
System And Method For Detection And Prevention Of Data Theft By A Suspected Phishing Website

Abstract: An improved system and method for detection and prevention of data theft by a suspected phishing website. The improved phishing detection and prevention system and method is more accurate for detection and prevention of phishing websites. It is used for identifying a phishing website by analyzing the website referrers in order to prevent phishing incidents by automated reporting of phishing pages to domain administration and phishing blacklist repositories, wherein pre-configured secret key matching and JAVASCRIPT are used to detect the phishing page, i.e. a two-fold detection system is employed. Figure 5


Patent Information

Application #:
Filing Date: 03 October 2017
Publication Number: 23/2019
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: tm@singhandsingh.com
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2025-10-14
Renewal Date:

Applicants

Info Edge (India) Limited
B - 8, Sector - 132, Noida - 201301, Uttar Pradesh, India

Inventors

1. Tirthankar Dutta
Street B - 8, Sector - 132, Noida - 201301, Uttar Pradesh India
2. Sandeep Saxena
Street B - 8, Sector - 132, Noida - 201301, Uttar Pradesh India

Specification

FIELD OF INVENTION
This invention relates to a system and method for detection and prevention of data theft by a suspected phishing website. This invention provides for an improved system and method aimed at internet security of individuals and organizations.
BACKGROUND OF INVENTION
In today's day and age, with increasing use of the internet for i) conducting various chores such as bill payment, online registration for services, placing orders for groceries; ii) applying for school/college admissions; iii) use of interactive websites; iv) applying for jobs; v) online advertisement; vi) online shopping etc., we are facing a scenario where cyber-crime, data theft and data protection have become major issues. As regular use of the internet for all the aforesaid activities entails sharing of private classified information, use of net-banking, use of credit cards, e-wallets etc., online or internet security has become an area of prime concern for all. Phishing websites are one such area of grave concern for internet users.
"Phishing" may be defined as an attempt or act to obtain private and/or sensitive information such as passwords, credit card details, etc., from a user for use in fraudulent activities. Phishing is usually performed by using a website which looks similar to a legitimate website, so that the victim enters the private and/or sensitive information on the fraudulent website, believing it to be the legitimate website. The private and/or sensitive information is then obtained by the fraudulent website for illegal and illicit use.
Various systems and methods exist that attempt to identify phishing websites/emails in order to prevent data theft and to safeguard sensitive and confidential information. To protect users from phishing attacks, security applications such as anti-phishing applications have been developed. These security applications take protective actions when a user attempts to visit a known phishing website. For example, the security applications block access to the phishing website, or at least provide a notification that the user is connecting with a known phishing website.
Conventional phishing detection systems evaluate static website information, such as the HTML code of a website, to determine if the website is a phishing website or a legitimate website. In traditional phishing detection systems, phishing scanners are usually present which evaluate the content present in the Uniform Resource Locator (URL) and do not load a website which is determined to be a phishing website. However, the use of static website information is limited in its accuracy and ability to identify phishing websites.
US 9,111,090 discloses an anti-phishing system and method wherein the detection of phishing website is carried out using JavaScript (JS) code. When the phishing page causes the JS code to run not in the context of the original page, it generates an indication that a phishing attempt may exist. Further, US2017/0078310 discloses a method for identification of phishing website using DOM (Document Object Model) comprising (i) collecting website information from a variety of websites and web servers connected to the internet, (ii) analyzing the collected data to determine whether the website information is performing phishing, and (iii) mediating websites and other actors that are determined to be performing phishing based on the results of the phishing analysis.
Further, US2009/0300768 discloses a method and apparatus for identifying phishing websites in network traffic using generated regular expressions. It provides for classifying URLs into whitelists and blacklists and creating a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. It also discusses identification of a phishing website to be followed by reporting.

Further, systems and methods are available which are used to identify phishing websites but include a single check to protect the legitimate site and detect the phishing websites. However, despite the aforesaid systems/methods, a need is felt for a more effective, competent, specific, efficient, and accurate phishing detection system and method to detect and prevent phishing attacks on a website.
It is therefore the object of the present invention to provide a phishing detection and prevention system and method for a host protected website from suspected phishing websites.
SUMMARY OF THE INVENTION
The present invention relates to an improved phishing detection and prevention system and method which is more accurate for detection and prevention of phishing website. Further, the present invention overcomes the problems associated with the available phishing detection methods and systems.
The present invention relates to an improved phishing detection and prevention system and method for identifying phishing website by analyzing the website referrers and/or host name in order to prevent phishing incidents/attempts by automated reporting of phishing pages to domain administration and phishing blacklist repositories wherein pre-configured secret key matching and JAVASCRIPT code matching is used to detect the phishing page i.e. two fold detection system is employed. Further, the phishing detection and prevention system can be used to alert the next user on phishing attempt if they are coming from already identified pages thereby preventing such future phishing attempts.
According to another aspect of the invention, in the improved phishing detection and prevention system and method, the pre-configured secret key is an HTML hidden text, images or any preconfigured element present in a legitimate website.

According to another aspect of the present invention, the improved phishing detection and prevention system and method performs a two-fold detection of the suspected phishing site along with reporting and subsequent prevention.
According to another aspect of the present invention, the improved phishing detection and prevention system and method prevents and reports the phishing activity when the legitimate website has been copied in order to perform phishing by a suspect for preparation of a phishing website.
The summary is provided to introduce the system and method of representative concepts in a simplified form that are further described below in the detailed description. This summary is not intended to limit the key essential features of the present invention nor its scope and application.
Other advantages and details about the system and method will become more apparent to a person skilled in the art from the below detailed description of the invention when taken in conjunction with the drawings.
BRIEF DESCRIPTION OF DRAWINGS
The following drawings are illustrative of particular embodiments for enabling system and method of the present invention and are not intended to limit the scope of the invention. The drawings are not to scale (unless so stated) and are intended for use in conjunction with the explanations in the following detailed description.
[FIG. 1] FIG 1. is a schematic representation of a system where the invention may be implemented.
[FIG. 2] FIG 2. is an exemplary representation of the phishing detection and prevention system.

[FIG. 3] FIG 3. is an exemplary representation of a detection unit.
[FIG. 4] FIG 4. is an exemplary representation of a collection unit.
[FIG. 5] FIG 5. is a flowchart to illustrate phishing detection and prevention method.
Persons skilled in the art will appreciate that elements in the figures are illustrated for simplicity and clarity and may represent both hardware/software components of the system. Further, the dimensions of some of the elements in the figure may be exaggerated relative to other elements to help to improve understanding of various exemplary embodiments of the present disclosure.
Throughout the drawings, it should be noted that like reference numbers are used to depict the same or similar elements, features, and structures.
DETAILED DESCRIPTION OF DRAWINGS
The following description with reference to the accompanying drawings is provided to assist in a comprehensive understanding of exemplary embodiments of the invention in respect of which patent protection is being claimed. It includes various specific details to assist in that understanding but these are to be regarded as merely exemplary. Accordingly, persons skilled in the art will recognize that various changes and modifications to the embodiments described herein can be made without departing from the scope and spirit of the invention. In addition, descriptions of well-known functions and constructions are omitted for clarity and conciseness.
TERMS
It is to be understood that the singular forms "a," "an," and "the" include plural referents unless the context clearly dictates otherwise.

The terms and words used in the following description are to be understood in the manner used by the inventor to enable and describe the invention. For further clarity and to enable better understanding of the invention, certain key terms are being defined hereinunder.
"Website information" includes any relevant information related to a host website. Website information may include a URL for the website and the HTML code received after contacting the website.
A log includes a detailed list of application information, system performance, or user activities. Log files are provided by the operating system or other control program for such purposes as recording incoming dialogs, error and status messages and certain transaction details.
An "access log" is a list of all the requests for individual files that people have requested from a Web site. It contains:
• IP Address of the users
• The REFERRER of the visitors in terms of their associated server's domain name (for example, visitors from .edu, .com, and .gov sites and from the online services)
• Date/Time
• URL
An event is any identifiable occurrence that has significance for system hardware or software. An event typically represents some message, token, count, pattern, value, or marker that can be recognized within an ongoing stream of monitored inputs, such as network traffic, specific error conditions or signals etc.

Preventive Actions include the following actions:
• Inform the Information Security Team
• Save the access logs for future reference
• Report the case to online Phishing repositories i.e. phishtank.com so that the Users get a Phishing notification on opening such URLs
'Redirection from phishing website' is performed by a phishing website once confidential/sensitive information and details have been provided by a user. The phishing website is then, in certain cases, programmed to automatically redirect such users to the legitimate/host protected website, which was copied/mimicked by the phishing website. In such cases, the referrer information is used by the legitimate/host protected website to log and prevent phishing attempts.
In order to tackle cases where the phishing website is not programmed to redirect a user to the legitimate/host protected website, the present system and method uses a detection unit, which checks the access logs of a page that attempts to clone/copy the legitimate/host protected website. In order to protect itself from cloning, the legitimate/host protected website uses a javascript code, which gets activated when the legitimate/host protected website is copied/cloned and an attempt is made to run the same on a browser.
This javascript code will perform the following functions:
(a) When executed, will check the URL using function window.location.href to identify if the URL is of the Protected Domain.
(b) If Not, javascript will initiate a request to a secret file on Protected Page's web server i.e. cloningdetection.php which will thereafter add the URL in phishing database and log the event accompanied by preventive action.
(c) Hide the name of the Protected page in javascript so that it’s not detected in reverse engineering.
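The check in (a) and the request in (b) can be sketched as follows. This is an added example, not code from the specification: the host www.example.com, the `u` query parameter and the function names are assumptions, and the host name is left in the clear rather than hidden as in (c).

```javascript
// Added example (not from the specification): clone-detection script that ships
// inside the protected page. PROTECTED_HOST and BEACON_URL are assumed placeholders.
const PROTECTED_HOST = "www.example.com";
const BEACON_URL = "https://www.example.com/cloningdetection.php";

// Lower-case the host and drop a trailing dot so "WWW.Example.com." still matches.
function normalizeHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// Step (a): is the page being served by the protected domain or one of its subdomains?
// The leading "." in the suffix test keeps "notexample.com" and
// "example.com.evil.test" from passing as the protected site.
function isProtectedHost(host, protectedHost = PROTECTED_HOST) {
  const h = normalizeHost(host);
  const p = normalizeHost(protectedHost);
  const base = p.replace(/^www\./, "");
  return h === p || h === base || h.endsWith("." + base);
}

// Step (b): build the request to the cloning detection page. The specification has
// the server read the clone's URL from the Referer header; browsers that default to
// strict-origin-when-cross-origin send only the origin there, so this sketch also
// passes the full address in a "u" parameter (an assumption of this example).
function buildBeacon(href, beaconUrl = BEACON_URL) {
  const clipped = String(href || "").slice(0, 2048); // keep the request line bounded
  return beaconUrl + "?u=" + encodeURIComponent(clipped);
}

// Runs on page load. `loc` is window.location in a browser; `send` issues the GET.
// Returns the beacon URL that was sent, or null when the page is on its own domain.
// A copy opened from disk (file://) has an empty hostname and is reported as well.
function checkForClone(loc, send) {
  if (isProtectedHost(loc.hostname)) return null;
  const beacon = buildBeacon(loc.href);
  send(beacon);
  return beacon;
}

// Browser wiring: an image request needs no CORS handling and carries the Referer.
if (typeof window !== "undefined") {
  checkForClone(window.location, (url) => { new Image().src = url; });
}
```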
DESCRIPTION
The improved phishing detection and prevention system and method for identifying phishing website is performed by analyzing the website referrers and/or host name in order to prevent phishing incidents by automated reporting of phishing pages to domain administration and phishing blacklist repositories wherein pre-configured secret key matching and JAVASCRIPT code matching is used to detect the phishing page. Further, the phishing detection and prevention system is used to alert the next user about phishing attempt if they are coming from already identified pages. In the improved phishing detection and prevention system and method, the pre-configured secret key is an HTML hidden text, images or any preconfigured element present in legitimate website.
The improved phishing detection and prevention system according to this invention provides a more accurate method for detection of phishing website or fraudulent website followed by prevention of the same. This is achieved by performing a two-fold detection of the suspected phishing website by using pre-configured secret key matching and JAVASCRIPT code matching which provides a more precise result for detection of phishing website which is subsequently used to alert the next user and prevent further phishing attempts. This two fold detection system and method prevent phishing attempts in both scenarios i.e. i) when the phishing website redirects a user to the legitimate/host protected website; and ii) when the phishing website is in the initial stages of development and may not be programmed to redirect a user to the legitimate/host protected website.

The improved phishing detection and prevention system (110) contains a detection unit (112), an information unit (113) and a collection unit (114).
A schematic representation of a system where the present invention may be implemented is illustrated in Figure 1. In accordance with one embodiment of the present invention, a user (100) accesses internet (101) and attempts to open a website which may be either a phishing website (103) or a host protected website (104). Every website which can be accessed is connected/hosted by way of its respective server, i.e. website server 1 (105), website server 2 (106), website server 3 (107) etc. Further, the Blacklisted Repository (108) which stores the information of the known phishing website (103) is also connected by way of internet and can be accessed by the phishing detection and prevention system for reporting.
Figure 2 is an exemplary representation of the phishing detection and prevention system (110). The phishing detection and prevention system (110) comprises three components which are Detection Unit (DU) 112, Information Unit (IU) 113 and Collection Unit (CU) 114.
The detection unit (112) of phishing detection and prevention system (110) comprises a cloning detection module (112a) and a secret key matching module (112b). The cloning detection module (112a) obtains the URL (Uniform Resource Locator) information/details of a phishing website by using JAVASCRIPT code of host protected or legitimate website and the secret key matching module (112b) uses secret key, which may include unique sixteen digit numeric value specific to the host protected or legitimate website, unique image specific to the host protected or legitimate website or other element specific to the host protected or legitimate website, to obtain URL information/details of a phishing website. Thus, the cloning detection module (112a) and the secret key matching module (112b) assist in detecting if the website attempted to be logged on by a user is a phishing website or not. Further, use of both the cloning detection module (112a) and the secret key matching module (112b) results in achieving an improved phishing detection system (110) wherein the output received from such modules is used subsequently to report and prevent phishing attempts in future not only for the same user but also for the next user by use of collection unit (114) and information unit (113).
The detection unit (DU) 112 is used to detect a phishing website using website information (115) also called as website referrer and/or host name when such website information is not available in the collection unit (CU) 114.
The inventive detection unit (DU) (112) is capable of detecting phishing activity at the initial stage itself when a legitimate/host protected website is being copied/cloned by use of “cloning detection module (112a)”. In order to prevent such attempts at cloning, which is being performed to create a phishing website, the legitimate/host protected website uses a javascript code. Accordingly, when a suspect copies a legitimate/host protected website then the suspect along with the host protected website information (115) also copies the javascript code as present in the host protected website. Thereafter, when the suspect attempts to open or run the copied/cloned phishing website in a browser, then the javascript code as copied along with the host protected information activates the cloning detection module. When the cloning detection module (CDM-112a) is activated, it compares the host name with that of the legitimate/host protected website, and in case of a mis-match i.e. if the host name is not that of the legitimate/host protected website, CDM (112a) sends an automated call to the legitimate/host protected website. Upon receipt of such call, which is initiated by the CDM (112a), the legitimate/host protected website server checks access logs of the cloning detection page so as to extract the URL appearing in the referrer header. Thereafter, such extracted URL is added by the collection unit (114) to the Phishing database (114a) along with logging the event and taking preventive action as detailed herein.
The inventive Detection unit (112) also detects and prevents phishing attempts when the phishing website is programmed to redirect a user to the legitimate/host protected website, after sensitive or confidential information is extracted. In order to prevent such phishing attempts, the legitimate/host protected website uses a secret key. Accordingly, when a suspect copies the website information of the legitimate/host protected website, the secret key is also copied. In the present scenario, the Detection unit (112) uses the “secret key matching module (112b)” to detect phishing attempts. In such a scenario, when the legitimate/host protected website receives an access request, the secret key matching module (112b), immediately checks the access logs of the login page of legitimate/host protected website in order to extract the URL appearing in the referrer for every request. This URL is then checked to see if it exists in the ‘phishing database (114a)’ or ‘whitelisted database (114b)’ of the collection unit (114).
The collection unit (114) of the phishing detection and prevention system (110) includes two databases which are phishing database (114a) and whitelisted database (114b). The phishing database (114a) maintains a PHISHTANK which stores the details and information related to phishing websites or fraudulent websites with a view to avoid any future attack by the same phishing websites. Also, the whitelisted database (114b) collects and maintains website information from authentic/legitimate host page protected website.
Accordingly, when the extracted URL in the aforesaid scenario already exists in the phishing data base, the secret key matching module (DU) logs the event along with taking preventive action. Whereas, when the extracted URL in the aforesaid scenario exists in the whitelist database (114b), the secret key matching module (SKMM-112b) does not initiate any action. In cases when the extracted URL does not exist in the collection unit (114), the secret key matching module (112b) accesses the URL and procures the HTML data of the suspected phishing website. Thereafter, if the secret key is present in the HTML code, the secret key matching module (112b) adds such a URL to the collection unit (114) in the Phishing Database (114a) along with logging the event and taking preventive steps. Whereas, if the secret key is not present in the HTML code, the secret key matching module (112b) confirms that the referrer doesn’t relate to a phishing website and adds the extracted URL in the collection unit (114) to the Whitelist Database (114b).
The information unit (113) of the phishing detection and prevention system (110) is used to send information and details about the fraudulent website or phishing website to a domain owner or repositories (116). Thus, the detection unit (DU) 112, Information Unit (IU) 113 and Collection Unit (CU) 114 which are present in phishing detection and prevention system (110) work together to achieve improved phishing detection, prevention and reporting.
Figure 3 is a representation of the detection unit (DU) 112 consisting of two components which are cloning detection module (CDM) 112a and Secret key matching module (SKMM) 112b.
Figure 4 represents the collection unit (CU) 114 of the phishing detection and prevention system (110) which includes two databases wherein, one database is the phishing database 114 (a) and other is the whitelisted database 114 (b).
Figure 5 is a flowchart illustrating the phishing detection and prevention method using the phishing detection and prevention system (110). At step 501, a user (100) attempts to access a host protected website during which process it is possible that the user (100) is directed to a phishing website. As detailed hereinabove, the inventive and improved phishing detection and prevention system, detects and prevents phishing attempts related to the legitimate/host protected website when:
i) A phishing website has just been created and is being run on a browser;
ii) An existing phishing website redirects a user to the legitimate/host protected website after procuring sensitive/confidential data of a user;
At step 502, the detection unit (112) of the host protected website server in order to prevent phishing attempts in both the aforesaid scenarios, checks the access logs of the following:
1. Cloning detection page
2. Protected Login Page
In one instance and at step 503, the Cloning Detection Module (112a) will access and check logs of the cloning detection page of the suspected website URL, which are sent by the javascript code.
This procedure will safeguard a user against cases where a suspect has just created a phishing website after cloning/copying legitimate/host protected website and is about to host it on the internet or attempts to host it on the internet. In order to protect itself from cloning, the legitimate/host protected website uses a javascript code, which gets activated when the legitimate/host protected website is copied/cloned and an attempt is made to run the same on a browser. This javascript code accordingly sends a message to the legitimate/host protected website.

Thereafter, after receiving the hit from the phishing website through the javascript code, at step 504, the URL appearing in referrer header of every request will be extracted from the access logs of cloning detection page.
As the legitimate/host protected website is accessed by javascript code only in instances when a phishing website attempts to clone or copy the host protected website, at step 505 the extracted URL is added to the Phishing database 114(a) maintained at the Collection unit (114). Then at step 506a, the phishing event is logged and preventive action is taken at step 506b.
Thereafter, as part of the dual protection system, in another instance when a phishing website after extracting sensitive/confidential information, redirects a user to the legitimate/host protected website, then at step 507, secret key matching module (112b) checks the access logs of the login page of the protected website.
Then at step 508, website information (URL) will be extracted from the referrer and checked.
In steps 509-511, if the website information (URL) already exists in PHISHTANK i.e. the phishing database (114a) of the collection unit (114), the phishing detection and prevention system (110) will log the event and subsequently take preventive action. Thus, the phishing detection and prevention system (110) will identify the suspected website as a phishing website on the basis of information already contained in the collection unit (114).
In steps 512-513, if the website information (URL) already exists in the whitelisted database (114b) of the collection unit (114), then the phishing detection and prevention system (110) will take no preventive action/steps.

In steps 514-515, if the website information (URL) neither exists in whitelisted database 114(b) nor in phishing database 114(a) of the collection unit (114), the phishing detection and prevention system (110) will send an automatic request to the suspected website URL i.e. will open the suspected website.
At step 516, server of suspected website (Suspected server) will send the HTML code of the said website to the phishing detection and prevention system (110). Further, at step 517, a search will be conducted by the secret key matching module (112b) to detect the presence of the secret key in the suspected referrer code (suspected HTML code).
This procedure will safeguard a user against cases where a phishing website is programmed to redirect a user to the legitimate/host protected website, after sensitive or confidential information is extracted. In order to prevent such phishing attempts, the legitimate/host protected website uses a secret key. Accordingly, when a suspect copies/clones the website information of the legitimate/host protected website, the secret key is also copied.
At steps 518-520, if the secret key of suspected website matches with the legitimate/host protected website’s secret key, the phishing detection and prevention system (110) realizes that the website is indeed a phishing website and thus logs the event and subsequently takes preventive action.
At steps 521-522, if the secret key of suspected website does not match with the legitimate/host protected website’s secret key, the phishing detection and prevention system (110) realizes that the website is not a phishing website which has copied or cloned the legitimate/host protected website. Accordingly, the website information (URL) is added to the whitelist database and no preventive action/steps are taken.

Accordingly, the phishing detection method prevents phishing incidents by automated reporting of phishing websites to domain administration and phishing blacklist repositories. Thus, pre-configured secret key matching and JAVASCRIPT code matching are used as two-fold detection method for detecting a phishing website and thereafter preventing further phishing attacks by adding information to PHISHTANK and also to blacklisted repositories. As a result of above, the user (100) will be prevented from the phishing attempts.
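The server-side flow of steps 502-522 can be written as a triage over access-log lines. This is an added example, not code from the specification: the host names, page paths, the sixteen-digit key, the log lines and every function name are constructed assumptions, and the page fetch is passed in as a function so the sample runs offline.

```javascript
// Added example, not the patent's code. Hosts, paths, key and log lines are constructed.
const PROTECTED_HOSTS = new Set(["www.example.com", "example.com"]);
const CLONE_PAGE = "/cloningdetection.php"; // requested only by the script inside a clone
const LOGIN_PAGE = "/login";
const SECRET_KEY = "4815162342108642"; // 16-digit marker hidden in the genuine page's HTML

// Combined Log Format: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], path: m[3].split("?")[0], referrer: m[4] };
}

// Reduce a Referer value to scheme + host + path. Missing, malformed, non-HTTP and
// same-site referrers yield null, so the system never queues itself or a file: URL.
function normalizeReferrer(ref) {
  if (!ref || ref === "-") return null;
  let u;
  try { u = new URL(ref); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (PROTECTED_HOSTS.has(u.hostname)) return null;
  return u.origin + u.pathname;
}

// Collection unit (114): phishing database (114a) and whitelisted database (114b).
function createCollectionUnit() {
  return { phishing: new Set(), whitelist: new Set(), events: [] };
}

// Record the URL and the event; `events` is what the information unit would report.
function logEvent(cu, url, reason, entry) {
  cu.phishing.add(url);
  cu.events.push({ url, reason, ip: entry.ip, time: entry.time });
  return "phishing";
}

// Classify one log line using only the databases. Returns { verdict, url, entry }.
function triage(line, cu) {
  const entry = parseLine(line);
  const url = entry && normalizeReferrer(entry.referrer);
  if (!url) return { verdict: "skip", url: null, entry };
  let verdict = "skip";
  if (entry.path === CLONE_PAGE) {
    verdict = logEvent(cu, url, "clone-beacon", entry); // steps 503-506
  } else if (entry.path === LOGIN_PAGE) {
    if (cu.phishing.has(url)) verdict = logEvent(cu, url, "known-referrer", entry); // 509-511
    else if (cu.whitelist.has(url)) verdict = "whitelisted"; // 512-513
    else verdict = "needs-fetch"; // 514-515
  }
  return { verdict, url, entry };
}

// Steps 516-522: search the fetched HTML of an unknown referrer for the secret key.
// A failed fetch (null) leaves the URL unclassified instead of whitelisting it.
function resolveFetched(cu, url, html, entry) {
  if (typeof html !== "string") return "unresolved";
  if (html.includes(SECRET_KEY)) return logEvent(cu, url, "secret-key", entry);
  cu.whitelist.add(url);
  return "whitelisted";
}

// Run both stages over a batch. fetchHtml(url) returns HTML or null and is kept
// synchronous so the sample runs offline. A real fetcher needs a timeout, a size cap
// and a block on internal addresses: the URL comes from a client-supplied header.
function processLog(lines, cu, fetchHtml) {
  return lines.map((line) => {
    const t = triage(line, cu);
    if (t.verdict !== "needs-fetch") return t.verdict;
    return resolveFetched(cu, t.url, fetchHtml(t.url), t.entry);
  });
}

// Constructed sample input: five access-log lines and two referrer pages.
const SAMPLE_LOG = [
  '203.0.113.7 - - [03/Oct/2017:10:00:01 +0000] "GET /cloningdetection.php HTTP/1.1" 200 0 "http://clone.test/signin.html" "Mozilla/5.0"',
  '198.51.100.4 - - [03/Oct/2017:10:05:12 +0000] "GET /login HTTP/1.1" 200 5120 "http://clone.test/signin.html?sid=9" "Mozilla/5.0"',
  '198.51.100.9 - - [03/Oct/2017:10:06:40 +0000] "GET /login HTTP/1.1" 200 5120 "https://mirror.test/account/" "Mozilla/5.0"',
  '192.0.2.33 - - [03/Oct/2017:10:07:02 +0000] "GET /login HTTP/1.1" 200 5120 "https://news.test/jobs" "Mozilla/5.0"',
  '192.0.2.34 - - [03/Oct/2017:10:07:30 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
const SAMPLE_PAGES = new Map([
  ["https://mirror.test/account/", '<form><input type="hidden" value="4815162342108642"></form>'],
  ["https://news.test/jobs", '<a href="https://www.example.com/login">Apply</a>'],
]);

function runSample() {
  const cu = createCollectionUnit();
  const verdicts = processLog(SAMPLE_LOG, cu, (url) => SAMPLE_PAGES.get(url) ?? null);
  return { verdicts, cu };
}
```

Whitelist entries in this sketch never expire; giving them a lifetime so that referrers are fetched again periodically is a hardening added here, not something the specification describes.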
It should be understood that any of the embodiments of the present system can be implemented by using hardware or by use of combination of hardware and software. Based on the disclosure and teaching provided herein, a person of ordinary skill in the art will know and appreciate other ways and/or methods to implement embodiments of the present invention using ASICs, specialized processors.
Further, any of the methods described herein may be totally or partially performed using a computer, including one or more processors, which is configured to perform the steps described herein above. Thus, embodiments are directed towards a computer system including specific components to perform specific steps of any of the methods described herein above. Additionally, any of the steps of any of the methods can be performed using specific circuits.
For better understanding, aspects of the invention are described in terms of sequences of steps/arrangements that can be performed by, for example, components of a programmable computer system. It will be recognized that various steps could be performed by specialized circuits (e.g., distinct logic gates interconnected to perform a specialized function or application-specific integrated circuits), by list of steps executed by one or more processors, or by a combination of both.

Compared to the prior art, the phishing detection and prevention method is applicable to a plurality of websites and enables technically advanced hardware components of the programmable computer system to support the present invention. Those skilled in the art will recognize that JAVASCRIPT code and secret key as specified above are used for two-fold phishing detection and prevention. Thus, joint determination using JAVASCRIPT code and secret key is used to provide two-fold prevention from phishing attempts by any suspected website.
It would be obvious to those skilled in the art that, based on the concepts, ideas and issues described herein, several variations of the proposed method being considered as well as for phishing detection and prevention system with distinctly different steps and process, are possible without deviating from the scope of this invention.
In conclusion, the present invention provides an improved solution to attempt to stop online fraud. While detailed descriptions of one or more embodiments of the invention have been given above, various alternatives, modifications will be known to the person skilled in the art. Thus, the above description should not be taken as limiting the scope of the invention.

We claim
1. An improved phishing detection and prevention system (110) for identifying phishing website by analyzing the website referrers and/or host name, in order to prevent phishing attempts, the system (110) comprises:
a detection unit (112) to detect a phishing website using website information or website referrer by application of two-fold detection logic;
an information unit (113) to send information about the fraudulent website to a domain owner or repositories; and
a collection unit (114) to store details and information related to phishing websites or fraudulent websites as well as authentic or legitimate host page protected website.
2. The improved phishing detection and prevention system (110) as claimed in claim 1, wherein the detection unit (112) comprises of a cloning detection module (CDM) (112a) and a secret key matching module (SKMM) (112b), which perform two-fold detection analysis in order to assist in detecting, preventing and reporting phishing attempts related to legitimate/host protected website.
3. The improved phishing detection and prevention system (110) as claimed in claim 2, wherein the cloning detection module (112a) is activated by the JAVASCRIPT code of the legitimate/host protected website.
4. The improved phishing detection and prevention system (110) as claimed in claim 2, wherein the cloning detection module (112a) compares host name with the legitimate/host protected website and in case of mis-match automatically calls the legitimate/host protected website in order to obtain URL of the phishing website.
5. The improved phishing detection and prevention system (110) as claimed in claim 4, wherein a host protected website server will access and check access logs of the cloning detection page of the suspected website to extract URL appearing in the referrer header and thereafter coordinate with the collection unit (114) and the information unit (113) for reporting and preventive action.
6. The improved phishing detection and prevention system (110) as claimed in claim 2, wherein the secret key matching module (112b) uses secret key which may include unique sixteen-digit numeric value specific to the host protected or legitimate website, unique image code specific to the host protected or legitimate website.
7. The improved phishing detection and prevention system (110) as claimed in claim 6, wherein the secret key matching module (112b) will access and check access logs of the login page of the protected website in order to extract URL appearing in the referrer for every request when a phishing website after extracting sensitive/confidential information redirects a user to the legitimate/host protected website.
8. The improved phishing detection and prevention system (110) as claimed in claim 7, wherein the secret key matching module (112b) will coordinate with the collection unit (114) and ascertain if the URL is already present in the Whitelist Database (114b) or Phishing Database (114a).
9. The improved phishing detection and prevention system (110) as claimed in claim 8, wherein the secret key matching module (112b) thereafter coordinates with the information unit (113) for preventive action.
10. The improved phishing detection and prevention system (110) as claimed in claim 7, wherein in case where URL doesn't exist in the collection unit (114), the secret key matching module (112b) will procure HTML code of the suspected phishing website in order to ascertain if secret key of the legitimate/host-protected website is present.

11. The improved phishing detection and prevention system (110) as claimed in claim 10, wherein in case of presence of the secret key, the secret key will coordinate with the collection unit (114) and the information unit (113) for reporting and preventive action.
12. The improved phishing detection and prevention system (110) as claimed in claim 1, wherein the collection unit (114) includes a phishing database (114a) and a whitelisted database (114b).
13. The improved phishing detection and prevention system (110) as claimed in claim 12, wherein the phishing database (114a) maintains a PHISHTANK which collects and stores details and information related to the phishing websites or fraudulent websites with a view to avoid any future attack by the same phishing websites and also to warn a user about a phishing or fraudulent website.
14. The improved phishing detection and prevention system (110) as claimed in claim 13, wherein the whitelisted database (114b) collects and maintains website information from authentic/legitimate host page protected website.
15. The improved phishing detection and prevention system (110) as claimed in claim 1, wherein the information unit (113) sends information and details about the fraudulent website or phishing website to a domain owner or repositories (116).
16. An improved phishing detection and prevention method for identifying phishing website by analyzing the website referrers and/or host name, in order to prevent phishing attempts, the said method comprises:
checking access logs to assess if a phishing website has just been created and is being run on a browser or there has been a redirection from a phishing website, with the use of a detection unit (112), employs a two-fold detection logic using pre-configured secret key matching and JAVASCRIPT code matching;
applying first detection logic by checking logs of the cloning detection page of a suspected website URL, when a suspect has just created a phishing website after cloning/copying legitimate/host protected website and is about to host it on the internet or attempts to host it on the internet;
applying second detection logic by checking protected login page by checking suspected website URL when a phishing website after extracting sensitive/confidential information, redirects a user to the legitimate/host protected website; and
automated reporting of the phishing websites to domain administration and phishing database by an information unit (113) and subsequent prevention from phishing attempts.
17. The improved method as claimed in claim 16, wherein in first detection logic, the access logs of cloning detection page of protected website will be checked and URL appearing in referrer header from access logs of every request will be extracted.
18. The improved method as claimed in claim 17, wherein in first detection logic, the access logs of cloning detection page of protected website will be accessed and checked by a Cloning Detection Module (112a).
19. The improved method as claimed in claim 18, wherein in first detection logic, the cloning detection module (112a) is activated by the JAVASCRIPT code of the legitimate/host protected website.
20. The improved method as claimed in claim 19, wherein in first detection logic, host name will be compared by the cloning detection module (112a) with the legitimate/host protected website and in case of mis-match a call will automatically be sent to the legitimate/host protected website in order to obtain the URL of the phishing website.

21. The improved method as claimed in claim 20, wherein in first detection logic, the host protected website server will access and check access logs of the cloning detection page of the suspected website to extract URL appearing in the referrer header and thereafter coordinate with the collection unit (114) and the information unit (113) for reporting and preventive action.
22. The improved method as claimed in claim 16, wherein in second instance of second detection logic, access logs of Login Page of protected website will be checked when a user is redirected to the legitimate/host protected website after extracting sensitive/confidential information through phishing website.
23. The improved method as claimed in claim 22, wherein in second detection logic, the access logs of login page of protected website will be accessed and checked by a secret key matching module (112b).
24. The improved method as claimed in claim 23, wherein in second detection logic, the secret key matching module (112b) will coordinate with the collection unit (114) and ascertain if the URL is already present in the Whitelist Database (114b) or Phishing Database (114a).
25. The improved method as claimed in claim 24, wherein in second detection logic, the secret key matching module (112b) thereafter coordinates with the information unit (113) for preventive action.
26. The improved method as claimed in claim 22, wherein in second detection logic, in case where URL doesn't exist in the collection unit (114), the secret key matching module (112b) will procure HTML code of the suspected phishing website in order to ascertain if secret key of the legitimate/host-protected website is present.

27. The improved method as claimed in claim 26, wherein in second detection logic, in case of presence of secret key, the secret key will coordinate with the collection unit (114) and the information unit (113) for reporting and preventive action.
28. The improved method as claimed in claim 26, wherein if the secret key of suspected website does not match the host protected website's secret key, then information of the website referrer will be added in the whitelist database (114b).
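The second detection logic of claims 22 to 28 (referrer extraction from login-page access logs, database lookup, then the secret key search) can be sketched as follows. This is an added example, not code from the specification; the host names, login path, key value, Combined Log Format input, host-keyed databases and the "unverified" outcome for a failed fetch are all assumptions.

```python
import re
from urllib.parse import urlsplit

PROTECTED_HOST = "login.example.test"   # assumed protected site
LOGIN_PATH = "/login"                   # assumed login page path
SECRET_KEY = "4929013377215560"         # constructed sixteen-digit key

# Combined Log Format: "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

def external_referrers(log_lines):
    """Return referrer URLs of login-page requests that came from another host."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or urlsplit(m["path"]).path != LOGIN_PATH:
            continue
        host = urlsplit(m["ref"]).hostname   # None for "-" or an empty referrer
        if host and host != PROTECTED_HOST and m["ref"] not in found:
            found.append(m["ref"])
    return found

def classify(url, phishing_db, whitelist_db, fetch_html):
    """Database lookup first, then the secret key search in the referrer's HTML."""
    host = urlsplit(url).hostname            # assumption: databases keyed by host
    if host in phishing_db:
        return "known-phishing"
    if host in whitelist_db:
        return "whitelisted"
    html = fetch_html(url)                   # returns page text, or None on failure
    if html is None:
        return "unverified"                  # fetch failed: do not whitelist blindly
    if SECRET_KEY in html:
        phishing_db.add(host)                # cloned page still carries the key
        return "phishing"
    whitelist_db.add(host)
    return "whitelisted"

# Constructed sample data (not from the specification).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2017:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120 "http://secure-login.example.net/verify.html" "Mozilla/5.0"',
    '203.0.113.8 - - [03/Oct/2017:10:00:05 +0000] "GET /login?next=%2Fhome HTTP/1.1" 200 5120 "https://news.example.org/jobs" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Oct/2017:10:00:09 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Oct/2017:10:00:12 +0000] "GET /about HTTP/1.1" 200 900 "http://other.example.com/" "Mozilla/5.0"',
]
SAMPLE_PAGES = {
    "http://secure-login.example.net/verify.html": "<form><!-- 4929013377215560 --><input name='pw'></form>",
    "https://news.example.org/jobs": "<a href='https://login.example.test/login'>Apply</a>",
}
```

Here `SAMPLE_PAGES.get` stands in for the HTML fetcher; a real fetcher retrieves URLs chosen by whoever sent the request, so it needs timeouts and restricted egress.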
