Computer users are often victimized by phishing attacks, in which they unknowingly provide personal and confidential information to malicious websites. Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are commonly made by sending fraudulent emails or instant messages, and enticing users to click on a link and submit personal information to what appears to be a legitimate website.
Phishing websites are often crafted so as to appear to be well-known, trusted websites (e.g., the website of a legitimate e-merchant or financial institution with which targeted users conduct business). DNS attacks, browser flaws, and/or careless user behavior are then exploited to direct users to these “cloned” sites. Since a phishing site is constructed as a visual copy of the original, legitimate site, the user believes it is “real,” and interacts with it, often disclosing personal information.
Many legitimate websites use distinctive and non-trivial design elements, such as JavaScript and Flash objects, to create a more distinctive appearance and thereby attempt to make their sites harder to clone. Unfortunately, phishers have become very adept at capturing these graphic elements and embedding them in their phishing websites, thereby making them appear to be the legitimate originals. It would be desirable to be able to protect users from these phishing attack strategies.