US20150319191A1 - Anti-phishing domain advisor and method thereof - Google Patents

Anti-phishing domain advisor and method thereof Download PDF

Info

Publication number
US20150319191A1
US20150319191A1 US14/797,525 US201514797525A US2015319191A1 US 20150319191 A1 US20150319191 A1 US 20150319191A1 US 201514797525 A US201514797525 A US 201514797525A US 2015319191 A1 US2015319191 A1 US 2015319191A1
Authority
US
United States
Prior art keywords
phishing
advisor
dns
address
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/797,525
Inventor
Milen Georgiev
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
VISICOM MEDIA Inc
Original Assignee
VISICOM MEDIA Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by VISICOM MEDIA Inc filed Critical VISICOM MEDIA Inc
Priority to US14/797,525 priority Critical patent/US20150319191A1/en
Publication of US20150319191A1 publication Critical patent/US20150319191A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • H04L61/1511
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • This disclosure generally relates to techniques for allowing safe browsing of the Internet, and more particularly to protecting from phishing attacks and redirection errors.
  • the Internet has rapidly changed the way people access information.
  • the Internet gives users access to a vast number of resources from locations around the world.
  • the Internet allows users to perform commercial transactions and share private and sensitive information.
  • a significant concern when browsing the Internet is the vulnerability of the Web to attacks from malicious individuals or organizations.
  • the security of information that can be accessed or saved in websites is a challenge.
  • Phishing refers to an attempt to fraudulently retrieve sensitive information, such as bank account information, SSNs, passwords, and credit card information, by masquerading as a trustworthy person or business with a real need for such information.
  • a phishing attack can be committed in two different ways. One way includes sending an email to a user, requesting that the user click on a link in the email that directs the user to enter sensitive information on the ensuing website. Because the links and websites are usually near exact copies of valid websites of well-known enterprises, such as banks, the user is fooled into thinking the websites are legitimate and hence secure.
  • Another way to commit a phishing attack is by redirection of a user to an illegitimate website through technical means. This is typically performed by exploitation of vulnerability in the domain name server (DNS) server software that allows a hacker to acquire the domain name for a site, and to redirect traffic from that website to another website of the fraudster.
  • DNS domain name server
  • an Internet banking customer who routinely logs in to his online banking account through the bank website, may be redirected to an illegitimate website.
  • the user mistyped the address of the bank's website, in the browser address bar, then instead of being redirected to the bank's website holding his/her account, the user is redirected to a website of the fraudster.
  • a DNS translates domain names meaningful to humans into the numerical identifiers, i.e., IP addresses associated with networking equipment for the purpose of locating and addressing these devices worldwide.
  • the DNS is located at the internet service provider (ISP).
  • ISP internet service provider
  • a DNS error is typically returned when the DNS cannot locate the IP address associated with the hostname.
  • hackers and even organizations can utilize DNS errors to perform a DNS hijacking which allows the hijacker to display malicious web pages on the user's browser.
  • the DNS-based protection looks up the translated IP address of a respective hostname in an address blacklist, and if found then a warning is sent to the user's browser and the request is not sent to the illegitimate website.
  • the address blacklist is frequently updated.
  • the disadvantage of this technique that it can monitor only hostnames, but not variance of the URLs given to a domain name. For example, a DNS may translate the host name of www.eBey.com to an IP address designated in the blacklist, but the URL www.eBey.com/vaction.html, may not be alerted.
  • the browser-based detection solution includes a phishing filter that checks the URL as it appears in the browser address bar against a list of sites that are considered fraudster. If the requested site, as designated in the URL, is considered to be a phishing threat, the browser is redirected to a website that returns a warning to the user.
  • the phishing filter is either part of the browser or is installed as a third party browser add-on. However, an anti-phishing filter is limited to certain types of web browsers and cannot work across platforms (different browsers).
  • Certain embodiments disclosed herein include a method of anti-phishing and domain name protection.
  • the method comprises: capturing a system call sent to an operating system of a client by an application requesting an access to an Internet resource; extracting a URL included in the captured system call; capturing a response to the system call sent from operating system to the application; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; if any one of the DNS error code and the fake IP address was detected, redirecting the application to an advisor server, wherein the advisor server generates a web page to be displayed by the application; marking a communication session between the application and the Internet resource as blocked; detecting a system call's response call that includes content received from the internet resource during the blocked session; modifying the system call's response by replacing the content with redirection information, wherein the redirection information includes at least an internet protocol
  • the advisor comprises: an interface for interfacing between an operating system of a client and at least one application executed over the client, wherein the interface monitors and captures system calls sent by the at least one application to the operating system and responses to the system calls as generated by the operating system; a memory for storing at least an anti-phishing blacklist; and a processor connected to the interface for determining if a system call's response generated in response to a system call's request of the at least one application to access an internet resource includes any one of a domain name system (DNS) error code and a fake IP address; checking a URL extracted from the system call's request against the anti-phishing blacklist to determine if the Internet resource is a malicious website; if any one of the DNS error code and the fake IP address was detected, redirecting the application to an advisor server, wherein the advisor server generates a web page to be displayed by the application; marking a communication session between the application and the Internet resource as blocked; detecting a system
  • DNS domain name system
  • FIG. 1 is a schematic diagram of a system useful in describing the various disclosed embodiments.
  • FIG. 2 is a flowchart illustrating the operation of the anti-phishing domain advisor (ADA) according to one embodiment.
  • FIG. 3 is a screenshot of a web page generated according to one embodiment.
  • FIG. 4 is a block diagram of the ADA according to one embodiment.
  • FIG. 1 shows a schematic diagram of a system 100 useful in describing the various disclosed embodiments.
  • a client 110 runs a web browser 130 which may be, for example, Microsoft® Internet Explorer®, Mozilla Firefox®, Opera, Safari, a wireless application protocol (WAP) type browser, and the like.
  • the client 110 may be a computing device, such as a personal computer, a laptop computer, a personal digital assistant (PDA), a mobile phone, a smart phone, a tablet computer, and the like.
  • PDA personal digital assistant
  • the web browser 130 provides the client 110 an access to the Internet 105 .
  • the client 110 includes an anti-phishing domain advisor (ADA) 120 constructed according to one embodiment.
  • the ADA 120 is installed as a low-level system utility and is operable between an operating system 140 of the client 110 and software applications, such as the web browser 130 .
  • the ADA 120 interfaces between the OS 140 API and the software applications requesting services from the operating system. Therefore, the ADA 120 can capture and monitor any system call request and response sent or received from the applications to the OS 140 , and specifically any requests and responses that are targeted to/from a resource that resides in the Internet 105 .
  • a web browser 130 is shown in FIG. 1
  • other software applications can be handled by the ADA 120 without departing from the scope of the disclosed embodiments.
  • software applications including, but not limited to, email applications, smartphone applications (i.e., applications executed on smartphones and/or tablet computers), or any other software application that can access the Internet and be executed by the client 110 .
  • the ADA 120 comprises computer-readable instructions that reside on some type of computer readable medium. According to this embodiment, the ADA 120 is downloaded to the client 110 and initialized upon booting of the client 110 .
  • the DNS 150 provides an IP address to a URL requested by the client 110 .
  • the anti-phishing server 160 constantly monitors the Internet for threats from phishing scams, i.e., URLs of websites that can commit phishing attacks.
  • the anti-phishing server 160 generates a blacklist containing IP addresses of malicious websites. The blacklist is frequently updated.
  • the ADA 120 maintains a copy of the blacklist as generated by the anti-phishing server 160 .
  • the ADA 120 retrieves the list from the anti-phishing server 160 at predefined time interval, e.g., every 60 seconds.
  • an advisor server 170 adapted to handle requests redirected by the ADA 120 .
