In stateful page evaluation, the browser history file and additional history stored by SpoofGuard are used to evaluate the referring page. Since it is important to minimize the number of false alarms, SpoofGuard does not issue any warnings for visiting a site that is in the user’s history file. The rationale for this is that if the user is warned the first time, and decides to proceed, the user is assumed to have sufficient reason to trust the site.
Domain check: If the domain of a page closely resembles a standard or previously visited domain, the page may be part of a spoof. Although crude, we currently compare domains by Hamming (edit) distance. For example, example.com will raise the domain check if example.com is in the file of commonly spoofed sites or in the user history. Clearly, it is possible to improve our comparison algorithm by studying the way people are fooled; this is a significant direction for future work.
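The domain check described above, sketched as an added example (this is not SpoofGuard's own code). It assumes Levenshtein edit distance, a hypothetical threshold of two edits, and a constructed history and spoofed-site list; it also applies the stateful rule that a host already in the history raises no warning.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-cased host name of a URL, without port, trailing dot or 'www.'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def domain_check(url, history, spoof_targets, max_distance=2):
    """Return the known domain that `url` resembles, or None.

    No warning for a host already in the history (the stateful rule above)
    or for an exact match with a listed site; otherwise fire when the host
    is within `max_distance` edits of a known domain (assumed threshold).
    """
    host = host_of(url)
    known = {d.lower() for d in history} | {d.lower() for d in spoof_targets}
    if not host or host in known:
        return None
    best = min(known, key=lambda d: (edit_distance(host, d), d), default=None)
    if best is not None and edit_distance(host, best) <= max_distance:
        return best
    return None

# Constructed sample data (not from the paper).
HISTORY = {"example.com", "mail.example.net"}
SPOOF_TARGETS = {"bank.example"}

if __name__ == "__main__":
    for u in ("http://www.example.com/login",      # visited before: no warning
              "http://examp1e.com/login",          # one substitution
              "http://exampel.com:8080/",          # swapped letters: two edits
              "http://unrelated-site.example/"):   # far from every known domain
        print(u, "->", domain_check(u, HISTORY, SPOOF_TARGETS))
```

A fixed threshold is coarse for short host names, where two edits can turn one unrelated name into another; scaling the threshold with the name's length is one refinement.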
A related issue is that some businesses outsource some of their web operations to contractors with different domain names. This poses an interesting challenge that we believe can be addressed. However, outsourced web activity leads to false alarms in the current version of
Referring page: When a user follows a link, the browser maintains a record of the referring page. Since the typical web spoofing attack begins with an email message, a referring page from a web site where the user may have been reading email (such as Hotmail) raises the level of suspicion. One complication associated with Hotmail, for example, is that Hotmail uses numeric IP addresses instead of symbolic host names. Therefore, when a user clicks on a link in a Hotmail message, the browser provides a numeric IP address to SpoofGuard as the referring page. In this situation, SpoofGuard uses reverse DNS to find the domain name associated with a numeric address, allowing us to identify Hotmail as the referring site.
Image-domain associations: The image check described on database associating images such as corporate logos with domains.
The initial static database can be assembled using a web crawler or other tool, or it can be augmented using an individual’s browsing history. An early version of SpoofGuard used a fixed database; the current SpoofGuard implementation uses a hashed image history file.