Microsoft files anti-phishing patent-but will this work?

New in my Outlook Express this morning: a warning from a bank I have never heard of that I really really need to update my account info- like right now.You too?
Written by Russell Shaw, Contributor on

New in my Outlook Express this morning: a warning from a bank I have never heard of that I really really need to update my account info- like right now.

You too?

Well, I'm growing tired of this jive and I know you are as well. That's why I am kind of breaking format here to tell you all about a newly published Patent application from Microsoft entitled "Anti-phishing protection."

Colleague Ryan Naraine had this first. But maybe because being phished this morning is making me a bit irritable, I am going to join in on this discussion with a detailed look at what is being proposed here.

I've just linked you to a page on the Patent Office website where you can read this patent and see some diagrams as well.

Here's the Patent Abstract:

Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled. A warning message is shown when the phishing message is accessed. The first time a disabled link within the phishing message is selected a dismissible dialog box is displayed containing information about how to enable links in the message. After the user dismisses the dialog, clicking on a disabled link causes the warning message to flash drawing the user's attention to the potential severity of the problem. The links may be enabled by the user by selecting the warning message and choosing the appropriate option. Once the user enables the links, future displays of the message show the links as enabled.

Figure 2 of this Patent application is especially illustrative of what is going on here. After the jump I will show you Figure 2, and provide you with as much info as you need to interpret this diagram.


OK, now here's what's going on in the above diagram: 

FIG. 2 illustrates an anti-phishing protection system, in accordance with aspects of the invention. As illustrated, system 200 includes message 210, filter 220 including phishing filter 230 and spam filter 240, messaging program 250 including phishing protection 250 and phishing settings 260 and junk mail folder 270 and inbox 280. This system may be implemented using a computing device, or computing devices, such as the one described in conjunction with FIG. 1.

While receiving spam messages may be inconvenient, it is not typically harmful or costly to a user. Generally, the worst that can happen with a spam message is that the user needs to delete the unsolicited mail. Most spam messages are relatively easy for the user to identify since it's easy to take a quick look at the message and make a judgment.

Phishing attacks, however, can result in a user divulging sensitive information including financial information that can result in a loss of privacy and/or money. An unsuspecting user following a phishing link (URL) within a message can result in many harmful situations. The user can be directed to a site that mimics a legitimate site where they are prompted to enter confidential financial information. The user may be directed to a site that downloads malicious code onto their machine. These situations are much more dangerous than the effects of spam. Phishing messages are therefore treated differently from spam messages.

Message 210 may be any message. According to one embodiment, message 210 is an email message. A determination is initially made as to whether a message (210) is a phishing message. A phishing message is any message that could be classified as a potential phishing attack. 

Message 210 is filtered by a phishing filter (230) to indicate whether or not the message is a phishing message. Any phishing detection method may be used to determine whether or not a message is a phishing message. One method that may be used to determine phishing messages is examining the formatting of the URLs contained within the message. For example, some URLS may be numeric URLs which may raise suspicion of the message. According to one embodiment, the phishing filter (230) primarily looks at certain characteristics in URLs (within the <a/> tags) to determine the likelihood that a message is a phishing message while ignoring the rest of the message content. As mentioned above, any phishing detectin method may be used as long as it provides an indicator that identifies the message as a phishing message. According to one embodiment, phishing filter 230 provides a suspicious level and a neutral level. Any message that is marked as suspicious is considered a phishing message. Any message that is marked as neutral by phishing filter 230 is not considered a phishing message.

Every incoming message is filtered to determine if the message is a phishing message. Each message is filtered whether or not the message comes from an individual considered to be safe. For example, a message may come from a user that is included on a safe senders list. According to one embodiment, although not recommended, a user may turn off disabling of the links even if a message is considered to be a phishing message. Even when this option is turned off, every message is still filtered and marked when appropriate as a phishing message such that if the user turns this option back on the message will be displayed with the links disabled.

Once the message (210) has been filtered, messaging program 250 receives the message with the indication of whether the message is a phishing message. Phishing protection 250 marks the message and disables any links within any message that has been determined to be a phishing message. The message is then delivered to a junk mail folder (270) or an inbox (280) depending on whether the message was determined by spam filter 240 to be spam. Messages determined to be spam are delivered to the junk mail folder. A message that is not considered spam, but is considered to be a phishing message, is delivered to the inbox (280).

Instead of disabling links and images together, the links and images contained within a message are disabled independently. Generally, images are blocked from external sources to prevent someone from identifying an active e-mail account.

Identifying whether or not an account is active is less dangerous than a user clicking on a phishing link.

Any message that has been marked as a phishing message will have the links within it disabled. This is true regardless of whether the phishing message is delivered to a junk mail folder (270) or an inbox (280). According to one embodiment, any message considered spam will have its links disabled. Should this message be moved to the inbox, the links will remain disabled depending on the results produced by the phishing filter.  

Take that, you phisher-spreadin' slimeballs. 

                                                [poll id=44] 

Editorial standards