  • the advisor server 170 In response to a redirect request, the advisor server 170 generates a web page to be displayed over the web browser 130 .
  • An example for the web page rendered by the web browser 130 is discussed below.
  • FIG. 2 shows a non-limiting and exemplary flowchart 200 illustrating the operation of the ADA 120 according to certain embodiments.
  • the ADA 120 provides an anti-phishing protection that considers both DNS errors and malicious websites that commit phishing attacks. The protection is available for all applications on the client 110 that access the Internet. It should be noted that the ADA 120 does not require reconfiguration of any of the clients 110 , the web browser 130 , or any protected applications.
  • a system call generated by the browser as a result of a request (e.g., a HTTP request) to access a resource over the Internet is captured.
  • a system call may be generated when the user types an address in the address bar of the web browser or clicks on a hyperlink.
  • the system calls generated by the web browser 130 are directed to the OS 140 .
  • the system calls may include requests for domain name resolution or accessing an Internet resource (e.g., a web server hosting a website).
  • the ADA 120 is hooked to the OS 140 API, thus any system calls generated by the web browser 130 and responses from the OS 140 can be monitored by the ADA 120 .
  • the ADA 120 handles system calls for domain name resolution and for sending data from the browser as well as responses generated by the OS in response to such calls.
  • the web browser 130 initiates a request for a domain name resolution for an Internet resource (e.g., a web server hosting a website) and then sends a request to access the Internet resource using the resolved IP address of the resource.
  • an Internet resource e.g., a web server hosting a website
  • the URL is extracted from the captured system call and provided as an input to S 250 .
  • the system calls is returned from the OS 140 , in response to a call for resolving the domain name, are monitored.
  • it is determined if such responses include a DNS error code or a fake IP address.
  • a check is made to determine if the IP address included in the response is the same as an IP determined to be fake.
  • the fake IP is typically returned by a DNS hijacker.
  • the ADA 120 sends a DNS resolution request to the DNS 150 using a domain name that does not exist. If the DNS 150 returns a valid IP address, then this IP address is determined to be fake. It should be noted that such an inquiry can be performed only when the ADA 120 is initialized.
  • S 240 If S 240 returns an affirmative answer, execution continues with S 245 where a flag indicating that a DNS error was detected is raised, and the system call returned by the OS 140 is held until completing the anti-phishing checks; otherwise, execution proceeds to S 250 .
  • the extracted URL or a resolved IP address is checked against the blacklist generated by the anti-phishing server to determine if the requested URL is associated with a malicious website. If so, execution continues with S 260 where an anti-phishing protection procedure is applied; otherwise, proceeding to S 255 , where another check is made to determine if the DNS error flag is raised. If S 255 results with an affirmative answer, execution continues with S 270 where a DNS error correction procedure is applied; otherwise, execution continues with S 280 , where the system calls as generated in response to a client's request are sent back to the web browser 130 . Then, execution terminates.
  • a check for a DNS error is performed followed by a check for detection of potential phishing attacks, in order to avoid mitigate situations where a malware is installed in the clients 110 that manipulates DNS errors for performing phishing attacks or DNS hijacking.
  • the anti-phishing protection procedure S 260 is performed during an active HTTP session between the web browser 130 and an Internet resource.
  • the HTTP session is marked as blocked.
  • the OS 140 is required to send the HTTP request to the Internet resource
  • all responses returned by the Internet resource are monitored. This is performed by checking system calls that send such responses to the web browser 130 .
  • the response is modified to include redirection information to navigate the web browser 130 to the advisor web server 170 .
  • a web page generated by the advisor website 170 is rendered by the web browser 130 .
  • the HTTP header is modified to include the address (part of the redirection information) of the advisor server 170 .
  • the redirection information also includes the domain name from the URL extracted at S 220 .
  • the redirection information includes a message that describes the detected problem and the reason for the redirection.
  • the redirection information causes the web browser 130 to navigate to the advisor server 170 , which provides a web page generated, in part, using the domain name and message included in the redirection information. Then, the web page generated by the advisor server 170 is displayed over the web browser 130 .
  • the DNS error correction procedure S 270 includes modifying the system call returned by the OS 140 in response to a DNS resolution request (S 271 ).
  • the modification includes replacing the DNS error code with the redirection information.
  • the redirection information includes an IP address of the advisor server 170 and the domain name from the URL extracted at S 220 .
  • the web browser 130 will access the advisor server 170 using the redirection information.
  • the modified response will cause the web browser to send a HTTP request to the advisor server 170 .
  • a system call generated as a result of the HTTP request is modified to include a message regarding the detected problem and the reason for the redirection. Then, the web page as provided by the advisor server 170 is displayed over the web browser 130 .
  • the web server 170 generates a web page that includes hyperlinks to websites that are related to the domain name included in the redirection information.
  • the hyperlinks contained in the generated web page may be sponsored links.
  • the anti-phishing protection solution disclosed herein can be utilized for collecting revenues. That is, if a user clicks on one of the sponsored links, then the provider of the web page referring to a website of the sponsor receives a commission for such a referral.
  • the advisor server 170 searches the Internet using the keyword which is the domain name and organizes the results according to their relevance to the user.
  • the search may be performed using conventional search engines, e.g., Google®.
  • the web page when displayed by the browser 130 may include the search results and a message regarding the nature of the detected problem.
  • FIG. 3 An exemplary screenshot of a web page 300 generated in a response to malicious URL, according to one embodiment, is shown in FIG. 3 .
  • the malicious URL is “delll.com” where the user tries to access the website of Dell® (dell.com).
  • the returned results are associated with websites where computing equipment may be purchased.
  • one of the hyperlinks included in the web page 300 is of dell.com.
  • one or more the hyperlinks are “sponsored links”.
  • FIG. 4 shows an exemplary and non-limiting block diagram of the ADA 120 according to one embodiment.
  • the ADA 120 includes an interface 410 , a processor 420 , and a memory 430 .
  • the interface 430 interfaces between the operating system 140 and the web browser 130 for monitoring and capturing system calls sent by the web browser to the operating system and responses to the system calls as generated by the operating system.
  • the memory 430 stores the anti-phishing blacklist retrieved from the anti-phishing server 160 and may also maintain the URL extracted from requests to access internet resources.
  • the processor 420 performs the tasks of processing system calls captured by the interface to detecting attempts for phishing attacks, domain attacks (e.g., DNS hijacking) and DNS errors.
  • the processor 420 also performs the tasks of the DNS error correction and anti-phishing protection actions, when such actions are required.
  • the tasks performed by the processor 420 discussed in detail above.
  • the embodiments disclosed herein may be implemented as hardware, firmware, software, or any combination thereof.
  • the software is preferably implemented as an application program tangibly embodied on a program storage unit or tangible computer readable medium consisting of parts, or of certain devices and/or a combination of devices.
  • the application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
  • the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces.
  • CPUs central processing units
  • the computer platform may also include an operating system and microinstruction code.
  • a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • the display segments and mini-display segments may be shown on a display area that can be a browser or another other appropriate application, either generic or tailored for the purposes described in detail hereinabove.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method of anti-phishing and domain name protection. The method comprises: capturing a system call; extracting a URL included in the captured system call; capturing a response to the system call; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; redirecting the application to an advisor server; marking a communication session between the application and the Internet resource as blocked; detecting a system call's response call that includes content received from the internet resource during the blocked session; modifying the system call's response by replacing the content with redirection information; and sending the modified system call's response to the application, thereby causing the application to access the advisor server.

