Patent Grant
12200012
The present application relates to computer security. More particularly, the present application relates to systems and methods of tracking phishing activity associated with at least one webpage hosted as part of a legitimate web site on at least one server.
The continued explosive growth in the number of users of the Internet and electronic messaging (such as email and instant messaging) is also associated with increased criminal and illegal activity through these digital communication technologies. One such fraudulent activity is phishing, which thrives on the internet. As described by Wikipedia, phishing can be defined as a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of a legitimate site. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.
Approaches have been developed to prevent phishing attacks. For example, spam filters can reduce the number of phishing emails that reach users' inboxes. Another approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. One such service is the Safe Browsing service. Web browsers such as Google Chrome, Internet Explorer 7, Mozilla Firefox 2.0, Safari 3.2, and Opera contain this type of anti-phishing measure. Also, many companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing web sites.
However, there is still a need to be able to track phishing websites and identify offenders associated with the phishing websites. It is also desirable to accomplish tracking of phishing websites in a manner that the offenders are unable to detect that their phishing websites are being tagged with tracking and identification data.
The following embodiments and aspects thereof are described and illustrated in conjunction with systems, tools and methods, which are meant to be exemplary and illustrative, and not limiting in scope. The present application discloses numerous embodiments.
In some embodiments, the present specification discloses a computer-implemented method of tracking phishing activity targeting a webpage that is part of a website which is hosted on at least one server, wherein the at least one server is in data communication with at least one user computing device over a network and wherein the at least one user computing device is configured to initiate a request to the at least one server to download the webpage, the method comprising: receiving, at the at least one server, the request to download the webpage, wherein the request includes identification data pertaining to the at least one user computing device; extracting, at the at least one server, one or more of the identification data from the request; generating, at the at least one server, a unique identifier corresponding to the one or more of the identification data; using, at the at least one server, at least a subset of the one or more of the identification data to generate fingerprint data; storing, at the at least one server, the unique identifier, the one or more of the identification data, and the fingerprint data, wherein the unique identifier is stored in association with the one or more of the identification data and the fingerprint data; encoding, at the at least one server, the fingerprint data into a program code and/or data associated with the webpage to generate a modified webpage; and transmitting the modified webpage with the fingerprint data from the at least one server to the user computing device in response to the request.
Optionally, the one or more of the identification data comprises at least one of an IP address of the user computing device, an IP-based geo-location of the user computing device, TCP/IP fingerprint parameters, HTTP header fields or IP Address Whois data.
Optionally, a size of the fingerprint data ranges from 64 bits to 256 bits.
Optionally, after the encoding, the fingerprint data within the program code and/or data is visually undetectable by humans.
Optionally, the encoding comprises at least one of adding the fingerprint data to the program code and/or data or replacing a portion of the program code and/or data with the fingerprint data.
Optionally, the method further comprises downloading, at the at least one server, the modified webpage from a potentially phishing website; decoding, at the at least one server, the modified webpage to retrieve the fingerprint data; accessing, at the at least one server, the unique identifier associated with the retrieved fingerprint data; accessing, at the at least one server, the one or more of the identification data using the accessed unique identifier; and identifying the user computing device based on the accessed one or more of the identification data.
In some embodiments, the present specification discloses a computing system configured to track phishing activity targeting a webpage that is part of a website comprising: at least one server, wherein the at least one server is in data communication with at least one remotely located user computing device over a network, wherein the at least one server is configured to receive a request from the at least one remotely located user computing device to acquire data indicative of the webpage, and wherein the at least one server comprises at least one processor and programmatic instructions that, when executed by the at least one processor: receives the request to download the webpage, wherein the request includes identification data pertaining to the at least one user computing device; extracts at least a portion of the identification data from the request; generates a unique identifier corresponding to the portion of the identification data; stores the unique identifier and the portion of the identification data, wherein the unique identifier bears an association with said one or more of the plurality of identification data; encodes the unique identifier into a program code and/or data associated with the webpage such that the unique identifier is visually undetectable by a human in the program code of the webpage or in the rendered version of webpage, thereby generating a modified webpage; and transmits the modified webpage from the at least one server to the user computing device in response to the request.
Optionally, the identification data comprises at least one of an IP address of the at least one user computing device, an IP-based geo-location of the at least one user computing device, TCP/IP fingerprint parameters indicative of the at least one user computing device, HTTP header fields indicative of the at least one user computing device and IP Address Whois data indicative of the at least one user computing device.
Optionally, a size of the unique identifier ranges from 64 bits to 256 bits.
Optionally, said encoding comprises at least one of adding the unique identifier to the program code and/or data or replacing a portion of the program code and/or data with the unique identifier.
Optionally, the programmatic instructions, when executed by the at least one processor: downloads the modified webpage from a potentially phishing website; decodes the modified webpage to retrieve the fingerprint data; accesses the unique identifier associated with the retrieved fingerprint data; accesses the one or more of the identification data using the accessed unique identifier; and identifies the user computing device based on the accessed one or more of the identification data.
In some embodiments, the present specification discloses a computer readable non-transitory medium comprising a plurality of executable programmatic instructions wherein, when said plurality of executable programmatic instructions are executed by a processor, a process is performed for tracking phishing activity targeting a webpage that is part of a website which is hosted on at least one server, wherein the at least one server is in data communication with at least one user computing device over a network, and wherein the at least one server is configured to receive a request to the access the webpage from the at least one user computing device, said plurality of executable programmatic instructions comprising: programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, receive the request to access the webpage, wherein the request includes identification data related to the at least one user computing device; programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, obtain one or more of the identification data from the request; programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, generate a unique key corresponding to the one or more of the identification data; programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, generate fingerprint data, wherein the fingerprint data is a function of at least a portion of the one or more of the identification data; programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, store the unique identifier, the one or more of the identification data and the fingerprint data; programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, encodes the fingerprint data into a program code and/or data associated with the webpage such that the unique identifier is visually or audially concealed in the program code of the webpage or in the rendered version of webpage, thereby generating to generate a modified webpage; and programmatic instructions, stored in said computer readable non-transitory medium, that, when executed, transmit the modified webpage from the at least one server to the user computing device in response to the request.
