GB2462456A - A method of determining whether a website is a phishing website, and apparatus for the same - Google Patents

A method of determining whether a website is a phishing website, and apparatus for the same Download PDF

Info

Publication number
GB2462456A
GB2462456A GB0814461A GB0814461A GB2462456A GB 2462456 A GB2462456 A GB 2462456A GB 0814461 A GB0814461 A GB 0814461A GB 0814461 A GB0814461 A GB 0814461A GB 2462456 A GB2462456 A GB 2462456A
Authority
GB
United Kingdom
Prior art keywords
website
genuine
subject
characteristic
phishing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0814461A
Other versions
GB0814461D0 (en
Inventor
Anastasios Bitsios
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB0814461A priority Critical patent/GB2462456A/en
Publication of GB0814461D0 publication Critical patent/GB0814461D0/en
Publication of GB2462456A publication Critical patent/GB2462456A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • H04L29/06591
    • H04L29/06911
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1475Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method of determining whether a subject website is a phishing website which is imitating a genuine website is disclosed together with apparatus for the same, the method comprising the steps of: (a) identifying at least one characteristic of the genuine website; (b) comparing the or each characteristic of the genuine website with a corresponding characteristic or characteristics of the subject website; and (c) based on the comparison in step (b), determining whether the subject website is or is likely to be a phishing website.