Description

    CROSS-REFERNCE TO RELATED APPLCIATIONS
  • This application is a continuation of U.S. patent application Ser. No. 13/195,247 filed on Aug. 1, 2011, now allowed, the contents of which are hereby incorporated by reference.
    • TECHNICAL FIELD
  • This disclosure generally relates to techniques for allowing safe browsing of the Internet, and more particularly to protecting from phishing attacks and redirection errors.
    • BACKGROUND
  • The Internet has rapidly changed the way people access information. The Internet gives users access to a vast number of resources from locations around the world. In addition, the Internet allows users to perform commercial transactions and share private and sensitive information. A significant concern when browsing the Internet is the vulnerability of the Web to attacks from malicious individuals or organizations. Thus, the security of information that can be accessed or saved in websites is a challenge.
  • One type of fraudulent act over the Internet is known as phishing, which has become one the fastest growing online threats. In the last few years, there have been sharp increases in the number of phishing attacks over the Internet, thus users are now looking for effective ways for blocking such attacks.
  • Phishing refers to an attempt to fraudulently retrieve sensitive information, such as bank account information, SSNs, passwords, and credit card information, by masquerading as a trustworthy person or business with a real need for such information. A phishing attack can be committed in two different ways. One way includes sending an email to a user, requesting that the user click on a link in the email that directs the user to enter sensitive information on the ensuing website. Because the links and websites are usually near exact copies of valid websites of well-known enterprises, such as banks, the user is fooled into thinking the websites are legitimate and hence secure.
  • Another way to commit a phishing attack (also known as pharming) is by redirection of a user to an illegitimate website through technical means. This is typically performed by exploitation of vulnerability in the domain name server (DNS) server software that allows a hacker to acquire the domain name for a site, and to redirect traffic from that website to another website of the fraudster. For example, an Internet banking customer, who routinely logs in to his online banking account through the bank website, may be redirected to an illegitimate website. As another example, if the user mistyped the address of the bank's website, in the browser address bar, then instead of being redirected to the bank's website holding his/her account, the user is redirected to a website of the fraudster.
  • A DNS translates domain names meaningful to humans into the numerical identifiers, i.e., IP addresses associated with networking equipment for the purpose of locating and addressing these devices worldwide. Typically, the DNS is located at the internet service provider (ISP). A DNS error is typically returned when the DNS cannot locate the IP address associated with the hostname. Hackers and even organizations can utilize DNS errors to perform a DNS hijacking which allows the hijacker to display malicious web pages on the user's browser.
  • Several solutions for detection of phishing attempts that are DNS-based and browser-based are discussed in the related art. The DNS-based protection looks up the translated IP address of a respective hostname in an address blacklist, and if found then a warning is sent to the user's browser and the request is not sent to the illegitimate website. The address blacklist is frequently updated. The disadvantage of this technique that it can monitor only hostnames, but not variance of the URLs given to a domain name. For example, a DNS may translate the host name of www.eBey.com to an IP address designated in the blacklist, but the URL www.eBey.com/vaction.html, may not be alerted.
  • The browser-based detection solution includes a phishing filter that checks the URL as it appears in the browser address bar against a list of sites that are considered fraudster. If the requested site, as designated in the URL, is considered to be a phishing threat, the browser is redirected to a website that returns a warning to the user. The phishing filter is either part of the browser or is installed as a third party browser add-on. However, an anti-phishing filter is limited to certain types of web browsers and cannot work across platforms (different browsers).
  • Therefore, it would be advantageous to provide an anti-phishing solution that overcomes the deficiencies of the solutions discussed above. It would be further advantageous if the anti-phishing solution would also handle DNS errors for securing a client.
    • SUMMARY
  • Certain embodiments disclosed herein include a method of anti-phishing and domain name protection. The method comprises: capturing a system call sent to an operating system of a client by an application requesting an access to an Internet resource; extracting a URL included in the captured system call; capturing a response to the system call sent from operating system to the application; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; if any one of the DNS error code and the fake IP address was detected, redirecting the application to an advisor server, wherein the advisor server generates a web page to be displayed by the application; marking a communication session between the application and the Internet resource as blocked; detecting a system call's response call that includes content received from the internet resource during the blocked session; modifying the system call's response by replacing the content with redirection information, wherein the redirection information includes at least an internet protocol (IP) address of the advisor server and the extracted URL; and sending the modified system call's response to the application, thereby causing the application to access the advisor server.
