Abstract: A computer-implemented method protects a user from phishing attacks by managing commands initiated via a web browser. The method includes determining that a user has initiated a command that will send information to a target website, where the information belongs to a class that may include sensitive user data and the target website lacks a device-local phishing reputation. After this determination, the command is paused before the information is sent. While paused, a new reputation for the target website is obtained, and the command is blocked if the new reputation is deemed not safe, thereby preventing potential phishing threats.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: There is disclosed a method of mitigating phishing, including extracting text from a website under analysis; using a spell check algorithm to compare extracted words or phrases to a language dictionary of words or phrases selected from web pages known to be phishing targets, and using a spell counter to count misspell hits from the spell check algorithm; comparing the extracted words or phrases to a case-sensitive usage reference, and using a usage counter to count mismatched usage hits from the case-sensitive usage reference; combining the spell counter and the usage counter into a combined counter; and using the combined counter to identify the website under analysis as a suspected phishing website and taking a phishing mitigation action.

Abstract: A computer-implemented method provides phishing mitigation. Upon a human user accessing a website, request from a cloud reputation service a reputation for a uniform resource locator (URL) associated with the website; determine that the URL does not have a reliable reputation; determine that the human user has entered data into the website, and that the data comprise sensitive data; log a data packet in a user sensitive information data store, wherein the data packet includes the URL and at least some of the sensitive data; periodically query the cloud reputation service to determine whether the URL has received a reliable reputation; and upon determining that the URL has received a reputation as a phishing website, notify the human user and provide a recommendation for a remedial action to protect the sensitive data.

Abstract: A method includes determining first data stored in a clipboard of an operating system, determining second data is stored in the clipboard, performing a comparison of the second data against malicious data, at least in part based on a determination that the first data has changed to the second data, and performing a first security operation, at least in part based on the comparison.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface; and a security agent including instructions encoded within the memory to instruct the processor to: identify an unknown software object; query, via the network interface, a global reputation store for a global reputation for the unknown software object; receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation; compute a local reputation for the unknown software object; and share the local reputation for the unknown software object with the global security cache.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and one or more mediums including instructions to instruct the processor to provide a security scanner to: determine that an object to be inspected is an archive including a plurality of bundled files; determine that the archive is encrypted; identify unencrypted data within the encrypted archive that can be made visible to an end user after a failed decryption operation; scan the unencrypted data for a pattern that matches password data; and attempt to decrypt the archive according to the password data.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface; and a security agent including instructions encoded within the memory to instruct the processor to: identify an unknown software object; query, via the network interface, a global reputation store for a global reputation for the unknown software object; receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation; compute a local reputation for the unknown software object; and share the local reputation for the unknown software object with the global security cache.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and one or more mediums including instructions to instruct the processor to provide a security scanner to: determine that an object to be inspected is an archive including a plurality of bundled files; determine that the archive is encrypted; identify unencrypted data within the encrypted archive that can be made visible to an end user after a failed decryption operation; scan the unencrypted data for a pattern that matches password data; and attempt to decrypt the archive according to the password data.