Description

I
DESCRIPTION
Title of Invention
A METHOD OF DETERMINING WHETHER A WEBSITE IS A
PHISHING WEBSITE, AND APPARATUS FOR THE SAME.
Field of the Invention
This invention relates to a method of determining whether a subject website is a phishing website which is imitating a genuine website, and apparatus for the same.
Background to the Invention
One of the latest plagues to hit the World Wide Web is that of "phishing" and its variants. Phishing is a type of Internet fraud that attempts to lure users of a certain online service to a fraudulent website impersonating the service's website in order to extract sensitive information such as usernames and passwords, PIN numbers or personal information (Social Security Number, Date of Birth etc.). This is usually accomplished by sending fraudulent emails, often indicating some sort of problem or emergency with the account, so as to urge the user to follow the fraudulent link. The term "phishing" is a variation of "fishing", which alludes to the criminals baiting' users with such emails. Instant Messaging is also used as a baiting' medium.
Phishing most commonly targets financial services such as online banking sites, online payment services such as PayPal� and online auction sites such as eBay�. Other types of phishing targets include email providers in order to hijack accounts to send spam and I or more phishing emails. Subscription-based gaming accounts are also known to have been targeted as have social networks such as MySpace� and FaceBook� in order to spam on-site or harvest contacts' email addresses for spamming or phishing.
Phishing relies on the inexperience of users when it comes to online security.
A user can identify the phishing attempt as a fraud at several points; phishing emails vary from being very amateur (spelling mistakes, bad grammar, wrong message layout) to very professional (spoofed sender address, close copy of original messages, personalized greeting). Usually none hold up to close inspection.
Phishing websites' URL5 are always a strong indicator and almost none are over Secure HTTP connections. Phishing sites themselves are often bad copies of the original and may contain out of date graphics or layouts. Ultimately, the force of habit coupled with inexperience causes a lot of users to miss those clues and surrender sensitive information to criminals. The range of damage from phishing can vary from a relatively harmless denial-of-service (e.g. a hijacked gaming account) to devastating financial losses (credit card charges, transferred bank account balances, identity theft loans, etc.). Gartner, a US Consulting agency, reports more than $2.8 billion losses due to phishing in 2006 in the United States alone.
Most modern web browsers implement some sort of anti-phishing measure, either built-in or as a plug-in. However, to date, anti-ph ishing measures implemented are mostly based on the principle of users reporting phishing sites, vendors verifying the submissions and publishing blacklists of known phishing URL5. It is also known to make use of white lists, that is, lists of verified genuine websites.
Anti-phishing techniques based on black lists have several, significant disadvantages. First, in order for a site to be blacklisted, it must first be detected by someone who is willing to take the time to report the site, and thereafter be verified as a phishing site. Only then will such a site be added to a blacklist but, in the meantime, newly created but as yet unblacklisted phishing sites will continue to pose a threat to users. To make matters worse, due to the fierce competition in the web browser market, black lists are typically not shared between the providers of the market leading browsers.
It should also be noted that phishing websites have a limited lifespan. At the time of writing, this appears to be typically between 3 and 4 days and the current trend is of a decreasing lifespan. This means that the current blacklist anti-phishing technique is in a constant cat-and-mouse game with the phishing sites, and in which it will be left further behind as lifespan continues to decrease.
Object of the Invention The object of the invention is to provide an alternative solution to the problem of detecting phishing websites.
Summary of the Invention
In accordance with a first aspect of the present invention, there is provided a method of determining whether a subject website is a phishing website which is imitating a genuine website, and corresponding client-centric and server-centric architectures for the same. The method comprising the steps of: (a) identifying at least one characteristic of the genuine website; (b) comparing the or each characteristic of the genuine website with a corresponding characteristic or characteristics of the subject website; and (c) based on the comparison in step (b), determining whether the subject website is or is likely to be a phishing website.
The inventor has appreciated that for an anti-phishing service to be truly effective, it must be able to protect users regardless of whether the specific phishing site has been seen before, identified as a phishing site before and I or blacklisted.
The present invention enables a phishing site to be identified from a first sighting, thus avoiding the aforementioned disadvantages with the currently predominant blacklisting techniques employed by commercial browsers.
In certain embodiments: * in step (a), a plurality of characteristics of the genuine website may be identified and, in step (b), a plurality of characteristics of the genuine website my be compared with corresponding characteristics of the subject website.
* steps (a) to (c) may be repeated for a plurality of websites.
The at least one characteristic of the genuine website may include a non-visible characteristic and, for example: * may relate to the structure of the code * may include an ID attribute * may includes the genuine website's primary domain * may relate to an appended file. For example, its file name, the date at which it was last saved and I or modified, and I or its size.
* may relates to a hyperlink. For example, the subject website may be determined to be or likely to be a phishing website if it contains the same hyperlink to the genuine website. Alternative, the subject website may be determined to be or likely to be a phishing website if it contains a corresponding hyperlink which is directed to a page on the subject website, especially one whose content is the same or similar to a corresponding page on the genuine website.
The compared characteristics may be visible characteristics of the subject website's, i.e. an image comparison including between rendered text and image files and between single image and multiple, combined images.
In a client-centric architecture, a computer may be provided which is configured to perform, in the course of a user browsing a subject website, a method according to the present invention. Where this is the case, the client will preferably download from a host server a database of both visual and non-visual characteristics of genuine websites.
Alternatively, in a server-centric architecture, a server may be provided which hosts a database of both visual and non-visual characteristics of genuine websites and is configured to perform, upon receipt of a query from a client computer including an url of a subject website, a method according to the present invention.
Such a server may be further configured to transmit to the client computer the outcome of the determination of whether the subject website is or is likely to be a phishing website enabling such a client computer to notify the user in the event of receipt of such a determination from the server.
In accordance with a second aspect of the present invention, there is provided a method comprising the steps of: (a) providing a database of website domains or website homepages which are thought to be genuine; (b) from such website domains or website homepages, automatically searching for corresponding log-in webpages; and (c) building a database of characteristics of such log-in webpages for use as part of an anti-phishing service in which characteristics of such log-in webpages are compared to those of target websites in order to determine whether such target websites are phishing websites.
Brief Description of the Drawings