  • Certain embodiments disclosed herein also include an anti-phishing domain advisor. The advisor comprises: an interface for interfacing between an operating system of a client and at least one application executed over the client, wherein the interface monitors and captures system calls sent by the at least one application to the operating system and responses to the system calls as generated by the operating system; a memory for storing at least an anti-phishing blacklist; and a processor connected to the interface for determining if a system call's response generated in response to a system call's request of the at least one application to access an internet resource includes any one of a domain name system (DNS) error code and a fake IP address; checking a URL extracted from the system call's request against the anti-phishing blacklist to determine if the Internet resource is a malicious website; if any one of the DNS error code and the fake IP address was detected, redirecting the application to an advisor server, wherein the advisor server generates a web page to be displayed by the application; marking a communication session between the application and the Internet resource as blocked; detecting a system call's response call that includes content received from the internet resource during the blocked session; modifying the system call's response by replacing the content with redirection information, wherein the redirection information includes at least an internet protocol (IP) address of the advisor server and the extracted URL; and sending the modified system call's response to the application, thereby causing the application to access the advisor server.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The subject matter that is regarded as the disclosed embodiments is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
  • FIG. 1 is a schematic diagram of a system useful in describing the various disclosed embodiments.
  • FIG. 2 is a flowchart illustrating the operation of the anti-phishing domain advisor (ADA) according to one embodiment.
  • FIG. 3 is a screenshot of a web page generated according to one embodiment.
  • FIG. 4 is a block diagram of the ADA according to one embodiment.
    •  DETAILED DESCRIPTION
  • It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
  • FIG. 1 shows a schematic diagram of a system 100 useful in describing the various disclosed embodiments. A client 110 runs a web browser 130 which may be, for example, Microsoft® Internet Explorer®, Mozilla Firefox®, Opera, Safari, a wireless application protocol (WAP) type browser, and the like. The client 110 may be a computing device, such as a personal computer, a laptop computer, a personal digital assistant (PDA), a mobile phone, a smart phone, a tablet computer, and the like. The web browser 130 provides the client 110 an access to the Internet 105.
  • The client 110 includes an anti-phishing domain advisor (ADA) 120 constructed according to one embodiment. The ADA 120 is installed as a low-level system utility and is operable between an operating system 140 of the client 110 and software applications, such as the web browser 130. The ADA 120 interfaces between the OS 140 API and the software applications requesting services from the operating system. Therefore, the ADA 120 can capture and monitor any system call request and response sent or received from the applications to the OS 140, and specifically any requests and responses that are targeted to/from a resource that resides in the Internet 105.
  • It should be noted that although a web browser 130 is shown in FIG. 1, other software applications can be handled by the ADA 120 without departing from the scope of the disclosed embodiments. For example, software applications including, but not limited to, email applications, smartphone applications (i.e., applications executed on smartphones and/or tablet computers), or any other software application that can access the Internet and be executed by the client 110. In an embodiment, the ADA 120 comprises computer-readable instructions that reside on some type of computer readable medium. According to this embodiment, the ADA 120 is downloaded to the client 110 and initialized upon booting of the client 110.
  • Also connected in the Internet cloud 105 are a DNS 150 and a third-party anti-phishing server 160. The DNS 150 provides an IP address to a URL requested by the client 110. The anti-phishing server 160 constantly monitors the Internet for threats from phishing scams, i.e., URLs of websites that can commit phishing attacks. The anti-phishing server 160 generates a blacklist containing IP addresses of malicious websites. The blacklist is frequently updated.
  • The ADA 120 maintains a copy of the blacklist as generated by the anti-phishing server 160. According to an embodiment, the ADA 120 retrieves the list from the anti-phishing server 160 at predefined time interval, e.g., every 60 seconds.
  • According to certain embodiments, also connected in the Internet cloud 105 is an advisor server 170 adapted to handle requests redirected by the ADA 120. In response to a redirect request, the advisor server 170 generates a web page to be displayed over the web browser 130. An example for the web page rendered by the web browser 130 is discussed below.
  • FIG. 2 shows a non-limiting and exemplary flowchart 200 illustrating the operation of the ADA 120 according to certain embodiments. The ADA 120 provides an anti-phishing protection that considers both DNS errors and malicious websites that commit phishing attacks. The protection is available for all applications on the client 110 that access the Internet. It should be noted that the ADA 120 does not require reconfiguration of any of the clients 110, the web browser 130, or any protected applications.
  • At S210, a system call generated by the browser as a result of a request (e.g., a HTTP request) to access a resource over the Internet is captured. For example, such a system call may be generated when the user types an address in the address bar of the web browser or clicks on a hyperlink. The system calls generated by the web browser 130 are directed to the OS 140. The system calls may include requests for domain name resolution or accessing an Internet resource (e.g., a web server hosting a website).
  • As mentioned above, the ADA 120 is hooked to the OS 140 API, thus any system calls generated by the web browser 130 and responses from the OS 140 can be monitored by the ADA 120. According to a preferred embodiment, the ADA 120 handles system calls for domain name resolution and for sending data from the browser as well as responses generated by the OS in response to such calls. Typically, the web browser 130 initiates a request for a domain name resolution for an Internet resource (e.g., a web server hosting a website) and then sends a request to access the Internet resource using the resolved IP address of the resource.
  • At S220, the URL is extracted from the captured system call and provided as an input to S250. At S230, the system calls is returned from the OS 140, in response to a call for resolving the domain name, are monitored. At S240, it is determined if such responses include a DNS error code or a fake IP address. To determine a fake IP, a check is made to determine if the IP address included in the response is the same as an IP determined to be fake. The fake IP is typically returned by a DNS hijacker. Thus, according to an embodiment, the ADA 120 sends a DNS resolution request to the DNS 150 using a domain name that does not exist. If the DNS 150 returns a valid IP address, then this IP address is determined to be fake. It should be noted that such an inquiry can be performed only when the ADA 120 is initialized.
