GB2555384A - Preventing phishing attacks - Google Patents



Publication number
GB2555384A
Authority
GB
United Kingdom
Prior art keywords
content
data
password
copy
user
Prior art date
Legal status
Granted
Application number
GB1617801.4A
Other versions
GB2555384B (en)
GB201617801D0 (en)
Inventor
Hentunen Daavid
Current Assignee
WithSecure Oyj
Original Assignee
F Secure Oyj
Priority date
Filing date
Publication date
Application filed by F Secure Oyj
Priority to GB1617801.4A (patent GB2555384B)
Publication of GB201617801D0
Publication of GB2555384A
Application granted
Publication of GB2555384B
Current legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/83 Protecting input, output or interconnection devices: input devices, e.g. keyboards, mice or controllers thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/031 Protect user input by software means

Abstract

An intent to type or copy paste any content to a password field related to a service is detected 202, particularly by detecting data entry into the password field. At least part of the content intended to be typed or copy pasted to the password field is replaced 204 with random data while it is being typed or copy pasted. Service data, such as a PIN, a digital certificate, or public/private keys related to the matching user password data, and the content are compared. In the event the service data of the matching user password data and the content match 210, the random data in the password field is replaced with the content intended to be typed or copy pasted 212. In the event the service data of the matching user password data and the content do not match, further action is taken 216, particularly blocking the service, preventing operation of the application or website, or alerting the user.

Description

(54) Title of the Invention: Preventing phishing attacks
(57) Abstract Title: Preventing a phishing attack on an end user device by replacing data in password with random data
[Drawing GB2555384A_D0001: Figure 2 (abstract drawing)]
[Drawing GB2555384A_D0002: Figure 1]
[Drawing GB2555384A_D0003: Figure 2]
[Drawing GB2555384A_D0004: Figure 3]
[Drawing GB2555384A_D0005: Figure 4]
Preventing Phishing Attacks
Technical Field
The present invention relates to detecting and preventing phishing attacks.
Background
Phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card details for malicious reasons by masquerading as a trustworthy entity in an electronic communication. For example, people tend to click on any link and type their password into every web page that requests it. Phishing emails, for example, may contain links to websites that expect users to input their information. Among other routes, phishing may be carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website that may look and feel almost identical to the legitimate one. The main distribution vector for phishing websites is communication messages, such as emails. After a phishing web page is set up, people are typically spammed with messages in order to lure them to visit the phishing web page and enable the attackers to acquire their credentials.
Phishing may also be initiated by SMS messages sent by scammers claiming to be from a bank and requesting the user to authenticate by typing in their credentials. Attackers may even use phone calls with programmed speech, claiming to be from a website that in reality uses such technology, such as banks and ISPs, and request user credentials. Attackers may also abuse SS7 vulnerabilities to send an instant message that appears to have been sent by a close friend and requests the user's credentials to some service along with a believable excuse. Users may also launch familiar-looking applications that normally request their credentials but were in reality installed by scammers in order to steal admin credentials.
There is a need for improved methods and systems for preventing users from willingly giving out their credentials to entities that are not supposed to have access to them.
Summary
It is an object of the present invention to enhance the conventional phishing prevention in order to reduce the risk of attack.
According to a first aspect of the present invention there is provided a method of preventing a phishing attack on an end user device. The method comprises: detecting an intent to type or copy paste any content to a password field related to a service; preventing typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted; comparing the content intended to be typed or copy pasted to the password field with user password data maintained in a database of user password data and related service data thereof; in the event a matching user password data with the content is found, comparing the service data related to the matching user password data and the content; in the event the service data of the matching user password data and the content also match, replacing the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching user password data and the content do not match, continuing preventing typing or copy pasting the content to the password field and taking further action.
According to a second aspect of the present invention there is provided an apparatus for preventing a phishing attack on an end user device. The apparatus comprises processor circuitry and a storage unit for storing instructions executable by the processor circuitry, whereby the apparatus is operative to: detect an intent to type or copy paste any content to a password field related to a service; prevent typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted; compare the content intended to be typed or copy pasted to the password field with user password data maintained in a database of user password data and related service data thereof; in the event user password data matching the content is found, compare the service data related to the matching user password data and the content; in the event the service data of the matching user password data and the content also match, replace the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching user password data and the content do not match, continue preventing typing or copy pasting the content to the password field and take further action.
According to a third aspect of the present invention there is provided a non-transitory computer storage medium having stored thereon computer program code for implementing the above method.
Brief Description of the Drawings
Figure 1 illustrates schematically in a block diagram an example network architecture;
Figure 2 is a flow diagram illustrating at a high level the procedure according to an embodiment;
Figure 3 illustrates schematically in a block diagram a user device; and
Figure 4 is a flow diagram showing example steps at an apparatus.
Detailed Description
The following embodiments are exemplary. Although the specification may refer to “an”, “one”, or “some” embodiment(s) in several locations, this does not necessarily mean that each such reference is to the same embodiment(s), or that the feature only applies to a single embodiment. Single features of different embodiments may also be combined to provide other embodiments. Furthermore, words “comprising” and “including” should be understood as not limiting the described embodiments to consist of only those features that have been mentioned and such embodiments may contain also features/structures that have not been specifically mentioned.
Figures 1 and 3 illustrate general examples of apparatuses in which the embodiments of the invention may be applied. They show only the elements and functional entities that are required for understanding the arrangement according to an embodiment of the invention. Other components have been omitted for the sake of simplicity. The implementation of the elements and functional entities may vary from that shown in the figures. The connections shown are logical connections and the actual physical connections may be different. It is apparent to a person skilled in the field that the arrangement may also comprise other functions and structures. For example, the functional entities of the user device 1 may also physically reside in separate locations. Some or all of the device processes may be implemented using cloud computing, in which resources are provided to a local client on an on-demand basis, usually by means of the Internet.
Figure 1 shows a simple network architecture in which a user device 1, such as a personal computer, smartphone, mobile phone, laptop or tablet, is in communication with other network elements such as web resources 2 in the Internet. A web resource may refer to targets of uniform resource locators (URLs) but may also be a referent of any uniform resource identifier or internationalized resource identifier. The web resource may comprise every 'thing' or entity that can be identified, named, addressed or handled, in any way, in the web at large, or in any network information system. The user device 1 may also be in communication with a reputation server 3 and can also connect to other data sources. The devices may connect by any suitable communications network, for example via the Internet.
The end user device 1 comprises a graphical user interface (GUI) 2. Code 3 for implementing an operating system (OS) is installed in a device memory 4, and is run by a processor 5 and other memories 6. The OS may be, for example, Android™, iOS™, or Windows Mobile™.
Figure 2 is a flow diagram illustrating an example of the operation of an apparatus in accordance with one embodiment of the invention.
At step 200, user password data and related service data are maintained in a database. The user password data may, for example, be any of: a user password, a calculated checksum of the user password, or any calculated hash value or fingerprint of the user password. In an embodiment, calculated checksums for user passwords and the related service data thereof are maintained in the database. The user passwords may have been collected from various places and services, such as passwords that have been saved in a browser password store, or passwords typed into website login forms where the user had opted not to save them (e.g. password fields that show characters as asterisks). The user passwords may be collected from one or more password manager applications or cloud-based password stores. Passwords typed into other applications may also be collected using a key logger. Further, any login-related hashes may be collected from the memory of the device.
Strong checksums, for example SHA256/SHA512, may be calculated for the collected user passwords before they are stored along with the related service data, such as the application or website (domain) information for which the password is related to. The service data may comprise any number of data that may be used to identify the service for which the password is intended, such as application, website, usernames, PINs, digital certificates, software keys, public/private encryption keys, and/or others. The passwords, hashes and/or checksums and the related service data may be stored in a local database, for example. This database can also be located at the server apparatus or at a separate database that is accessible via a communication network.
A request for a security credential of the user is issued, for example, when the user navigates a browser to a secure application or service, when he/she attempts to open an application program secured with a password, etc. The security credential request is issued by the application, online service, data repository, or other electronic system, via a browser or other logic executing on the requesting device for the purpose of accessing the application, service, repository or other entity.
At step 202, the device monitors any attempt to type or copy paste content to a password field of any such service requesting security credentials. If an intent to type or copy paste to a password field is detected, then 204 is entered, where at least part of the content to be typed or copy pasted to the password field is replaced with random data while it is being typed or copy pasted. This means that typing or copy pasting the intended content to the password field is prevented by replacing the content intended to be typed or copy pasted with random or any garbage data while it is being typed or copy pasted. While the user is typing something, the typed content may thus be replaced with other content. However, as password field content may be shown to the user as asterisk characters, it is possible that the user will not see any difference.
At 206, a sliding window checksum (SHA256/SHA512) is calculated for the content intended to be typed or copy pasted, up to some maximum assumed password length, while the user is typing or copy pasting. The maximum length may be derived from the previously collected passwords. This step is required when the user password data maintained in the database includes checksums of the user passwords.
At 208, the calculated checksums from step 206 and those maintained in the database (step 200) are compared. If matching checksums are detected, then 210 is entered. In the event only passwords are maintained in the database, then at 208 the content intended to be typed or copy pasted to the password field is compared with the passwords maintained in the database. On the basis of the detection, it may be determined that the user is currently giving out his/her password to some service. At 210, the related service data of the matching checksums/passwords are compared. For example, the application or website where the user is typing the password is compared with the applications or websites stored in the database.
If matching service data is found, it can be determined that the user is giving his/her credentials to an application or a website that was supposed to get them. Step 212 is entered where the random data in the password field is replaced with the content that the user intended to be typed or copy pasted at 202. The analysis is ended at 214.
If at 210 no matching service data is detected, this may be taken as an indication that the user may be giving his/her credentials to suspected scammers, and 216 is entered where further action is taken. The further action may comprise any of: blocking the related service, preventing operation of the application or website related to the service, or alerting the user to a potential phishing attack. It is thus possible that the usage of the application or website in question is prevented or stopped for the time being while the user is educated about the potential attack and asked to indicate whether he/she really wants to send credentials to the potential scammer.
In the case of applications or websites requiring the user to press enter before the password is submitted, the embodiments of the invention may safely protect the user from losing his/her credentials. In the case of real-time communication channels, such as live phone calls or virtual reality discussions that do not require a separate submit action, the further action may comprise reporting to the user that he/she may have been scammed.
In an embodiment, it is possible that the related application or service for which the password is intended to be used is unknown. This is possible if, for example, a password manager application does not comprise enough information about the possible login URL or the service. In this situation it is possible to start collecting local prevalence data, that is, collecting data identifying in what context (active applications or website URLs) the user uses this specific password. If the user constantly uses the password for a certain URL, then this prevalence data is stored in the local database as the related service data.
In an embodiment, when the communication channel does not require a submission action (pressing enter) and the password is sufficiently long, checksums may also be calculated for versions of the password a few characters shorter than the original. For example, if the original password is “password”, checksums for “passwo”, “passwor” and “password” can be calculated. This makes it possible to prevent the user from disclosing his/her full password to scammers that use a channel requiring no submission action (a phone call or real-time text chat). If the password is short enough and only versions one or two characters shorter are calculated, the security may not be compromised too much.
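The procedure of steps 200 to 216 above, together with the shortened-password checksums of this embodiment, as an added example in Python (this code is not part of the patent and is not the assignee's implementation). It assumes a database keyed by SHA-256 checksums with the service data reduced to a website domain, constructed sample credentials, and an alphabet of letters and digits for the random replacement data; the class and function names are the example's own.

```python
import hashlib
import secrets
import string

# Constructed sample credentials for step 200 (invented for this example):
# (user password, service data reduced to a website domain).
SAMPLE_CREDENTIALS = [
    ("correct horse battery", "bank.example"),
    ("hunter2hunter2", "mail.example"),
]

FILLER = string.ascii_letters + string.digits  # alphabet for the random replacement data


def checksum(text: str) -> str:
    """Strong checksum (SHA-256) of a password or of a typed prefix of it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PasswordGuard:
    """Checksum database (step 200) plus the per-keystroke logic of steps 202-216."""

    def __init__(self, credentials, shorten_by: int = 0, max_len: int = 0):
        self.db = {}  # checksum -> set of services the password is known to belong to
        # Step 206: the window bound is derived from the collected passwords.
        self.max_len = max_len or max(len(pw) for pw, _ in credentials)
        for pw, service in credentials:
            # Store the full password and, optionally, versions shortened by up
            # to `shorten_by` characters so that a match fires before the full
            # password has been disclosed on a channel without a submit action.
            for cut in range(min(shorten_by, len(pw) - 1) + 1):
                self.db.setdefault(checksum(pw[: len(pw) - cut]), set()).add(service)
        self.typed = ""        # content the user intended to type (held back)
        self.field = ""        # what the password field actually contains
        self.released = False  # True once the real content has been let through

    def keystroke(self, ch: str, service: str) -> str:
        """Steps 202/204: record the intended character, put random data in the field."""
        self.typed += ch
        if self.released:
            self.field += ch
            return "allow"
        self.field += secrets.choice(FILLER)
        return self.evaluate(service)

    def evaluate(self, service: str) -> str:
        """Steps 206-216 on the content typed so far: 'allow', 'block' or 'unknown'."""
        window = self.typed[-self.max_len:]
        # Sliding window: every suffix ending at the cursor is a candidate password.
        for start in range(len(window)):
            services = self.db.get(checksum(window[start:]))
            if services is None:
                continue                      # step 208: no matching checksum
            if service in services:           # step 210: service data match
                self.field = self.typed       # step 212: restore the real content
                self.released = True
                return "allow"
            return "block"                    # step 216: keep withholding, take further action
        return "unknown"

    def submit(self, service: str) -> str:
        """On submit with no match at step 208, learn the new credential for this service."""
        decision = self.evaluate(service)
        if decision == "unknown" and self.typed:
            self.db.setdefault(checksum(self.typed), set()).add(service)
            self.field, self.released = self.typed, True
            return "stored"
        return decision


def type_text(credentials, text: str, service: str, shorten_by: int = 0):
    """Type `text` into a field for `service`; return (first decision, keystrokes taken, field content)."""
    guard = PasswordGuard(credentials, shorten_by=shorten_by)
    for count, ch in enumerate(text, 1):
        decision = guard.keystroke(ch, service)
        if decision != "unknown":
            return decision, count, guard.field
    return "unknown", len(text), guard.field


if __name__ == "__main__":
    print(type_text(SAMPLE_CREDENTIALS, "correct horse battery", "bank.example"))
    print(type_text(SAMPLE_CREDENTIALS, "correct horse battery", "phish.example", shorten_by=2))
```

Each keystroke is held back and a random character is placed in the field; every suffix of the recent content is hashed, so the match fires at the keystroke that completes a stored password (or, with `shorten_by`, a stored shortened version of it). On a service match the real content is released into the field; on a checksum match for a different service the decision is `block` and the field keeps only random data, which is the point at which the further action of step 216 would be taken. The database here is held in memory only; a deployment would keep the checksum table in protected storage, since a leaked table permits offline guessing of the passwords behind it.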
In the event a matching user password data with the content is not found at step 208, the new password/checksum related to the relevant service may be stored in the database. Thus the database can be populated with any new user password data and the relevant service data. The first time a password is used for any service, this new data may be stored in the database for further use.
In the event user password data matching the content is not found at step 208, it is possible to continue the analysis by varying the content intended to be typed or copy pasted to the password field: brute-forcing one or more characters of the content one at a time and/or adding or removing characters of the content, calculating checksums for the varied content, comparing them with the checksums maintained in the database, and determining whether the checksums match. This is because users typically mistype their passwords all the time, and in this way it is possible to prevent phishing attacks even when the user is mistyping the password into a phishing site. Thus variations of the originally typed password (e.g. brute-forcing a couple of characters one at a time and adding or removing a character here and there) can be made, and the checksums calculated from them compared with the stored checksums.
In case the original password is stored locally instead of a checksum of it, it is possible to calculate an edit distance between the stored and typed passwords and set a threshold that allows a few characters to be wrong; if only a few characters are wrong, the passwords can be treated as the same. Thus, in the event user password data matching the content is not found and the user password data maintained in the database comprises the user password, an edit distance may be calculated between the content intended to be typed or copy pasted and the maintained passwords, and it may be determined that matching user password data is found if the calculated edit distance between the content and a maintained password is below the predetermined threshold.
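The two fuzzy-matching variants described above (brute-forcing single characters and adding or removing characters against a checksum-only database, and an edit-distance threshold against a plaintext database), as an added example in Python that is not part of the patent. The typo alphabet, the threshold of two edits, the sample credentials and all function names are assumptions of this example.

```python
import hashlib
import string

# Alphabet assumed for single-character typing mistakes (an assumption of this example).
TYPO_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed sample credentials (invented for this example): (password, service).
SAMPLE_CREDENTIALS = [
    ("correct horse battery", "bank.example"),
    ("hunter2hunter2", "mail.example"),
]


def checksum(text: str) -> str:
    """SHA-256 checksum, as used for the database of step 200."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_checksum_db(credentials):
    """Database variant that keeps only checksums: checksum -> set of services."""
    db = {}
    for pw, service in credentials:
        db.setdefault(checksum(pw), set()).add(service)
    return db


def build_plaintext_db(credentials):
    """Database variant that keeps the passwords themselves: password -> set of services."""
    db = {}
    for pw, service in credentials:
        db.setdefault(pw, set()).add(service)
    return db


def single_edit_variants(content: str):
    """Yield the content itself, then every string one edit away from it:
    one character removed, one character brute-forced (substituted), one
    character added."""
    yield content
    for i in range(len(content)):
        yield content[:i] + content[i + 1:]                 # remove character i
        for c in TYPO_ALPHABET:
            if c != content[i]:
                yield content[:i] + c + content[i + 1:]     # brute-force character i
    for i in range(len(content) + 1):
        for c in TYPO_ALPHABET:
            yield content[:i] + c + content[i:]             # add a character at i


def match_by_checksum(content: str, db):
    """Checksum-only database: return (matching password variant, services) or None."""
    for variant in single_edit_variants(content):
        services = db.get(checksum(variant))
        if services:
            return variant, services
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def match_by_edit_distance(content: str, plain_db, threshold: int = 2):
    """Plaintext database: return (distance, password, services) of the closest
    stored password within `threshold` edits, or None."""
    best = None
    for pw, services in plain_db.items():
        d = edit_distance(content, pw)
        if d <= threshold and (best is None or d < best[0]):
            best = (d, pw, services)
    return best


if __name__ == "__main__":
    print(match_by_checksum("correct horse batery", build_checksum_db(SAMPLE_CREDENTIALS)))
    print(match_by_edit_distance("corect horse batery", build_plaintext_db(SAMPLE_CREDENTIALS)))
```

The checksum variant enumerates every string one edit away from the typed content (about 4,000 SHA-256 computations for a 20-character entry), so it is cheap enough to run on each submission, but it cannot recover from two simultaneous typos. The edit-distance variant handles those but requires the passwords themselves to be stored locally, which widens the impact of a compromise of that database; the checksum form is the safer default where the match rate is acceptable.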
It will be appreciated that various modifications may be made to the above described embodiments without departing from the scope of the invention. For example, various tasks described above as being performed by the end user device may be delegated to a remote server or server cloud. For example, relevant data may be passed from the end user device to a server, with the server performing analysis based upon the comparisons, before notifying the end user device whether or not giving credentials to the application/service can be allowed.
Turning now to Figure 3, there is shown an exemplary user device 1. A first receiver 17 is provided that is arranged to receive a request for user credentials from a service over the Internet or other network. A processor 15 is provided that is arranged to detect an intent to type or copy paste any content to a password field related to the service, prevent typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted, and compare the content intended to be typed or copy pasted to the password field with user password data maintained in a database of user password data and related service data thereof. The processor 15 is further arranged to compare the service data related to the matching user password data and the content, and replace the random data in the password field with the content intended to be typed or copy pasted in the event the service data of the matching user password data and the content also match. In the event the service data of the matching checksums do not match, the processor 15 is arranged to continue preventing typing or copy pasting the content to the password field and take further action.
In an embodiment, the processor 15 is arranged to display a warning message at the client device when the access to the related web resource has been blocked.
In an embodiment, the processor 15 is arranged to receive a user indication to add the blocked web resource to a whitelist of allowed web resources, and to allow access to the web resource after receiving the user indication. The user indication can be received via a user input 25 of the user device 1. The user input 25 is used by the user to input information such as a selection of whether to add a URL to the whitelist.
In the above description, the user device 1 is described as having different transmitters and receivers 16, 17, 18, 20. It will be appreciated that these may be disposed in any suitable manner, for example in a single transmitter and receiver, a transceiver and so on. Similarly, a single processor 15 is described but it will be appreciated that the function of the processor may be performed by a single physical processor or by more than one processor.
The user device 1 is also provided with a non-transitory computer readable medium in the form of a memory 22. The memory may be used to store a computer program 23 which, when executed by the processor 15, causes the processor 15 to perform the functions described above. Note that the computer program 23 may be provided from an external source 24 such as a carrier wave, a flash disk, a disk and so on. The memory 22 may also be allocated a region for storing the downloaded electronic file for metadata extraction. An anti-virus application may also be implemented in use by code, stored in the hard disk drive, running on the processor.
The processing system may refer to any one of the following: (a) a hardware-only circuit implementation such as an implementation in only analogue and/or digital circuitry; (b) a combination of hardware circuitry and software and/or firmware, such as (as applicable): (i) a combination of processor(s) or processor cores; or (ii) portions of processor(s)/software including digital signal processor(s), software, and at least one memory that work together to cause the apparatus to perform specific functions; and (c) circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present. The processing system may also cover an implementation of merely a processor (or multiple processors) or portion of a processor, e.g. one or multiple cores of a multi-core processor, and its (or their) accompanying software and/or firmware. The term processing system would also cover, for example, an integrated circuit, an application-specific integrated circuit (ASIC), and/or a field-programmable gate array (FPGA) circuit for the apparatus according to an embodiment of the invention.
The processes or methods described may also be carried out in the form of a computer process defined by a computer program. The computer program may be in source code form, object code form, or in some intermediate form, and it may be stored in some sort of carrier, which may be any entity or device capable of carrying the program. Such carriers include transitory and/or non-transitory computer media, e.g. a record medium, computer memory, read-only memory, electrical carrier signal, telecommunications signal, and software distribution package. Depending on the processing power needed, the computer program may be executed in a single electronic digital processing unit or it may be distributed amongst a number of processing units.
According to exemplifying embodiments of the present invention, any one of the processor, the memory and the interface may be implemented as individual modules, chips, chipsets, circuitries or the like, or one or more of them can be implemented as a common module, chip, chipset, circuitry or the like, respectively.
According to exemplifying embodiments of the present invention, a system may comprise any conceivable combination of the thus depicted devices/apparatuses and other network elements, which are configured to cooperate as described above.
Figure 4 is a flow diagram showing exemplary steps at the user device 1.
At 400, the user device detects an intent to type or copy paste any content to a password field related to a service.
At 402, the user device prevents typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted.
At 404, the user device compares the content intended to be typed or copy pasted to the password field with user password data maintained in a database. The calculated checksums for user passwords and the related service data thereof can be maintained in a database on the end user device or elsewhere.
At 406, in the event user password data matching the content is found, the user device compares the service data related to the matching user password data with the content.
At 408, in the event the service data of the matching user password data and the content also match, the user device replaces the random data in the password field with the content intended to be typed or copy pasted.
At 410, in the event the service data of the matching user password data and the content do not match, the user device continues preventing typing or copy pasting the content to the password field and takes further action.
In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Such software may be software code independent and can be specified using any known or future developed programming language, such as e.g. Java, C++, C, and Assembler, as long as the functionality defined by the method steps is preserved. Such hardware may be hardware type independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components. A device/apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of a device/apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor. A device may be regarded as a device/apparatus or as an assembly of more than one device/apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
Apparatuses and/or units, means or parts thereof can be implemented as individual devices, but this does not exclude that they may be implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible or non-transitory medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof. A computer program product encompasses a computer memory encoded with executable instructions representing a computer program for operating/driving a computer connected to a network.
The present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
The present invention is applicable to apparatuses defined above but also to other suitable systems or computer networks. The specifications of the systems develop rapidly and such development may require extra changes to the described embodiments. Therefore, all words and expressions should be interpreted broadly and they are intended to illustrate, not to restrict, the embodiment. It will be obvious to a person skilled in the art that, as technology advances, the inventive concept can be implemented in various ways. The invention and its embodiments are not limited to the examples described above but may vary within the scope of the claims.

Claims (17)

CLAIMS:
1. A method of preventing a phishing attack on an end user device, the method comprising:
detecting an intent to type or copy paste any content to a password field related to a service;
preventing typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted;
comparing the content intended to be typed or copy pasted to the password field with user password data maintained in a database of user password data and related service data thereof;
in the event a matching user password data with the content is found, comparing the service data related to the matching user password data and the content;
in the event the service data of the matching user password data and the content also match, replacing the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching user password data and the content do not match, continuing preventing typing or copy pasting the content to the password field and taking further action.
2. The method according to claim 1, wherein taking further action in the event the service data of the matching user password data and the content do not match comprises any of: blocking the related service, preventing operation of application or website related to the service, alerting or indicating the user about a potential phishing attack.
3. The method according to claim 1, wherein the user password data comprises any of: a user password, a calculated checksum of the user password, any calculated hash value or fingerprint of the user password.
4. The method according to claim 1, wherein the service data comprises data related to an application or a website for which the password is intended.
5. The method according to claim 1, wherein calculated checksums for user passwords are maintained in the database and the method further comprises: calculating a checksum for the content intended to be typed or copy pasted to the password field; comparing the calculated checksum with the checksums maintained in the database; in the event a matching checksum is found, comparing the service data related to the matching checksums; in the event the service data of the matching checksums also match, replacing the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching checksums do not match, continuing preventing typing or copy pasting the content to the password field and taking further action.
6. The method according to claim 1, wherein a checksum is calculated for the content up to a predetermined maximum password length.
7. The method according to claim 6, wherein the maximum password length is derived from the user password data maintained in the database.
8. The method according to claim 1, the method further comprising: in the event a matching user password data with the content is not found, varying the content intended to be typed or copy pasted to the password field by brute-forcing one or more characters of the content one at a time and/or adding or removing characters of the content; comparing checksums calculated for the varied content with the checksums maintained in the database; and determining whether the checksums match.
9. The method according to claim 1, the method further comprising: in the event a matching user password data with the content is not found and the user password data maintained in the database comprises the user password, calculating an edit distance between the content intended to be typed or copy pasted and the maintained passwords; and determining that matching user password data with the content is found if a calculated edit distance between the content and the maintained password is below a predetermined threshold.
10. A non-transitory computer storage medium having stored thereon computer program code for implementing the method of claim 1.
11. Apparatus for preventing a phishing attack on an end user device, the apparatus comprising processor circuitry and a storage unit for storing instructions executable by the processor circuitry, whereby the apparatus is operative to:
detect an intent to type or copy paste any content to a password field related to a service;
prevent typing or copy pasting the content to the password field by replacing at least part of the content intended to be typed or copy pasted to the password field with random data while it is being typed or copy pasted;
compare the content intended to be typed or copy pasted to the password field with user password data maintained in a database of user password data and related service data thereof;
in the event a matching user password data with the content is found, compare the service data related to the matching user password data and the content;
in the event the service data of the matching user password data and the content also match, replace the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching user password data and the content do not match, continue preventing typing or copy pasting the content to the password field and take further action.
12. The apparatus according to claim 11, wherein the apparatus is operative to take further action in the event the service data of the user password data and the content do not match by any of: blocking the related service, preventing operation of application or website related to the service, alerting or indicating the user about a potential phishing attack.
13. The apparatus according to claim 11, wherein the user password data comprises any of: a user password, a calculated checksum of the user password, any calculated hash value or fingerprint of the user password.
14. The apparatus according to claim 11, wherein the service data comprises data related to an application or a website for which the password is intended.
15. The apparatus according to claim 11, wherein calculated checksums for user passwords are maintained in the database and apparatus is operative to: calculate a checksum for the content intended to be typed or copy pasted to the password field; compare the calculated checksum with the checksums maintained in the database; in the event a matching checksum is found, compare the service data related to the matching checksums; in the event the service data of the matching checksums also match, replace the random data in the password field with the content intended to be typed or copy pasted; and in the event the service data of the matching checksums do not match, continue preventing typing or copy pasting the content to the password field and take further action.
16. The apparatus according to claim 11, wherein in the event a matching user password data with the content is not found, the apparatus is operative to vary the content intended to be typed or copy pasted to the password field by brute-forcing one or more characters of the content one at a time and/or adding or removing characters of the content; compare checksums calculated for the varied content with the checksums maintained in the database; and determine whether the checksums match.
17. The apparatus according to claim 11, wherein in the event a matching user password data with the content is not found and the user password data maintained in the database comprises the user password, the apparatus is operative to calculate an edit distance between the content intended to be typed or copy pasted and the maintained passwords; and determine that matching user password data with the content is found if a calculated edit distance between the content and the maintained password is below a predetermined threshold.
Intellectual Property Office. Application No: GB1617801.4. Examiner: Mr Jim Calvert

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1617801.4A GB2555384B (en) 2016-10-21 2016-10-21 Preventing phishing attacks


Publications (3)

Publication Number Publication Date
GB201617801D0 GB201617801D0 (en) 2016-12-07
GB2555384A true GB2555384A (en) 2018-05-02
GB2555384B GB2555384B (en) 2020-04-01

Family

ID=57738078

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1617801.4A Active GB2555384B (en) 2016-10-21 2016-10-21 Preventing phishing attacks

Country Status (1)

Country Link
GB (1) GB2555384B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600361A (en) * 2018-11-26 2019-04-09 武汉极意网络科技有限公司 Identifying code anti-attack method and device based on hash algorithm
EP3674933A1 (en) * 2018-12-28 2020-07-01 AO Kaspersky Lab System and method of changing the password of an account record under a threat of unlawful access to user data
US11496511B1 (en) * 2019-09-04 2022-11-08 NortonLifeLock Inc. Systems and methods for identifying and mitigating phishing attacks
WO2023041800A1 (en) * 2021-09-20 2023-03-23 Hid Global Cid Sas Website verification with proof of origin
US11630895B2 (en) 2018-12-28 2023-04-18 AO Kaspersky Lab System and method of changing the password of an account record under a threat of unlawful access to user data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060101128A1 (en) * 2004-08-18 2006-05-11 Waterson David L System for preventing keystroke logging software from accessing or identifying keystrokes
US20090254994A1 (en) * 2002-02-18 2009-10-08 David Lynch Waterson Security methods and systems
US8799809B1 (en) * 2008-06-04 2014-08-05 United Services Automobile Association (Usaa) Systems and methods for key logger prevention security techniques



Also Published As

Publication number Publication date
GB2555384B (en) 2020-04-01
GB201617801D0 (en) 2016-12-07

Similar Documents

Publication Publication Date Title
US11888868B2 (en) Identifying security risks and fraud attacks using authentication from a network of websites
US10673896B2 (en) Devices, systems and computer-implemented methods for preventing password leakage in phishing attacks
US11025655B1 (en) Network traffic inspection
TWI620090B (en) Login failure sequence for detecting phishing
US10601865B1 (en) Detection of credential spearphishing attacks using email analysis
GB2555384A (en) Preventing phishing attacks
US9112834B1 (en) Protecting sensitive web transactions using a communication channel associated with a user
WO2017066120A1 (en) Detection of bypass vulnerabilities
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
US10412078B2 (en) Advanced local-network threat response
EP3687140B1 (en) On-demand and proactive detection of application misconfiguration security threats
US11785044B2 (en) System and method for detection of malicious interactions in a computer network
US20210314339A1 (en) On-demand and proactive detection of application misconfiguration security threats
US10834074B2 (en) Phishing attack prevention for OAuth applications
US11509691B2 (en) Protecting from directory enumeration using honeypot pages within a network directory
US11303670B1 (en) Pre-filtering detection of an injected script on a webpage accessed by a computing device
US10474810B2 (en) Controlling access to web resources
Chorghe et al. A survey on anti-phishing techniques in mobile phones
US20220232015A1 (en) Preventing cloud-based phishing attacks using shared documents with malicious links
US9762591B2 (en) Message sender authenticity validation
Taraka Rama Mokshagna Teja et al. Prevention of Phishing Attacks Using QR Code Safe Authentication
US10484422B2 (en) Prevention of rendezvous generation algorithm (RGA) and domain generation algorithm (DGA) malware over existing internet services
US11356481B1 (en) Preventing phishing attempts of one-time passwords
Rahamathunnisa et al. Preventing from phishing attack by implementing url pattern matching technique in web
CN112926056B (en) Method and system for detecting unauthorized access to cloud applications based on speed events

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20221006 AND 20221012