The present invention will now be described, by way of example only, with reference to the accompanying figure in which a user's computer 10 connected to the Internet and further able to connect to host servers 11 and 12 hosting web content and I or an anti-ph ishing service associated with the present invention.
Details Description
The method of the present invention may be employed in a client-centric architecture where the determination of whether a subject website is a phishing website is done on a client computer 10; or in a server-centric architecture where the determination is done on a server 11 upon request from a client computer 10.
Client-centric architecture A stand-alone client architecture would mean that all processing would happen on the client computer 10. That is, each client computer would keep a database of known genuine "white" sites including details of their characterising features, and would be responsible for checking each URL browsed by the user against the database.
Such a client-centric architecture has the advantage of not depending on a centralized server 11. This means increased privacy as viewed URL5 are not submitted to a server and, furthermore, this architecture is not unduly affected by server downtime. However, disadvantages of not having a centralized server include an increased processing burden on the client computer 10, a significant bandwidth requirement due to the client having to periodically characterise white sites, and an inability for the browsing community as a whole to maintain a unified, trusted list of known phishing sites.
Server-centric architecture A client-server architecture provides a centralized server 11 that will maintain a database of white sites (including periodic characterising the white sites), and which will check URL5 against that database as per the clients' requests. In such an architecture, the user's computer 10 acts as a thin client and functions to submit each browsed URL to the server for checking and to act in accordance with the server reply. If the reply is positive (i.e. URL is believed to be a phishing site), the user is interrupted by temporarily disabling the page and notified accordingly.
Preferably, the user is given options to provide feedback to the server including to verify the site as a phishing site or to report a false positive.
For privacy reasons, it is desirable if all records of URL5 received from clients and stored on the server 11 are deleted if the outcome of the determinations whether such URL5 relate to phishing sites is negative.
Hereafter, the present invention is described in the context of the server-centric architecture, although many of the characterisation and comparison techniques disclosed will of course be equally applicable to the client-centric architecture, and other possible architectures not disclosed herein.
Characterisinci white sites The following elements form the basis of a database of homepages and login pages (being the pages on a website which are most often targeted by phishers) of white sites stored on the server 11: * domain (e.g. paypal.com) * URL5 of login pages (e.g. www.paypal.com/cgi-bin/webscr?cmd=_login-run) * Links (href attributes in <A> tags) * Filenames (e.g. spacer.gif) * Full Filenames (e.g. http://server.com/spacer.gif) * Text nodes (as they appear in the Document Object Model (DOM)).
* Colours in hexadecimal format (e.g. #ff0000 for red) * Images elements: width, height, average colour (R,G,B), * Names of HTML elements, either ID, Name or Source attribute in HTML tags * Comments (as they appear in the DOM) * Meta Tags such as Title, Description and Keywords * Script Contents (JavaScript, VBScript etc.) * Script Hashes * Appended Style Sheets * Style Attributes * Text (optionally limited to special characterised, non-dictionary words etc) Such information can be automatically harvested from a list of white sites (e.g. from Google's white-domain white list).
In this regard, it is contemplated that all homepages of white sites will be characterised, whether or not they contains a log-in or not. This establishes a base reference for colours and other characterising elements that do not necessarily require the correct login page to be found.
Log-in pages of a white site can also be automatically harvested and characterised by searching from the starting point of a homepage. Techniques for finding such log-in pages include searching for pages with combinations of submit and password-type input fields, "sign-in" or "log-in" text (either in text format or embedded in images), etc. In this regard, it should be noted that not all home pages contain a log-in; and many websites have multiple log-in pages (e.g. PayPal� which has a login page on the homepage and a separate login-only page).
It should also be noted that it can not be assumed that all white sites' login pages are in the same domain as the homepage. Certain sites have login pages in other domains. Therefore the search for the login page cannot be restricted to the original domain. On the other hand, one must avoid characterised a login page belonging to a different site after following an irrelevant link (such as advertisement links) as might be evident from significant changes in certain characterising features of the website, e.g. colour schemes etc. Comparinci characteristics of white sites with those of a subiect website The invention is based on the principle that certain characteristics of a white site would be present in a phishing website; inherently, of course, visual characteristics but also non-visual characteristics. However, it is appreciated that perfected innocuous similarities may exist between certain white websites and certain other websites which are not phishing sites.
Accordingly, an optimal comparison of a white site with a subject website will be one which: * encompasses many characteristics.
* is weighted so as to reflect the certainty with which characteristics match * is weighted in favour of matching characteristics which are stronger pointers to phishing sites that others * the result is expressed as a probability or a points score (reflecting that the methodology proposed is of course not infallible) whereby a probability or points score above a predefined threshold yields a determination of the subject site to be a phishing site.
Comparison of many of the attributes is straight forward, but certain attributes are worthy of special consideration.
In respect of domain names, it is expected that the inclusion of the primary domain of a white site in the entire url of a subject site would be considered a positive comparison of that characteristic, i.e. suggesting a phishing site. For example, were "primarydomain" or "primarydomain.com" to be found in "http:II primarydomain.com.some.bad.site.com". Strings such as "cgi", "bin", "html" and "php" need not be checked being very common. A positive comparison may also be assumed if the target website contains a hyperlink to the white site's domain. Indeed, a matching full file name may result in a positive comparison and one which ought to be highly weighted, especially as dynamic linking is a common phishing practice.
In respect of image checking, this can be very time-consuming because individual image files must be downloaded and each pixel checked for its colour. In order to speed up the checking process, image checking can be left until last and only done if the result is marginal.
The identity of compared subject sites may be cached so as to not have to repeat the comparison unnecessarily. Also, if a phishing site is found, it may be added to a list of black sites as the methodology of the present invention may be supplemented by the conventional approach of referencing a black list.
As previously mentioned, it is contemplated that feedback from a user in the event of a suspected phishing site being identified would be relayed to the server; i.e. either verifying the site as a phishing site or to report a false positive. Such feedback can be used to improve the white list which is the foundation of the present invention.
The above description describes in high level terms the architectures and techniques of the present invention which can be employed to detect suspected phishing sites. Of course, such architectures and techniques could be readily implemented by a person skilled in this art without undue effort, and are not dependent on a particular platform, scripting language etc.

Claims (31)

  1. CLAIMS1. A method of determining whether a subject website is a phishing website which is imitating a genuine website, the method comprising the steps of: (a) identifying at least one characteristic of the genuine website; (b) comparing the or each characteristic of the genuine website with a corresponding characteristic or characteristics of the subject website; and (c) based on the comparison in step (b), determining whether the subject website is or is likely to be a phishing website.
  2. 2. A method according to claim I wherein, in step (a), a plurality of characteristics of the genuine website are identified; and wherein, in step (b), a plurality of characteristics of the genuine website are compared with corresponding characteristics of the subject website.
  3. 3. A method according to claim 1 or claim 2 wherein steps (a) to (c) are repeated for a plurality of websites.
  4. 4. A method according to claim 3 wherein repetition of steps (a) to (c) results in the creation of database of genuine websites and their associated characteristics.
  5. 5. A method according to claim 4 wherein the majority of the database records concern either home pages or login pages of the websites.
  6. 6. A method according to any of the preceding claims wherein the at least one characteristic of the genuine website includes a non-visible characteristic.
  7. 7. A method according to claim 6 wherein the at least one characteristic of the genuine website relates to the structure of the code.
  8. 8. A method according to claim 6 wherein the at least one characteristic of the genuine website include an ID attribute.
  9. 9. A method according to claim 6 wherein the at least one characteristic of the genuine website includes its url's primary domain.
  10. 10. A method according to claim 6 wherein the at least one characteristic of the genuine website relates to an appended file.
  11. 11. A method according to claim 10 wherein the at least one characteristic of the genuine website relates to a file name of an appended file.
  12. 12. A method according to claim 10 wherein the at least one characteristic of the genuine website relates to the date at which an appended file was last saved and I or modified.
  13. 13. A method according to claim 10 wherein the at least one characteristic of the genuine website relates to the size of an appended file.
  14. 14. A method according to claim 13 wherein the at least one characteristic of the genuine website relates to a hyperlink; and wherein the subject website is determined to be or likely to be a phishing website if it contains the same hyperlink to the genuine website.
  15. 15. A method according to claim 13 wherein the at least one characteristic of the genuine website relates to a hyperlink; and wherein the subject website is determined to be or likely to be a phishing website if it contains a corresponding hyperlink which is directed to a page on the subject website.
  16. 16. A method according to claim 15 wherein the subject website is determined to be or likely to be a phishing website if it contains a corresponding hyperlink which is directed to a page on the subject website whose content is the same or similar to a corresponding page on the genuine website.
  17. 17. A method according to claim 1 wherein the compared characteristics are visible characteristics of the subject website's.
  18. 18. A method according to claim 17 wherein the at least one characteristic of the genuine website includes text matter; wherein the corresponding characteristic of the subject website is an image which contains such text; and wherein the comparison is a visual comparison of the rendered text of the genuine site compared to the image of the subject site.
  19. 19. A method according to claim 17 wherein the at least one characteristic of the genuine website includes an image containing text; wherein the corresponding characteristic of the subject website is text matter; and wherein the comparison is a visual comparison of the image of the genuine site compared to the rendered text of the subject site.
  20. 20. A method according to claim 17 wherein the at least one characteristic of the genuine website includes an image; wherein the corresponding characteristic of the subject website is a collection of several images; and wherein the comparison is a visual comparison of the image of the genuine site compared to the collection of several images of the subject site.
  21. 21. A method according to claim 17 wherein the at least one characteristic of the genuine website includes a collection of images; wherein the corresponding characteristic of the subject website is a combined images; and wherein the comparison is a visual comparison of the collection of images of the genuine site compared to the combined image of the subject site.
  22. 22. A computer configured to perform, in the course of a user browsing a subject website, a method according to any of the preceding claims.
  23. 23. A computer according to claim 22 further configured to download from a server a database of both visual and non-visual characteristics of genuine websites.
  24. 24. A server hosting a database of both visual and non-visual characteristics of genuine websites and configured to export said database to a plurality of client computers.
  25. 25. A server hosting a database of both visual and non-visual characteristics of genuine websites and configured to perform, upon receipt of a query from a client computer including an url of a subject website, a method according to any of the preceding claims.
  26. 26. A server according to claim 24 further configured to transmit to the client computer the outcome of the determination in step (c).
  27. 27. A server according to claim 24 or claim 25 further configured to delete all records of the url received from the client computer if the outcome of the determination in step (c) is that it does not relate to a phishing site.
  28. 28. A computer configured to perform, in the course of a user browsing a subject website, a query to an external server including the url of the subject website for determining whether the subject website is a phishing website.
  29. 29. A computer according to claim 28 further configured to notify the user in the event of receipt of a determination from the external server that the subject website is or is likely to be a phishing website.
  30. 30. A method comprising the steps of: (a) providing a database of website domains or website homepages which are thought to be genuine; (b) from such website domains or website homepages, automatically searching for corresponding log-in webpages; and (C) building a database of characteristics of such log-in webpages for use as part of an anti-phishing service in which characteristics of such log-in webpages are compared to those of target websites in order to determine whether such target websites are phishing websites.
  31. 31. A computer configured to perform a method according to claim 30.
GB0814461A 2008-08-08 2008-08-08 A method of determining whether a website is a phishing website, and apparatus for the same Withdrawn GB2462456A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0814461A GB2462456A (en) 2008-08-08 2008-08-08 A method of determining whether a website is a phishing website, and apparatus for the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0814461A GB2462456A (en) 2008-08-08 2008-08-08 A method of determining whether a website is a phishing website, and apparatus for the same

Publications (2)

Publication Number Publication Date
GB0814461D0 GB0814461D0 (en) 2008-09-10
GB2462456A true GB2462456A (en) 2010-02-10

Family

ID=39767670

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0814461A Withdrawn GB2462456A (en) 2008-08-08 2008-08-08 A method of determining whether a website is a phishing website, and apparatus for the same

Country Status (1)

Country Link
GB (1) GB2462456A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8438642B2 (en) * 2009-06-05 2013-05-07 At&T Intellectual Property I, L.P. Method of detecting potential phishing by analyzing universal resource locators
CN104077396A (en) * 2014-07-01 2014-10-01 清华大学深圳研究生院 Method and device for detecting phishing website
US20150082451A1 (en) * 2013-09-17 2015-03-19 Exacttarget, Inc. System and Method for Evaluating Domains to Send Emails While Maintaining Sender Reputation
US10200381B2 (en) * 2015-08-05 2019-02-05 Mcafee, Llc Systems and methods for phishing and brand protection

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217815B (en) * 2020-10-10 2022-09-13 杭州安恒信息技术股份有限公司 Phishing website identification method and device and computer equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123157A1 (en) * 2002-12-13 2004-06-24 Wholesecurity, Inc. Method, system, and computer program product for security within a global computer network
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
WO2007030764A2 (en) * 2005-09-06 2007-03-15 Daniel Chien Identifying a network address source for authentication
WO2007096659A1 (en) * 2006-02-27 2007-08-30 University Of Newcastle Upon Tyne Phishing mitigation
US20070233643A1 (en) * 2006-03-29 2007-10-04 Kang Jung M Apparatus and method for protecting access to phishing site
EP1850235A1 (en) * 2005-02-18 2007-10-31 Duaxes Corporation Communication control device
US20080046738A1 (en) * 2006-08-04 2008-02-21 Yahoo! Inc. Anti-phishing agent
US20080172741A1 (en) * 2007-01-16 2008-07-17 International Business Machines Corporation Method and Apparatus for Detecting Computer Fraud