  • If S240 returns an affirmative answer, execution continues with S245 where a flag indicating that a DNS error was detected is raised, and the system call returned by the OS 140 is held until completing the anti-phishing checks; otherwise, execution proceeds to S250.
  • At S250, the extracted URL or a resolved IP address is checked against the blacklist generated by the anti-phishing server to determine if the requested URL is associated with a malicious website. If so, execution continues with S260 where an anti-phishing protection procedure is applied; otherwise, proceeding to S255, where another check is made to determine if the DNS error flag is raised. If S255 results with an affirmative answer, execution continues with S270 where a DNS error correction procedure is applied; otherwise, execution continues with S280, where the system calls as generated in response to a client's request are sent back to the web browser 130. Then, execution terminates.
  • It should be noted that the checks to detect anti-phishing URLs and DNS errors can be performed at the same time. According to an embodiment, a check for a DNS error is performed followed by a check for detection of potential phishing attacks, in order to avoid mitigate situations where a malware is installed in the clients 110 that manipulates DNS errors for performing phishing attacks or DNS hijacking.
  • According to an embodiment, the anti-phishing protection procedure S260 is performed during an active HTTP session between the web browser 130 and an Internet resource. At S261, the HTTP session is marked as blocked. As the OS 140 is required to send the HTTP request to the Internet resource, at S262, all responses returned by the Internet resource are monitored. This is performed by checking system calls that send such responses to the web browser 130. At S263, once a response of a session marked as blocked is detected, the response is modified to include redirection information to navigate the web browser 130 to the advisor web server 170. Thus, instead of displaying a web page from the malicious website, a web page generated by the advisor website 170 is rendered by the web browser 130. For example, if the response is a HTTP response, then the HTTP header is modified to include the address (part of the redirection information) of the advisor server 170. According to an embodiment, the redirection information also includes the domain name from the URL extracted at S220.
  • According to another embodiment, the redirection information includes a message that describes the detected problem and the reason for the redirection. The redirection information causes the web browser 130 to navigate to the advisor server 170, which provides a web page generated, in part, using the domain name and message included in the redirection information. Then, the web page generated by the advisor server 170 is displayed over the web browser 130.
  • The DNS error correction procedure S270 includes modifying the system call returned by the OS 140 in response to a DNS resolution request (S271). The modification includes replacing the DNS error code with the redirection information. The redirection information includes an IP address of the advisor server 170 and the domain name from the URL extracted at S220. The web browser 130 will access the advisor server 170 using the redirection information. The modified response will cause the web browser to send a HTTP request to the advisor server 170. At S272, a system call generated as a result of the HTTP request is modified to include a message regarding the detected problem and the reason for the redirection. Then, the web page as provided by the advisor server 170 is displayed over the web browser 130.
  • According to certain embodiments, the web server 170 generates a web page that includes hyperlinks to websites that are related to the domain name included in the redirection information. The hyperlinks contained in the generated web page may be sponsored links. Thus, the anti-phishing protection solution disclosed herein can be utilized for collecting revenues. That is, if a user clicks on one of the sponsored links, then the provider of the web page referring to a website of the sponsor receives a commission for such a referral.
  • According to an embodiment, the advisor server 170 searches the Internet using the keyword which is the domain name and organizes the results according to their relevance to the user. The search may be performed using conventional search engines, e.g., Google®. As mentioned above, the web page when displayed by the browser 130 may include the search results and a message regarding the nature of the detected problem.
  • An exemplary screenshot of a web page 300 generated in a response to malicious URL, according to one embodiment, is shown in FIG. 3. In this example, the malicious URL is “delll.com” where the user tries to access the website of Dell® (dell.com). Thus, the returned results are associated with websites where computing equipment may be purchased. As shown in FIG. 3, one of the hyperlinks included in the web page 300 is of dell.com. As mentioned earlier, one or more the hyperlinks are “sponsored links”.
  • FIG. 4 shows an exemplary and non-limiting block diagram of the ADA 120 according to one embodiment. The ADA 120 includes an interface 410, a processor 420, and a memory 430. The interface 430 interfaces between the operating system 140 and the web browser 130 for monitoring and capturing system calls sent by the web browser to the operating system and responses to the system calls as generated by the operating system. The memory 430 stores the anti-phishing blacklist retrieved from the anti-phishing server 160 and may also maintain the URL extracted from requests to access internet resources.
  • The processor 420 performs the tasks of processing system calls captured by the interface to detecting attempts for phishing attacks, domain attacks (e.g., DNS hijacking) and DNS errors. The processor 420 also performs the tasks of the DNS error correction and anti-phishing protection actions, when such actions are required. The tasks performed by the processor 420 discussed in detail above.
  • The embodiments disclosed herein may be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or tangible computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. All or some of the servers maybe combined into one or more integrated servers. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal. The display segments and mini-display segments may be shown on a display area that can be a browser or another other appropriate application, either generic or tailored for the purposes described in detail hereinabove.
  • All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiments and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosure, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

