1. Field of the Invention
This invention pertains in general to computer security and in particular to techniques for preventing a fraudulent party from mimicking a legitimate web site.
2. Background Art
Internet fraud is a serious problem for both businesses and consumers. In particular, Internet users are under constant threat from various computer and network sources. For example, a fraudulent party may send an electronic mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that may be used for identity theft. The electronic mail directs the user to visit a web site where the user is asked to update personal information, such as passwords and credit card, social security, and bank account numbers, which the legitimate enterprise already possesses. The web site, however, is bogus and set up to steal the user's information. To steal the user's information, the fraudulent party makes the bogus web site look authentic enough that the user will believe that he or she is submitting the information to a legitimate web site.
One approach to prevent a fraudulent web site from imitating a legitimate site is to add non-deceivable content to a legitimate web page. For example, if a user creates an account with a legitimate site (e.g., hosted by a bank), the legitimate site may ask the user to choose a picture that is displayed if the user visits the legitimate site. In this case, bogus sites are not able to display the chosen picture on their web pages because they do not know which picture the user chose. As a result, if the user visits a web site that claims to be legitimate but does not display the chosen picture, the user is able to identify the web site as bogus.
This approach, however, can be circumvented by embedding a legitimate page from the web site that an attacker is trying to mimic within a frame of a fraudulent web page. For example, a fraudulent site may frame a legitimate web page in order to display dynamic content (e.g., a picture chosen by the user that is unknown to the fraudulent party) that cannot be copied to the fraudulent site. The fraudulent web site that frames a legitimate page may further induce the user to enter sensitive information into the fraudulent site's own form. Alternatively, if the unwitting user logs in and browses through the legitimate web page contained in the child frame, a fraudulent web page residing in the parent window can use a script such as JavaScript to harvest information entered into the legitimate web page and redirect it back to the fraudulent site.
Therefore, there is a need for a technique that effectively protects a user from a fraudulent web site that embeds a legitimate web page within a frame of a fraudulent web page.
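As an added example that is not part of the patent text, the following shows the defensive side of the framing problem described above: the response headers a legitimate site can send so browsers refuse to render its pages inside a third-party frame, and a client-side check that decides whether a page has been framed by a foreign origin. The browser `window` object is passed in as a parameter so the check can be exercised with constructed objects; the origin `https://bank.example` is a hypothetical placeholder.

```javascript
// Added example (not from the patent text). Defences a legitimate site can apply so that
// a fraudulent page cannot embed it in a frame to borrow its user-specific content.

// Headers to send on pages that must not be framed by third parties.
// Content-Security-Policy frame-ancestors is the current mechanism; X-Frame-Options
// is the legacy one and cannot express a list of several allowed origins.
function antiFramingHeaders(allowedAncestors = []) {
  const csp = allowedAncestors.length === 0
    ? "frame-ancestors 'none'"
    : `frame-ancestors ${allowedAncestors.join(' ')}`;
  return {
    'Content-Security-Policy': csp,
    'X-Frame-Options': allowedAncestors.length === 0 ? 'DENY' : 'SAMEORIGIN',
  };
}

// Client-side check, as defence in depth for browsers that ignore the headers.
// `win` is the browser window (or a constructed stand-in); `selfOrigin` is the
// origin of the legitimate page, e.g. 'https://bank.example' (hypothetical).
function isFramedByForeignOrigin(win, selfOrigin) {
  if (win.top === win.self) return false; // top-level document, not framed
  let topOrigin;
  try {
    topOrigin = win.top.location.origin; // reading this throws for a cross-origin parent
  } catch (e) {
    return true; // cross-origin parent: treat as hostile
  }
  return topOrigin !== selfOrigin;
}

// Action a page takes when framed by a foreign origin: hide its content so the
// user-specific material (such as the chosen picture) is never shown inside the frame.
function hideIfFramed(win, selfOrigin) {
  if (!isFramedByForeignOrigin(win, selfOrigin)) return false;
  win.document.body.style.display = 'none';
  return true;
}
```

In a real page the script belongs in the document head, with the headers sent by the server as the primary control.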