Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg, Eileah Trotter, David Ma & John Aycock, University of Calgary
Phishers: fraudsters who steal users' credentials. Example of captured credentials (mock data on the slide): Login: Saul; Password: HCIisReallyCool; Bank: Bank of Antarctica; Account #: 3444 555 6677
Phishing Sites: fraudulent web sites used to steal users' credentials
“I’m way too smart for that!!! Hah” (cartoon; image modified from: http://www.briancuban.com/the-science-of-intelligent-design/)
www1.royalbank.com Legitimate
www.paypa1.ca Fraudulent
www.amazon.ca.checkingoutbookonline.ca Fraudulent
Websms.fido.page.ca Legitimate
Common URL Obfuscations
• Similar name: amazon.checkingoutbooksonline.ca
• Letter substitution: www.paypa1.com
• IP addresses: 192.168.111.112/login
• Complex URLs: www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…
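As an added illustration (not code from the talk or its authors), the Python below mimics what browser domain highlighting singles out, the registrable domain, and then flags the four obfuscation patterns listed on this slide, using the slide's own URLs as input. The brand list and the tiny public-suffix table are constructed stand-ins for what a real checker would load (browsers use the full Public Suffix List). Note that it also flags websms.fido.page.ca, which the earlier slide marks legitimate: a brand name in a subdomain is a cue to look closer, not proof of fraud, which is exactly the judgement the study asks participants to make.

```python
"""Domain-highlighting and URL-obfuscation checks (added example).

registrable_domain() returns the part of a host that a browser's domain
highlighting emphasises; classify() reports the obfuscation hints from the
slide: lookalike names, brand-in-subdomain, IP-address hosts, complex URLs.
"""
import ipaddress
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List that browsers consult (constructed, tiny).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br", "gc.ca"}

# Digit-for-letter swaps typical of lookalike names (paypa1 -> paypal).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Hypothetical list of brands the checker knows about (constructed).
BRANDS = ["royalbank", "paypal", "amazon", "flickr", "fido"]

# URLs taken from the slides (complex URL cut at the part legible on the slide).
SLIDE_URLS = [
    "www1.royalbank.com",
    "www.paypa1.ca",
    "www.amazon.ca.checkingoutbookonline.ca",
    "Websms.fido.page.ca",
    "192.168.111.112/login",
    "www.login.xyz.flikr.net/config/login/src-flickr.domain=secure.access",
]


def registrable_domain(host: str) -> str:
    """Return the part of the host that domain highlighting would emphasise."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance_at_most_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def looks_like(candidate: str, brand: str) -> bool:
    """Lookalike test: digit swaps or a single-character typo of the brand."""
    return (candidate.translate(LOOKALIKES) == brand
            or edit_distance_at_most_one(candidate, brand))


def classify(url: str, brands=BRANDS) -> dict:
    """Map a URL to its highlighted domain plus any obfuscation hints found."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    try:  # a bare IP address has no domain to highlight at all
        ipaddress.ip_address(host)
        return {"host": host, "domain": host, "findings": ["ip-address-host"]}
    except ValueError:
        pass
    domain = registrable_domain(host)
    site_label = domain.split(".")[0]  # e.g. "paypa1" in paypa1.ca
    sub_labels = host[: -len(domain)].rstrip(".").split(".") if host != domain else []
    tail = (parts.path + "?" + parts.query).lower()
    findings = []
    for brand in brands:
        if site_label == brand:
            continue  # the brand really owns the registrable domain
        if looks_like(site_label, brand):
            findings.append(f"lookalike-domain:{site_label}->{brand}")
        if brand in sub_labels:
            findings.append(f"brand-in-subdomain:{brand}")
        if brand in tail:
            findings.append(f"brand-in-path:{brand}")
    if len(parts.path) + len(parts.query) > 40:
        findings.append("complex-url")
    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    for u in SLIDE_URLS:
        r = classify(u)
        print(f"{u:70} highlight={r['domain']:28} {r['findings']}")
```

Run it and compare the printed `highlight` column with the Legitimate/Fraudulent labels on the slides: the highlighted domain alone separates the fraudulent www.amazon.ca.checkingoutbookonline.ca from the real amazon.ca, which is the cue domain highlighting is meant to make visible, while the heuristic flags are only as good as the brand list behind them.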
Method
• 16 real web pages, legitimate & fraudulent
• 4 different obfuscation methods used
• 22 participants
• Phase 1: rate the safety of these web pages
• Phase 2: look at the address bar for additional cues, then redo the safety ratings
‘Best case’ for domain highlighting. Participants:
• heavy internet users, university educated
• heightened sense of security
• rating security, not browsing, was the primary task
• directed to look at the address bar (phase 2)
BUT
• not instructed about domain names
Phase 1 (chart: participants ordered from most correct to least correct)
Phase 1 results
• Legitimate pages: 54% correct, 31% unsure, 15% incorrect. Consequence of an error: the user doesn’t enter a legitimate site.
• Fraudulent pages: 25% correct, 18% unsure, 57% incorrect. Consequence of an error: the user enters the site and is vulnerable to identity theft.
Don’t be a fool, look at the address bar!!!
Phase 2 changes (chart legend: more correct / unchanged / more wrong)
Phase 2 changes
• Legitimate pages: no significant differences in overall ratings
• Fraudulent pages: 25→34% correct, 18→23% unsure, 57→44% incorrect
• Consequence: somewhat better, but still vulnerable to identity theft
How do people judge legitimacy?
Institutional brand
• some brands considered more ‘trustworthy’
The page
• content, including professional layout
• reviews suggesting others had visited it
• security / privacy information
Information requested
• sensitivity, quantity…
Address bar
• URLs
• security indicators
Typology of Users
Type A
• content and brand
Type B
• address bar, security indicators, information requested
Type AB
• mostly like Type A
• occasionally like Type B
Typology by participant (chart: participants ordered from most correct to least correct, labelled by type): B A B B B B B A A AB B AB A A A A A A B AB AB AB AB
Summary: good news for phishers!
• phishing web sites work
• domain name highlighting only works somewhat
• best case: only ¼ to ⅓ of phishing pages detected
Phishers can target specific user groups
• Type A & A/B: very high risk for perfectly copied pages
• Type B: you can still fool them; domain name obfuscation works even better
Summary: good news for anti-phishing researchers!
• lots to do: the phishing problem isn’t solved
Strategies?
• education
• UI redesign: to get people to attend to the domain name; to highlight common spoofing methods within the domain name
• …
Does Domain Highlighting Help People Identify Phishing Sites? Somewhat, but not enough