 
                 Patent Application
 Patent Application
                     20070130327
 20070130327
                    The disclosed embodiments relate generally to online security and, more particularly, to alerting online users to potentially fraudulent websites.
Today, users of the Internet face many threats to their online security. One of the fastest growing of these security threats is the phenomenon of phishing. Phishing involves the fraudulent acquisition of sensitive information, such as login information or financial information, by a perpetrator masquerading as a trustworthy source.
One attempt to reduce the damage caused by phishing involves warning a user if a webpage visited by the user is determined to be potentially fraudulent. The warning may be in the form of a pop-up window. However, many users have developed an aversion to pop-up windows due to their association with unsolicited advertisements. These users may end up ignoring and closing the pop-up warning windows, not knowing that the pop-up windows contain genuine security warnings rather than unsolicited advertisements. As a result, the users are left vulnerable to the threat posed by potentially fraudulent webpages. It may be noted that warning messages conveyed by system dialog windows are also regularly ignored by many users, sometimes to their detriment.
Accordingly, it is desirable to provide a more effective manner of warning users of potentially fraudulent websites.
In accordance with some embodiments, a method of alerting a user to a potentially fraudulent document includes determining that a document requested by a user is potentially fraudulent; displaying a non-interactive rendering of the document; displaying a warning icon; and displaying a warning message corresponding to the warning icon.
In accordance with some embodiments, instructions for the aforementioned method may be included in a computer program product.
  
  
  
  
  
Like reference numerals refer to corresponding parts throughout the drawings.
  
The hosts 104 store documents and provide the documents to the clients 102 or the server 106. A document stored at a host 104 may include text, graphics, multimedia, or any combination thereof. In some embodiments, the document is a webpage written in Hypertext Markup Language (HTML) or any other language suitable for coding webpages. Each document may be located and/or identified by a locator or address. In some embodiments, the locator is the Uniform Resource Locator (URL) of the document. In other embodiments, other addressing formats may be used.
The client 102 may include a browser 110, a client assistant 112, and a blacklist 114. From the browser 110 (or other application, such as an email client), a user of the client 102 may request a document at a specified URL. The document is downloaded to the client 102 and rendered in the browser 110 for display. The client assistant 112 performs operations, such as document rendering or document request operations, in conjunction with the browser 110. In some embodiments, the client assistant 112 is a browser extension. In some other embodiments, the client assistant 112 is a plug-in or toolbar add-on to the browser 110.
 A window of the browser 110, when displayed at the client 102 via an output device such as a display 412 (
The blacklist 114 includes a list of URLs and/or groups of URLs (e.g., specified by URL patterns) of documents that are known to be fraudulent. The blacklist may include URLs, or URL patterns (e.g., www.badoperator.com/*) that are suspected to be fraudulent (e.g., on the basis of unconfirmed user reports), and which therefore may be considered to be potentially fraudulent. A document with a URL that is in the blacklist 114 may be determined to be potentially fraudulent. The blacklist 114 may specify particular documents or groups of documents under specified domains or paths. In some embodiments, the blacklist 114 at the client 102 is a copy of a “master” blacklist 114 that is stored at the server 106. A copy of the blacklist 114 may be downloaded periodically (e.g., daily) or episodically (e.g., when the client 102 performs a specific action, such as logging into a particular service, or connecting to the Internet), from the server 106 and stored locally at the client 102. Optionally, a user may create a customized blacklist 114, for example by modifying a blacklist downloaded from the server 106 or other source, or by creating a new blacklist.
In some embodiments, when a user requests a document from a host 104, the client assistant 112 determines whether the document is potentially fraudulent, by comparing the URL of the document to the blacklist 114 or by other methods, such as by heuristic evaluation. Such heuristics may include heuristics that take into account the age of the domain (e.g., domains less than N days old may be more likely to contain fraudulent web pages than older domains; N may be a number between 1 and 30), the physical location (e.g., the country) of the domain name owner, similarity of the URL to a legitimate URL that is often targeted, PageRank status of the URL, and so on. Other heuristics include comparing a fingerprint of a document's content or document structure with the fingerprints of known targets, and identifying documents that contains the logos of known targets. If the URL of the document matches an entry in the blacklist 114 and/or if the document is heuristically evaluated to be potentially fraudulent, the document is determined to be potentially fraudulent. The client assistant 112 may perform operations to warn the user that the document is potentially fraudulent, further details of which are described below.
The server 106 includes a server application 116 and a blacklist 114. In some embodiments, the blacklist 114 at the server 106 is the master copy. The blacklist 114 may be updated by the server application 116 periodically or whenever a new report of a potentially fraudulent document is received. Clients 102 may download a copy of the master blacklist 114 from the server 106 for local storage and use.
In some embodiments, the determination of whether a document is potentially fraudulent may be performed at the server 106, by the server application 116. Whenever a user requests a document at a client 102, the client assistant 112 may transmit the URL of the requested document to the server 106. The server application 116 may compare the URL with the blacklist 114, or it may download the document from the host 104 and perform a heuristic evaluation to determine if the document is potentially fraudulent. If the document is determined to be potentially fraudulent, the server application 116 may instruct the client assistant 112 to perform operations toward warning the user that the document is potentially fraudulent, further details of which are described below.
  
