Method for preventing spam and phishing attacks using web link gateway

IP.com Disclosure Number: IPCOM000198696D
Publication Date: 2010-Aug-12
Document File: 5 page(s) / 88K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a system for protecting users against spam and phishing attacks by proxying URLs in outgoing messages through an application.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

Web or cloud applications often send e-mails to their users, such as private messages or notifications, which often contain content provided by other users. Message or notification subsystems of such applications are vulnerable to exploitation, in particular for phishing and spam activity. An attacker can leverage an application's infrastructure to send multiple messages to its users, as well as exploit a user's trust in the system and its notifications to perform a phishing attack. The main requirement for the attack to be successful is the ability to include custom URLs in the e-mails sent by the application, as they are required to navigate the user to the advertised shop or malicious phishing site.

There are several known solutions to protect against phishing/spam using e-mails generated by applications, but none provide a good user experience and acceptable security. The main existing solutions are:
• Not allowing URLs to be entered, removing them, or in other ways making the URLs unusable. This provides a very bad user experience, as the ability to enter URLs can be needed for proper communication. A message with the URL removed may not be understood by the recipient.
• Checking URLs against a database of malicious sites and then removing them. This requires advance knowledge that the site is malicious, which introduces several problems. Mainly, attackers need to be known before the notification is sent. This is difficult, especially if the knowledge about the attack is acquired as the result of the attacker's activity on the application (i.e. after messages were sent). This approach is also costly in terms of e-mail infrastructure performance.
• Warning a user that they are about to leave the application and access a third-party page. This solution does not operate in an e-mail or instant messaging context.
• Browser or search engine checks for malicious sites accessed by the user. This solution has limits in terms of understanding the context of a user accessing the page (user metadata, like organization membership) and implementing policy-based access. It also cannot provide enough information for the user to decide whether the requested URL is indeed dangerous.

The disclosed system protects against spam and phishing attacks by proxying URLs in outgoing messages through an application. The core idea is to delay the decision on whether the URL in the outgoing e-mail is malicious until the user decides to access the URL, rather than making it when the message is sent.

Components of the system include:
1. Detecting URLs in outgoing messages

2. Altering messages by replacing original links with links to the link gateway, including:
a. the original URL that was included in the message
b. metadata (for example, the identity of the recipient, the identity of the sender, the identity of the sending application)
c. proof that link has not been altered (like digital signa...
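
The link rewriting and click-time decision listed above, as an added example that is not code from the disclosure. The gateway address, the parameter names `u`/`s`/`r`/`sig`, the demo key, the host blocklist standing in for the policy, and the choice of HMAC-SHA256 as the proof that the link has not been altered are all assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed for this example; none of these names come from the disclosure.
GATEWAY = "https://app.example/link"   # hypothetical gateway endpoint
KEY = b"constructed-demo-key"          # stands in for a server-side secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING = ".,;:!?)"                   # punctuation that ends a sentence, not a URL


def _tag(url, sender, recipient):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different tags.
    fields = [f.encode() for f in (url, sender, recipient)]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def rewrite_message(body, sender, recipient):
    """Sending side: replace every URL in an outgoing message with a gateway link."""
    def repl(match):
        url = match.group(0).rstrip(TRAILING)
        tail = match.group(0)[len(url):]
        query = urlencode({"u": url, "s": sender, "r": recipient,
                           "sig": _tag(url, sender, recipient)})
        return f"{GATEWAY}?{query}{tail}"
    return URL_RE.sub(repl, body)


def resolve_click(gateway_url, blocked_hosts):
    """Gateway side: verify the link, then apply policy as known at click time."""
    q = parse_qs(urlsplit(gateway_url).query)
    try:
        url, sender, recipient, sig = (q[k][0] for k in ("u", "s", "r", "sig"))
    except KeyError:
        return ("reject", None)
    expected = _tag(url, sender, recipient)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        # Altered or forged link: refusing here keeps the gateway from
        # becoming an open redirector.
        return ("reject", None)
    host = (urlsplit(url).hostname or "").lower()
    if host in blocked_hosts:
        return ("block", url)
    return ("redirect", url)
```

Because the verdict is computed in `resolve_click`, a host added to the blocklist after the message was delivered still blocks links already sitting in inboxes.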