Optionally, the identification data comprises at least one of an IP address of the at least one user computing device, an IP-based geo-location of the at least one user computing device, TCP/IP fingerprint parameters indicative of the at least one user computing device, HTTP header fields indicative of the at least one user computing device and IP Address Whois data indicative of the at least one user computing device.
Optionally, a size of the fingerprint data ranges from 64 bits to 256 bits.
Optionally, the computer readable non-transitory medium further comprises downloading and decoding, at the at least one server, the modified webpage to retrieve the fingerprint data, the modified webpage being downloaded from a phishing website; accessing, at the at least one server, the unique identifier associated with the retrieved fingerprint data; accessing, at the at least one server, said one or more of the plurality of identification data using the accessed unique identifier; and identifying the user computing device based on said accessed one or more of the plurality of identification data.
Optionally, said encoding comprises at least one of adding the unique identifier to the program code and/or data or replacing a portion of the program code and/or data with the unique identifier.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed: download the modified webpage from a potentially phishing website; decode the modified webpage to retrieve the fingerprint data; access the unique identifier associated with the retrieved fingerprint data; access the one or more of the identification data using the accessed unique identifier; and identify the user computing device based on the accessed one or more of the identification data.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, applies a cryptographic hash function is applied to the portion of the one or more of the identification data in order to generate the fingerprint data.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, generates the fingerprint data using the portion of the one or more of the identification data and at least a portion of the unique identifier.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, generates the fingerprint data by applying a cryptographic hash function to the portion of the one or more of the identification data and at least a portion of the unique identifier.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, encode the fingerprint data by using a tab instead of a space at one or more locations within the program code and/or textual data associated with the webpage.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed encode the fingerprint data by modifying at least one of a resolution or a color depth of image data in the webpage.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, encode the fingerprint data by modifying the audio data in the webpage.
Optionally, the computer readable non-transitory medium further comprises programmatic instructions, stored in the computer readable non-transitory medium, that, when executed, modifies the audio data by adding noise indicative of the fingerprint data.
The aforementioned and other embodiments of the present specification shall be described in greater depth in the drawings and detailed description provided below.
These and other features and advantages of the present specification will be further appreciated, as they become better understood by reference to the following detailed description when considered in connection with the accompanying drawings:
The term “module or engine” used in this disclosure may refer to computer logic utilized to provide a desired functionality, service, or operation by programming or controlling a general purpose processor. In various embodiments, a module can be implemented in hardware, firmware/software or any combination thereof. The module may be interchangeably used with unit, logic, logical block, component, or circuit, for example. The module may be the minimum unit, or part thereof, which performs one or more particular functions.
The term “server” used in this disclosure should be understood to refer to a service point which provides processing, database, and communication facilities. As such, therefore, the term “server” may refer to a single, physical processor with associated communications and data storage and database facilities, or it may refer to a networked or clustered complex of processors and associated network and storage devices, as well as operating software and one or more database systems and applications software which support the services provided by the server.
In various embodiments, a “computing device” includes an input/output controller, at least one communications interface and system memory. In various embodiments, the computing device includes conventional computer components such as a processor, necessary non-transient memory or storage devices such as a RAM (Random Access Memory) and disk drives, monitor or display and one or more user input devices such as a keyboard and a mouse. In embodiments, the user input devices allow a user to select objects, icons, and text that appear on the display via a command such as a click of a button on a mouse or keyboard or alternatively by touch in embodiments where the display is a touch-enabled screen. The computing device may also include software that enables wireless or wired communications over a network such as the HTTP, TCP/IP, and RTP/RTSP protocols. These elements are in communication with a central processing unit (CPU) to enable operation of the computing device. In various embodiments, the computing device may be a conventional standalone computer, a mobile phone, a tablet or a laptop. In some embodiments, the functions of the computing device may be distributed across multiple computer systems and architectures.
In some embodiments, execution of a plurality of sequences of programmatic instructions or code enables or causes the CPU of the computing device to perform various functions and processes. In alternate embodiments, hard-wired circuitry may be used in place of, or in combination with, software instructions for implementation of the processes of systems and methods described in this application. Thus, the systems and methods described are not limited to any specific combination of hardware and software.
The present specification is directed towards multiple embodiments. The following disclosure is provided in order to enable a person having ordinary skill in the art to practice the invention. Language used in this specification should not be interpreted as a general disavowal of any one specific embodiment or used to limit the claims beyond the meaning of the terms used therein. The general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the invention. Also, the terminology and phraseology used is for the purpose of describing exemplary embodiments and should not be considered limiting. Thus, the present invention is to be accorded the widest scope encompassing numerous alternatives, modifications and equivalents consistent with the principles and features disclosed. For purpose of clarity, details relating to technical material that is known in the technical fields related to the invention have not been described in detail so as not to unnecessarily obscure the present invention.
In the description and claims of the application, each of the words “comprise” “include” and “have”, and forms thereof, are not necessarily limited to members in a list with which the words may be associated. It should be noted herein that any feature or component described in association with a specific embodiment may be used and implemented with any other embodiment unless clearly indicated otherwise.