A download of the document to the client is initiated (204). The URL of the document is compared to the blacklist (206). In some embodiments, the client assistant 112 performs the comparison of the document URL to the blacklist.
If the URL of the document is not in the blacklist (208—no), the document is determined to be not potentially fraudulent. The document is rendered in the browser window and displayed normally (210).
 While 
If the URL of the document is in the blacklist (208—yes), the document is determined to be potentially fraudulent. The document is rendered and displayed in the browser window with an image superimposed (or overlaid) on top of the document (212). In some embodiments, the image is superimposed on top of the document by the client assistant 112.
In some embodiments, the superimposed image may be a semitransparent image that is entirely of a gray color. When the gray image is superimposed onto the document, it gives the visual effect that the document is “grayed out.” In some other embodiments, the image may be a “no” sign (e.g., an enclosure, such as a circle, with a strikethrough or an X inside) superimposed on top of the document. The superimposition of the image makes any links in the rendered document inaccessible to the user; in effect, the rendered document is made non-interactive. By making the links in the document inaccessible to the user, the user is prevented from performing potentially insecure actions, such as submitting personal information, via those links. In some embodiments, making a document non-interactive also prevents keystroke or other user input of information into any input fields of the document. Furthermore, in some embodiments, making a document non-interactive prevents the execution of any scripts or other executable instructions in the document. It should be appreciated, however, that the aforementioned examples of the image to be superimposed over the document described above are merely exemplary. The image may take on forms other than what is described above. 6
A warning icon is displayed in a privileged display region, such as the browser chrome, of the browser window (216). In some embodiments, the warning icon is displayed in an area of the chrome of the browser window reserved for displaying objects associated with the client assistant 112, sometimes called a toolbar (if above the document display region) or tray (if below the document display region). The icon may take on any suitable form, such as a stop sign, an exclamation mark inside an enclosure, or the like. In some embodiments, more than one warning icon may be displayed in order to better get the user's attention.
 A warning message is displayed (218). The warning message is displayed such that it overlays and partially overlaps the document region (e.g., 310 in 
 Process flow 230, as shown in 
If the URL is in the blacklist (208—yes), the document with a superimposed image is downloaded (211). As described above, the image may be a gray, semitransparent image or a “no” sign. The client 102 may download the document with the image from the server 106. The client 102 (or more particularly, the client assistant 112) sends a request to the server 106 for the document with the image superimposed. The server 106 downloads the document from the host 104 of the document, superimposes the image onto the document, and sends the document and the image to the client 102.
After the client 102 receives the document with the superimposed image, the document and the image are rendered and displayed in the browser window (212). The warning icon is displayed in the privileged display region of the browser (216). The warning message is displayed (218). Corresponding links or scripts in the warning message are followed if selected by the user (220).
 Process flow 240, as shown in 
After the client 102 receives the snapshot of the document, the snapshot is rendered and displayed in the browser window (214). The warning icon is displayed in the privileged display region of the browser (216). The warning message is displayed (218). Corresponding links or scripts are followed if selected by the user (220).
 Process flow 250, as shown in 
In some embodiments, both operation 206 and operation 242 are performed, thereby performing both a blacklist comparison (202) and a heuristic analysis of the document (242). Alternately, the heuristic analysis (242) is performed only if the document's URL is not found in the blacklist. If the document passes both tests, it is rendered in the browse window (210); otherwise, operations 212-220 are performed, as described above.
 Process flow 260, as shown in 
If the document is determined to be not potentially fraudulent (244—no), the document is sent to the client 102 (268). The client 102 receives the document (270) and the document is rendered and displayed in the browser window (210).
 If the document is determined to be potentially fraudulent (244—yes), a snapshot of the document is generated by the server application 116 (272, 
  
 The document region 310 is the region where a rendered document or a snapshot of a document may be displayed. In 
  
 In some embodiments, memory 406 stores the following programs, modules and data structures, or a subset thereof: 
The client assistant 112 includes a fraud determination module 420 and a document snapshot/overlay module 422. The fraud determination module 420 determines if a document is potentially fraudulent, by comparing the URL of the document to the blacklist 114 and/or performing a heuristic evaluation of the document. The document snapshot/overlay module 422 generates snapshots of documents or superimposes documents with images that disable the links in the documents. The document snapshot/overlay module may also render documents with images superimposed or snapshots of documents, in conjunction with the browser application 110. In other embodiments, as described above, the client assistant 112 may send the URL of a document to a server for evaluation.
Each of the above identified elements may be stored in one or more of the previously mentioned memory devices, and corresponds to a set of instructions for performing a function described above. The above identified modules or programs (i.e., sets of instructions) need not be implemented as separate software programs, procedures or modules, and thus various subsets of these modules may be combined or otherwise re-arranged in various embodiments. In some embodiments, memory 406 may store a subset of the modules and data structures identified above. Furthermore, memory 406 may store additional modules and data structures not described above.
  
The server application 116 may optionally include a fraud determination module 516 and a document snapshot/overlay module 518. The fraud determination module 516 determines if a document is potentially fraudulent, by comparing the URL of the document to the blacklist 114 and/or performing a heuristic evaluation of the document. The document snapshot/overlay module 518 generates snapshots of documents or superimposes documents with images that disable the links in the documents. These snapshots of documents or documents with superimposed images may be sent to the client 102.
Each of the above identified elements may be stored in one or more of the previously mentioned memory devices, and corresponds to a set of instructions for performing a function described above. The above identified modules or programs (i.e., sets of instructions) need not be implemented as separate software programs, procedures or modules, and thus various subsets of these modules may be combined or otherwise re-arranged in various embodiments. In some embodiments, memory 506 may store a subset of the modules and data structures identified above. Furthermore, memory 506 may store additional modules and data structures not described above.
 Although 
The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated.