Html, 20in%20progress and 20% Update; after jumping by this method, the user arrives at the website bay173.mail.live.com.
As can be seen from the above description, because the way of obtaining the jump link address of the target webpage through different jump types is different, in this embodiment, the jump type to which the target webpage belongs needs to be determined first, and then the jump link address of the target webpage needs to be obtained according to the jump type.
It can be understood that, because the target web page may not have the jump code, that is, the target web page may not jump any more, in this embodiment, it may be determined whether the target web page has the jump code or not;
when the target webpage has a jump code, determining a jump type of the target webpage according to the jump code, and acquiring a jump link address of the target webpage according to the jump type;
and when the target webpage does not have the jump code, taking the target link address as the jump link address.
Further, as shown in fig. 4, a third embodiment of the phishing website detection method of the present invention is proposed based on the second embodiment, in this embodiment, after step S30', the method further includes:
S50: when the domain names of the target link address and the jump link address are consistent, adding 1 to the current verification frequency, and judging whether the current verification frequency reaches a preset verification frequency or not;
S60: when the current verification times do not reach the preset verification times, taking the jump link address as a new target link address, and returning to the step S20;
S70: when the current verification times reach the preset verification times, determining that the webpage to be detected does not belong to the phishing website.
It can be understood that there may be multiple jumps in some web pages, such as: the target webpage is a member registration webpage, personal identity information of a user needs to be filled in the target webpage, then the target webpage jumps to an account setting page, then jumps to a password setting page, then jumps to an activation code input page, and finally jumps to a registration success notification page; alternatively, phishing websites that impersonate banks may induce users to enter personal information that typically needs to be filled in multiple times.
In this case, even if the domain name of the target link address and the domain name of the jump link address are consistent, it may be that the phishing website has not jumped to the normal website, and in order to accurately detect the phishing website, in this embodiment, when the domain names of the target link address and the jump link address are consistent, the current verification time may be added by 1, and whether the current verification time reaches the preset verification time or not may be determined.
In a specific implementation, the preset verification times may be set as required, for example to 2, 3, 4, etc. Usually, to avoid too poor a user experience, a website keeps its number of jumps below 5; therefore, in this embodiment, the preset verification number may be set to 5.
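The following sketch walks through steps S10 to S70 together with the jump types described above. It is an added example, not code from the patent. The function names, the injected `fetch` callable, the `.example` pages, the regex-based recognition of jump code and the use of exact hostname equality for "consistent domain names" are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browser-side jump codes named in the text: window.location and meta refresh.
JS_JUMP = re.compile(r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
META_JUMP = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*?content\s*=\s*["']"""
    r"""[^"'>]*?url\s*=\s*["']?([^"'>\s]+)""", re.I)


class PostForms(HTMLParser):
    """Collect the action attribute of every <form method="post"> (step S10)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("method") or "").lower() == "post":
            self.actions.append(a.get("action") or "")


def post_targets(page_url, html):
    """Resolve each POST form action against the page URL (target link address)."""
    parser = PostForms()
    parser.feed(html)
    return [urljoin(page_url, action) for action in parser.actions]


def host(url):
    # Assumption: "domain name" means the exact hostname. A deployment would
    # more likely compare registrable domains using the Public Suffix List.
    return urlsplit(url).hostname or ""


def jump_address(target_url, status, headers, body):
    """Step S30': return (jump_type, jump_url) for a fetched target page."""
    loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and loc:            # type 1: sendRedirect / Location
        return "http-redirect", urljoin(target_url, loc)
    m = META_JUMP.search(body)                 # type 4: meta http-equiv refresh
    if m:
        return "meta-refresh", urljoin(target_url, m.group(1))
    m = JS_JUMP.search(body)                   # type 3: window.location = "..."
    if m:
        return "javascript", urljoin(target_url, m.group(1))
    # Type 2 (server-side forward) is invisible to the client, and a page with
    # no jump code falls through here too: the target is its own jump address.
    return "none", target_url


def detect(page_url, html, fetch, max_checks=5):
    """Return (is_phishing, chain); chain lists (target, jump_type, jump_url)."""
    chain = []
    for target in post_targets(page_url, html):                        # S10
        for _ in range(max_checks):                                    # S50/S70
            status, headers, body = fetch(target)                      # S20
            kind, jump = jump_address(target, status, headers, body)   # S30'
            chain.append((target, kind, jump))
            if host(jump) != host(target):                             # S40
                return True, chain
            if kind == "none":
                break  # shortcut: refetching the same page cannot change the result
            target = jump                                              # S60
    return False, chain


# Constructed sample responses (not real sites): url -> (status, headers, body)
PAGES = {
    "http://shop-login.example/submit.php":
        (200, {}, '<script>window.location = "https://www.shop.example/";</script>'),
    "http://bank-verify.example/step1.php":
        (200, {}, '<meta http-equiv="refresh" content="0; url=step2.php">'),
    "http://bank-verify.example/step2.php":
        (302, {"Location": "https://www.bank.example/"}, ""),
    "https://www.shop.example/login":
        (302, {"Location": "/account"}, ""),
    "https://www.shop.example/account":
        (200, {}, "<h1>Your account</h1>"),
}


def sample_fetch(url):
    """Offline stand-in for the background fetch of step S20."""
    return PAGES.get(url, (404, {}, ""))


if __name__ == "__main__":
    form = '<form method="POST" action="step1.php"><input name="pin"></form>'
    print(detect("http://bank-verify.example/", form, sample_fetch))
```

The `bank-verify.example` case is the multi-step situation the third embodiment addresses: the first jump stays on the same host, and the mismatch only appears on the second verification round.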
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a phishing website detection program is stored on the computer-readable storage medium, and when executed by a processor, the phishing website detection program implements the following operations:
when a POST request code exists in a webpage to be detected, determining a corresponding target link address according to the POST request code in the webpage to be detected;
grabbing a target webpage corresponding to the target link address;
acquiring a jump link address of the target webpage;
and when the domain names of the target link address and the jump link address are not consistent, determining that the webpage to be detected belongs to a phishing website.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
and determining the jump type of the target webpage, and acquiring the jump link address of the target webpage according to the jump type.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
judging whether the target webpage has a jump code or not;
when the target webpage has a jump code, determining a jump type of the target webpage according to the jump code, and acquiring a jump link address of the target webpage according to the jump type;
and when the target webpage does not have the jump code, taking the target link address as the jump link address.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
when the domain names of the target link address and the jump link address are consistent, adding 1 to the current verification count, and judging whether the current verification count reaches the preset verification count;
when the current verification count has not reached the preset verification count, taking the jump link address as a new target link address, and returning to the step of grabbing the target webpage corresponding to the target link address;
and when the current verification count reaches the preset verification count, determining that the webpage to be detected does not belong to a phishing website.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
and responding to a webpage triggering request input by a user, and displaying the webpage to be detected corresponding to the webpage triggering request.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
responding to a webpage triggering request input by a user, and determining a corresponding webpage address according to the webpage triggering request;
and acquiring and displaying the webpage to be detected corresponding to the webpage address.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
and carrying out format detection on the webpage address, and executing the step of acquiring and displaying the webpage to be detected corresponding to the webpage address after the format detection result shows that the format is qualified.
Further, the phishing website detection program when executed by the processor further realizes the following operations:
and stopping displaying the webpage to be detected, and displaying preset prompt information.
According to the technical scheme, the corresponding target link address is determined according to the POST request code in the webpage to be detected, the target webpage corresponding to the target link address is captured, the jump link address of the target webpage is obtained, when the domain name of the target link address is inconsistent with the domain name of the jump link address, the webpage to be detected is determined to belong to the phishing website, the consumed computing resources and storage resources are very few, the engineering implementation is easy, the detection effect is excellent, and most of the phishing websites which steal the user information can be detected.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A phishing website detection method is characterized by comprising the following steps:
when a POST request code exists in a webpage to be detected, determining a corresponding target link address according to the POST request code in the webpage to be detected;
grabbing a target webpage corresponding to the target link address;
judging whether the target webpage has a jump code or not;
when the target webpage has a jump code, determining a jump type of the target webpage according to the jump code, and acquiring a jump link address of the target webpage according to the jump type;
when the target webpage does not have the jump code, taking the target link address as the jump link address;
and when the domain names of the target link address and the jump link address are not consistent, determining that the webpage to be detected belongs to a phishing website.
2. A phishing website detection method as claimed in claim 1, wherein said determining a jump type to which said target webpage belongs, and after acquiring a jump link address of said target webpage according to said jump type, said phishing website detection method further comprises:
when the domain names of the target link address and the jump link address are consistent, adding 1 to the current verification count, and judging whether the current verification count reaches the preset verification count;
when the current verification count has not reached the preset verification count, taking the jump link address as a new target link address, and returning to the step of grabbing the target webpage corresponding to the target link address;
and when the current verification count reaches the preset verification count, determining that the webpage to be detected does not belong to a phishing website.
3. A phishing website detection method as claimed in claim 1 or 2, wherein before determining a corresponding target link address according to a POST request code in a to-be-detected web page when the POST request code exists in the to-be-detected web page, the phishing website detection method further comprises:
and responding to a webpage triggering request input by a user, and displaying the webpage to be detected corresponding to the webpage triggering request.
4. A phishing website detection method as claimed in claim 3, wherein said responding to a webpage trigger request inputted by a user, and displaying a webpage to be detected corresponding to said webpage trigger request specifically comprises:
responding to a webpage triggering request input by a user, and determining a corresponding webpage address according to the webpage triggering request;
and acquiring and displaying the webpage to be detected corresponding to the webpage address.
5. A phishing website detection method as claimed in claim 4 wherein before said acquiring and presenting a to-be-detected webpage corresponding to said webpage address, said phishing website detection method further comprises:
and carrying out format detection on the webpage address, and executing the step of acquiring and displaying the webpage to be detected corresponding to the webpage address after the format detection result shows that the format is qualified.
6. A phishing website detection method as claimed in claim 1 or 2, wherein after the web page to be detected is determined to belong to a phishing website, the phishing website detection method further comprises:
and stopping displaying the webpage to be detected, and displaying preset prompt information.
7. A terminal device, characterized in that the terminal device comprises: a memory, a processor and a phishing website detection program stored on said memory and executable on said processor, said phishing website detection program being configured to implement the steps of the phishing website detection method as claimed in any one of claims 1 to 6.
8. A computer-readable storage medium, having a phishing website detection program stored thereon, which when executed by a processor, implements the steps of the phishing website detection method of any one of claims 1 to 6.
CN201711305276.0A 2017-12-08 2017-12-08 Phishing website detection method, terminal device and storage medium Active CN108173814B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711305276.0A CN108173814B (en) 2017-12-08 2017-12-08 Phishing website detection method, terminal device and storage medium

Publications (2)

Publication Number Publication Date
CN108173814A CN108173814A (en) 2018-06-15
CN108173814B true CN108173814B (en) 2021-02-05

Family

ID=62525624

Country Status (1)

Country Link
CN (1) CN108173814B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant