A phishing attack defrauds users of their personal information by counterfeiting the user interface of a legitimate website. To counter such attacks, important websites confirm their own authenticity to users. A common method is Sitekey, an anti-phishing technology based on challenge-response. It comprises the following steps: the user enters his/her user name in the login interface of the website without entering a password; the login interface then displays an image or a sentence preset by the user. If the displayed content does not match the content preset by the user, the user can conclude that the website is not genuine; if it matches, the user can conclude that the website is genuine. Having decided that the website is genuine, the user enters the login password in the login interface; the website then authenticates the user's identity and allows the user to log in.
Against the above scheme, hackers can mount the following man-in-the-middle attack: use phishing to counterfeit the login interface and thereby acquire a user name; use that user name to obtain the Sitekey (the image or sentence preset by the user) from the real website; counterfeit the login interface using the stolen Sitekey; and trick the user into entering the login password.
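To make concrete why the Sitekey check gives the user no assurance, the following Python model (an added example, not part of the original text) plays out both the legitimate flow and the man-in-the-middle flow described above. The classes, user names, sitekeys and passwords are constructed for illustration.

```python
# Toy model of the Sitekey flow. The weakness it exposes: the sitekey is returned
# for a user name alone, so any party that knows the user name can fetch it, and
# the user's comparison step binds nothing to the identity of the site shown.
from dataclasses import dataclass, field


@dataclass
class Website:
    """Legitimate site: holds each user's preset sitekey and password."""
    name: str
    sitekeys: dict
    passwords: dict
    logins: list = field(default_factory=list)

    def get_sitekey(self, username):
        # Steps 1-2 of the text: user name only, no password, returns the preset content.
        return self.sitekeys.get(username)

    def login(self, username, password):
        # Final step of the text: the site authenticates the user.
        ok = self.passwords.get(username) == password
        if ok:
            self.logins.append(username)
        return ok


@dataclass
class RelaySite:
    """Counterfeit interface from the text's man-in-the-middle description:
    forwards the user name to the real site and records what the user types."""
    real: Website
    captured: dict = field(default_factory=dict)

    def get_sitekey(self, username):
        # The real site answers the unauthenticated query, so the counterfeit
        # interface can show exactly the content the user expects.
        return self.real.get_sitekey(username)

    def login(self, username, password):
        self.captured[username] = password
        return self.real.login(username, password)


def user_login_flow(site, username, expected_sitekey, password):
    """The user's procedure from the text: compare the displayed sitekey with the
    preset one, and enter the password only if they match.
    Returns (user_decided_site_is_real, login_succeeded)."""
    shown = site.get_sitekey(username)
    if shown != expected_sitekey:
        return False, False
    return True, site.login(username, password)
```

Running the same user procedure against the real site and against the relay yields identical results from the user's point of view, which is the whole problem.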