Does Domain Highlighting Help People Identify Phishing Sites?
Eric Lin, Saul Greenberg, Eileah Trotter, David Ma & John Aycock
University of Calgary
Phishers
Fraudsters who steal users’ credentials
Login: Saul
Password: HCIisReallyCool
Bank: Bank of Antarctica
Account #: 3444 555 6677
Phishing Sites
Fraudulent web sites used to steal users’ credentials
You’ve got mail
Image modified from: http://www.briancuban.com/the-science-of-intelligent-design/
I’m way too smart for that!!!
Hah
Delete
You’ve got mail
Let me check
Phishing site?
Legitimate
www1.royalbank.com
Fraudulent
www.paypa1.ca
Fraudulent
www.amazon.ca.checkingoutbookonline.ca
Legitimate
Websms.fido.page.ca
Common URL Obfuscations
• Similar name: amazon.checkingoutbooksonline.ca
• Letter substitution: www.paypa1.com
• IP addresses: 192.168.111.112/login
• Complex URLs: www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…
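Added example, not part of the original slides: a Python sketch of what domain highlighting emphasizes for the sample URLs above, plus flags for three of the listed obfuscation styles. The suffix set and brand list are assumptions built from the slides' examples; a real implementation needs the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, limited to the
# suffixes in the slides' sample URLs. Real code needs the full list.
SUFFIXES = {"com", "ca", "net"}
# Assumption: illustrative brand names drawn from the slides' examples.
BRANDS = {"amazon", "paypal", "royalbank"}
# Digit-for-letter swaps, as in the slides' "paypa1" example.
LOOKALIKES = str.maketrans("0135", "oles")


def _host(url):
    """Lower-cased hostname of a URL given with or without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def highlighted_domain(url):
    """Return the part of the host a highlighting address bar emphasizes."""
    host = _host(url)
    labels = host.split(".")
    if _is_ip(host) or len(labels) < 2 or labels[-1] not in SUFFIXES:
        return host  # raw IP or unknown suffix: nothing to narrow down
    return ".".join(labels[-2:])


def obfuscation_flags(url):
    """Flag which of the slide's obfuscation styles a URL's host shows."""
    host, domain = _host(url), highlighted_domain(url)
    if _is_ip(host):
        return ["ip-address"]
    name = domain.split(".")[0]
    subdomains = host[: len(host) - len(domain)].strip(".").split(".")
    flags = []
    if name not in BRANDS and BRANDS.intersection(subdomains):
        flags.append("brand-in-subdomain")
    if name not in BRANDS and name.translate(LOOKALIKES) in BRANDS:
        flags.append("letter-substitution")
    return flags
```
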
Phishing site?
www.sxwrestling.com/e107_lang...
Domain name highlighting
Does it work?
Method
16 legitimate & fraudulent real web pages
4 different obfuscation methods used
22 participants
Phase 1: Rate safety of these web pages
Phase 2: Look at address bar for additional cues. Redo safety ratings.
‘Best case’ for domain highlighting
Participants
• heavy internet users, university educated
• heightened sense of security
• rating security, not browsing, was primary task
• directed to look at address bar (phase 2)
BUT
• not instructed about domain names
Phase 1
[Figure: participants, ordered from least correct to most correct]
Phase 1
Legitimate pages
• 54% correct
• 31% unsure
• 15% incorrect
Consequence: doesn’t enter legitimate site
Fraudulent pages
• 25% correct
• 18% unsure
• 57% incorrect
Consequence: enters site, vulnerable to identity theft
Don’t be a fool, look at the address bar!!!
Phase 2
Phase 2 changes
[Figure: changes in ratings from Phase 1 to Phase 2; legend: more correct, unchanged, more wrong]
Phase 2 changes
Legitimate pages
• no significant differences in overall ratings
Fraudulent pages
• 25→34% correct
• 18→23% unsure
• 57→44% incorrect
Consequence: somewhat better, but still vulnerable to identity theft
How do people judge legitimacy?
Institutional brand
• some brands considered more ‘trustworthy’
The page
• content including professional layout
• reviews suggesting others had visited it
• security / privacy information
Information requested
• sensitivity, quantity…
Address bar
• URLs
• security indicators
Typology of Users
Type A
• content and brand
Type B
• address bar, security indicators, information requested
Type AB
• mostly like Type A
• occasionally like Type B
[Figure: participants, ordered from least correct to most correct, labelled by type: 9 Type A, 7 Type B, 6 Type AB]
Summary
Good news for phishers!
– phishing web sites work
– domain name highlighting only works somewhat
  • best case: only ¼ - ⅓ of phishing pages detected
Phishers can target specific user groups
– Type A & A/B
  • very high risk for perfectly copied pages
– Type B
  • you can still fool them
  • domain name obfuscation works even better
Summary
Good news for anti-phishing researchers!
• lots to do: the phishing problem isn’t solved
Strategies?
• education
• UI redesign
  – to get people to attend domain name
  – to highlight common spoofing methods within the domain name
  – …
Does Domain Highlighting Help People Identify Phishing Sites?
Somewhat, but not enough