WO2021251926A1 - Cyber attacker detection method - Google Patents

Info

Publication number: WO2021251926A1
Authority: WO, WIPO (PCT)
Application number: PCT/TR2021/050373
Prior art keywords: attacker, website, information, cyber, imitation
Other languages: French (fr)
Inventor: Samet GANAL
Original Assignee: Kuveyt Türk Katilim Bankasi A. Ş.
Application filed by: Kuveyt Türk Katilim Bankasi A. Ş.
Priority date: 2020-06-09
Filing date: 2021-04-22
Publication date: 2021-12-16

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
                • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for detecting cyber attackers who steal information, such as usernames and passwords, belonging to the clients of the corporation that owns a website, by means of phishing websites developed for fraud on the internet.

Description

CYBER ATTACKER DETECTION METHOD
Technical Field
The invention relates to a method for detecting cyber attackers who steal information, such as usernames and passwords, belonging to the clients of the corporation that owns a website, by means of phishing websites developed for fraudulent purposes on the internet.
In particular, the invention relates to a method for detecting the information of cyber attackers operating in the finance field with the help of marked data and an imitation website.
Present State of the Invention
In today's cyber world, attackers obtain users' information via phishing websites that they develop and then cause those users material and moral damage. Cyber attackers copy the websites of corporations that serve clients and publish them with the same content under different domain names. The attackers change only the code section of the website so that the information entered in the user input fields is directed to themselves rather than to the service-provider corporation. In this way they have the clients of the target corporation log in to the fake website, aiming to steal the username and password combinations used to log in. The cyber attackers then log in to the real corporate website with the username and password information they have obtained and thereby access the user account.
If there is a second verification method at the login of the corporate website, the attacker moves quickly and can enter the user information obtained over the fake website into the real corporate website instantaneously. A second verification message is thus sent from the corporation to the user; the user enters this message on the fake website and consequently conveys it to the attacker as well. With the second verification information obtained, the attacker also has full access to the user account.
Attacks carried out with the phishing technique described target especially the online banking and similar services offered to customers by financial institutions; they provide access to the users' bank accounts, and the users suffer great economic loss. In the present art, if a website is detected to be a phishing site, action is taken to close it, but the corporations can take no action to detect the attacker. As a result, the attacker continues to attack.
Also, the account numbers that the cyber attackers use to steal the users' tangible assets can only be learned, and blocked, as a result of a user complaint. Until the user complaint reaches the corporation, the account remains available to the attacker. In the present art, no system has been developed for detecting attacker information in cyber attacks carried out by phishing. As a result, the financial loss experienced through phishing websites cannot be prevented.
In the present art, there are systems developed for the detection of fraud carried out over the internet. TR2017/01866 describes a system that provides users with a phishing attack detection and blocking mechanism against phishing messages arriving over channels such as e-mail, SMS and instant messaging applications in mobile device environments. That system does not contain a solution that allows the attacker's information to be detected.
Consequently, the problems mentioned above, which could not be solved in the light of the present art, made an innovation in the related technical field necessary.
Summary of the Invention
The present invention relates to a cyber attacker detection method intended to eliminate the above-mentioned disadvantages and to bring new advantages to the related technical field.
The main object of the invention is to develop a method that allows the attacker's identity to be detected in cyber attacks carried out by the phishing method.
Another object of the invention is to develop a method that allows the financial loss of users exposed to a cyber attack to be prevented and/or recovered by means of the detection of the attacker's information.
Another object of the invention is to present a method that deters cyber attackers.
In the preferred embodiment of the invention, the focus is on fake websites that operate in the finance sector and are used for phishing. With the information the attackers obtain through the fake phishing website, user accounts are accessed through legal corporate finance websites and the users' tangible assets are transferred to the attackers' accounts. Our invention aims to provide people with a safer internet environment by obtaining the attackers' information and transmitting it to the necessary authorities.
The present invention, in order to realize all the objects which are mentioned above and will emerge from the following detailed description, is a cyber attacker detection method that allows the attacker's information to be obtained in cyber attacks carried out by the phishing method over fake websites that, for fraudulent purposes, imitate a legal corporate website established to give service to customers. Accordingly, the method comprises the process steps of
• logging into the fake website created by the cyber attacker for fraudulent purposes, with the marked user data,
• the cyber attacker taking, for fraudulent purposes, the marked data entered on the mentioned fake website and entering it on a legally serving corporate website,
• detecting the attacker by a firewall unit that analyzes the entered information and determines that the data entered on the corporate website are marked data,
• redirecting, by the firewall unit, the detected attacker to the imitation website, which imitates the mentioned corporate website and obtains the attacker information,
• transmitting the information of the attacker entering the imitation website and/or the information entered by the attacker on the imitation website to the relevant security units.
For the construction of the present invention and its advantages, together with its additional elements, to be best understood, it should be evaluated together with the figure explained below.
Brief Description of The Figures
Figure 1 gives a view of an exemplary system in which the method subject to our invention is applied.
List of the Reference Numbers
1. Fake website
2. Corporate website
3. Firewall unit
4. Imitation website
S: Attacker
U: Expert
Detailed Description of the Invention
In this detailed description, the innovation subject to the invention is explained with examples that have no limiting effect and serve only for a better understanding of the subject. Figure 1 gives a view of a system in which the method subject to our invention is applied. Our invention is a cyber attacker detection method that allows the attacker's (S) information to be obtained in cyber attacks carried out by the phishing method over fake websites (1) that, for fraudulent purposes, imitate a legal corporate website (2) established to give service to customers. In the preferred embodiment of our invention, the focus is on fake websites (1) operating in the financial sector. Our invention redirects the attacker to an imitation website (4) that imitates the corporate website (2) in order to obtain the attacker (S) information.
The process starts when a security expert (U) enters a marked username and password combination on the fake website (1) created by the attacker (S). The attacker (S), rising to the bait, will take the marked username and password combination for ordinary user data and will log into the corporate website (2) with it. A firewall unit (3) that performs security control on the corporate website (2) will detect that the user information used for the login is marked and will transfer the attacker's (S) session to the imitation website (4), which enables the attacker (S) information to be detected. The imitation website (4) is an environment designed by security experts (U) to be identical in appearance to the corporate website (2), but imitated in terms of content, user, and account information. When the attacker (S) enters the imitation website (4), he believes that he has accessed the stolen user account and that everything is going well for him, while his movements are followed by the security experts (U).
As soon as the attacker enters the imitation website (4), access information such as the IP address and country location is delivered to the security experts (U). Likewise, when the attacker tries to send money to his own bank account from the account he has logged into, he will also have transmitted his account information to the security experts (U). As a result, the security experts (U) will have obtained both the access information and the bank account information of the attacker (S). When the obtained data is transmitted to the necessary authorities via the imitation website (4), the attackers' (S) accounts are canceled, which makes their work difficult and facilitates the process of catching the attackers (S) by the security forces.
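A minimal sketch of the routing decision made by the firewall unit (3), given here as an added example that is not part of the patent text. The class and function names, the backend labels, the keyed-digest storage of marked pairs and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MARK_KEY = b"constructed-demo-key"       # constructed; keep the real key in a secret store
CORPORATE_BACKEND = "corporate-website"  # (2), hypothetical upstream name
IMITATION_BACKEND = "imitation-website"  # (4), hypothetical upstream name


def fingerprint(username: str, password: str) -> str:
    """Keyed digest of a credential pair, so the marked list holds no clear text."""
    msg = username.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(MARK_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class FirewallUnit:
    marked: dict = field(default_factory=dict)          # fingerprint -> fake site (1)
    decoy_sessions: dict = field(default_factory=dict)  # session id -> evidence
    reports: list = field(default_factory=list)         # handed to the security unit

    def plant(self, username, password, fake_site):
        """Register a marked pair before the expert (U) types it into the fake site.
        The username must not belong to any real customer."""
        self.marked[fingerprint(username, password)] = fake_site

    def route_login(self, session_id, username, password, source_ip, country):
        """Detect marked data at login and pick the backend for this session."""
        fake_site = self.marked.get(fingerprint(username, password))
        if fake_site is None:
            return CORPORATE_BACKEND  # ordinary login, authenticated as usual
        self.decoy_sessions[session_id] = {
            "planted_on": fake_site, "source_ip": source_ip,
            "country": country, "entered": [],
        }
        return IMITATION_BACKEND

    def backend_for(self, session_id):
        """Later requests of a flagged session must stay on the imitation site."""
        if session_id in self.decoy_sessions:
            return IMITATION_BACKEND
        return CORPORATE_BACKEND

    def record_decoy_input(self, session_id, form, values):
        """Store what is typed on the imitation site; refuse any other session
        so that real customers' input is never captured."""
        record = self.decoy_sessions.get(session_id)
        if record is None:
            return False
        record["entered"].append({"form": form, **values})
        return True

    def report(self, session_id):
        """Close the decoy session and pass its evidence to the security unit."""
        record = self.decoy_sessions.pop(session_id)
        self.reports.append(record)
        return record


def demo():
    fw = FirewallUnit()
    fw.plant("honey.user01", "Marked#Pass1", "fake-bank.example")  # constructed
    fw.route_login("s2", "honey.user01", "Marked#Pass1", "203.0.113.7", "XX")
    fw.record_decoy_input("s2", "transfer", {"to_account": "CONSTRUCTED-ACCT-0001"})
    return fw.report("s2")


if __name__ == "__main__":
    print(demo())
```

Recording which fake website each marked pair was planted on lets a later hit on the corporate website be tied back to a specific phishing site.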

Claims

1. A cyber attacker detection method that allows the attacker's (S) information to be obtained in cyber attacks carried out by phishing method over the fake websites (1) that imitate a legal corporate website (2) established to give service to the customers for fraudulent purposes, characterized by comprising the process steps of
• logging into the fake website (1) created by the cyber attacker (S) for fraudulent purposes, with the marked user data,
• taking the marked data entered on mentioned fake website (1) by the cyber attacker (S) for fraudulent purposes and entering a legally serving corporate website (2),
• detecting the attacker (S) by determining that the data entered on the corporate website (2) are marked data by a firewall unit (3) that analyzes the entered information,
• redirecting the detected attacker (S) to the imitation website (4) that obtains the attacker (S) information by imitating the corporate website (2) mentioned by the firewall unit (3),
• transmitting the information of the attacker (S) entering the imitation website (4) and/or the information entered by the attacker (S) on the imitation website (4) to the relevant security units.
2. The cyber attacker detection method according to claim 1, characterized by comprising the process step of logging into the fake website (1) created by the cyber attacker (S) for fraudulent purposes, with the marked user data.
3. The cyber attacker detection method according to claim 1, characterized by comprising the process step of transmitting the IP information and/or country location information of the attacker (S) logging into the imitation website (4) and/or the account information entered on the imitation website (4) by the attacker (S) to the relevant security units.
PCT/TR2021/050373 2020-06-09 2021-04-22 Cyber attacker detection method WO2021251926A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2020/08876A TR202008876A1 (en) 2020-06-09 2020-06-09 CYBER ATTACK DETECTION METHOD
TR2020/08876 2020-06-09

Publications (1)

Publication Number Publication Date
WO2021251926A1 (en) 2021-12-16

Family

ID=78846330

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2021/050373 WO2021251926A1 (en) 2020-06-09 2021-04-22 Cyber attacker detection method

Country Status (2)

Country Link
TR (1) TR202008876A1 (en)
WO (1) WO2021251926A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060161989A1 (en) * 2004-12-13 2006-07-20 Eran Reshef System and method for deterring rogue users from attacking protected legitimate users
US20130145462A1 (en) * 2011-12-02 2013-06-06 Institute For Information Industry Phishing Processing Method and System and Computer Readable Storage Medium Applying the Method
US20130312081A1 (en) * 2012-05-18 2013-11-21 Estsecurity Co., Ltd. Malicious code blocking system
US10511628B1 (en) * 2019-03-07 2019-12-17 Lookout, Inc. Detecting realtime phishing from a phished client or at a security server

Also Published As

Publication number Publication date
TR202008876A1 (en) 2021-12-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 21821496; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 21821496; Country of ref document: EP; Kind code of ref document: A1