WO2007007988A2 - Anti-phishing method (Procede anti-filoutage) - Google Patents


Info

Publication number
WO2007007988A2
Authority
WO
WIPO (PCT)
Prior art keywords
site
phishing
user
whitelist
registered
Prior art date
Application number
PCT/KR2006/002662
Other languages
English (en)
Other versions
WO2007007988A3 (fr)
Inventor
Giho Yang
Jay-Yeob Hwang
Original Assignee
Whitecore Co., Ltd
Priority date
2005-07-07
Filing date
2006-07-07
Publication date
2007-01-18
Application filed by Whitecore Co., Ltd
Publication of WO2007007988A2
Publication of WO2007007988A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Definitions

  • The present invention relates to a method of preventing phishing.
  • Phishing, a compound word made up of "private data" and "fishing", refers to a new type of swindling in which an e-mail pretending to come from the operator of a popular site is sent in order to induce a user to access a fake site and input his or her personal information, thereby extracting important personal information such as a customer's account number or password.
  • Anti-phishing is used as a term meaning a technique for preventing phishing.
  • US Laid-open Patent No. 2006-021031 can be taken as an example of the prior art.
  • It uses a spoof site list and a trusted site list, i.e., a blacklist and a whitelist.
  • The uniform resource locator (URL) of a downloaded page is compared with the URLs in the lists, thereby indicating a warning or security directions to a user.
  • As for the whitelist, it is hazardous in that if a site is listed in the whitelist, the site is marked as a "safe site", so that even when a site listed in the whitelist pretends to be a popular site, it is still marked as a "safe site"; thus this method supports attackers on the contrary.
  • The phishing technique that is most widely known presently uses a fake e-mail disguised as an e-mail from the operator of a popular site, in which the e-mail contains an input form for inputting personal information or a link address that plausibly leads a user to a fake site.
  • FIG. 1 is a view showing an example of a phishing attack of a new type.
  • In this attack, a Trojan horse is installed first in a victim's computer.
  • When the victim turns on the computer and the procedures of confirming a variety of on-line updates are processed, a fake on-line update window or a fake licensed-version purchase guide window is floated on the screen.
  • A user having a great interest in the corresponding program inputs his or her personal information without any doubt into the fake window, as the attacker leads.
  • FIG. 2 is a view showing an example of a phishing attack of another type.
  • The present invention has been made in order to solve the above problems occurring in the prior art, and it is an object of the invention to provide a method of preventing phishing in which an optimal warning message against any type of the aforementioned phishing attacks can be perfectly provided to users.
  • Another object of the invention is to provide an anti-phishing program in which a self-security function is provided so that the anti-phishing program itself can operate normally against a phishing attack.
  • Phishing is an occasion in which the contents displayed on the screen and the address of a site are not real ones. Therefore, if the contents and address of a site are correctly understood, phishing can be prevented 100 %. However, the truth is not like that in reality.
  • The computer determines the falsehood of an address, and the human determines whether the screen shows a real site. Then, the result of checking the address performed by the computer and the result of examining the screen performed by the human are put together so as to correctly determine whether the site displayed on the screen is a phishing site; this will be the most correct method.
  • A method originating from this idea is the whitelist based self-determination method, which is applied to the present invention.
  • The whitelist based self-determination method will be described in detail.
  • FIG. 3 is a view showing a basic principle of the present invention.
  • Addresses of popular sites that become targets for phishing attacks are constructed as a database in association with the known names of the corresponding sites.
  • The addresses are preferably domain names.
  • An anti-phishing client program is installed in a user's computer and monitors whether a key input is generated from the user's computer. If a key input is detected 100, the program extracts the real address of the web page to which the user has connected 110, and confirms whether the address exists in the database (the whitelist) 120.
  • If the address exists in the whitelist, the name of the corresponding site is displayed on the user's screen 130, and the user self-determines whether the site is a normal site or a phishing site according to whether the genuine site name of the real connection address corresponds to the site that the user views on the screen with his or her own eyes. If the site name whose real connection address is registered in the whitelist corresponds to the site that the user views on the screen, the site is a normal site 140; contrarily, if the site name does not correspond to the site that the user views, the site is a phishing site 150.
  • If the address is not registered, "Unregistered address" is displayed on the user's screen 160, which makes the user suspect the site, thinking 'If it were a popular site, the address should have been registered', thereby helping the user not to be deceived by phishing.
  • In addition, an interface is provided that allows a user who desires to confirm directly whether the site shown on the screen is registered in the whitelist to use a query service on the spot 170. That is, the interface provides a guide message, an input form, and a query button, the guide message indicating that "Unregistered address.
  • If the inputted site name actually does not exist in the whitelist, it can be assumed that the site is a simple unpopular site or that an attacker is phishing an unpopular site. Therefore, a guide message indicating that "The inputted site is not joined to an anti-phishing service. An operator's e-mail guiding to input personal information can be a phishing attack. Pay attention." is displayed 190, thereby calling the user's attention.
  • The present invention is extremely effective in that all kinds of phishing attacks introduced above can be perfectly prevented, which has never before been achieved by any technique.
  • FIG. 1 is a view showing an example of a phishing attack of a new type.
  • FIG. 2 is a view showing an example of a phishing attack of another type.
  • FIG. 3 is a view showing a basic principle of the present invention.
  • FIG. 4 is a flowchart illustrating the present invention.
  • FIGS. 5 to 11 are views showing examples of speech bubble indications.
  • FIG. 12 is a view showing another example of speech bubble indications.
  • FIG. 13 is a view showing another embodiment of the present invention.
  • FIG. 14 is a view showing another embodiment of the present invention.
  • An anti-phishing server is provided with a DB where a list of URLs of registered sites and a list of registered programs are stored.
  • An anti-phishing program that communicates with the anti-phishing server and guides users in anti-phishing is a client program executed in a user's computer.
  • The anti-phishing program installed and executed in the user's computer continuously monitors whether the user performs a keyboard input.
  • A preliminary action for a keyboard input event is, for example, that the mouse is moved into a textbox and the input cursor is activated by pressing a mouse button.
  • A keyboard input event can also arise because many web pages set the focus in a textbox or the like by default.
  • If the program is a web browser, whether the URL of the current web page is the URL of a registered site or the URL of an unregistered site is determined by querying the DB, and the result is displayed in the form of a speech bubble in the neighborhood of the user's cursor or of the point where the mouse is clicked. In this manner, correct information is provided so that the user can confirm with his or her own eyes whether the current web page is the very site that the user knows when the user is about to input personal information.
  • If the window that has detected the keyboard input related event is an application program, the name of the program is displayed in the form of a speech bubble in the neighborhood of the cursor or of the point where the mouse is clicked.
  • In this way the user can be safely protected from an application program window that disguises itself as a popup window subordinate to a popular site and steals personal information.
  • If the window is floated by a phishing application program, instead of a guide message indicating that the window is a web page of the popular site into which the user desires to input data, a warning message indicating "Unknown application program. Beware of phishing." is displayed, and the user reconfirms the web page.
  • Attribute information of the corresponding program can be obtained through window hooking. Through the attribute information, control types, the title of the corresponding window program, or the like can be identified. In addition, information on mouse actions, focus settings, cursor settings, child window openings, or the like of the corresponding program can be obtained through window message hooking.
  • FIG. 4 is a flowchart illustrating the present invention.
  • FIGS. 5 to 11 are views showing examples of speech bubble indications.
  • 200. The process of installing an anti-phishing program in a user's computer.
  • The anti-phishing program can be a general application program directly installed in a computer, or an ActiveX control or a Java applet inserted into a web page.
  • The anti-phishing program can be downloaded and installed using a launcher function and periodically smart-updated.
  • The anti-phishing program is preferably implemented to run permanently in the background from when the computer is booted.
  • In the case of a Java applet, if the anti-phishing program is not running, it is executed through the launcher function.
  • The installed and executed anti-phishing program continuously monitors events generated from the user's computer and detects either preliminary actions for keyboard input or keyboard input operations.
  • 230. The process of determining whether the window is a web browser or an application program.
  • 240. The process of extracting a URL address and determining whether the address is registered in the DB.
  • If the window that has detected the keyboard input related event is a web browser, the URL address of the current web page is extracted and it is determined whether the URL address is registered by querying the DB.
  • If the extracted URL is a URL registered in the DB, the corresponding site name matched in the DB is indicated through a speech bubble 5.
  • The speech bubble 5 is preferably displayed in a space near the input box 3 into which data is to be inputted, so as to be easily seen when inputting data.
  • The speech bubble 5 is a speech bubble in a symbolic sense. A variety of displaying techniques that give similar effects should all be included within the scope of the present invention.
  • If the window that has detected the keyboard input related event in step 230 is an application program, the name of the application program is extracted, and it is determined whether the application program is registered by querying the DB.
  • If the application program is not registered, a warning message 5 indicating "Unknown application program. Beware of phishing." is displayed in a speech bubble. The user views the warning message indicating that the window is not a web page of a popular site that the user knows but an unknown application program, and reconfirms the window, thereby not being attacked by phishing.
  • FIG. 12 is a view showing another example of speech bubble indications.
  • In step 240 or 231, i.e., immediately before a speech bubble guide is displayed, it is inquired whether a registered service (a service registered to be protected from an attack pretending to be that service) is currently operating, and the result is displayed in the speech bubble 5 together with the guide, thereby preventing a service pretense even more solidly.
  • Whether the corresponding service is currently provided to the computer is determined by querying a registered service server in real time. That is, the registered service server is queried in real time, and if the corresponding service is provided, a guide message 'In Service' can be displayed, whereas if the corresponding service is not provided, a guide message 'Out of Service' can be displayed.
  • Alternatively, whether or not the service is provided can be reported by the registered service server to the anti-phishing client of the present invention executed in the user's computer when a service window is opened.
  • When a speech bubble 5 is displayed, if the anti-phishing client has received a corresponding report, it displays the guide message 'In Service', and if it has not received a corresponding report, it displays the guide message 'Out of Service'.
  • FIG. 12 shows an example of a valid site registered in an anti-phishing service that floats a fake electronic payment window and tries to steal the user's payment information. Regardless of whether or not the current site is a member of an electronic payment service, the user views the message 'Internet Secure Payment ? Out of Service' displayed in the speech bubble 5 and is not swindled.
  • The DB and the program information need not be constructed in the server, but can be embedded within the anti-phishing program itself.
  • Newly added URLs can be periodically updated on-line. That is, the stand-alone type anti-phishing program processes whether a URL is registered or whether a program is registered without the server's assistance, and communicates with the server only when preventing a service pretense.
  • FIG. 13 is a view showing another embodiment of the present invention.
  • A symbolic image 13 of a site is displayed together with the speech bubble guide so that the user can recognize the guide more easily and rapidly.
  • The good point of this method is that a site such as 'ThirtyBamk' mimicking 'Citibank' can be easily sifted out.
  • It can also overcome the problem that, if only text is used as a guide, a lot of fake names such as 'ThirtyBamk', 'Citibamko', 'Citebank', and the like would have to be registered.
  • For this, the symbolic image 13 of a site is added into the whitelist, and text based speech bubbles need to be changed into a method of outputting images.
  • FIG. 14 is a view showing another embodiment of the present invention.
  • An attacker may intentionally hide a target address in order to evade an anti-phishing guide.
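The whitelist-based self-determination flow of FIG. 3 and FIG. 4 (extract the real address, look it up, show the registered site name or an "Unregistered address" bubble, warn on unknown application windows, and the on-the-spot query service of steps 170 to 190, plus the FIG. 12 service-pretense check) as an added Python illustration; this is not the patent's or Whitecore's code. The whitelist entries, program names, URLs and the `service_reporter` callback are constructed assumptions; the only detail added beyond the text is that a registered domain matches the host exactly or as a subdomain, never as a plain substring.

```python
"""Whitelist-based self-determination guide (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed whitelist: registered domain -> known site name (steps 100 to 130).
WHITELIST = {
    "examplebank.example": "Example Bank",
    "shop.example": "Example Shop",
}
# Constructed list of registered application programs (step 231).
REGISTERED_PROGRAMS = {"Example Bank Secure Pay"}


@dataclass
class InputEvent:
    """A keyboard-input related event as detected by the client (step 220)."""
    kind: str                        # "browser" or "app" (step 230 decides which)
    url: Optional[str] = None        # current page URL when kind == "browser"
    program: Optional[str] = None    # window/program title when kind == "app"


def registered_domain(url: str) -> Optional[str]:
    """Return the whitelist domain the URL's real host belongs to, or None.

    The host must equal the domain or be a subdomain of it. A substring or
    prefix test would wrongly accept "examplebank.example.attacker.test" or
    "notexamplebank.example", which is exactly the kind of address a phishing
    site uses.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in WHITELIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def guide(event: InputEvent,
          service_reporter: Optional[Callable[[str], bool]] = None) -> str:
    """Text for the speech bubble 5 shown next to the input box (FIG. 4 flow)."""
    if event.kind == "browser":
        domain = registered_domain(event.url or "")
        if domain is None:
            return "Unregistered address."               # step 160
        msg = WHITELIST[domain]                           # step 130: real site name
    elif event.kind == "app":
        name = event.program or ""
        if name not in REGISTERED_PROGRAMS:
            return "Unknown application program. Beware of phishing."
        msg = name
    else:
        raise ValueError(f"unknown event kind: {event.kind!r}")
    # FIG. 12: optional real-time check that the registered service is running.
    # service_reporter is an assumed callback standing in for the service server.
    if service_reporter is not None:
        msg += " - In Service" if service_reporter(msg) else " - Out of Service"
    return msg


def query_site(site_name: str) -> str:
    """On-the-spot query service (steps 170 to 190) for a site name typed by the user."""
    wanted = site_name.strip().casefold()
    for domain, name in WHITELIST.items():
        if name.casefold() == wanted:
            # The site is registered, so a page showing this name at an
            # unregistered address deserves immediate suspicion.
            return f"'{name}' is registered with address {domain}."
    return ("The inputted site is not joined to an anti-phishing service. "
            "An operator's e-mail guiding to input personal information "
            "can be a phishing attack. Pay attention.")


if __name__ == "__main__":
    print(guide(InputEvent("browser", url="https://login.examplebank.example/")))
    print(guide(InputEvent("browser", url="https://examplebank.example.attacker.test/")))
    print(guide(InputEvent("app", program="Secure Payment")))
    print(query_site("Example Bank"))
```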

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Mathematical Physics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Anti-phishing method with self-determination: on the basis of a whitelist established from the official URLs of popular sites that become the target of phishing attacks, the address of a website to which a user is connected is compared with the list, and if the address is in it, the name of the corresponding site is displayed on the screen, which allows the user to see for himself or herself whether the site on the screen is indeed a site to which he or she wishes to be connected. Otherwise, the fact that the address is not in the list is displayed on the screen, which gives appropriate warnings so that the user cannot fall victim to phishing. In addition, if the address is not in the list, a query service is provided, and the site name displayed on the screen can be entered directly, with the possibility of immediate confirmation of the presence of the site in the list: thus, the user can immediately suspect a site that claims to be a registered popular site using an unregistered address,
PCT/KR2006/002662 2005-07-07 2006-07-07 Procede anti-filoutage WO2007007988A2 (fr)

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
KR20050061357 2005-07-07
KR10-2005-0061357 2005-07-07
KR10-2005-0070857 2005-08-03
KR20050070857 2005-08-03
KR10-2005-0104821 2005-11-03
KR20050104821 2005-11-03
KR10-2006-0017130 2006-02-22
KR20060017130 2006-02-22
KR10-2006-0053310 2006-06-14
KR20060053310 2006-06-14

Publications (2)

Publication Number Publication Date
WO2007007988A2 true WO2007007988A2 (fr) 2007-01-18
WO2007007988A3 WO2007007988A3 (fr) 2007-03-08

Family

ID=37637605

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/002662 WO2007007988A2 (fr) 2005-07-07 2006-07-07 Procede anti-filoutage

Country Status (2)

Country Link
KR (1) KR20070006559A (fr)
WO (1) WO2007007988A2 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102110210A (zh) * 2009-12-24 2011-06-29 英特尔公司 用于移动设备上的安全浏览的可信图形渲染
US8091118B2 (en) * 2007-12-21 2012-01-03 At & T Intellectual Property I, Lp Method and system to optimize efficiency when managing lists of untrusted network sites
US8528079B2 (en) 2008-08-12 2013-09-03 Yahoo! Inc. System and method for combating phishing
US9038171B2 (en) 2008-10-20 2015-05-19 International Business Machines Corporation Visual display of website trustworthiness to a user
WO2015156640A1 (fr) * 2014-04-11 2015-10-15 Samsung Electronics Co., Ltd. Procédé et dispositif de commande d'un écran de sécurité dans un dispositif électronique
KR20150118041A (ko) * 2014-04-11 2015-10-21 삼성전자주식회사 전자장치에서 보안화면을 제어하는 방법 및 장치
US9621566B2 (en) 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
US11381597B2 (en) * 2019-07-19 2022-07-05 Mcafee, Llc Expedition of web phishing detection for suspicious sites

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100904311B1 (ko) * 2006-09-15 2009-06-23 인포섹(주) 트러스티드 네트워크를 이용한 파밍 방지 방법
KR100929693B1 (ko) * 2007-10-10 2009-12-03 김진우 라우팅 포인트를 활용한 피싱 방지 방법
WO2010090357A1 (fr) * 2009-02-04 2010-08-12 주식회사 이스트소프트 Système et procédé pour vérifier une adresse de site web
KR101436495B1 (ko) * 2013-02-25 2014-09-02 주식회사 안랩 컴퓨터시스템 및 컴퓨터시스템의 악성사이트 여부 판단 방법
KR102131943B1 (ko) 2013-09-11 2020-07-08 삼성전자주식회사 Url 분석 방법 및 그 전자 장치

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GEER D.: 'Security Technologies Go Phishing' IEEE COMPUTER vol. 38, no. 6, June 2005, pages 18 - 21, XP011134755 *
SPRING T.: 'SpamSlayer: New Tools Fight Fraud and Phishing' PC WORLD 25 April 2005, XP003008910 *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8091118B2 (en) * 2007-12-21 2012-01-03 At & T Intellectual Property I, Lp Method and system to optimize efficiency when managing lists of untrusted network sites
US8528079B2 (en) 2008-08-12 2013-09-03 Yahoo! Inc. System and method for combating phishing
US9038171B2 (en) 2008-10-20 2015-05-19 International Business Machines Corporation Visual display of website trustworthiness to a user
CN102110210A (zh) * 2009-12-24 2011-06-29 英特尔公司 用于移动设备上的安全浏览的可信图形渲染
US20110161667A1 (en) * 2009-12-24 2011-06-30 Rajesh Poornachandran Trusted graphics rendering for safer browsing on mobile devices
EP2348442A1 (fr) * 2009-12-24 2011-07-27 Intel Corporation Rendu graphique sécurisé pour navigation sécurisée sur des dispositifs mobiles
US8650653B2 (en) 2009-12-24 2014-02-11 Intel Corporation Trusted graphics rendering for safer browsing on mobile devices
US9621566B2 (en) 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
KR20150118041A (ko) * 2014-04-11 2015-10-21 삼성전자주식회사 전자장치에서 보안화면을 제어하는 방법 및 장치
CN106164925A (zh) * 2014-04-11 2016-11-23 三星电子株式会社 在电子设备中控制安全性屏幕的方法和设备
WO2015156640A1 (fr) * 2014-04-11 2015-10-15 Samsung Electronics Co., Ltd. Procédé et dispositif de commande d'un écran de sécurité dans un dispositif électronique
EP3129910A4 (fr) * 2014-04-11 2017-08-30 Samsung Electronics Co., Ltd. Procédé et dispositif de commande d'un écran de sécurité dans un dispositif électronique
US10002255B2 (en) 2014-04-11 2018-06-19 Samsung Electronics Co., Ltd. Method and device for controlling security screen in electronic device
CN106164925B (zh) * 2014-04-11 2020-06-09 三星电子株式会社 在电子设备中控制安全性屏幕的方法和设备
KR102348217B1 (ko) 2014-04-11 2022-01-10 삼성전자 주식회사 전자장치에서 보안화면을 제어하는 방법 및 장치
US11381597B2 (en) * 2019-07-19 2022-07-05 Mcafee, Llc Expedition of web phishing detection for suspicious sites

Also Published As

Publication number Publication date
KR20070006559A (ko) 2007-01-11
WO2007007988A3 (fr) 2007-03-08

Similar Documents

Publication Publication Date Title
WO2007007988A2 (fr) Procede anti-filoutage
US7770002B2 (en) Multi-factor authentication
EP1863240B1 (fr) Procédé et système de détection d'hameçonnage
Wu et al. Effective defense schemes for phishing attacks on mobile computing platforms
US8019689B1 (en) Deriving reputation scores for web sites that accept personally identifiable information
US8291065B2 (en) Phishing detection, prevention, and notification
US7698442B1 (en) Server-based universal resource locator verification service
Kirda et al. Protecting users against phishing attacks
US8701165B2 (en) Credentials phishing prevention protocol
US7802298B1 (en) Methods and apparatus for protecting computers against phishing attacks
US7634810B2 (en) Phishing detection, prevention, and notification
CN101304418B (zh) 一种客户端侧经由提交者核查来防止偷渡式域欺骗的方法及系统
Kirda et al. Protecting users against phishing attacks with antiphish
US8079087B1 (en) Universal resource locator verification service with cross-branding detection
US8893243B2 (en) Method and system protecting against identity theft or replication abuse
US8381289B1 (en) Communication-based host reputation system
US20160036849A1 (en) Method, Apparatus and System for Detecting and Disabling Computer Disruptive Technologies
US20080092242A1 (en) Method and system for determining a probability of entry of a counterfeit domain in a browser
US20060123478A1 (en) Phishing detection, prevention, and notification
US20060070126A1 (en) A system and methods for blocking submission of online forms.
EP2447878A1 (fr) Détection de programmes malveillants à distance par Internet
Shrivastava et al. XSS vulnerability assessment and prevention in web application
WO2019095856A1 (fr) Procédé et système d'authentification d'identité de réseau, et dispositif d'agent utilisateur utilisé
WO2008146292A2 (fr) Système et procédé de sécurisation d'informations sensibles dans une connexion réseau
WO2006056992A2 (fr) Obtention et evaluation de donnees objectives relatives a des ressources de reseau

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06769204

Country of ref document: EP

Kind code of ref document: A2

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS EPO FORM 1205A DATED 18.04.2008.

122 Ep: pct application non-entry in european phase

Ref document number: 06769204

Country of ref document: EP

Kind code of ref document: A2