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123157A1 (en) * 2002-12-13 2004-06-24 Wholesecurity, Inc. Method, system, and computer program product for security within a global computer network
EP1850235A1 (en) * 2005-02-18 2007-10-31 Duaxes Corporation Communication control device
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
WO2007030764A2 (en) * 2005-09-06 2007-03-15 Daniel Chien Identifying a network address source for authentication
WO2007096659A1 (en) * 2006-02-27 2007-08-30 University Of Newcastle Upon Tyne Phishing mitigation
US20070233643A1 (en) * 2006-03-29 2007-10-04 Kang Jung M Apparatus and method for protecting access to phishing site
US20080046738A1 (en) * 2006-08-04 2008-02-21 Yahoo! Inc. Anti-phishing agent
US20080172741A1 (en) * 2007-01-16 2008-07-17 International Business Machines Corporation Method and Apparatus for Detecting Computer Fraud

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8438642B2 (en) * 2009-06-05 2013-05-07 At&T Intellectual Property I, L.P. Method of detecting potential phishing by analyzing universal resource locators
US9058487B2 (en) 2009-06-05 2015-06-16 At&T Intellectual Property I, L.P. Method of detecting potential phishing by analyzing universal resource locators
US9521165B2 (en) 2009-06-05 2016-12-13 At&T Intellectual Property I, L.P. Method of detecting potential phishing by analyzing universal resource locators
US20150082451A1 (en) * 2013-09-17 2015-03-19 Exacttarget, Inc. System and Method for Evaluating Domains to Send Emails While Maintaining Sender Reputation
US10135766B2 (en) * 2013-09-17 2018-11-20 Salesforce.Com, Inc. System and method for evaluating domains to send emails while maintaining sender reputation
US10587550B1 (en) 2013-09-17 2020-03-10 Salesforce.Com, Inc. System and method for evaluating domains to send emails while maintaining sender reputation
CN104077396A (en) * 2014-07-01 2014-10-01 清华大学深圳研究生院 Method and device for detecting phishing website
CN104077396B (en) * 2014-07-01 2017-05-17 清华大学深圳研究生院 Method and device for detecting phishing website
US10200381B2 (en) * 2015-08-05 2019-02-05 Mcafee, Llc Systems and methods for phishing and brand protection
US10778704B2 (en) 2015-08-05 2020-09-15 Mcafee, Llc Systems and methods for phishing and brand protection

Also Published As

Publication number Publication date
GB0814461D0 (en) 2008-09-10

Similar Documents

Publication Publication Date Title
US11019094B2 (en) Methods and systems for malicious message detection and processing
US8813239B2 (en) Online fraud detection dynamic scoring aggregation systems and methods
Jain et al. A novel approach to protect against phishing attacks at client side using auto-updated white-list
US9123027B2 (en) Social engineering protection appliance
US8056128B1 (en) Systems and methods for detecting potential communications fraud
US9985978B2 (en) Method and system for misuse detection
Li et al. Knowing your enemy: understanding and detecting malicious web advertising
JP4880675B2 (en) Detection of unwanted email messages based on probabilistic analysis of reference resources
Wondracek et al. Is the Internet for Porn? An Insight Into the Online Adult Industry.
US20130263263A1 (en) Web element spoofing prevention system and method
Banerjee et al. SUT: Quantifying and mitigating url typosquatting
RU2676247C1 (en) Web resources clustering method and computer device
WO2013013475A1 (en) Phishing detection method and device
Geng et al. Combating phishing attacks via brand identity and authorization features
GB2462456A (en) A method of determining whether a website is a phishing website, and apparatus for the same
Mishra et al. Intelligent phishing detection system using similarity matching algorithms
EP3195140B1 (en) Malicious message detection and processing
Wood et al. Systematic Literature Review: Anti-Phishing Defences and Their Application to Before-the-click Phishing Email Detection
Bermudez-Villalva et al. A measurement study on the advertisements displayed to web users coming from the regular web and from tor
Jeun et al. Collecting and filtering out phishing suspicious URLs using SpamTrap system
Agrawal et al. Discernment of search engine spamming and counter measure for it
Patel Design and Implementation of Heuristic based Phishing detection technique
Nittur et al. A Method to Detect Threat in Advertisement URL and its Content
JP2022007278A (en) Signature generation device, detection device, signature generation program, and detection program

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)