CPC H04L 63/1483 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)] | 19 Claims

1. A computer-implemented method of protecting user accounts potentially compromised by a common phishing attack based on logon activity in at least two accounts, comprising:

detecting a first device fingerprint and a first behavioral biometric signature of a first remote computer during a logon activity of the first remote computer using first logon credentials of a first account, of the at least two accounts, on an internet accessible access page of a hosted web application;

for a second account, of the at least two accounts, on the internet accessible access page of the hosted web application, the second account being different than the first account, detecting a second device fingerprint and a second behavioral biometric signature of a second computer during logon activity using second logon credentials that are different than the first logon credentials;

measuring a time difference between the logon activity of the first computer with respect to the logon activity of the second computer to determine whether the time difference is within a predetermined time period of logon activity in the at least two accounts as an indication whether the first logon credentials and the second logon credentials have been potentially compromised in a common phishing attack on the at least two accounts;

creating a pattern for a phishing detection event and storing the pattern in a secure storage medium along with at least one of the first logon credentials and the second logon credentials, the pattern including any difference between the first device fingerprint with respect to the second device fingerprint, as well as any difference between the first behavioral biometric signature and the second behavioral biometric signature;

determining the at least two accounts are part of the phishing detection event by matching and confirming that (1) the first device fingerprint matches the second device fingerprint, (2) the first behavioral biometric signature matches the second behavioral biometric signature, and (3) the time difference is within the predetermined time period of logon activity, and

in response to determining the at least two accounts are part of the phishing detection event, blocking access to the at least two accounts of the hosted web application for any subsequent logon attempt to the first account with the first logon credentials and to the second account with the second logon credentials, and unblocking access to at least the first account after establishing a different authentication process for new logon credentials to access the first account, the different authentication process including an additional authentication step than an initial authentication process used to establish the first logon credentials for the first account.
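The three-condition correlation in claim 1, sketched as detection logic over logon records. This is an added example, not code from the patent; the record layout, the 10-minute window, the 15% biometric tolerance, the feature-vector representation of the behavioral signature, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations

WINDOW = timedelta(minutes=10)   # assumed "predetermined time period"
TOLERANCE = 0.15                 # assumed threshold for a biometric "match"

@dataclass(frozen=True)
class Logon:
    account: str
    fingerprint: str             # device fingerprint, e.g. a hash of device attributes
    biometric: tuple             # assumed features: mean key dwell / flight time (ms)
    when: datetime

def biometric_delta(a, b):
    """Largest relative difference between two behavioral feature vectors."""
    return max((abs(x - y) / max(x, y, 1e-9) for x, y in zip(a, b)), default=0.0)

def detect_events(logons):
    """One pattern record per pair of distinct accounts meeting all three conditions."""
    patterns = []
    for a, b in combinations(sorted(logons, key=lambda l: l.when), 2):
        if a.account == b.account:
            continue
        gap = b.when - a.when
        delta = biometric_delta(a.biometric, b.biometric)
        if a.fingerprint == b.fingerprint and delta <= TOLERANCE and gap <= WINDOW:
            patterns.append({"accounts": (a.account, b.account),
                             "fingerprint": a.fingerprint,
                             "biometric_delta": round(delta, 3),
                             "gap_seconds": int(gap.total_seconds())})
    return patterns

def blocked_accounts(patterns, reenrolled=frozenset()):
    """Accounts to block; one is released only after stronger re-enrollment."""
    hit = {acct for p in patterns for acct in p["accounts"]}
    return hit - set(reenrolled)

# Constructed sample logons (not real data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    Logon("alice", "fp-7c1e", (92.0, 140.0), T0),
    Logon("bob",   "fp-7c1e", (95.0, 150.0), T0 + timedelta(minutes=4)),
    Logon("carol", "fp-7c1e", (94.0, 145.0), T0 + timedelta(hours=3)),    # outside window
    Logon("dave",  "fp-0a9d", (93.0, 142.0), T0 + timedelta(minutes=2)),  # different device
    Logon("erin",  "fp-7c1e", (40.0, 300.0), T0 + timedelta(minutes=5)),  # different typist
]
```

Only the alice/bob pair satisfies all three conditions; each of the other records fails exactly one of them, which is why the claim requires the conjunction rather than any single signal.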