When a user receives an e-mail or other communication which appears to contain a link to web site “A,” but is redirected to an impersonated version of web site “A,” the user is said to be the subject of a web site “phishing” attack. Users would like to know whether a site that they are visiting is a well-known, legitimate site, or a site that looks like a legitimate site but is not located at the same location as the expected legitimate version of the web site.
A user may initiate a transfer of a web page into a browser by typing the URL, following a link, following a link embedded in an email or an instant messaging session, or via a redirect from another page. As a result, the browser will resolve the protocol to be used to look up the destination page, contact the domain name system (DNS) to resolve the destination host, connect to the internet protocol (IP) address named by the DNS look-up, download the page content, render the page and simultaneously execute any embedded scripts where appropriate. The content of this page can be forged in many ways.
There are known browser tool bars that merely extract the uniform resource locator (URL) from the web browser and normalize it to present to the user the effective site to which he or she is connected. While this may eliminate attacks in which a URL overfills the browser location window by reducing the site name, it does not solve the problem in which two very similar-looking domain names are being used. Since the information about effective sites is fairly coarse, it is possible for an attacker to obtain a closely resembling domain name in the same geography (e.g. United States) and then try to confuse such phishing detectors. Furthermore, with increasing globalization, it is quite likely, for example, that a legitimate site for a U.S.-based bank is located in another country such as, for example, India or Brazil, which produces false alarms. Using the known techniques, the user would still be led to believe that he or she is contacting the correct web site. The known techniques rely on the user to check the domain name for every visited web site. Furthermore, the known techniques only extract the information delivered in the actual URL, and therefore, these techniques are not safe in the case of DNS poisoning attacks, in which the actual domain names are forced to resolve to a subverted site IP address that is different from the target that the user intended when he or she typed the name into the browser location bar.
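The following is an added example, not part of the original document, illustrating the kind of "effective site" extraction the tool bars above perform and the two gaps the text identifies: closely resembling domain names and DNS poisoning, where the correct name resolves to a subverted address. The allow-list `KNOWN_SITES`, the domains, the IP addresses and the helper names (`effective_host`, `registrable_domain`, `edit_distance`, `classify`) are constructed for illustration; the registrable-domain step is a deliberate simplification noted in the code.

```python
"""Added example: an effective-site checker that also compares the connected
IP address against an out-of-band allow-list (constructed data throughout)."""
from urllib.parse import urlsplit

# Constructed allow-list: registrable domain -> addresses the site is known to
# use.  A real deployment would obtain these out of band (e.g. a signed feed),
# not from the DNS answer that is itself being checked.
KNOWN_SITES = {
    "examplebank.com": {"203.0.113.10", "203.0.113.11"},
    "paypal.example": {"198.51.100.5"},
}


def effective_host(url: str) -> str:
    """Return the host the browser will actually contact.

    urlsplit() discards the userinfo part, so
    'http://www.examplebank.com@evil.example/login' yields 'evil.example':
    the name that fills the location bar is not the destination.  Punycode
    labels are decoded so look-alike checks see what the user sees.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
    return host.lower()


def registrable_domain(host: str) -> str:
    """Simplification: keep the last two labels.  A real implementation would
    consult the Public Suffix List so 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag closely resembling domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, resolved_ip: str) -> str:
    """Classify a visit given the IP the browser actually connected to.

    Returns 'known', 'dns-mismatch', 'lookalike' or 'unknown'.
    """
    domain = registrable_domain(effective_host(url))
    if domain in KNOWN_SITES:
        # A URL-only tool bar stops here.  DNS poisoning leaves the name intact
        # but changes the address, so the connected IP is checked as well.
        return "known" if resolved_ip in KNOWN_SITES[domain] else "dns-mismatch"
    if any(edit_distance(domain, known) <= 2 for known in KNOWN_SITES):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample visits: (URL, IP the browser connected to).
    for url, ip in [
        ("https://www.examplebank.com/login", "203.0.113.10"),
        ("https://www.examplebank.com/login", "192.0.2.99"),
        ("https://examp1ebank.com/", "192.0.2.5"),
        ("http://www.examplebank.com@evil.example/login", "192.0.2.1"),
    ]:
        print(f"{classify(url, ip):13} {effective_host(url):24} {ip}")
```

The `resolved_ip` argument stands in for the address the browser obtained from DNS; a tool bar that only inspects the URL has no such input, which is exactly why it cannot detect the DNS-poisoning case the text describes. The edit-distance threshold of 2 is arbitrary and will produce false positives on short domains; a production detector would combine it with character-confusability tables.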
It would thus be desirable to overcome the limitations in previous approaches.