Claims (11)

What we claim is:
1. An anti-phishing domain advisor, comprising:
an interface configured to interface between an operating system of a client and at least one application executed over the client, wherein the interface is further configured to monitor and capture system calls sent by the at least one application to an operating system and responses to the system calls as generated by the operating system;
a memory configured to store at least an anti-phishing blacklist; and
a processor connected to the interface can configured to:
determine if a system call's response generated in response to a system call's request of the at least one application to access an internet resource includes any one of a domain name system (DNS) error code and a fake IP address;
check a URL extracted from the system call's request against the anti-phishing blacklist to determine if the Internet resource is a malicious website;
perform a DNS error correction action if any one of the DNS error code and the fake IP address was detected; and
perform an anti-phishing protection action if the internet resource is determined to be a malicious website.
2. The anti-phishing domain advisor of claim 1, wherein each of the DNS error correction action and the anti-phishing protection action causes redirection of the application to an advisor server.
3. The anti-phishing domain advisor of claim 1, wherein the advisor server is further configured to generate a web page to be displayed by the application, the generated web page includes at least one hyperlink related to the extracted URL.
4. The anti-phishing domain advisor of claim 1, wherein the web page generated by the advisor server includes a list of hyperlinks related to the extracted URL.
5. The anti-phishing domain advisor of claim 4, wherein one or more of the hyperlinks are sponsored links.
6. The anti-phishing domain advisor of claim 1, wherein the processor is further configured to:
perform the anti-phishing protection action when both the DNS error code and the phishing attempt are detected.
7. The anti-phishing domain advisor 1, wherein the processor is further configured to detect the fake IP address generated by a DNS hijacker.
8. The anti-phishing domain advisor 1, wherein the system is further configured to:
send through the interface a DNS resolution request to a DNS with a non-existing domain name;
flag a valid IP address returned in a response to the DNS resolution request as a IP address; and
compare the IP address included in the system call's response to the flagged IP address, and if a match exists the IP address in the system call's response is determined to be a fake IP address generated by a DNS hijacker.
9. The anti-phishing domain advisor claim 1, wherein the anti-phishing blacklist is retrieved from a third-party anti-phishing server and updated periodically.
10. The anti-phishing domain advisor of claim 1, wherein the interface is further configured to:
hook to an application programming interface (API) of the operating system in order to capture the system calls.
11. The anti-phishing domain advisor of claim 1, wherein the client is any one of: a personal computer, a mobile phone, a smartphone, and a tablet computer.
US14/797,525 2011-08-01 2015-07-13 Anti-phishing domain advisor and method thereof Abandoned US20150319191A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/797,525 US20150319191A1 (en) 2011-08-01 2015-07-13 Anti-phishing domain advisor and method thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/195,247 US9083733B2 (en) 2011-08-01 2011-08-01 Anti-phishing domain advisor and method thereof
US14/797,525 US20150319191A1 (en) 2011-08-01 2015-07-13 Anti-phishing domain advisor and method thereof

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/195,247 Continuation US9083733B2 (en) 2011-08-01 2011-08-01 Anti-phishing domain advisor and method thereof

Publications (1)

Publication Number Publication Date
US20150319191A1 true US20150319191A1 (en) 2015-11-05

Family

ID=47627817

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/195,247 Expired - Fee Related US9083733B2 (en) 2011-08-01 2011-08-01 Anti-phishing domain advisor and method thereof
US14/797,525 Abandoned US20150319191A1 (en) 2011-08-01 2015-07-13 Anti-phishing domain advisor and method thereof

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/195,247 Expired - Fee Related US9083733B2 (en) 2011-08-01 2011-08-01 Anti-phishing domain advisor and method thereof

Country Status (1)

Country Link
US (2) US9083733B2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150020204A1 (en) * 2013-06-27 2015-01-15 Tencent Technology (Shenzhen) Co., Ltd. Method, system and server for monitoring and protecting a browser from malicious websites
US20150215296A1 (en) * 2013-08-14 2015-07-30 Iboss, Inc. Selectively performing man in the middle decryption
US9680801B1 (en) 2016-05-03 2017-06-13 Iboss, Inc. Selectively altering references within encrypted pages using man in the middle
CN107135220A (en) * 2017-05-08 2017-09-05 北京智能管家科技有限公司 Cheat page detection method, computer equipment and computer-readable recording medium
US9948649B1 (en) * 2014-12-30 2018-04-17 Juniper Networks, Inc. Internet address filtering based on a local database
US20180183752A1 (en) * 2016-12-23 2018-06-28 Solute Gmbh Method and system for providing additional information relating to primary information
US20180205758A1 (en) * 2015-08-28 2018-07-19 Baidu Online Network Technology (Beijing) Co., Ltd. Method and system for detecting phishing page
US10523706B1 (en) * 2019-03-07 2019-12-31 Lookout, Inc. Phishing protection using cloning detection
US11751046B1 (en) * 2021-04-06 2023-09-05 T-Mobile Innovations Llc Method and system for optimizing device retry behavior

Families Citing this family (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8949982B2 (en) * 2011-12-30 2015-02-03 Verisign, Inc. Method for administering a top-level domain
KR101462311B1 (en) * 2012-05-18 2014-11-14 (주)이스트소프트 Method for preventing malicious code
CN103778113B (en) * 2012-10-17 2017-04-19 腾讯科技(深圳)有限公司 Terminal and server and webpage processing method of terminal and server
CN102957694B (en) * 2012-10-25 2016-08-31 北京奇虎科技有限公司 A kind of method and device judging fishing website
GB201306628D0 (en) * 2013-04-11 2013-05-29 F Secure Oyj Detecting and marking client devices
US9621566B2 (en) 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
CN103269389B (en) * 2013-06-03 2016-05-25 北京奇虎科技有限公司 Check and repair the method and apparatus that malice DNS arranges
CN104253785B (en) * 2013-06-25 2017-10-27 腾讯科技(深圳)有限公司 Dangerous network address recognition methods, apparatus and system
US20140380480A1 (en) * 2013-06-25 2014-12-25 Tencent Technology (Shenzhen) Company Limited Method, device and system for identifying harmful websites
CN103368958A (en) * 2013-07-05 2013-10-23 腾讯科技(深圳)有限公司 Method, device and system for detecting webpage
US9608962B1 (en) * 2013-07-09 2017-03-28 Pulse Secure, Llc Application-aware connection for network access client
CN104683290A (en) * 2013-11-26 2015-06-03 腾讯科技(深圳)有限公司 Method and device for monitoring phishing and terminal
GB2518460B (en) * 2013-12-09 2015-10-28 F Secure Corp Unauthorised/Malicious redirection
US9521164B1 (en) * 2014-01-15 2016-12-13 Frank Angiolelli Computerized system and method for detecting fraudulent or malicious enterprises
US10142202B2 (en) * 2014-01-30 2018-11-27 Qualcomm Incorporated Determination of end-to-end transport quality
CN103841220A (en) * 2014-02-18 2014-06-04 北京奇虎科技有限公司 Method and device for detecting safety of router through terminal
US9083739B1 (en) 2014-05-29 2015-07-14 Shape Security, Inc. Client/server authentication using dynamic credentials
CN104135471B (en) * 2014-07-14 2018-01-23 嘉兴市辰翔信息科技有限公司 The anti-abduction communication means of DNS
US9398047B2 (en) 2014-11-17 2016-07-19 Vade Retro Technology, Inc. Methods and systems for phishing detection
CN106330849A (en) * 2015-07-07 2017-01-11 安恒通(北京)科技有限公司 Method and device for preventing domain name hijack
EP3125147B1 (en) * 2015-07-27 2020-06-03 Swisscom AG System and method for identifying a phishing website
US9946874B2 (en) 2015-08-06 2018-04-17 International Business Machines Corporation Authenticating application legitimacy
CN106534051B (en) * 2015-09-11 2020-02-14 阿里巴巴集团控股有限公司 Processing method and device for access request
WO2017058519A1 (en) * 2015-09-28 2017-04-06 Arris Enterprises Llc Domain name system response spoofing at customer premise equipment device
CN105376217B (en) * 2015-10-15 2019-01-04 中国互联网络信息中心 A kind of malice jumps and the automatic judging method of malice nested class objectionable website
US20170155667A1 (en) * 2015-11-30 2017-06-01 Symantec Corporation Systems and methods for detecting malware infections via domain name service traffic analysis
CN105872119A (en) * 2015-12-10 2016-08-17 乐视云计算有限公司 Method and apparatus for implementing domain name resolution system
CN105718577B (en) * 2016-01-22 2020-01-21 中国互联网络信息中心 Method and system for automatically detecting phishing aiming at newly added domain name
US10142366B2 (en) 2016-03-15 2018-11-27 Vade Secure, Inc. Methods, systems and devices to mitigate the effects of side effect URLs in legitimate and phishing electronic messages
US10986109B2 (en) 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US11165797B2 (en) * 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US20170324774A1 (en) * 2016-05-05 2017-11-09 Javelin Networks, Inc. Adding supplemental data to a security-related query
CN107786526A (en) * 2016-08-31 2018-03-09 北京优朋普乐科技有限公司 Anti-stealing link method, client and server system
CN106790739B (en) * 2016-11-22 2020-05-08 合一智能科技(深圳)有限公司 Pre-loading starting method, pre-loading system and management system of DNS service
US10567430B2 (en) 2016-12-09 2020-02-18 International Business Machines Corporation Protecting against notification based phishing attacks
US20200084225A1 (en) * 2017-12-01 2020-03-12 Trusted Knight Corporation In-stream malware protection
CN110019892B (en) * 2017-12-30 2021-03-02 惠州学院 Method and system for identifying harmful picture based on user ID
CN108388233B (en) * 2018-03-21 2020-07-17 北京科技大学 Industrial control field device hidden attack detection method
CN108737385A (en) * 2018-04-24 2018-11-02 杭州安恒信息技术股份有限公司 A kind of malice domain name matching method mapping IP based on DNS
CN110865818B (en) * 2018-08-28 2023-07-28 阿里巴巴(中国)有限公司 Detection method and device for application associated domain name and electronic equipment
WO2020194275A1 (en) * 2019-03-27 2020-10-01 Uniregistry Corp Anti-phishing apparatus and method
US12047373B2 (en) * 2019-11-05 2024-07-23 Salesforce.Com, Inc. Monitoring resource utilization of an online system based on browser attributes collected for a session
US10735436B1 (en) * 2020-02-05 2020-08-04 Cyberark Software Ltd. Dynamic display capture to verify encoded visual codes and network address information
CN111556045B (en) * 2020-04-23 2022-02-15 亚信科技(成都)有限公司 Malicious program detection method and device
CN113703780B (en) * 2020-05-22 2024-04-19 广州虎牙科技有限公司 Decompilation detection and webpage resource data sending method, device, equipment and medium
CN112165466B (en) * 2020-09-16 2022-06-17 杭州安恒信息技术股份有限公司 Method and device for false alarm identification, electronic device and storage medium
US11811806B2 (en) * 2020-09-25 2023-11-07 Barracuda Networks, Inc. System and apparatus for internet traffic inspection via localized DNS caching
US11632393B2 (en) * 2020-10-16 2023-04-18 International Business Machines Corporation Detecting and mitigating malware by evaluating HTTP errors
CN112671747B (en) * 2020-12-17 2022-08-30 赛尔网络有限公司 Overseas malicious URL statistical method and device, electronic equipment and storage medium
CN114765605B (en) * 2020-12-30 2023-09-08 花瓣云科技有限公司 Resource access method and terminal equipment
CN113115102B (en) * 2021-04-07 2022-04-15 湖南快乐阳光互动娱乐传媒有限公司 Streaming media playing method and device
US12095732B2 (en) * 2021-06-30 2024-09-17 Sony Group Corporation Anti-piracy control based on blacklisting function
CN113556347B (en) * 2021-07-22 2023-04-07 深信服科技股份有限公司 Detection method, device and equipment for phishing mails and storage medium
CN113922980A (en) * 2021-08-23 2022-01-11 北京天融信网络安全技术有限公司 DNS monitoring method, equipment and storage medium based on HTTP detection information
CN114884696A (en) * 2022-04-08 2022-08-09 恒安嘉新(北京)科技股份公司 Fraud early warning method, device, equipment and storage medium

