1. Field of the Invention
This invention pertains in general to computer security and in particular to techniques for preventing a fraudulent party from mimicking a legitimate web site without expensive or complex revision of the web site.
2. Background Art
Internet fraud is a serious problem for both businesses and consumers. In particular, Internet users are under constant threat from various computer and network sources. For example, a fraudulent party may send an electronic mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that may be used for identity theft. The electronic mail directs the user to visit a web site where the user is asked to update personal information, such as passwords and credit card, social security, and bank account numbers, which the legitimate enterprise already possesses. The web site, however, is bogus and set up to steal the user's information.
To steal the user's information, the fraudulent party makes the bogus web site look authentic enough that the user will believe that he or she is submitting the information to a legitimate web site. To add extra apparent authenticity to the bogus web site, the fraudulent party may embed a legitimate page from the web site that he or she is trying to mimic within a frame of a fraudulent web page. For example, a fraudulent site may frame a web page in order to display dynamic content (e.g., a picture chosen by the user that is unknown to the fraudulent party) that cannot be copied to the fraudulent site. The fraudulent web site that frames a legitimate page may further induce the user to enter sensitive information into the fraudulent site's own form. Alternatively, as the unwitting user logs in and browses through the legitimate web page contained in the child frame, a fraudulent web page residing in the parent window can use a script, such as JavaScript, to redirect information that the user enters in the legitimate page to the fraudulent page.
To prevent such fraudulent framing of a web page, web developers have created “frame-busting” scripts that can be embedded in a web page. When a client machine loads a web page, a frame-busting script within the page determines whether the web page is within a frameset (i.e., whether its window is not the outermost window). If the web page is within a frameset, the frame-busting script reloads the web page in the outermost window. That is, the script “busts” the framed web page out of the enclosing page by navigating the top-level (parent) window to the framed page's own URL, so that the framed page replaces the enclosing page.
For a large and complex web site, however, it is difficult and costly to write and test a frame-busting script for each legitimate web page. For example, some web applications include web pages that are intended to legitimately appear within frames of another web page. In a complex web application, determining which web pages are intended to appear within legitimate frames and which are not, so that frame-busting scripts can be inserted only where appropriate, may be a time-intensive and cost-prohibitive task. Web developers have to be careful to avoid breaking existing applications by adding frame-busting scripts to web pages that can legitimately appear within a frame.
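The frame-busting check described above, written as an added example (not code from the original text): the logic takes the window object as a parameter so it can be exercised outside a browser with constructed stand-in windows, and the `allowFraming` parameter is an assumed name for the per-page opt-out that pages intended to appear within a frame would need.

```javascript
// A page is framed when the window it runs in is not the outermost window.
// Comparing window.top and window.self is permitted even when the enclosing
// page is cross-origin, so the check still works against an unrelated parent.
function isFramed(win) {
  return win.top !== win.self;
}

// Bust out of the frame: navigate the top-level window to the framed page's
// own URL, which replaces the enclosing page with the legitimate page.
// Returns true when navigation was triggered, false when nothing was done.
// `allowFraming` (assumed name) is the opt-out for pages that are meant to
// appear inside a frame of another page on the same site.
function bustFrame(win, allowFraming = false) {
  if (allowFraming || !isFramed(win)) {
    return false;
  }
  // Setting top.location is allowed cross-origin; reading it is not, so the
  // target URL is taken from the framed page's own location.
  win.top.location.href = win.self.location.href;
  return true;
}

// Constructed stand-ins (not real browser objects) for exercising the logic.
// A legitimate page loaded inside a frame of an unrelated enclosing page.
function makeFramedWindow() {
  const top = { location: { href: "https://parent.example/outer.html" } };
  const self = { location: { href: "https://site.example/account" } };
  self.self = self;
  self.top = top;
  return self;
}

// The same page loaded directly as the outermost window.
function makeTopLevelWindow() {
  const win = { location: { href: "https://site.example/account" } };
  win.self = win;
  win.top = win;
  return win;
}

// In a real page the script runs at load time as: bustFrame(window);
```

Modern browsers also honor the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which apply the same protection site-wide from the server without a per-page script.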
Therefore, there is a need for a technique that provides the protection of frame busting to resist a fraudulent web site without expensive or complex modification to a legitimate web application.