Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include instantiating an odometer with a nested privacy filter architecture, the nested privacy filter including privacy filters of different, increasing sizes, training a DL model, maintaining, during training and by a privacy odometer that operates using the nested privacy filter, a running total of privacy loss budget consumed by the training, and responsive to a query for the total privacy loss budget consumed, returning, by the odometer, a size of a smallest privacy filter of the nested privacy filters that is bigger than the running total of the privacy loss budget.

Efficient and effectiveness malware and phishing detection methods select specific objects of a document based on an analysis of associated graphical elements of a document rendering. A received document may include a number of blobs, which can include URLs or code that generates URLs that can present potential risks. The system can score and/or rank each blob and its corresponding URLs based on a size, shape, position, and/or other characteristics of a visual element associated with each blob. The score or rank can be increased for visual elements that are most likely to be selected by a user, such as large visual elements positioned near the center of a document. The system can then test individual URLs selected based a corresponding rank or score. The test can efficiently reveal the presence of malware or phishing tactics by forgoing tests on URLs that are not likely to be selected.

A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to provide phishing attack protection based on identity provider verification. The at least one processor is further configured to capture an image of a browser web page to which the user has navigated and identify the domain name associated with the browser web page. The at least one processor is further configured to determine that the captured image matches an image of a known identity provider web page. The at least one processor is further configured to detect a phishing attempt in response to the determination that the images match and that the domain name associated with the browser web page differs from the domain name associated with the identity provider web page.

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for validating interactions with false rendered elements. In one aspect, a method includes receiving a rendering notification and a declaration of a rendered element defined in an active window on a client device, detecting interaction with the rendered element at the client device, determining whether the interaction occurred at a declared location of the rendered element within the active window, and processing the interaction including: in response to determining that the interaction occurred: capturing a screenshot of the active window on the client device; verifying a visual appearance of the rendered element in the screenshot with a declared appearance of the rendered element, and generating an interaction attestation, thereby validating the interaction. In response to determining that the interaction did not occur, refraining from generating the interaction attestation.

Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.

Systems and method for URL filtering are provided herein. In some embodiments, a system includes a processor programmed to receive a URL request to access a resource associated with the URL; perform a first layer of URL filtering by comparing the URL to a blocklist of malicious URLs; determine that the URL does not match a URL on the blocklist; perform a second layer of filtering by applying a machine learning algorithm to analyze the URL to predict whether the URL is malicious; and generate and transmit a URL filter determination that the URL is malicious and update the blocklist to include the URL.

There is provided a method to eliminate data-theft through a phishing website by creating a layer of control between the user and the website to be visited that prevents submission of sensitive data to malicious servers. When there is a form submit event in a webpage, the data that is input (by the user or automatically) is modified by a data deception layer in a random manner that disguises the authentic content, while preserving the format of the data. Visual cues are provided to indicate that the data deception is enabled and that fake/generated data is being submitted instead of real data. The generated fake data is sent to unknown (potentially malicious) server while the users' actual private data is preserved (never submitted), with the results of the server response visible to the user.

The concepts and technologies disclosed herein are directed to a website verification service. A system can receive, from a web server that hosts a website, a query for a set of authentication credentials (“credentials”) to be used to verify that the website is trustworthy. The system can generate and provide the credentials to the web server. The web server can, in turn, provide the credentials to a web browser device for presentation to a user via a web browser application executing on the web browser device. The system also can provide the credentials to a verifier device. The verifier device can present the credentials to the user via a verifier application executing on the verifier device. The user can compare the credentials presented via the web browser application to the credentials presented via the verifier application executing on the verifier device to determine whether the website can be trusted.

An inference method includes acquiring similarities between a domain name serving as an analysis object and each domain name indicated in a legitimate domain name list as feature amounts, and inferring a degree that the domain name serving as the analysis object is wrongly recognized as a legitimate domain name based on the feature amounts acquired at the acquiring and a training model that outputs, as a response to input of the feature amounts, a degree that the domain name serving as the analysis object is wrongly recognized as the legitimate domain name, by processing circuitry.

An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes parser circuitry to parse code of a first website, detector circuitry to detect, based on the parsed code, a first website icon and a first Uniform Resource Locator (URL) corresponding to the first website, and hash generator circuitry to generate a first hash of the first website icon, and store the first hash in association with the first URL in a hash entry of an icon hash database, the hash entry to be used for determining that a second website is a phishing website when (a) the first hash matches a second hash of a second website icon corresponding to the second website, and (b) a first portion of the first URL matches a second portion of a second URL corresponding to the second website.