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182447A1 (en) * 2001-05-31 2003-09-25 Schilling Frank T. Generic top-level domain re-routing system
US7497374B2 (en) 2004-09-17 2009-03-03 Digital Envoy, Inc. Fraud risk advisor
EP1866783B1 (en) 2005-02-24 2020-11-18 EMC Corporation System and method for detecting and mitigating dns spoofing trojans
US7603699B2 (en) 2005-08-25 2009-10-13 Melih Abdulhayoglu Method for establishing trust online
US7831915B2 (en) 2005-11-10 2010-11-09 Microsoft Corporation Dynamically protecting against web resources associated with undesirable activities
AU2007207417A1 (en) 2006-01-20 2007-07-26 Paxfire, Inc. Systems and methods for discerning and controlling communication traffic
US7890612B2 (en) * 2006-05-08 2011-02-15 Electro Guard Corp. Method and apparatus for regulating data flow between a communications device and a network
US8095967B2 (en) 2006-07-27 2012-01-10 White Sky, Inc. Secure web site authentication using web site characteristics, secure user credentials and private browser
US8352738B2 (en) 2006-12-01 2013-01-08 Carnegie Mellon University Method and apparatus for secure online transactions
US20100106854A1 (en) * 2008-10-29 2010-04-29 Hostway Corporation System and method for controlling non-existing domain traffic
US20100125663A1 (en) 2008-11-17 2010-05-20 Donovan John J Systems, methods, and devices for detecting security vulnerabilities in ip networks
US8806632B2 (en) 2008-11-17 2014-08-12 Solarwinds Worldwide, Llc Systems, methods, and devices for detecting security vulnerabilities in IP networks
US20100262688A1 (en) 2009-01-21 2010-10-14 Daniar Hussain Systems, methods, and devices for detecting security vulnerabilities in ip networks
US8863283B2 (en) * 2011-03-31 2014-10-14 Mcafee, Inc. System and method for securing access to system calls

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150020204A1 (en) * 2013-06-27 2015-01-15 Tencent Technology (Shenzhen) Co., Ltd. Method, system and server for monitoring and protecting a browser from malicious websites
US20150215296A1 (en) * 2013-08-14 2015-07-30 Iboss, Inc. Selectively performing man in the middle decryption
US9621517B2 (en) * 2013-08-14 2017-04-11 Iboss, Inc. Selectively performing man in the middle decryption
US9853943B2 (en) 2013-08-14 2017-12-26 Iboss, Inc. Selectively performing man in the middle decryption
US9948649B1 (en) * 2014-12-30 2018-04-17 Juniper Networks, Inc. Internet address filtering based on a local database
US20180205758A1 (en) * 2015-08-28 2018-07-19 Baidu Online Network Technology (Beijing) Co., Ltd. Method and system for detecting phishing page
US10367849B2 (en) * 2015-08-28 2019-07-30 Baidu Online Network Technology (Beijing) Co., Ltd. Method and system for detecting phishing page
US9680801B1 (en) 2016-05-03 2017-06-13 Iboss, Inc. Selectively altering references within encrypted pages using man in the middle
US20180183752A1 (en) * 2016-12-23 2018-06-28 Solute Gmbh Method and system for providing additional information relating to primary information
CN109313657A (en) * 2016-12-23 2019-02-05 塞路特股份有限公司 For providing the method and system of additional information relevant to main information
CN107135220A (en) * 2017-05-08 2017-09-05 北京智能管家科技有限公司 Cheat page detection method, computer equipment and computer-readable recording medium
US10523706B1 (en) * 2019-03-07 2019-12-31 Lookout, Inc. Phishing protection using cloning detection
US11356478B2 (en) 2019-03-07 2022-06-07 Lookout, Inc. Phishing protection using cloning detection
US11751046B1 (en) * 2021-04-06 2023-09-05 T-Mobile Innovations Llc Method and system for optimizing device retry behavior

Also Published As

Publication number Publication date
US20130036468A1 (en) 2013-02-07
US9083733B2 (en) 2015-07-14

Similar Documents

Publication Publication Date Title
US9083733B2 (en) Anti-phishing domain advisor and method thereof
US9900346B2 (en) Identification of and countermeasures against forged websites
US9215242B2 (en) Methods and systems for preventing unauthorized acquisition of user information
KR102130122B1 (en) Systems and methods for detecting online fraud
US10356125B2 (en) Devices, systems and computer-implemented methods for preventing password leakage in phishing attacks
Bin et al. A DNS based anti-phishing approach
KR101689299B1 (en) Automated verification method of security event and automated verification apparatus of security event
US8024804B2 (en) Correlation engine for detecting network attacks and detection method
US9055097B1 (en) Social network scanning
US8286239B1 (en) Identifying and managing web risks
US8646071B2 (en) Method and system for validating site data
US7958555B1 (en) Protecting computer users from online frauds
US20130007882A1 (en) Methods of detecting and removing bidirectional network traffic malware
US20130007870A1 (en) Systems for bi-directional network traffic malware detection and removal
US20090064337A1 (en) Method and apparatus for preventing web page attacks
JP2008532133A (en) System and method for detecting and mitigating DNS camouflaged Trojans
US8646038B2 (en) Automated service for blocking malware hosts
US20130312081A1 (en) Malicious code blocking system
US20060070126A1 (en) A system and methods for blocking submission of online forms.
US20160337378A1 (en) Method and apparatus for detecting security of online shopping environment
US20140283078A1 (en) Scanning and filtering of hosted content
Singh et al. Taxonomy of attacks on web based applications
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
Maroofi et al. Are you human? resilience of phishing detection to evasion techniques based on human verification
WO2007096659A1 (en) Phishing mitigation

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION