WO2019165362A1 - System, method, apparatus, and computer program product to detect page impersonation in phishing attacks - Google Patents

Publication number
WO2019165362A1
Authority
WO
WIPO (PCT)
Prior art keywords
screenshot
trusted
url
site
domain
Prior art date
Application number
PCT/US2019/019405
Other languages
French (fr)
Inventor
Mucteba Celik
Original Assignee
Mucteba Celik
Priority date
Filing date
Publication date
Application filed by Mucteba Celik
Priority to CA3094198A (CA3094198A1)
Priority to AU2019223172A (AU2019223172A1)
Priority to SG11202007673UA (SG11202007673UA)
Priority to GB2012472.3A (GB2584255A)
Priority to EP19757930.3A (EP3759636A4)
Publication of WO2019165362A1
Priority to IL276602A (IL276602A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V30/00 Character recognition; Recognising digital ink; Document-oriented image-based pattern recognition
    • G06V30/40 Document-oriented image-based pattern recognition
    • G06V30/41 Analysis of document content
    • G06V30/418 Document matching, e.g. of document images
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/08 Annexed information, e.g. attachments
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/18 Commands or executable codes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V2201/00 Indexing scheme relating to image or video recognition or understanding
    • G06V2201/02 Recognising information on displays, dials, clocks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Multimedia (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A system, method, apparatus, and computer program product to detect page impersonation in phishing attacks. The system detects phishing attempts by extracting an embedded URL from an e-mail message and captures a screenshot image of the referenced site. The captured screenshot is analyzed with an image recognition module that compares the captured screenshot with a record screenshot of one or more trusted sites. If the comparison indicates that the screenshots differ, the embedded URL is marked as safe. If the comparison indicates that the screenshots are the same, the domain of the embedded URL is compared with the domain for the trusted site. When the domains differ, the e-mail is marked as a page impersonation attempt. When the domains correspond, the e-mail is marked as safe. The system includes a page impersonation database of trusted site URLs, domains, and record screenshots.

Description

SYSTEM, METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT TO DETECT PAGE IMPERSONATION IN PHISHING ATTACKS
BACKGROUND OF THE INVENTION
[001] The present invention relates to computer security and, more particularly, to computer security systems for detecting and reducing security threats presented through phishing attempts.
[002] In recent years, hackers have created fake login pages and registered domain names similar to those of the websites they are trying to impersonate. The hackers then send phishing URLs to unsuspecting victims via an e-mail message. Currently there is no solution to detect these fake page impersonations and fake login pages.
[003] As can be seen, there is a need for an improved system, method, apparatus, and computer program product that automatically detects phishing URLs that are leveraged through page impersonation attacks.
SUMMARY OF THE INVENTION
[004] In one aspect of the present invention, a system for detecting page impersonation in phishing attacks is disclosed. The system includes a computer having a processor and a network communication; and a program product comprising machine-readable program code for causing, when executed, the computer to perform process steps. The steps include automatically analyzing the body of an e-mail message to detect an embedded universal resource locator (URL). The embedded URL is automatically extracted and a screenshot of a website referenced by the embedded URL is captured. The captured screenshot is compared with a record screenshot, wherein the record screenshot corresponds to a trusted site. If the captured screenshot does not match the record screenshot, the embedded URL is marked as safe.
[005] If the captured screenshot matches the record screenshot, the system then determines if a domain of the embedded URL corresponds to a trusted domain. If the domain of the embedded URL corresponds to the trusted domain, the embedded URL is marked as safe. If the domain of the embedded URL does not correspond to the trusted domain, the e-mail message is marked as a page impersonation attempt.
[006] The system may also include a page impersonation database storing data associated with the trusted site. The trusted site data includes: a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot. The system may also receive a URL designating a contributed site from a user and the contributed site is stored in the page impersonation database. The system may then automatically capture a screenshot of the contributed site and store the screenshot for the contributed site in the page impersonation database.
[007] Other aspects of the invention include a method for detecting a page impersonation phishing attempt presented by an e-mail message. The method includes automatically analyzing the body of an e-mail message to extract an embedded universal resource locator (URL). A screenshot of a website referenced by the embedded URL is automatically captured. The captured screenshot is then compared with a record screenshot, wherein the record screenshot corresponds with a trusted site.
[008] If the captured screenshot does not match the record screenshot, the embedded URL is marked as safe. If the captured screenshot matches the record screenshot, the method determines if a domain of the embedded URL corresponds to a trusted domain associated with the trusted site.
[009] If the domain of the embedded URL corresponds to the trusted domain, the embedded URL is marked as safe. If the domain of the embedded URL does not correspond to the trusted domain, the e-mail message is marked as a page impersonation attempt.
[010] In embodiments of the invention, one or more trusted sites are stored in a page impersonation database. The stored trusted site includes a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot. The method may also include receiving a URL designating a contributed site from a user and storing the contributed site in the page impersonation database.
[011] The method may then automatically capture a screenshot of the contributed site and store the screenshot for the contributed site in the page impersonation database.
[012] Yet other aspects of the invention include a non-transitory computer-readable memory adapted to detect page impersonation phishing attacks; the non-transitory computer-readable memory is used to direct a computer to perform process steps. The process steps include automatically analyzing the body of an e-mail message to extract an embedded universal resource locator (URL), automatically capturing a screenshot of a website referenced by the embedded URL, and automatically comparing the captured screenshot with a record screenshot, wherein the record screenshot corresponds with a trusted site.
[013] If the captured screenshot does not match the record screenshot, the embedded URL is marked as safe. However, if the captured screenshot matches the record screenshot, the method includes determining if a domain of the embedded URL corresponds to a trusted domain associated with the trusted site.
[014] If the domain of the embedded URL corresponds to the trusted domain, the embedded URL is marked as safe. If the domain of the embedded URL does not correspond to the trusted domain, the e-mail message is marked as a page impersonation attempt.
[015] Other aspects of the method include storing one or more trusted sites in a page impersonation database, wherein each trusted site includes a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot. The method may also include receiving a URL designating a contributed site from a user. A screenshot of the contributed site may be automatically captured, and the screenshot of the contributed site may be automatically stored in the page impersonation database.
[016] These and other features, aspects and advantages of the present invention will become better understood with reference to the following drawings, description and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[017] Fig. 1 is a schematic view of the protected list population.
[018] Fig. 2 is a schematic view of a typical analysis process.
[019] Fig. 3 is a flow chart of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[020] The following detailed description is of the best currently contemplated modes of carrying out exemplary embodiments of the invention. The description is not to be taken in a limiting sense, but is made merely for the purpose of illustrating the general principles of the invention, since the scope of the invention is best defined by the appended claims.
[021] Broadly, an embodiment of the present invention provides an improved system, method, apparatus, and computer program product that detects page impersonation in phishing attacks.
[022] As seen in reference to FIG. 1, aspects of the invention include a security software 10, which may be included in a gateway appliance, as a plugin, or other application. The system includes a list of URLs for a plurality of trusted sites 16 and their respective domains that are to be protected, which are stored in a database 14. The system captures a record screenshot 24 of the trusted sites 16 and services in advance, which is stored with the trusted list 16 in the database 14.
[023] A user 12 may also add URLs for services and websites to the protected list, as contributed sites 18. The system is configured to capture a record screenshot of the user contributed sites 18.
[024] As seen in reference to FIG. 2, the system 10 is configured to analyze an e-mail 20 that is received by an e-mail client of the user 12. The e-mail is analyzed to detect the presence of one or more embedded URLs 22 within the body of the e-mail. The system 10 extracts the embedded URLs 22 from the e-mail for image impersonation processing.
[025] Using an image impersonation analysis engine, shown in FIG. 3, the system captures a screenshot of the site that is linked by the embedded URL 22. The extracted URL 22 is used to obtain a captured screenshot 26 for each extracted URL 22.
[026] The image impersonation analysis engine 28 compares the captured screenshot 26 with the record screenshot 24. If the captured screenshot 26 is different from a record screenshot 24, the URL is marked as safe. If the captured screenshot 26 is the same as a record screenshot 24, the extracted URL 22 is then compared to determine if its domain is referencing a protected domain. If the domain of the extracted URL 22 is not from a protected site 16, the e-mail 20 is blocked, or otherwise marked as a phishing attempt 32. If the domain of the extracted URL 22 is the same as the corresponding domain for the matched record screenshot 24, the extracted URL 22 is marked as a safe e-mail 30.
[027] The system then determines whether there are additional extracted URLs 22 to process. If there are additional extracted URLs to process, the image impersonation analysis engine 28 process is repeated. If there are no additional extracted URLs 22 to process, the image impersonation analysis engine 28 marks the e-mail as approved.
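The decision flow of paragraphs [024] to [027], written out as an added Python example that is not part of the patent text. The patent does not say how screenshots are compared or captured, so the average-hash fingerprint, the Hamming-distance threshold, the injected `capture` callable, the dot-boundary subdomain rule and every domain and pixel grid below are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit

Grid = list[list[int]]  # grayscale thumbnail of a screenshot, values 0-255
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


@dataclass(frozen=True)
class TrustedSite:
    """One row of the page impersonation database (fields per [006])."""
    url: str
    domain: str
    record_hash: int  # fingerprint of the record screenshot (assumed form)


def extract_urls(body: str) -> list[str]:
    """Embedded http(s) URLs in order of first appearance, de-duplicated."""
    found: list[str] = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;")  # drop trailing sentence punctuation
        if url not in found:
            found.append(url)
    return found


def average_hash(pixels: Grid) -> int:
    """One bit per pixel, set when the pixel is brighter than the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | int(p > mean)
    return bits


def screenshots_match(a: int, b: int, max_distance: int = 2) -> bool:
    """Near-duplicate test: Hamming distance between two fingerprints."""
    return bin(a ^ b).count("1") <= max_distance


def domain_is_trusted(url: str, trusted_domain: str) -> bool:
    """Exact host, or a subdomain of it matched on a dot boundary."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    return host == trusted or host.endswith("." + trusted)


def classify_url(url: str, capture: Callable[[str], Grid],
                 database: list[TrustedSite]) -> str:
    captured = average_hash(capture(url))
    matches = [s for s in database if screenshots_match(captured, s.record_hash)]
    if not matches:
        # "safe" only means: does not look like any protected page.
        return "safe"
    if any(domain_is_trusted(url, s.domain) for s in matches):
        return "safe"
    return "page_impersonation"


def classify_email(body: str, capture: Callable[[str], Grid],
                   database: list[TrustedSite]) -> tuple[str, dict[str, str]]:
    """Process every extracted URL; one flagged URL marks the whole e-mail."""
    verdicts = {u: classify_url(u, capture, database) for u in extract_urls(body)}
    flagged = "page_impersonation" in verdicts.values()
    return ("page_impersonation" if flagged else "approved"), verdicts


# --- Constructed sample data (4x4 thumbnails, reserved example domains) ---
LOGIN_PAGE = [[200, 200, 200, 200], [200, 30, 30, 200],
              [200, 30, 30, 200], [200, 200, 200, 200]]
LOOKALIKE = [[198, 203, 201, 199], [202, 35, 28, 197],
             [199, 31, 33, 204], [201, 200, 198, 202]]
NEWS_PAGE = [[10, 10, 200, 200], [10, 10, 200, 200],
             [200, 200, 10, 10], [200, 200, 10, 10]]
DATABASE = [TrustedSite("https://login.bank.example/", "bank.example",
                        average_hash(LOGIN_PAGE))]
SCREENS = {
    "https://bank-example.test/login": LOOKALIKE,
    "https://news.example/today": NEWS_PAGE,
    "https://login.bank.example/": LOGIN_PAGE,
}
SAMPLE_BODY = (
    "Your account is locked. Sign in at https://bank-example.test/login now.\n"
    'Read our <a href="https://news.example/today">newsletter</a> or visit '
    "https://login.bank.example/."
)


def fake_capture(url: str) -> Grid:
    """Stand-in for a headless-browser screenshot, so the example runs offline."""
    return SCREENS[url]


if __name__ == "__main__":
    verdict, per_url = classify_email(SAMPLE_BODY, fake_capture, DATABASE)
    print(verdict)
    for url, result in per_url.items():
        print(f"  {result:20} {url}")
```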
[028] The system of the present invention may include at least one computer with a user interface. The computer may include any computer including, but not limited to, a desktop, laptop, and smart device, such as, a tablet and smart phone. The computer includes a program product including a machine-readable program code for causing, when executed, the computer to perform steps. The program product may include software which may either be loaded onto the computer or accessed by the computer. The loaded software may include an application on a smart device. The software may be accessed by the computer using a web browser. The computer may access the software via the web browser using the internet, extranet, intranet, host server, internet cloud and the like.
[029] The computer-based data processing system and method described above is for purposes of example only, and may be implemented in any type of computer system or programming or processing environment, or in a computer program, alone or in conjunction with hardware. The present invention may also be implemented in software stored on a non-transitory computer-readable medium and executed as a computer program on a general purpose or special purpose computer. For clarity, only those aspects of the system germane to the invention are described, and product details well known in the art are omitted. For the same reason, the computer hardware is not described in further detail. It should thus be understood that the invention is not limited to any specific computer language, program, or computer. It is further contemplated that the present invention may be run on a stand-alone computer system, or may be run from a server computer system that can be accessed by a plurality of client computer systems interconnected over an intranet network, or that is accessible to clients over the Internet. In addition, many embodiments of the present invention have application to a wide range of industries. To the extent the present application discloses a system, the method implemented by that system, as well as software stored on a computer-readable medium and executed as a computer program to perform the method on a general purpose or special purpose computer, are within the scope of the present invention. Further, to the extent the present application discloses a method, a system of apparatuses configured to implement the method are within the scope of the present invention.
[030] It should be understood, of course, that the foregoing relates to exemplary embodiments of the invention and that modifications may be made without departing from the spirit and scope of the invention as set forth in the following claims.

Claims

What is claimed is:
1. A system for detecting page impersonation in phishing attacks, comprising:
a computer having a processor and a network communication; and a program product comprising machine-readable program code for causing, when executed, the computer to perform the following process steps:
automatically analyzing the body of an e-mail message to detect an embedded universal resource locator (URL);
automatically extracting the embedded URL;
automatically capturing a screenshot of a website referenced by the embedded URL; and
automatically comparing the captured screenshot with a record screenshot, wherein the record screenshot corresponds to a trusted site;
if the captured screenshot does not match the record screenshot, marking the embedded URL as safe.
2. The system of claim 1, further comprising:
if the captured screenshot matches the record screenshot, determining if a domain of the embedded URL corresponds to a trusted domain.
3. The system of claim 2, further comprising:
if the domain of the embedded URL corresponds to the trusted domain, marking the embedded URL as safe.
4. The system of claim 3, further comprising:
if the domain of the embedded URL does not correspond to the trusted domain, marking the e-mail message as a page impersonation attempt.
5. The system of claim 1, further comprising:
a page impersonation database storing data associated with the trusted site, wherein the trusted site data includes: a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot.
6. The system of claim 5, further comprising:
receiving a URL designating a contributed site from a user; and storing the contributed site in the page impersonation database.
7. The system of claim 6, further comprising:
automatically capturing a screenshot of the contributed site; and storing the screenshot for the contributed site in the page impersonation database.
8. A method for detecting a page impersonation phishing attempt presented by an e-mail message, comprising:
automatically analyzing the body of an e-mail message to extract an embedded universal resource locator (URL);
automatically capturing a screenshot of a website referenced by the embedded URL;
automatically comparing the captured screenshot with a record screenshot, wherein the record screenshot corresponds with a trusted site; and
if the captured screenshot does not match the record screenshot, marking the embedded URL as safe.
9. The method of claim 8, further comprising:
if the captured screenshot matches the record screenshot, determining if a domain of the embedded URL corresponds to a trusted domain associated with the trusted site.
10. The method of claim 9, further comprising:
if the domain of the embedded URL corresponds to the trusted domain, marking the embedded URL as safe.
11. The method of claim 10, further comprising:
if the domain of the embedded URL does not correspond to the trusted domain, marking the e-mail message as a page impersonation attempt.
12. The method of claim 9, further comprising:
storing the trusted site in a page impersonation database, wherein the trusted site includes a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot.
13. The method of claim 12, further comprising:
receiving a URL designating a contributed site from a user; and storing the contributed site in the page impersonation database.
14. The method of claim 13, further comprising:
automatically capturing a screenshot of the contributed site; and storing the screenshot for the contributed site in the page impersonation database.
15. A non-transitory computer-readable memory adapted to detect page impersonation phishing attacks, the non-transitory computer readable memory used to direct a computer to perform process steps, comprising:
automatically analyzing the body of an e-mail message to extract an embedded universal resource locator (URL);
automatically capturing a screenshot of a website referenced by the embedded URL;
automatically comparing the captured screenshot with a record screenshot, wherein the record screenshot corresponds with a trusted site; and
if the captured screenshot does not match the record screenshot, marking the embedded URL as safe.
16. The non-transitory computer-readable memory of claim 15, wherein the process steps further comprise:
if the captured screenshot matches the record screenshot, determining if a domain of the embedded URL corresponds to a trusted domain associated with the trusted site.
17. The non-transitory computer-readable memory of claim 9, wherein the process steps further comprise:
if the domain of the embedded URL corresponds to the trusted domain, marking the embedded URL as safe.
18. The non-transitory computer-readable memory of claim 17, wherein the process steps further comprise:
if the domain of the embedded URL does not correspond to the trusted domain, marking the e-mail message as a page impersonation attempt.
19. The non-transitory computer-readable memory of claim 18, wherein the process steps further comprise:
storing the trusted site in a page impersonation database, wherein the trusted site includes a trusted URL, a trusted domain corresponding to the trusted URL, and the record screenshot.
20. The non-transitory computer-readable memory of claim 19, wherein the process steps further comprise:
receiving a URL designating a contributed site from a user;
automatically capturing a screenshot of the contributed site; and storing the contributed site and the screenshot of the contributed site in the page impersonation database.
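The decision flow of claims 8 to 11 (extract the URL, capture, compare with the record screenshot, then check the domain), as an added example that is not part of the patent text. The average-hash match rule, the 4x4 pixel grids, the `.example` names, the `fake_capture` stand-in and the subdomain rule in `same_domain` are all assumptions made for illustration; the claims do not specify how screenshots are compared or how a domain "corresponds" to a trusted one.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed record: a trusted domain and a reduced 4x4 grayscale record screenshot.
TRUSTED = [{"domain": "bank.example",
            "shot": [[250, 250, 250, 250], [20, 20, 20, 20],
                     [250, 30, 30, 250], [250, 250, 250, 250]]}]
# Constructed captures: a near-copy of the record page and an unrelated page.
LOOKALIKE = [[248, 251, 250, 249], [22, 19, 20, 21],
             [250, 30, 30, 250], [250, 250, 250, 250]]
OTHER = [[10, 200, 10, 200], [200, 10, 200, 10]] * 2
# Constructed e-mail with three embedded URLs.
EMAIL = ("From: sender@mail.example\nSubject: Verify your account\n\n"
         "Log in: https://bank.example.login-check.example/auth\n"
         "News: https://news.example/today\n"
         "Portal: https://www.bank.example/login\n")

def ahash(pixels):
    """Average hash: one bit per pixel, set when the pixel is above the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return [p > mean for p in flat]

def matches(a, b, max_diff=1):
    """Assumed match rule: at most max_diff differing hash bits."""
    return sum(x != y for x, y in zip(ahash(a), ahash(b))) <= max_diff

def same_domain(host, trusted):
    """Exact host or a subdomain on a dot boundary; never a substring test."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def classify(url, capture):
    """capture(url) stands in for the automatic screenshot step."""
    shot, host = capture(url), urlsplit(url).hostname or ""
    for site in TRUSTED:
        if matches(shot, site["shot"]):
            return "safe" if same_domain(host, site["domain"]) else "impersonation"
    return "safe"  # no record screenshot matched

def scan(raw_email, capture):
    """Return per-URL verdicts and whether the e-mail is an impersonation attempt."""
    body = message_from_string(raw_email).get_payload()
    verdicts = {u: classify(u, capture) for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    return verdicts, "impersonation" in verdicts.values()

def fake_capture(url):
    """Constructed stand-in for a headless-browser capture."""
    return OTHER if urlsplit(url).hostname == "news.example" else LOOKALIKE
```

Under this flow, "safe" for a non-matching screenshot means only that the page does not resemble any stored trusted site; it says nothing about other kinds of malicious content.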
PCT/US2019/019405 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks WO2019165362A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
CA3094198A CA3094198A1 (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
AU2019223172A AU2019223172A1 (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
SG11202007673UA SG11202007673UA (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
GB2012472.3A GB2584255A (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
EP19757930.3A EP3759636A4 (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
IL276602A IL276602A (en) 2018-02-26 2020-08-09 System, method, apparatus and computer program product to detect page impersonation in phishing attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/904,923 US20190268373A1 (en) 2018-02-26 2018-02-26 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
US15/904,923 2018-02-26

Publications (1)

Publication Number Publication Date
WO2019165362A1 true WO2019165362A1 (en) 2019-08-29

Family

ID=67686298

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/019405 WO2019165362A1 (en) 2018-02-26 2019-02-25 System, method, apparatus, and computer program product to detect page impersonation in phishing attacks

Country Status (8)

Country Link
US (1) US20190268373A1 (en)
EP (1) EP3759636A4 (en)
AU (1) AU2019223172A1 (en)
CA (1) CA3094198A1 (en)
GB (1) GB2584255A (en)
IL (1) IL276602A (en)
SG (1) SG11202007673UA (en)
WO (1) WO2019165362A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11275867B1 (en) * 2018-02-28 2022-03-15 Amazon Technologies, Inc. Content integrity processing
US11528297B1 (en) * 2019-12-12 2022-12-13 Zimperium, Inc. Mobile device security application for malicious website detection based on representative image
US11677758B2 (en) * 2020-03-04 2023-06-13 Cisco Technology, Inc. Minimizing data flow between computing infrastructures for email security
US11595435B2 (en) 2020-03-09 2023-02-28 EC-Council International Limited Methods and systems for detecting phishing emails using feature extraction and machine learning
CN114916473B (en) * 2022-05-23 2023-03-28 大连理工大学 Overlook fish body length monitoring method and device used in farm

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050015626A1 (en) * 2003-07-15 2005-01-20 Chasin C. Scott System and method for identifying and filtering junk e-mail messages or spam based on URL content
US20090300768A1 (en) * 2008-05-30 2009-12-03 Balachander Krishnamurthy Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US20140215626A1 (en) * 2004-08-20 2014-07-31 Ebay Inc. Method and system for tracking fraudulent activity
CN104143008A (en) * 2014-08-11 2014-11-12 北京奇虎科技有限公司 Method and device for detecting phishing webpage based on picture matching

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI462523B (en) * 2011-10-18 2014-11-21 Inst Information Industry Phishing detecting method, network apparatus applying thereof and computer readable storage medium storing thereof
US9621566B2 (en) * 2013-05-31 2017-04-11 Adi Labs Incorporated System and method for detecting phishing webpages
EP3125147B1 (en) * 2015-07-27 2020-06-03 Swisscom AG System and method for identifying a phishing website
US20170237753A1 (en) * 2016-02-15 2017-08-17 Microsoft Technology Licensing, Llc Phishing attack detection and mitigation
US10805346B2 (en) * 2017-10-01 2020-10-13 Fireeye, Inc. Phishing attack detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3759636A4 *

Also Published As

Publication number Publication date
GB202012472D0 (en) 2020-09-23
EP3759636A1 (en) 2021-01-06
SG11202007673UA (en) 2020-09-29
US20190268373A1 (en) 2019-08-29
EP3759636A4 (en) 2021-01-06
GB2584255A (en) 2020-11-25
CA3094198A1 (en) 2019-08-29
IL276602A (en) 2020-09-30
AU2019223172A1 (en) 2020-08-27

Similar Documents

Publication Publication Date Title
US20190268373A1 (en) System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
US11683330B2 (en) Network anomaly data detection method and device as well as computer equipment and storage medium
US10375102B2 (en) Malicious web site address prompt method and router
US9191411B2 (en) Protecting against suspect social entities
JP6624771B2 (en) Client-based local malware detection method
US9027134B2 (en) Social threat scoring
US8533328B2 (en) Method and system of determining vulnerability of web application
US9055097B1 (en) Social network scanning
US10721245B2 (en) Method and device for automatically verifying security event
EP3417590B1 (en) Phishing attack detection and mitigation
US20140337973A1 (en) Social risk management
US20170034203A1 (en) Method and apparatus for detecting website security
US20130263263A1 (en) Web element spoofing prevention system and method
US20160063541A1 (en) Method for detecting brand counterfeit websites based on webpage icon matching
CN107612926B (en) One-sentence speech WebShell interception method based on client recognition
CN105635064B (en) CSRF attack detection method and device
CN106713318B (en) WEB site safety protection method and system
CN107332804B (en) Method and device for detecting webpage bugs
US20190132356A1 (en) Systems and Methods to Detect and Notify Victims of Phishing Activities
WO2013131237A1 (en) System and method for detecting and preventing attacks against a server in a computer network
Kirchner A framework for detecting anomalies in http traffic using instance-based learning and k-nearest neighbor classification
US20210006592A1 (en) Phishing Detection based on Interaction with End User
CN108322420B (en) Method and device for detecting backdoor file
US20210176275A1 (en) System and method for page impersonation detection in phishing attacks
Roopak et al. On effectiveness of source code and SSL based features for phishing website detection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 19757930; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase. Ref document number: 202012472; Country of ref document: GB; Kind code of ref document: A; Free format text: PCT FILING DATE = 20190225
ENP Entry into the national phase. Ref document number: 2019223172; Country of ref document: AU; Date of ref document: 20190225; Kind code of ref document: A
NENP Non-entry into the national phase. Ref country code: DE
ENP Entry into the national phase. Ref document number: 3094198; Country of ref document: CA
ENP Entry into the national phase. Ref document number: 2019757930; Country of ref document: EP; Effective date: 20200928