As used herein, the indefinite articles “a” and “an” mean “at least one” or “one or more” unless the context clearly dictates otherwise.
In various embodiments, the one or more user computing devices 105 and the at least one criminal computing device 115 may implement one or more applications such as, but not limited to, a web browsing application to generate a web browser user interface, and a messaging application such as, for example, an email, instant messaging and/or social networking application to generate a messaging user interface. In embodiments, the one or more applications are configured to communicate with at least one website 120 hosted on the at least one server 102.
In embodiments, the at least one website 120 is representative of a legitimate website that a user computing device 105 may access for logging-in using his confidential information (hereinafter referred to as ‘user data’) such as, for example, user credentials for online access (for example, username, password, and login verification code), personal information (for example, mobile number, birth date, mother's and maiden name, registered email) and/or financial information (for example, credit card details, bank account number, and bank customer ID). In embodiments, the at least one criminal computing device 115 hosts a fake or phishing website 125 that impersonates the legitimate website 120.
The criminal computing device 115 may carry out a phishing attack by sending an electronic message such as, for example, an email to the user computing device 105. The email may contain a link to the phishing website 125 causing the user of the computing device 105 to unsuspectingly click on the link and visit the phishing website 125. Consequently, the phishing website 125 harvests the user's confidential information when the user (victim) unknowingly signs in using his credentials (for the legitimate website 120) at the phishing website 125.
Phishing websites (such as the website 125) are characterized by their striking similarity with legitimate websites (such as the website 120) so much so that a victimized user interacts with the phishing website under a false impression that he is interacting with the legitimate website. In other words, for phishing to be successful a criminal ensures that the look and feel of his phishing website closely resembles that of the legitimate website. In order to achieve such resemblance or similarity, the present specification recognizes that a criminal is motivated to download a target webpage or interface (that is, the webpage or interface that needs to be target for a phishing operation) of a legitimate web site (such as the website 120) and modify the target webpage to generate a fake webpage (or phishing webpage) to capture user data—thereby ensuring that the look and feel of the fake webpage resembles that of the original target webpage.
In embodiments, the target webpage may be a login webpage, a homepage with navigation to a login webpage (in which case there are two target webpages that need to be impersonated—a homepage and a login webpage) or any other landing webpage or GUI (graphical user interface) that enables the user to either input his user data or navigate to another webpage or interface to input his user data in order to access a website. In other words, the target webpage is one that is likely to be a target of a phishing attack and wherein users are required to input their credentials or user data. It should be appreciated that the number of target webpages that the criminal may need to fake would depend at least on how the legitimate website must be navigated to reach to the login webpage.
Referring back to
In accordance with aspects of the present specification, the at least one server 102 implements a tracking module or engine 130 to track and identify a criminal computing device. In embodiments, the tracking module 130 executes a plurality of sequences of programmatic instructions or code to enable or cause at least one CPU of the at least one server 102 to: receive a request from a computing device 105 or 115 to download at least one target webpage (of the legitimate website 120) using a browsing application on the computing device 105 or 115; extract one or more of a plurality of identification data pertaining to the computing device 105 or 115 from the received request and store the one or more of the plurality of identification data along with an auto-generated unique identifier or primary key associated with the identification data; use at least a sub-set or portion of the extracted identification data to generate fingerprint data of size ‘n’ bits or use the auto-generated unique identifier or primary key as fingerprint data; encode the fingerprint data into the program code (such as, for example, HTML code, XML code, CSS code, and JavaScript code) and/or data (textual, image, audio and/or video data) associated with the at least one target webpage to generate at least one modified webpage and transmit the modified webpage to the browsing application of the requesting computing device 105 or 115. As a non-limiting example, the fingerprint data may be encoded into the program code. In embodiments, fingerprint data may be encoded or embedded using invisible characters such as spaces or tabs. In various embodiments, the size of the fingerprint data depends at least on the type of data into which the fingerprint data is encoded.
To access the target webpage the browser application of the computing device 105 or 115 typically initiates a TCP connection with the at least one server 102 using a TCP/IP three-way handshake. Once a TCP connection is established for data transmission, the browser application sends a GET (HTTP) request to the at least one server 102 asking it to send a copy of the at least one target webpage. The GET request also contains the plurality of identification data (related to the requesting computing device 105 or 115) such as, for example, IP address, IP-based geo-location (such as, country, state/region, city, Internet Service Provider, time zone, latitude/longitude), TCP/IP fingerprint parameters (to infer the operating system and configuration attributes), HTTP header fields providing information such as browser identification (User-Agent header) and IP Address Whois information.
In some embodiments, the tracking module 130 extracts one or more of the plurality of identification data, from the GET request, in real-time and stores the extracted identification data in a database 135 associated with the at least one server 102. In embodiments, the extracted identification data is tagged or associated with an auto-generated unique identifier or key for storing in the database 135. In embodiments, the unique identifier or key is a numeric, character or an alpha-numeric string. In some embodiments, the unique identifier has a size ranging from 64 bits to 256 bits. In some embodiments, the unique identifier has a size of ‘n’ bits wherein the bit size is large enough to ensure that the identifier is unique.
In some embodiments, the tracking module 130 uses at least a subset or portion of the extracted identification data to generate fingerprint data in real-time. The generated fingerprint data is also tagged or associated with the unique identifier or key and stored in the database 135. Thus, in accordance with some aspects of the present specification, the fingerprint data is a function of at least a subset or portion of the extracted identification data and therefore of the computing device 105 or 115 requesting the at least one target webpage. In some embodiments, the fingerprint data is a function of a) at least a subset or portion of the extracted identification data and/or b) at least a portion of the unique identifier or key. In some embodiments, the fingerprint data is a function of at least a portion of the unique identifier or key. In some embodiments, a cryptographic hash function, such as, for example, MD5 or SHA-1 (Secure Hash Algorithm 1) may be applied on at least a subset or portion of the extracted identification data and/or at least a portion of the unique identifier in order to generate the fingerprint data. In some embodiments, the fingerprint data corresponds to the unique identifier or key. In embodiments, the fingerprint data is a numeric, character or an alpha-numeric string. In some embodiments, the fingerprint data has a size ranging from 64 bits to 256 bits. In some embodiments, the fingerprint data has a size of ‘n’ bits wherein the size is large enough to ensure that the identifier is unique.
In some embodiments, the tracking module 130 encodes the fingerprint data, in real-time, into the program code and/or data (textual, image, audio and/or video data) associated with the at least one target webpage to generate at least one corresponding modified webpage. In some embodiments, the tracking module 130 encodes the unique identifier or key, in real-time, into the program code and/or data (textual, image, audio and/or video data) associated with the at least one target webpage to generate at least one corresponding modified webpage. The at least one modified webpage is then transmitted to the browsing application of the requesting computing device 105 or 115.
In accordance with aspects of the present specification, the encoding of the fingerprint data or the unique identifier (also referred to as ‘encoded data’) is implemented such that the encoded data is substantially concealed, masked or hidden within the program code and/or data (textual, image, audio and/or video data) associated with the at least one modified webpage such that the encoded data is practically invisible or indiscernible to the requesting user and his computing device. Thus, the at least one modified webpage is rendered for viewing on a display of the user's computing device without any human perceptible difference from the at least one target webpage. In various embodiments, the tracking module 130 uses at least one or a combination of the following steganographic methods for encoding:
At step 202, the at least one user computing device initiates a request to the at least one server to download the at least one webpage. At step 204, the tracking module receives the request to download the webpage. The request also includes a plurality of identification data pertaining to the at least one user computing device. In various embodiments, the plurality of identification data includes IP address, IP-based geo-location, TCP/IP fingerprint parameters, HTTP header fields and IP Address Whois data. At step 206, the tracking module extracts or obtains one or more of the plurality of identification data from the request.
At step 208, the tracking module generates a unique identifier corresponding to the extracted identification data. In various embodiments, the unique identifier is a numeric, character or an alphanumeric string. At step 210, in some embodiments, the tracking module uses at least a subset or portion of the extracted identification data to generate fingerprint data. In some embodiments, the tracking module uses a) at least a subset or portion of the extracted identification data and/or b) at least a portion of the unique identifier or key in order to generate fingerprint data. In some embodiments, the tracking module uses at least a portion of the unique identifier portion of the unique identifier or key in order to generate fingerprint data. In some embodiments, a cryptographic hash function, such as, for example, MD5 or SHA-1 (Secure Hash Algorithm 1) may be applied on at least a subset or portion of the extracted identification data in order to generate fingerprint data. In some embodiments, the cryptographic hash function may be applied on at least a subset or portion of the extracted identification data and at least a portion of the unique identifier or key in order to generate fingerprint data. In some embodiments, the cryptographic hash function may be applied on at least a portion of the unique identifier or key in order to generate fingerprint data.
In various embodiments, a size of the fingerprint data ranges from 64 bits to 256 bits. At step 212, the tracking module stores the unique identifier, the extracted identification data and the fingerprint data in a storage system such as, for example, a database system associated with the at least one server. In embodiments, the stored unique identifier bears an association with the extracted identification data and the fingerprint data.
At step 214, the tracking module encodes the fingerprint data into a program/source code and/or data associated with the webpage to generate a modified webpage. In various embodiments, the data includes textual, image, audio and/or video data. In embodiments, the encoding ensures that the fingerprint data is undetectable or concealed within the program code and/or data. In embodiments, the encoding comprises at least one of a) adding the fingerprint data to the program code and/or data, and b) replacing a portion of the program code and/or data with the fingerprint data. At step 216, the modified webpage is transmitted from the at least one server to the user computing device in response to the request.
At step 217, if it is discovered that the user computing device is hosting the modified webpage for phishing activity on a fake website, the tracking module analyzes the modified webpage in accordance with the following steps (else the method flow ends at step 226): at step 218, the tracking module downloads the modified webpage from the fake website and decodes the modified webpage to retrieve the fingerprint data. At step 220, the tracking module accesses the unique identifier associated with the retrieved fingerprint data from the storage system. At step 222, the tracking module also accesses the identification data (from the storage system) using the accessed unique identifier. Finally, at step 224, the tracking module identifies the user computing device (that is, the criminal computing device) based on the accessed identification data.
At step 230, the at least one user computing device initiates a request to the at least one server to download the at least one webpage. At step 232, the tracking module receives the request to download the webpage. The request also includes a plurality of identification data pertaining to the at least one user computing device. In various embodiments, the plurality of identification data includes IP address, IP-based geo-location, TCP/IP fingerprint parameters, HTTP header fields and IP Address Whois data. At step 234, the tracking module extracts or obtains one or more of the plurality of identification data from the request.
At step 236, the tracking module generates a unique identifier corresponding to the extracted identification data. In various embodiments, the unique identifier is a numeric, character or an alphanumeric string. At step 238, the tracking module stores the unique identifier and the extracted identification data in a storage system such as, for example, a database system associated with the at least one server. In embodiments, the stored unique identifier bears an association with the extracted identification data. In various embodiments, a size of the unique identifier ranges from 64 bits to 256 bits.
At step 240, the tracking module encodes the unique identifier into a program/source code and/or data associated with the webpage to generate a modified webpage. In various embodiments, the data includes textual, image, audio and/or video data. In embodiments, the encoding ensures that the unique identifier is undetectable or concealed within the program code and/or data. In embodiments, the encoding comprises at least one of a) adding the unique identifier to the program code and/or data, and b) replacing a portion of the program code and/or data with the unique identifier. At step 242, the modified webpage is transmitted from the at least one server to the user computing device in response to the request.
At step 244, if it is discovered that the user computing device is hosting the modified webpage for phishing activity on a fake website, the tracking module analyzes the modified webpage in accordance with the following steps (else the method flow ends at step 252): at step 246, the tracking module downloads the modified webpage from the fake website and decodes the modified webpage to retrieve the unique identifier. At step 248, the tracking module accesses the identification data (from the storage system) using the retrieved unique identifier. Finally, at step 250, the tracking module identifies the user computing device (that is, the criminal computing device) based on the accessed identification data.
The above examples are merely illustrative of the many applications of the methods and systems of present specification. Although only a few embodiments of the present invention have been described herein, it should be understood that the present invention might be embodied in many other specific forms without departing from the spirit or scope of the invention. Therefore, the present examples and embodiments are to be considered as illustrative and not restrictive, and the invention may be modified within the scope of the appended claims.
The present application is a continuation application of U.S. patent application Ser. No. 17/118,112, titled “Systems and Methods for Tracking and Identifying Phishing Website Authors” and filed on Dec. 10, 2020, which relies on, for priority, U.S. Patent Provisional Application No. 62/954,048, of the same title and filed on Dec. 27, 2019. The above-referenced applications are herein incorporated by reference in their entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5530796 | Wang | Jun 1996 | A |
| 5561736 | Moore | Oct 1996 | A |
| 5563946 | Cooper | Oct 1996 | A |
| 5685775 | Bakoglu | Nov 1997 | A |
| 5706507 | Schloss | Jan 1998 | A |
| 5708764 | Borrel | Jan 1998 | A |
| 5736985 | Lection | Apr 1998 | A |
| 5737416 | Cooper | Apr 1998 | A |
| 5745678 | Herzberg | Apr 1998 | A |
| 5768511 | Galvin | Jun 1998 | A |
| 5825877 | Dan | Oct 1998 | A |
| 5835692 | Cragun | Nov 1998 | A |
| 5878233 | Schloss | Mar 1999 | A |
| 5883628 | Mullaly | Mar 1999 | A |
| 5900879 | Berry | May 1999 | A |
| 5903266 | Berstis | May 1999 | A |
| 5903271 | Bardon | May 1999 | A |
| 5911045 | Leyba | Jun 1999 | A |
| 5920325 | Morgan | Jul 1999 | A |
| 5923324 | Berry | Jul 1999 | A |
| 5969724 | Berry | Oct 1999 | A |
| 5977979 | Clough | Nov 1999 | A |
| 5990888 | Blades | Nov 1999 | A |
| 6014145 | Bardon | Jan 2000 | A |
| 6025839 | Schell | Feb 2000 | A |
| 6059842 | Dumarot | May 2000 | A |
| 6069632 | Mullaly | May 2000 | A |
| 6081270 | Berry | Jun 2000 | A |
| 6081271 | Bardon | Jun 2000 | A |
| 6091410 | Lection | Jul 2000 | A |
| 6094196 | Berry | Jul 2000 | A |
| 6098056 | Rusnak | Aug 2000 | A |
| 6104406 | Berry | Aug 2000 | A |
| 6111581 | Berry | Aug 2000 | A |
| 6134588 | Guenthner | Oct 2000 | A |
| 6144381 | Lection | Nov 2000 | A |
| 6148328 | Cuomo | Nov 2000 | A |
| 6185614 | Cuomo | Feb 2001 | B1 |
| 6201881 | Masuda | Mar 2001 | B1 |
| 6222551 | Schneider | Apr 2001 | B1 |
| 6271842 | Bardon | Aug 2001 | B1 |
| 6271843 | Lection | Aug 2001 | B1 |
| 6282547 | Hirsch | Aug 2001 | B1 |
| 6311206 | Malkin | Oct 2001 | B1 |
| 6334141 | Varma | Dec 2001 | B1 |
| 6336134 | Varma | Jan 2002 | B1 |
| 6337700 | Kinoe | Jan 2002 | B1 |
| 6353449 | Gregg | Mar 2002 | B1 |
| 6356297 | Cheng | Mar 2002 | B1 |
| 6411312 | Sheppard | Jun 2002 | B1 |
| 6426757 | Smith | Jul 2002 | B1 |
| 6445389 | Bossen | Sep 2002 | B1 |
| 6452593 | Challener | Sep 2002 | B1 |
| 6462760 | Cox, Jr. | Oct 2002 | B1 |
| 6469712 | Hilpert, Jr. | Oct 2002 | B1 |
| 6473085 | Brock | Oct 2002 | B1 |
| 6499053 | Marquette | Dec 2002 | B1 |
| 6505208 | Kanevsky | Jan 2003 | B1 |
| 6525731 | Suits | Feb 2003 | B1 |
| 6549933 | Barrett | Apr 2003 | B1 |
| 6567109 | Todd | May 2003 | B1 |
| 6618751 | Challenger | Sep 2003 | B1 |
| RE38375 | Herzberg | Dec 2003 | E |
| 6657617 | Paolini | Dec 2003 | B2 |
| 6657642 | Bardon | Dec 2003 | B1 |
| 6684255 | Martin | Jan 2004 | B1 |
| 6717600 | Dutta | Apr 2004 | B2 |
| 6734884 | Berry | May 2004 | B1 |
| 6765596 | Lection | Jul 2004 | B2 |
| 6781607 | Benham | Aug 2004 | B1 |
| 6819669 | Rooney | Nov 2004 | B2 |
| 6832239 | Kraft | Dec 2004 | B1 |
| 6836480 | Basso | Dec 2004 | B2 |
| 6886026 | Hanson | Apr 2005 | B1 |
| 6948168 | Kuprionas | Sep 2005 | B1 |
| RE38865 | Dumarot | Nov 2005 | E |
| 6993596 | Hinton | Jan 2006 | B2 |
| 7028296 | Irfan | Apr 2006 | B2 |
| 7062533 | Brown | Jun 2006 | B2 |
| 7143409 | Herrero | Nov 2006 | B2 |
| 7209137 | Brokenshire | Apr 2007 | B2 |
| 7230616 | Taubin | Jun 2007 | B2 |
| 7249123 | Elder | Jul 2007 | B2 |
| 7263511 | Bodin | Aug 2007 | B2 |
| 7287053 | Bodin | Oct 2007 | B2 |
| 7305438 | Christensen | Dec 2007 | B2 |
| 7308476 | Mannaru | Dec 2007 | B2 |
| 7404149 | Fox | Jul 2008 | B2 |
| 7426538 | Bodin | Sep 2008 | B2 |
| 7427980 | Partridge | Sep 2008 | B1 |
| 7428588 | Berstis | Sep 2008 | B2 |
| 7429987 | Leah | Sep 2008 | B2 |
| 7436407 | Doi | Oct 2008 | B2 |
| 7439975 | Hsu | Oct 2008 | B2 |
| 7443393 | Shen | Oct 2008 | B2 |
| 7447996 | Cox | Nov 2008 | B1 |
| 7467181 | McGowan | Dec 2008 | B2 |
| 7475354 | Guido | Jan 2009 | B2 |
| 7478127 | Creamer | Jan 2009 | B2 |
| 7484012 | Hinton | Jan 2009 | B2 |
| 7503007 | Goodman | Mar 2009 | B2 |
| 7506264 | Polan | Mar 2009 | B2 |
| 7515136 | Kanevsky | Apr 2009 | B1 |
| 7525964 | Astley | Apr 2009 | B2 |
| 7552177 | Kessen | Jun 2009 | B2 |
| 7565650 | Bhogal | Jul 2009 | B2 |
| 7571224 | Childress | Aug 2009 | B2 |
| 7571389 | Broussard | Aug 2009 | B2 |
| 7580888 | Ur | Aug 2009 | B2 |
| 7596596 | Chen | Sep 2009 | B2 |
| 7640587 | Fox | Dec 2009 | B2 |
| 7667701 | Leah | Feb 2010 | B2 |
| 7698656 | Srivastava | Apr 2010 | B2 |
| 7702784 | Berstis | Apr 2010 | B2 |
| 7714867 | Doi | May 2010 | B2 |
| 7719532 | Schardt | May 2010 | B2 |
| 7719535 | Tadokoro | May 2010 | B2 |
| 7734691 | Creamer | Jun 2010 | B2 |
| 7737969 | Shen | Jun 2010 | B2 |
| 7743095 | Goldberg | Jun 2010 | B2 |
| 7747679 | Galvin | Jun 2010 | B2 |
| 7765478 | Reed | Jul 2010 | B2 |
| 7768514 | Pagan | Aug 2010 | B2 |
| 7773087 | Fowler | Aug 2010 | B2 |
| 7774407 | Daly | Aug 2010 | B2 |
| 7782318 | Shearer | Aug 2010 | B2 |
| 7792263 | D'Amora et al. | Sep 2010 | B2 |
| 7792801 | Hamilton, II | Sep 2010 | B2 |
| 7796128 | Radzikowski | Sep 2010 | B2 |
| 7808500 | Shearer | Oct 2010 | B2 |
| 7814152 | McGowan | Oct 2010 | B2 |
| 7827318 | Hinton | Nov 2010 | B2 |
| 7843471 | Doan | Nov 2010 | B2 |
| 7844663 | Boutboul | Nov 2010 | B2 |
| 7847799 | Taubin | Dec 2010 | B2 |
| 7856469 | Chen | Dec 2010 | B2 |
| 7873485 | Castelli | Jan 2011 | B2 |
| 7882222 | Dolbier | Feb 2011 | B2 |
| 7882243 | Ivory | Feb 2011 | B2 |
| 7884819 | Kuesel | Feb 2011 | B2 |
| 7886045 | Bates | Feb 2011 | B2 |
| 7890623 | Bates | Feb 2011 | B2 |
| 7893936 | Shearer | Feb 2011 | B2 |
| 7904829 | Fox | Mar 2011 | B2 |
| 7921128 | Hamilton, II | Apr 2011 | B2 |
| 7940265 | Brown | May 2011 | B2 |
| 7945620 | Bou-Ghannam | May 2011 | B2 |
| 7945802 | Hamilton, II | May 2011 | B2 |
| 7970837 | Lyle | Jun 2011 | B2 |
| 7970840 | Cannon | Jun 2011 | B2 |
| 7985138 | Acharya | Jul 2011 | B2 |
| 7990387 | Hamilton, II | Aug 2011 | B2 |
| 7996164 | Hamilton, II | Aug 2011 | B2 |
| 8001161 | Finn | Aug 2011 | B2 |
| 8004518 | Fowler | Aug 2011 | B2 |
| 8005025 | Bodin | Aug 2011 | B2 |
| 8006182 | Bates | Aug 2011 | B2 |
| 8013861 | Hamilton, II | Sep 2011 | B2 |
| 8018453 | Fowler | Sep 2011 | B2 |
| 8018462 | Bhogal | Sep 2011 | B2 |
| 8019797 | Hamilton, II | Sep 2011 | B2 |
| 8019858 | Bauchot | Sep 2011 | B2 |
| 8022948 | Garbow | Sep 2011 | B2 |
| 8022950 | Brown | Sep 2011 | B2 |
| 8026913 | Garbow | Sep 2011 | B2 |
| 8028021 | Reisinger | Sep 2011 | B2 |
| 8028022 | Brownholtz | Sep 2011 | B2 |
| 8037416 | Bates | Oct 2011 | B2 |
| 8041614 | Bhogal | Oct 2011 | B2 |
| 8046700 | Bates | Oct 2011 | B2 |
| 8051462 | Hamilton, II | Nov 2011 | B2 |
| 8055656 | Cradick | Nov 2011 | B2 |
| 8056121 | Hamilton, II | Nov 2011 | B2 |
| 8057307 | Berstis | Nov 2011 | B2 |
| 8062130 | Smith | Nov 2011 | B2 |
| 8063905 | Brown | Nov 2011 | B2 |
| 8070601 | Acharya | Dec 2011 | B2 |
| 8082245 | Bates | Dec 2011 | B2 |
| 8085267 | Brown | Dec 2011 | B2 |
| 8089481 | Shearer | Jan 2012 | B2 |
| 8092288 | Theis | Jan 2012 | B2 |
| 8095881 | Reisinger | Jan 2012 | B2 |
| 8099338 | Betzler | Jan 2012 | B2 |
| 8099668 | Garbow | Jan 2012 | B2 |
| 8102334 | Brown | Jan 2012 | B2 |
| 8103640 | Lo | Jan 2012 | B2 |
| 8103959 | Cannon | Jan 2012 | B2 |
| 8105165 | Karstens | Jan 2012 | B2 |
| 8108774 | Finn | Jan 2012 | B2 |
| 8113959 | De Judicibus | Feb 2012 | B2 |
| 8117551 | Cheng | Feb 2012 | B2 |
| 8125485 | Brown | Feb 2012 | B2 |
| 8127235 | Haggar | Feb 2012 | B2 |
| 8127236 | Hamilton, II | Feb 2012 | B2 |
| 8128487 | Hamilton, II | Mar 2012 | B2 |
| 8131740 | Cradick | Mar 2012 | B2 |
| 8132235 | Bussani | Mar 2012 | B2 |
| 8134560 | Bates | Mar 2012 | B2 |
| 8139060 | Brown | Mar 2012 | B2 |
| 8139780 | Shearer | Mar 2012 | B2 |
| 8140340 | Bhogal | Mar 2012 | B2 |
| 8140620 | Creamer | Mar 2012 | B2 |
| 8140978 | Betzler | Mar 2012 | B2 |
| 8140982 | Hamilton, II | Mar 2012 | B2 |
| 8145676 | Bhogal | Mar 2012 | B2 |
| 8145725 | Dawson | Mar 2012 | B2 |
| 8149241 | Do | Apr 2012 | B2 |
| 8151191 | Nicol, II | Apr 2012 | B2 |
| 8156184 | Kurata | Apr 2012 | B2 |
| 8165350 | Fuhrmann | Apr 2012 | B2 |
| 8171407 | Huang | May 2012 | B2 |
| 8171408 | Dawson | May 2012 | B2 |
| 8171559 | Hamilton, II | May 2012 | B2 |
| 8174541 | Greene | May 2012 | B2 |
| 8176421 | Dawson | May 2012 | B2 |
| 8176422 | Bergman | May 2012 | B2 |
| 8184092 | Cox | May 2012 | B2 |
| 8184116 | Finn | May 2012 | B2 |
| 8185450 | Mcvey | May 2012 | B2 |
| 8185829 | Cannon | May 2012 | B2 |
| 8187067 | Hamilton, II | May 2012 | B2 |
| 8199145 | Hamilton, II | Jun 2012 | B2 |
| 8203561 | Carter | Jun 2012 | B2 |
| 8214335 | Hamilton, II | Jul 2012 | B2 |
| 8214433 | Dawson | Jul 2012 | B2 |
| 8214750 | Hamilton, II | Jul 2012 | B2 |
| 8214751 | Dawson | Jul 2012 | B2 |
| 8217953 | Comparan | Jul 2012 | B2 |
| 8219616 | Dawson | Jul 2012 | B2 |
| 8230045 | Kawachiya | Jul 2012 | B2 |
| 8230338 | Dugan | Jul 2012 | B2 |
| 8233005 | Finn | Jul 2012 | B2 |
| 8234234 | Shearer | Jul 2012 | B2 |
| 8234579 | Do | Jul 2012 | B2 |
| 8239775 | Beverland | Aug 2012 | B2 |
| 8241131 | Bhogal | Aug 2012 | B2 |
| 8245241 | Hamilton, II | Aug 2012 | B2 |
| 8245283 | Dawson | Aug 2012 | B2 |
| 8265253 | D'Amora | Sep 2012 | B2 |
| 8310497 | Comparan | Nov 2012 | B2 |
| 8334871 | Hamilton, II | Dec 2012 | B2 |
| 8360886 | Karstens | Jan 2013 | B2 |
| 8364804 | Childress | Jan 2013 | B2 |
| 8425326 | Chudley | Apr 2013 | B2 |
| 8442946 | Hamilton, II | May 2013 | B2 |
| 8506372 | Chudley | Aug 2013 | B2 |
| 8514249 | Hamilton, II | Aug 2013 | B2 |
| 8554841 | Kurata | Oct 2013 | B2 |
| 8607142 | Bergman | Dec 2013 | B2 |
| 8607356 | Hamilton, II | Dec 2013 | B2 |
| 8624903 | Hamilton, II | Jan 2014 | B2 |
| 8626836 | Dawson | Jan 2014 | B2 |
| 8692835 | Hamilton, II | Apr 2014 | B2 |
| 8721412 | Chudley | May 2014 | B2 |
| 8827816 | Bhogal | Sep 2014 | B2 |
| 8838640 | Bates | Sep 2014 | B2 |
| 8849917 | Dawson | Sep 2014 | B2 |
| 8911296 | Chudley | Dec 2014 | B2 |
| 8992316 | Smith | Mar 2015 | B2 |
| 9083654 | Dawson | Jul 2015 | B2 |
| 9152914 | Haggar | Oct 2015 | B2 |
| 9205328 | Bansi | Dec 2015 | B2 |
| 9286731 | Hamilton, II | Mar 2016 | B2 |
| 9299080 | Dawson | Mar 2016 | B2 |
| 9364746 | Chudley | Jun 2016 | B2 |
| 9525746 | Bates | Dec 2016 | B2 |
| 9583109 | Kurata | Feb 2017 | B2 |
| 9682324 | Bansi | Jun 2017 | B2 |
| 9764244 | Bansi | Sep 2017 | B2 |
| 9789406 | Marr | Oct 2017 | B2 |
| 9808722 | Kawachiya | Nov 2017 | B2 |
| 20090113448 | Smith | Apr 2009 | A1 |
| 20130086550 | Epstein | Apr 2013 | A1 |
| 20140344725 | Bates | Nov 2014 | A1 |
| 20160191671 | Dawson | Jun 2016 | A1 |
| 20190132356 | Vargas Gonzalez | May 2019 | A1 |
| 20210075833 | Harrison | Mar 2021 | A1 |
| Number | Date | Country |
|---|---|---|
| 768367 | Mar 2004 | AU |
| 2005215048 | Oct 2011 | AU |
| 2143874 | Jun 2000 | CA |
| 2292678 | Jul 2005 | CA |
| 2552135 | Jul 2013 | CA |
| 1334650 | Feb 2002 | CN |
| 1202652 | Oct 2002 | CN |
| 1141641 | Mar 2004 | CN |
| 1494679 | May 2004 | CN |
| 1219384 | Sep 2005 | CN |
| 1307544 | Mar 2007 | CN |
| 100407675 | Jul 2008 | CN |
| 100423016 | Oct 2008 | CN |
| 100557637 | Nov 2009 | CN |
| 101001678 | May 2010 | CN |
| 101436242 | Dec 2010 | CN |
| 101801482 | Dec 2014 | CN |
| 668583 | Aug 1995 | EP |
| 0627728 | Sep 2000 | EP |
| 0717337 | Aug 2001 | EP |
| 0679977 | Oct 2002 | EP |
| 0679978 | Mar 2003 | EP |
| 0890924 | Sep 2003 | EP |
| 1377902 | Aug 2004 | EP |
| 0813132 | Jan 2005 | EP |
| 1380133 | Mar 2005 | EP |
| 1021021 | Sep 2005 | EP |
| 0930584 | Oct 2005 | EP |
| 0883087 | Aug 2007 | EP |
| 1176828 | Oct 2007 | EP |
| 2076888 | Jul 2015 | EP |
| 2339938 | Oct 2002 | GB |
| 2352154 | Jul 2003 | GB |
| 3033956 | Apr 2000 | JP |
| 3124916 | Jan 2001 | JP |
| 3177221 | Jun 2001 | JP |
| 3199231 | Aug 2001 | JP |
| 3210558 | Sep 2001 | JP |
| 3275935 | Feb 2002 | JP |
| 3361745 | Jan 2003 | JP |
| 3368188 | Jan 2003 | JP |
| 3470955 | Sep 2003 | JP |
| 3503774 | Dec 2003 | JP |
| 3575598 | Jul 2004 | JP |
| 3579823 | Jul 2004 | JP |
| 3579154 | Oct 2004 | JP |
| 3701773 | Oct 2005 | JP |
| 3777161 | Mar 2006 | JP |
| 3914430 | Feb 2007 | JP |
| 3942090 | Apr 2007 | JP |
| 3962361 | May 2007 | JP |
| 4009235 | Sep 2007 | JP |
| 4225376 | Dec 2008 | JP |
| 4653075 | Dec 2010 | JP |
| 5063698 | Aug 2012 | JP |
| 5159375 | Mar 2013 | JP |
| 5352200 | Nov 2013 | JP |
| 5734566 | Jun 2015 | JP |
| 117864 | Aug 2004 | MY |
| 55396 | Dec 1998 | SG |
| 2002073457 | Sep 2002 | WO |
| 20020087156 | Oct 2002 | WO |
| 2004086212 | Oct 2004 | WO |
| 2005079538 | Sep 2005 | WO |
| 2007101785 | Sep 2007 | WO |
| 2008037599 | Apr 2008 | WO |
| 2008074627 | Jun 2008 | WO |
| 2008095767 | Aug 2008 | WO |
| 2009037257 | Mar 2009 | WO |
| 2009104564 | Aug 2009 | WO |
| 2010096738 | Aug 2010 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20230208878 A1 | Jun 2023 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62954048 | Dec 2019 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 17118112 | Dec 2020 | US |
| Child | 18145381 | US |
