EP2661852A1 - Limiting the virulence of malicious messages using a proxy server - Google Patents

Limiting the virulence of malicious messages using a proxy server

Info

Publication number
EP2661852A1
Authority
EP
European Patent Office
Prior art keywords
url
content
suspicious
proxy server
user
Legal status
Withdrawn
Application number
EP11752691.3A
Other languages
English (en)
French (fr)
Inventor
Daniel Quinlan
Current Assignee
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Application filed by Cisco Technology Inc
Publication of EP2661852A1
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/21 Monitoring or handling of messages
    • H04L 51/212 Monitoring or handling of messages using filtering or selective blocking

Definitions

  • the present disclosure generally relates to preventing malicious message attacks, causing malicious message attacks to be less likely to cause harm, and warning recipients of users of the possible presence of a malicious attack.
  • Phishing and targeted attacks continue to be a major problem for web and wireless communications (e.g. email and instant messaging) and web anti-threat technologies. Phishing and targeted attacks are dangerous because susceptible users are presented with emails and other messages purporting to have originated from a legitimate business or organization. A user may mistake the email or message as authentic and consequently reveal sensitive information or other confidential information. Phishing websites may use the user's sensitive information for malicious purposes. Also, other types of attacks such as advance fee fraud scams (commonly known as "419 scams") and malware can originate from an email or message and can be used to target a user for malicious purposes.
  • FIG. 1 is a block diagram showing an example of a network topology including a proxy server configured to limit the virulence of referenced resources from email messages delivered to user terminals.
  • FIG. 2 is a block diagram of an example of an email server device configured to perform a suspicious message designation process to identify emails that are suspicious and warrant further protections by the proxy server.
  • FIG. 3 is a block diagram of an example of the proxy server configured to perform a uniform resource locator (URL) proxy process.
  • FIG. 4 is an example of a flow chart for the suspicious message designation process.
  • FIG. 5 is an example of a flow chart for the URL proxy process.
  • FIG. 6 is a block diagram illustrating how the proxy server delivers protected or safe content associated with a URL contained in an email that is intended for a user at a user terminal.
  • FIG. 7 is an example of a screen shot displayed to a user associated with protected or safe content delivered to a user terminal through the proxy server.
  • FIG. 8 is an example of a screen shot displayed to a user associated with a URL that is determined to be associated with malicious content and thus that is blocked from presentation to a user terminal by the proxy server.
  • a method is provided to prevent phishing and targeted attacks.
  • Email messages are received.
  • an email message is received that contains a suspicious uniform resource locator (URL)
  • the suspicious URL is rewritten such that it points to a proxy server instead of an original destination of the suspicious URL.
  • a request for content associated with the suspicious URL is directed to the proxy server.
  • the proxy server determines whether to deliver content associated with the suspicious URL and if so, delivers a protected or safer version of the content with appropriate warnings.
  • the proxy server blocks access to the content.
  • the network environment 100 comprises an email server 200 and a proxy server 300 that are connected to a plurality of user terminals 120(a)- 120(c) over a network 114 (which may be, for example, the Internet or a private network).
  • network 114 may be a Local Area Network (LAN).
  • a plurality of websites shown at reference numerals 130(1)-130(N) are also connected to the Internet 124 and are referred to hereinafter in connection with the techniques described herein.
  • the user terminals may be personal (laptop or desktop) computers, hand-held mobile devices (e.g., smartphones) or other devices configured to receive wireless communications such as email messages or instant messages and to access content over the Internet.
  • Incoming email messages that may originate, for example, from outside of network 114, that are destined for user terminals 120(a)- 120(c) are received by email server 200 over the Internet 124.
  • the email server 200 is configured to store the incoming email messages such that they can be accessed and read by users at the user terminals 120(a)- 120(c).
  • the email server 200 may also be configured to have firewall capabilities such that email server 200 screens the emails and protects unauthorized or unwanted emails from being delivered to users at user terminals 120(a)-120(c).
  • the email server 200 delivers the incoming messages to their intended destinations, e.g., one or more of the user terminals 120(a)- 120(c).
  • the email server 200 executes suspicious message designation process logic 400 to evaluate email messages with uniform resource identifiers (URIs) associated with content (e.g., content hosted on one of the websites 130(1)-130(N)) and to designate any incoming messages as suspicious, that is, possibly associated with a phishing scam or other malicious type of attack.
  • a URI broadly refers to any uniform resource identifier, such as a uniform resource locator (URL). Accordingly, the processes described herein are explained as being executed on email messages with URLs, but it should be appreciated that these processes may also be executed broadly on any type of URI.
  • URLs contained within email messages that are designated as suspicious are rewritten to point to the proxy server 300.
  • the proxy server 300 performs URL proxy process logic 500 to perform special presentation/delivery of content associated with suspicious URLs.
  • the functions of the email server 200 and the functions of the proxy server 300 may be implemented individually (as shown in FIG. 1) or together as part of one server. After an email message is processed by email server 200, the email message is made available to the appropriate destination, e.g. user terminals 120(a)- 120(c), over network 114.
  • incoming email messages with URLs to be evaluated and possibly rewritten to the proxy server 300 are screened and processed by the email server 200 (and proxy server 300 if needed), and email messages with suspicious URLs rewritten to the proxy server 300 are made available to the destination user terminal by the email server 200.
  • the techniques described are also applicable to a virtual environment where user terminals are thin clients that have virtualized desktops managed by a data center or compute elements in a cloud computing system.
  • the functions of the email server 200 and proxy server 300 are additional processes of the data center when serving email to the virtual desktops of the user terminals 120(a)- 120(c).
  • Email server 200 comprises a network interface unit 210, a processor 220 and a memory 230.
  • the memory 230 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, acoustical or other physical/tangible memory storage devices.
  • the memory 230 may comprise electrically erasable programmable read only memory (EEPROM) or any tangible (non-transitory) memory media capable of storing instructions, that when executed by the processor 220, cause the processor to perform the operations described herein in connection with the process logic 400.
  • the network interface unit 210 is configured to perform network communications, including receiving an email message from the Internet 124 and transmitting to user terminals 120(a)-(c) over network 114.
  • the processor 220 is configured to execute the suspicious message designation process logic 400 stored in memory 230.
  • the suspicious message designation process logic 400 is configured to determine whether email messages received at email server 200 contain one of a plurality of attacks such as advance fee fraud scams (commonly known as "419 scams"), malware or suspicious URLs and to designate any suspicious URLs to be rewritten to point to the proxy server 300.
  • processor 220 may be implemented by logic encoded in one or more tangible memory media (e.g., embedded logic such as an application specific integrated circuit, digital signal processor instructions, software that is executed by a processor, etc), wherein memory 230 stores data used for operations described herein and stores software or processor executable instructions that are executed to carry out the operations described herein.
  • the suspicious message designation process logic 400 may take any of a variety of forms, so as to be encoded in one or more tangible media for execution, such as fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the processor 220 may be an application specific integrated circuit (ASIC) that comprises fixed digital logic, or a combination thereof.
  • the processor 220 may be embodied by digital logic gates in a fixed or programmable digital logic integrated circuit, which digital logic gates are configured to perform the operations for the suspicious message designation process logic 400.
  • the suspicious message designation process logic 400 may be embodied in a processor or computer- readable storage media (memory 230) with software comprising computer executable instructions for execution by a computer or processor (e.g. processor 220) that, when executed by the processor, are operable to cause the processor to perform the operations described herein in connection with the suspicious message designation process logic 400.
  • the proxy server 300 comprises a network interface unit 310, a processor 320 and a memory 330.
  • the network interface unit 310 is configured to perform network communications and in particular to enable the proxy server 300 to serve as an intermediate entity between user terminals and any web site or other entity reachable via the Internet 124.
  • the proxy server 300 may receive an email message containing a suspicious URL from the email server 200 for handling by the proxy server 300 as described herein.
  • the processor 320 is configured to execute instructions stored in memory 330 for carrying out the various techniques described herein.
  • the processor 320 is configured to execute the URL proxy process logic 500 stored in memory 330.
  • the URL proxy process logic 500 is configured to rewrite a suspicious URL contained within an email message to point to the proxy server 300 instead of the original destination of the suspicious URL and to determine whether the suspicious URL contains malicious content.
  • processor 320 may be implemented by logic encoded in one or more tangible media (e.g., embedded logic such as an application specific integrated circuit, digital signal processor instructions, software that is executed by a processor, etc), wherein memory 330 stores data used for operations described herein and stores software or processor executable instructions that are executed to carry out the operations described herein.
  • the memory 330 may comprise ROM, RAM, magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, acoustical or other physical/tangible memory storage devices.
  • the URL proxy process logic 500 may take any of a variety of forms, so as to be encoded in one or more tangible (non-transitory) memory media for execution, such as fixed logic or programmable logic (e.g., software/computer instructions executed by a processor), and the processor 320 may be an ASIC that comprises fixed digital logic, or a combination thereof.
  • the processor 320 may be embodied by digital logic gates in a fixed or programmable digital logic integrated circuit, which digital logic gates are configured to perform the operations for the URL proxy process logic 500.
  • the URL proxy process logic 500 may be embodied in a processor or computer-readable storage media (memory 330) with software comprising computer executable instructions for execution by a computer or processor that, when executed by the processor, are operable to cause the processor to perform the operations described herein in connection with the URL proxy process logic 500.
  • the email server 200 receives email messages that are destined to user terminals 120(a)- 120(c).
  • the email messages that are received may contain suspicious URLs that link over Internet 124 to malicious content hosted by websites, for example websites 130(1)-130(N).
  • the email message may contain a URL for a so-called phishing scam that can direct a user that clicks on the phishing URL link to a website that prompts the user to input sensitive information without the user realizing that the website is not legitimate.
  • the website that the phishing URL links to may appear to the user as a reputable business or organization website.
  • a user may click on the phishing URL link and may then be directed to a website that appears as one for a reputable bank. The user may be prompted to enter sensitive information at the website, and the user's data may be collected and used for malicious purposes.
  • the email messages that are received may also contain other attacks, such as account credential phishing and identity and business scams, without necessarily containing a URL link.
  • email server 200 receives an email message that is intended to be delivered to one or more users at user terminals 120(a)-120(c).
  • processor 220 scans the email message to determine whether the email message contains at least one URL. If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430, and if the email message is determined to contain at least one suspicious URL, processor 220 designates, at 440, that the suspicious URL is to be rewritten to point to proxy server 300.
  • processor 220 may also designate that all URLs, suspicious or not, are to be rewritten to point to the proxy server. Processor 220 may make this determination by comparing the URL contained in the email message to a list of known suspicious URLs. For example, processor 220 may scan an email to determine whether any URLs contained in an email message are suspicious and may designate all URLs contained in a suspicious message to be rewritten. There are numerous techniques known to detect a suspicious URL in an email and the details of those techniques are not described herein because they do not pertain to the core of the techniques described herein.
  • When at least one suspicious URL is found in an email message, processor 220, at 450, designates that all other URLs found in the email message are to be rewritten unless the URL appears on a list of known acceptable URLs or is otherwise determined to be acceptable. At 460, the processor 220 rewrites the suspicious URLs and any URLs designated to be rewritten such that the URLs point to proxy server 300 instead of to an original destination of the suspicious URL. As a result, a request for content associated with the suspicious URL is directed to the proxy server 300.
  • the processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL. Redirecting the user to the proxy server 300 instead of the web server allows for controlled and safe navigation to content associated with the URL.
  • the proxy server 300 performs additional checks for malware, phishing and other content on the destination URL to provide a level of protection to the user. Specifically, the proxy server 300 allows for safe navigation to URL content by tunneling URL content through a web security solution hypertext transfer protocol (HTTP) proxy and displaying warning information to the user's browser. Additionally, the URL rewrite may be performed, for example, by an email security appliance (ESA) message filter.
  • processor 220 rewrites additional URLs that are contained in the content at the original destination of the suspicious URL such that the additional URLs are captive within proxy server 300 and point to proxy server 300.
  • additional URLs contained in the content at the original destination of the suspicious URL are rewritten to stay within the safety of proxy server 300.
  • a web page associated with a suspicious URL may contain other URLs on that web page that point to other web pages containing potentially harmful content (phishing scams, etc.). It is these additional URLs that are also rewritten to point to the proxy server 300.
  • processor 220 of email server 200 may remove from the email message any capability of accessing the original destination associated with the URL, and the processor 220 may present a warning in the email message concerning the URL. For example, if email server 200 is presented with an email message containing a URL that has JavaScript or other URL obfuscation techniques that cannot easily be rewritten, processor 220 may scan the content associated with the original destination of the URL and may block access to the content by removing or blocking the email message content that has been determined to be malicious.
  • the email message may be quarantined for a predetermined period of time.
  • the quarantining of the email messages allows for information to be obtained about content at the URLs in the email message. This information may be obtained by the email server 200, proxy server 300 or other components of network 100.
  • the quarantining of the email messages also allows for email server 200 and proxy server 300 to obtain and update accurate lists of acceptable, suspicious and/or malicious URLs.
  • the email server 200 can add information to the rewritten URL link to include the point of origin or source of the email message containing the suspicious URL, though it should be appreciated that the email message need not be quarantined to obtain such information.
  • the email server 200 can add this information to the rewritten URL link regardless of whether or not the email message is quarantined. Also, by quarantining the email message, the email server 200 and proxy server 300 can later use the updated lists of acceptable, suspicious and/or malicious URLs to improve subsequent decisions on whether to quarantine, block, and/or rewrite URLs contained in email messages that are subsequently received.
  • processor 220 delivers the email message (or information about the email message) to proxy server 300 to perform URL proxy process logic 500 on the email message.
  • Email server 200 may receive email messages that do not contain URLs. If an email message does not contain a URL, processor 220, at 490, determines whether the email message contains an indication that it may be associated with one of a plurality of types of attacks (e.g. advance fee fraud scams, commonly known as "419 scams"). When the processor 220 determines, based on the content, source or other parameters associated with the email message, that it is associated with an attack, the processor 220 generates a specific warning to be presented to a user in connection with the email message based on the type of attack determined for the email message.
  • an email message may contain an account credential phishing scam where users are directed to email or send their account information to a person/destination email address who purports to be an authentic authority or administrator.
  • An email message may contain a message where users are directed to email or send their bank account information to the alleged reputable authority.
  • an attack may be a message that directs a user to call or respond to a phone number listed in the message. Upon responding, sensitive information may be collected and used for malicious purposes.
  • the processor 220, at 495, generates a message with a specific warning to be presented to the user based on the type of attack determined by processor 220 at 490.
  • the message warning generated at 495 may be added to the email message itself and presented to the user. If a specific warning is unavailable or unable to be generated, a general warning may be added to the email message and presented to the user.
  • the specific warning message that the processor 220 generates at 495 may contain specific instructions that indicate appropriate actions that a user should take in order to avoid being susceptible to the attack and any future attempted attacks.
  • a warning may contain language such as "This phone number may not be legitimate— Look up the phone number of the sender on their website instead," or "Never email your password to anyone— Any request for your password is from someone trying to steal your account information."
  • the warnings can take the form of a subject tag or a message header, for example a multipurpose internet mail extension (MIME) text prepended to other body content of the message.
  • email server 200 may transmit the email message (or information about the email message) to the proxy server 300 to perform the URL proxy process logic 500 on the email message.
  • Referring to FIG. 5, an example of a flow chart for the URL proxy process logic 500 is now described.
  • processor 320 analyzes the content that is located at the destination of the rewritten URL and compares the suspicious URL to a list of known URLs to determine whether the content at the suspicious URL is malicious and thus whether or not to allow a user to be presented with content associated with the suspicious URL in response to receiving a request from a user for the suspicious URL.
  • the proxy server 300 determines that a suspicious URL is associated with malicious content or activity (i.e.
  • the processor 320 blocks the content associated with the original destination of the suspicious URL from being presented to a requesting user.
  • An example of the processor 320 blocking the content of the suspicious URL determined to be associated with malicious content is shown in FIG. 8 described hereinafter.
  • Processor 320 may send information regarding the blocked content and the suspicious URL or a copy of the suspicious email message to a network operator or email server administrator.
  • processor 320 presents the content associated with the original destination of the suspicious URL through proxy server 300. It should be appreciated, however, that the proxy server may present the content associated with the original destination of the suspicious URL if the proxy server is not able to determine that the URL does not contain malicious content, i.e. a "false negative" situation.
  • processor 320 presents a warning to a user to indicate that the content may be malicious. The warning may be presented to the user in one or more user interface controls or other areas on the screen displayed with the content. The user interface controls may be configured to receive input from the user to report whether the content is malicious.
  • processor 320 may present a warning by wrapping the content at the original destination of the suspicious URL in additional warnings or by presenting a splash page warning a user of the dangers of proceeding to the content.
  • the processor may send a copy of the warning, along with information related to the suspicious URL, to a network operator or administrator.
  • the information related to the suspicious URL can be reported to an administrator, for example, individually or in a summary along with information related to other suspicious URLs.
  • processor 320 continuously analyzes whether a URL is malicious, and processor 320 may direct a user to the content associated with the original destination of the suspicious URL through proxy server 300 before ultimate determination of the malicious nature of the URL. If a URL is ultimately determined to be a malicious URL, processor 320 may then block the content of the URL, as described above in connection with operation 530.
  • Referring to FIG. 6, a block diagram is shown that depicts the operations of the proxy server 300 when delivering protected or safe content associated with a URL to a user terminal, e.g., user terminal 120(a).
  • when a user located at user terminal 120(a) clicks on a link of a suspicious URL, the user is directed to proxy server 300 instead of the original destination of the suspicious URL, since the URL has been rewritten to point to the proxy server 300.
  • the content associated with the original destination of the suspicious URL shown at reference numeral 610, is not malicious (i.e.
  • the proxy server 300 prevents the user from accessing the content for that URL since that user's access attempt for that URL is directed to the proxy server 300 and the proxy server 300 is configured to prevent access to that URL once it is determined to be malicious. If the proxy server 300 determines that the content associated with the suspicious URL is safe, it may redirect the user to the original URL site to allow the user to access the original URL site directly rather than through the proxy server 300 (i.e., to allow the user to "escape" from the proxy server 300 and access the URL directly).
  • Referring to FIG. 7, an example is shown of the protected or safe version of content associated with a suspicious URL that is presented to a user terminal through proxy server 300.
  • a user at a user terminal receives email message 710 that has a suspicious URL link 715.
  • screen 720 is presented to the user, which is displayed through proxy server 300.
  • the screen 720 shows that the URL 715 is rewritten to URL 730 that points to proxy server 300 (as indicated by reference numeral 732, where the proxy server URL is "safe.cisco.com").
  • If proxy server 300 has determined that the suspicious URL link 715 is not a malicious URL, the proxy server 300 generates screen 720 to display content 740 associated with the suspicious URL 715.
  • Content 740 may have another URL, as shown in 742, which may be part of or embedded into content 740.
  • the proxy server 300 detects the additional URL 742 and also rewrites it to point to proxy server 300 such that if the user clicks on URL 742, the user is presented with a screen similar to screen 720 to display the content associated with URL 742.
  • Screen 720 also displays a warning 750 that alerts the user that content 740 may not be legitimate or may be part of a scam, even if proxy server 300 has not determined the suspicious URL link 715 to be a malicious URL.
  • the user is also presented with an option to report a misclassification of the content 740 by clicking a report misclassification button 760.
  • For example, if the user discovers that proxy server 300 has misclassified content 740 as being non-malicious content when, in fact, proxy server 300 should have classified content 740 as being malicious content (i.e. a false negative classified by proxy server 300), the user can click on button 760 to report the misclassification to a network operator or administrator. The network operator or administrator can use this information to update its database for malicious URLs and to prevent further misclassifications of suspicious URLs.
  • Referring to FIG. 8, an example is shown of unsafe malicious content that is blocked from delivery to a user terminal by proxy server 300.
  • a user at a user terminal receives an email message 810 that has suspicious URL link 815.
  • the proxy server 300 presents screen 820 to the user.
  • the screen shows that URL 815 is rewritten to URL 830 that points to proxy server 300 (as indicated by reference numeral 832).
  • the proxy server has determined that the suspicious URL link 815 is a malicious URL link, and therefore the screen 820 displays a message 840 to the user through proxy server 300 indicating that the content associated with the original destination of the suspicious URL 815 has been blocked.
  • Message 840 also displays a specific warning pertaining to the malicious content.
  • the user is presented with an option to report a misclassification of the content of the suspicious URL by clicking a report misclassification button 850.
  • For example, if the user discovers that proxy server 300 has misclassified the content associated with suspicious URL link 815 as malicious when, in fact, it should have classified that content as non-malicious (i.e. a false positive by proxy server 300), the user can click button 850 to report the misclassification to a network operator or administrator. The network operator or administrator can use this information to update its database of malicious URLs and to prevent further misclassifications of suspicious URLs.
  • the operations of the email server and proxy server described herein may be performed by the same server device, e.g., the proxy server, the email server or some other server device.
  • the same device that rewrites the URL contained in an email will essentially cause access to the URL to be directed to itself (rather than directly to the source of the content) in order to provide the protected and safe presentation of the content in much the same way as described herein for the proxy server.
  • a method comprising: at an email server, receiving an email message, determining whether the email message contains a suspicious uniform resource locator (URL) that potentially contains malicious content, and rewriting the suspicious URL such that it points to a proxy server instead of an original destination of the suspicious URL so that a request for content associated with the suspicious URL is directed to the proxy server.
  • a method comprising: at a server, receiving a request from a user to access content associated with a suspicious uniform resource locator (URL) obtained from a received email message that has been determined to contain potentially malicious content, determining whether to present content associated with the suspicious URL in response to receiving the request from the user, and when determined to present the content, presenting content associated with the original destination of the suspicious URL to the user.
  • an apparatus comprising a network interface device configured to receive an email message, and a processor configured to determine whether the email message contains a suspicious uniform resource locator (URL) and to rewrite the suspicious URL such that it points to a proxy server instead of an original destination of the suspicious URL so that a request for content associated with the suspicious URL is directed to the proxy server.
  • one or more computer readable storage media is provided that is encoded with software comprising computer executable instructions and when the software is executed operable to: receive an email message, determine whether the email message contains a suspicious uniform resource locator (URL) that potentially contains malicious content, and rewrite the suspicious URL such that it points to a proxy server instead of an original destination of the suspicious URL so that a request for content associated with the suspicious URL is directed to the proxy server.
  • a system comprising the email server configured to perform the operations described herein and a proxy server configured to perform the operations described herein.
  • a system comprises an email server configured to determine when an email message destined for a user contains a suspicious uniform resource locator (URL) that potentially contains malicious content, and to rewrite the suspicious URL such that it points to a proxy server instead of an original destination of the suspicious URL so that a request for content associated with the suspicious URL is directed to the proxy server.
  • the proxy server is configured to determine whether to present content associated with the suspicious URL in response to receiving a request from a user to access the content associated with the suspicious URL. When it is determined to present the content, the proxy server presents the content associated with the original destination of the suspicious URL to the user.
  • Email and web security are provided by rewriting potentially malicious links so that attacks are less virulent, and by forcing any browsing that starts from a suspicious URL link to be proxied through a proxy server, e.g. as part of a cloud-based web security service.
  • the above techniques and processes can be implemented to prevent malicious short message service (SMS) attacks such as SMS phishing messages.
  • the above techniques and processes can be conducted by a message server of a mobile or cellular service provider to prevent the transmission of virulent or malicious SMS messages.
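The flow described above (the message server rewriting suspicious URLs to point at the proxy, the proxy either serving the content under a warning as in FIG. 7 or blocking it as in FIG. 8, nested links being rewritten in turn, and the report-misclassification button), as an added example in Python. This is illustration code written for this page, not code from the patent or from Cisco. The proxy endpoint safe.example.com, the shared signing key, the trusted-host allow-list, the blocklist, and the sample message and destination page are all constructed assumptions; the patent leaves both the suspicious-URL heuristic and the proxy's classification open. The HMAC over the wrapped URL is a practitioner's addition not in the patent: without it the proxy endpoint is an open redirector that an attacker can use to lend the proxy's domain to any link. The same rewrite function applies unchanged to an SMS body.

```python
"""Suspicious-URL rewriting at a message server and the proxy-side decision.
Added illustration for this page, not the patent's or Cisco's code. All hosts,
keys, pages and messages below are constructed assumptions."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, urlsplit

PROXY_BASE = "https://safe.example.com/redirect"   # assumed proxy endpoint (patent shows safe.cisco.com)
PROXY_HOST = urlsplit(PROXY_BASE).hostname
SIGNING_KEY = b"assumed-shared-secret-rotate-me"   # assumed key shared by message server and proxy
TRUSTED_HOSTS = {"www.cisco.com"}                   # assumed allow-list: links to these hosts are left alone
MALICIOUS_HOSTS = {"login-verify.example"}          # assumed blocklist consulted by the proxy
CONSTRUCTED_PAGES = {                               # stand-in for fetching the original destination
    "https://promo.example.net/offer":
        "Claim your prize at https://login-verify.example/acct before midnight",
}
REPORTS = []                                        # misclassification reports for the operator

# A URL runs to whitespace/quote/angle bracket and must not end in trailing punctuation.
URL_RE = re.compile(r"""https?://[^\s<>"']*[^\s<>"'.,;:)]""")


def _sign(url: str) -> str:
    """HMAC over the original URL so the proxy only unwraps links the message server minted."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def is_suspicious(url: str) -> bool:
    """Message-server heuristic: anything not on the allow-list, and not already proxied,
    is treated as suspicious. The patent does not fix the heuristic; this is a stand-in."""
    host = (urlsplit(url).hostname or "").lower()
    return host != PROXY_HOST and host not in TRUSTED_HOSTS


def to_proxy_url(url: str) -> str:
    """Rewrite a suspicious URL so the click goes to the proxy instead of the destination."""
    return f"{PROXY_BASE}?u={quote(url, safe='')}&sig={_sign(url)}"


def rewrite_links(body: str) -> str:
    """Rewrite every suspicious URL in a text body: an email, an SMS, or a page the proxy serves."""
    return URL_RE.sub(lambda m: to_proxy_url(m.group(0)) if is_suspicious(m.group(0)) else m.group(0), body)


def decode_proxy_url(proxy_url: str):
    """Proxy side: recover the original URL, rejecting missing or forged signatures."""
    params = dict(parse_qsl(urlsplit(proxy_url).query))   # parse_qsl already percent-decodes
    original, sig = params.get("u", ""), params.get("sig", "")
    if not original or not hmac.compare_digest(sig.encode(), _sign(original).encode()):
        return None
    return original


def proxy_response(proxy_url: str) -> dict:
    """The two outcomes the patent describes (FIG. 7: served under a warning; FIG. 8: blocked),
    returned as a dict standing in for an HTTP response."""
    original = decode_proxy_url(proxy_url)
    if original is None:
        return {"status": "rejected", "warning": "Not a valid proxied link.", "body": ""}
    host = (urlsplit(original).hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        return {"status": "blocked",
                "warning": f"Content from {host} was blocked as malicious. "
                           "Use 'report misclassification' if you believe this is a false positive.",
                "body": ""}
    page = CONSTRUCTED_PAGES.get(original, "")   # a real proxy fetches the destination here
    return {"status": "served",
            "warning": f"You reached {host} through a link in a message; it has not been "
                       "confirmed safe and may be a scam. Use 'report misclassification' "
                       "if you believe it is malicious.",
            "body": rewrite_links(page)}          # nested links are proxied too (FIG. 7, URL 742)


def report_misclassification(proxy_url: str, should_be_malicious: bool) -> bool:
    """The report button: records the user's verdict for the operator, who updates the blocklist."""
    original = decode_proxy_url(proxy_url)
    if original is None:
        return False
    REPORTS.append((original, "false_negative" if should_be_malicious else "false_positive"))
    return True


if __name__ == "__main__":
    msg = "Your invoice is ready: https://promo.example.net/offer (docs: https://www.cisco.com/c/)."
    rewritten = rewrite_links(msg)
    print(rewritten)
    first_link = URL_RE.search(rewritten).group(0)
    print(proxy_response(first_link)["status"])
```

Two details worth keeping when adapting this: the proxy must never percent-decode the `u` parameter a second time (parse_qsl already did), since double decoding lets `%252F`-style encodings slip past host checks; and an HTML page served by the proxy should have its `href` attributes rewritten with an HTML parser rather than the plain-text regex used here, which is enough for the email, SMS and text page in the example.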

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
EP11752691.3A 2011-01-04 2011-08-18 Limiting the virulence of malicious messages using a proxy server (German title: Begrenzung der virulenz von bösartigen nachrichten unter verwendung eines proxy-servers) Withdrawn EP2661852A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US98393211A 2011-01-04 2011-01-04
PCT/US2011/048180 WO2012094040A1 (en) 2011-01-04 2011-08-18 Limiting virulence of malicious messages using a proxy server

Publications (1)

Publication Number Publication Date
EP2661852A1 true EP2661852A1 (de) 2013-11-13

Family

ID=44583444

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11752691.3A Withdrawn EP2661852A1 (de) 2011-01-04 2011-08-18 Limiting the virulence of malicious messages using a proxy server (German title: Begrenzung der virulenz von bösartigen nachrichten unter verwendung eines proxy-servers)

Country Status (2)

Country Link
EP (1) EP2661852A1 (de)
WO (1) WO2012094040A1 (de)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9961090B2 (en) 2015-06-18 2018-05-01 Bank Of America Corporation Message quarantine
CN111066295A (zh) * 2017-09-14 2020-04-24 Mitsubishi Electric Corp. Mail inspection device, mail inspection method and mail inspection program

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015191B2 (en) * 2013-09-18 2018-07-03 Paypal, Inc. Detection of man in the browser style malware using namespace inspection
US10469510B2 (en) 2014-01-31 2019-11-05 Juniper Networks, Inc. Intermediate responses for non-html downloads
US11388192B2 (en) 2018-07-09 2022-07-12 Blackberry Limited Managing third party URL distribution
US10686826B1 (en) * 2019-03-28 2020-06-16 Vade Secure Inc. Optical scanning parameters computation methods, devices and systems for malicious URL detection
US12105816B2 (en) 2019-06-20 2024-10-01 Proofpoint, Inc. Dynamically controlling access to linked content in electronic communications

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7516488B1 (en) 2005-02-23 2009-04-07 Symantec Corporation Preventing data from being submitted to a remote system in response to a malicious e-mail
US20070136806A1 (en) * 2005-12-14 2007-06-14 Aladdin Knowledge Systems Ltd. Method and system for blocking phishing scams

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2012094040A1 *

Also Published As

Publication number Publication date
WO2012094040A1 (en) 2012-07-12

Similar Documents

Publication Publication Date Title
USRE49634E1 (en) System and method for determining the risk of vulnerabilities on a mobile communications device
US10523609B1 (en) Multi-vector malware detection and analysis
US20240154996A1 (en) Secure Notification on Networked Devices
US10050998B1 (en) Malicious message analysis system
US9900346B2 (en) Identification of and countermeasures against forged websites
US9055090B2 (en) Network based device security and controls
US7634810B2 (en) Phishing detection, prevention, and notification
US8296477B1 (en) Secure data transfer using legitimate QR codes wherein a warning message is given to the user if data transfer is malicious
US8291065B2 (en) Phishing detection, prevention, and notification
EP1681825B1 (de) Network-based security system
US9392014B2 (en) Automated detection of harmful content
WO2018213457A1 (en) Using message context to evaluate security of requested data
US20170195363A1 (en) System and method to detect and prevent phishing attacks
US20060123478A1 (en) Phishing detection, prevention, and notification
US20210211462A1 (en) Malicious Email Mitigation
CN111917705B (zh) System and method for automatic intrusion detection
US8839424B2 (en) Cross-site request forgery protection
WO2012094040A1 (en) Limiting virulence of malicious messages using a proxy server
WO2015007231A1 (zh) Method and device for identifying malicious URLs
GB2512954A (en) Detecting and marking client devices
US11785044B2 (en) System and method for detection of malicious interactions in a computer network
US8959626B2 (en) Detecting a suspicious entity in a communication network
Chhikara et al. Phishing & anti-phishing techniques: Case study
US20190020664A1 (en) System and Method for Blocking Persistent Malware
US9787711B2 (en) Enabling custom countermeasures from a security device

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20130730

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20160413

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20160824