Description Whitepaper Download Quick Start Project Staff


SpoofGuard is a tool to help prevent a form of malicious attack called "web spoofing" or "phishing."  Phishing attacks usually involve deceptive e-mail that appears to come from a popular commercial site. The email explains that the recipient has an account problem, or some other reason to visit the commercial site and log in. However, the link in the email sends the user to a malicious "spoof" site that collects user information such as account names, passwords, and credit card numbers. Once your user information is collected by a "spoof:" site, criminals may log into your account or cause other damage.

SpoofGuard is a browser plug in that is compatible with Microsoft Internet Explore. SpoofGuard places a traffic light in your browser toolbar that turns from green to yellow to red as you navigate to a spoof site. If you try to enter sensitive information into a form from a spoof site, SpoofGuard will save your data and warn you. SpoofGuard warnings occur when alarm indicators reach a level that depends on parameters that are set by the user.

Sample Spoofs        Sample Spoof 1    Sample Spoof 2      Sample Spoof 3



Quick start: Using SpoofGuard

The toolbar

The SpoofGuard Toolbar has three buttons.  The first, the Settings Button, brings up the Settings dialog.  The second, the Status Button, displays the current domain (in case it is otherwise obscured) and a brief representation of the status (as a green, yellow or red light). The Status Button brings up a status message when pressed.  The third, the Reset Button, removes all data collected by SpoofGuard (image hashes and password hashes), but  will not clear the user's Internet Explorer History.

Setting the parameters

Whenever the browser navigates to a new page, SpoofGuard will perform five checks in two rounds. The results of each check are added together. You can adjust the weights assigned to each check to make one check count more and another count less. You can also set the threshold for warning the user.

 Each check returns a boolean result.  A new site is flagged if the sum of the weights of all of the activated checks, that is, the checks that notice a problem, is greater than or equal to the Total Alert Level selected.  If a site is flagged, a red light will be displayed next to the domain name in the toolbar when (and if) the new site is navigated to.  If you select, in the Settings dialog, to be stopped before visiting a suspicious site, a flagged site will trigger a pop-up window that will warn you either before or after the browser navigates to a new page, depending on whether the site can be flagged with only the first round of checks, which occurs before navigation.

The first round of checks occurs before the browser attempts to navigate to a new page.  At this point, the only information available to the browser (and the SpoofGuard Toolbar) is the URL that it will attempt to navigate to.  The two checks done in the first round are the Domain Name check and URL check.  If the results of the Domain Name check and URL check are enough to flag a site, you will be warned before the page is loaded and be given the option not to navigate to the attempted page.

Domain Name Check

This compares the domain name of the attempted url to the domains in the most recent browser history entries.  If the attempted domain is similar to one such history entry, the Domain Name check is activated.  This is to call attention to possibly misleading links like (paypai with a capital i).  Similarity is determined by the Edit Distance between the two domains.  The Edit Distance is the number of characters that need to be inserted or deleted in order to transform one domain into another.  You can adjust the sensitivity of this check by adjusting the maximum edit distance such that the two domains would be considered similar.  You can also select how many history entries the Domain Name check will compare the current domain to.

URL Check

The URL Check will check the rest of the attempted URL for problems.  This will perform three different checks on the attempted URL.  First, it checks if there is a suspicious embedded username in the URL:  a suspicious embedded username would be one that contains “www.”, “.com” or any of a list of similar terms.  Second, it checks if the domain name looks obscured, which, similarly, would be a domain name that does not contain “www.”, “.com” or any of the same list of similar terms.  A careless user attempting to visit may think he’s visiting  Third, the URL check will check the attempted port number and will raise a problem if the attempted port is not a standard port (http, https, ftp, gopher, socks).  If any of the three checks suggests up a problem, the URL check will be activated

Email Check

Similarly, the Email Check will attempt to determine if the browser has been directed to the current URL by email.  It will check for either an empty referral field or one that indicates referral from a known web-based email site such as or

If the three first round checks are sufficient to flag an attempted site, meaning the sum of the weights of the activated checks is greater than or equal to the Total Alert Level, you may be presented the option not to navigate to the attempted page.


If a page is actually navigated to, the second round checks will be performed once the entire document has loaded.  At this point, the browser has access to all of the information represented on the document, including the body of the HTML and the images displayed.  The three second round checks that work on this data are the checks on Passwords, Links and Images.

Password Field Check

The Password Field Check searches the body of the document, which is parsed by the browser, and is activated when for input fields of type “password” are found.  This, in itself, does not suggest that a particular page is a spoof, but you may be more concerned about the other checks that SpoofGuard performs.  Effectively, this lowers the Total Alert Level for pages that contain password fields, which are, presumably, the pages that you are most concerned about.

If a password field is found in a page (or in a frame within a page) which is not encrypted, an additional message will appear, warning the user.

Link Check

The Link Check searches the body of the document for suspicious links.  A suspicious link is a link that references a suspicious URL.  A suspicious URL is one such that the sum of the weights of the activated first round checks, both of which work on only a URL, is greater than the Total Alert Level.  This means that attempting to visit the URL will trigger a warning.

Image Check

The Image Check compares images on a new site to images on previous sites.  This is done by retrieving every image from the current page out of the cache (so that no extra traffic is created), hashing it and comparing it to previous hash values.  If performance is an issue, you can select not to hash new images.

After all the checks are done, the sum of the weights of all the activated checks from both the first and second round is computed and, if it’s greater than the Total Alert Level, a Post-Navigation Warning may be raised.  It will not come up if you select not to display pop-up warnings or if you have already been warned before navigating to the page.  Either way, you can click on the button that displays the domain name to display the status of the current site, that is, messages from all of the checks that were activated.


Password Tracking:

If selected, the Password Tracking feature will interrupt the user before typing the same username and password into more than one site.  This is done by storing the hash of a user's username and password whenever something resembling a username and password is submitted to a web site.

Project Staff:

Stanford Security Lab