US 12,316,671 B2
Detection of impersonated web pages and other impersonation methods for web-based cyber threats
Meni Farjon, Tel Aviv (IL); Yossi Sara, Rishon Le'Tsiyon (IL); Boris Vaynberg, Netanya (IL); Roi Panai, Ramat Gan (IL); Ido Bukra, Netanya (IL); Tomasz Kojm, Torun (PL); and Jackie Maylor, London (GB)
Assigned to Mimecast Israel Ltd, Tel Aviv (IL)
Filed by Mimecast Israel Ltd., Tel Aviv (IL)
Filed on May 5, 2021, as Appl. No. 17/308,323.
Claims priority of provisional application 63/119,678, filed on Dec. 1, 2020.
Prior Publication US 2022/0174092 A1, Jun. 2, 2022
Int. Cl. H04L 9/40 (2022.01); G06F 40/221 (2020.01)
CPC H04L 63/1483 (2013.01) [G06F 40/221 (2020.01); H04L 63/0823 (2013.01)]
19 Claims
10. A method for identifying a malicious web page that impersonates a web page of a legitimate owner, comprising:
extracting HTML source and a certificate of a web page intended for access by a user via a web browser;
statically and lexically tokenizing the extracted HTML source to identify (i) at least one of objects, forms, links and templates embedded in the HTML source, and (ii) at least one of images and logos embedded in the HTML source;
determining whether or not the HTML source harvests user credentials, based on the at least one of the objects, forms, links and templates identified by said tokenizing;
validating the extracted certificate, to determine a possibility of an impersonation attempt;
matching the at least one of the images and logos identified by said tokenizing, with known images and brand logos of legitimate owners; and
comparing a known certificate associated with the legitimate owner with the extracted certificate, for each image or logo matched by said matching.
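
The steps of claim 10 can be sketched as a small detection routine. This is an added illustration, not code from the patent or from Mimecast. Assumptions: logos are matched by exact SHA-256 digest (a stand-in for real image matching), the certificate arrives as a pre-parsed dict, and the page, brand table and fingerprints are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone
from html.parser import HTMLParser

class PageTokens(HTMLParser):
    """Static pass over the HTML: collect forms (with input types), links, images."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self.images = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

def harvests_credentials(tokens):
    # A form containing a password field is treated as credential collection.
    return any("password" in f["inputs"] for f in tokens.forms)

def certificate_valid(cert, host, now):
    # cert is a pre-parsed dict (assumed shape): names, not_after, fingerprint.
    return host in cert["names"] and now < cert["not_after"]

def assess(html, cert, host, image_bytes, known_brands, now):
    tokens = PageTokens()
    tokens.feed(html)
    digests = {hashlib.sha256(image_bytes[s]).hexdigest()
               for s in tokens.images if s in image_bytes}
    # For each brand whose logo appears, compare its known certificate to the page's.
    mismatched = sorted(b for b, k in known_brands.items()
                        if digests & k["logo_sha256"]
                        and k["cert_fingerprint"] != cert["fingerprint"])
    return {"harvests_credentials": harvests_credentials(tokens),
            "cert_valid": certificate_valid(cert, host, now),
            "impersonated_brands": mismatched}

# Constructed sample data (not from the patent).
LOGO = b"constructed-logo-bytes"
BRANDS = {"ExampleBank": {"logo_sha256": {hashlib.sha256(LOGO).hexdigest()},
                          "cert_fingerprint": "AA:11"}}
PAGE = '<img src="/l.png"><form action="/post"><input name="u"><input type="password"></form>'
NOW = datetime(2021, 5, 5, tzinfo=timezone.utc)
LOOKALIKE = {"names": {"login.example.test"}, "fingerprint": "BB:22",
             "not_after": datetime(2022, 1, 1, tzinfo=timezone.utc)}
```

Calling `assess(PAGE, LOOKALIKE, "login.example.test", {"/l.png": LOGO}, BRANDS, NOW)` shows why the final comparison matters: the lookalike host's certificate passes ordinary validation, and only the mismatch against the brand's known certificate marks the page as an impersonation.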