Why phishing works

  1. Why phishing works
     By Rachna Dhamija, J. D. Tygar & Marti Hearst
     Ayaz Shahid (aysh1000@student.miun.se)
  2. Overview
     • Introduction
     • Why phishing works
     • Study to support hypothesis
     • Results of study
     • Conclusion
  3. Introduction
     • Directing users to fraudulent websites
     • The hosted website poses as the trustworthy, real website
     • Steals users' credentials such as credit card information, usernames/passwords and other personal information
     • Phishing is an opportunistic attack rather than a targeted attack
  4. Why phishing works
     1. Lack of knowledge
     2. Visual deception
     3. Bounded attention
  5. 1. Lack of knowledge
     • Computer system knowledge
       - Most phishers exploit the user's lack of knowledge of computers, applications, email, the internet etc.
       - Such users do not know how things work or what the differences are, for example between www.ebay-members-security.com and www.ebay.com
  6. Lack of knowledge (cont.)
     • Knowledge of security & security indicators
       - Most users do not know about the security indicators shown by the browser when it detects a phishing website. Example: padlock icon
  7. 2. Visual deception
     • Visually deceptive text
     • Images masking underlying text
     • Images mimicking windows
     • Window masking
     • Deceptive look & feel
  8. Visually deceptive text
     • Users are fooled by the syntax of the domain name
     • Phishers substitute letters in the domain name in ways that may go unnoticed
     • Example: www.paypa1.com instead of www.paypal.com, with the digit '1' substituted for the letter 'l'
  9. Images masking underlying text
     • Phishers use a legitimate-looking image as a hyperlink which actually links to the fraudulent website
     Images mimicking windows
     • Phishers place an image in the content of the webpage that looks the same as a window or a dialog box
  10. Windows masking underlying windows
      • By placing an illegitimate browser window over or beside a legitimate browser window, users can be tricked very easily, as both windows look exactly the same
      Deceptive look & feel
      • Phishers copy the logos, images and other information of the target website so that it has the same look and feel, and the user may take it for the original website
  11. 3. Bounded attention
      • Lack of attention to security indicators
        - The user focuses on the main task and forgets the security indicators
        - They might not pay attention to the warning messages
      • Lack of attention to the absence of security indicators
        - Users do not notice the absence of an indicator
        - Sometimes a spoofed indicator image is inserted by the phishers to fool the users
  12. Study to assess the accuracy of the hypothesis
      • A usability study was conducted
      • Participants were asked to identify legitimate and phishing websites
      • Selected participants had good computer knowledge
      • Around 200 phishing websites were selected
  13. Study design
      • A web site was created containing a random list of hyperlinks to different websites
      • Each participant was presented with 20 websites
      • 7 websites were legitimate
      • 9 were phishing websites
      • 3 were special websites (created using additional phishing techniques)
      • 1 was a special website (requesting users to accept a self-signed SSL certificate)
      • All phishing websites were hosted on an Apache web server
  14. Scenario and procedure
      • Participants were told that some of the websites are legitimate and some are not
      • The participants could also interact with the websites
      • Each participant was told to rate each website on a scale of 1 to 5 and give the reasoning for their answer
      • Participants were asked about their knowledge of SSL-certified websites and their experience with phishing websites
  15. Demographics of participants
      • A total of 22 participants from a university having sound knowledge of computers, email and the web were recruited
      [Chart: Gender (Male / Female)]
  16. [Chart: Students/Staff (Student / Unv. Staff)]
      [Chart: Degree (Bachelors / Masters / J.D. / Ph.D)]
  17. [Chart: Web Browser (Internet Explorer / Mozilla Firefox / Mozilla, unknown version / Apple Safari)]
      [Chart: Operating System (Win XP / MAC OS / Win 2K / Win, unknown version)]
  18. • Participants are aged between 18 and 56
      • Computer usage ranges from 10 to 135 hrs per week
      • 18 participants use online banking
      • 20 participants use online shopping regularly
  19. Results
      Participants' score and behavior
      - The number of correctly identified websites forms the participant's score
      - Scores ranged from 6 to 18 correctly identified websites
      Gender
      - There is no difference between the scores of male and female participants
      - The mean score for male and female participants is 13 & 10.5 respectively
  20. Age
      - There is no correlation between the score and the age of participants
      Education level
      - There is no relation between the score and the educational level of the participants
      Usage of computer
      - There is no significant correlation between the participants' score and the amount of computer usage per week
      - A user who uses a computer for 14 hrs weekly judged 18 out of 19 sites correctly; on the other hand, one who uses a computer for 90 hrs per week judged only 7 sites correctly
  21. Previous use of browser, OS and web
      - There is no significant relation between the score and the participant's previous use of the browser and OS
      - Even previous use of the same website did not help the participants in differentiating between the legitimate and the phishing website
  22. Strategies for determining website legitimacy
      • Participants are categorized by the type of factors they used to make their decision
        - Type 1: Security indicators in the website contents
        - Type 2: Content and domain name
        - Type 3: Content and address plus HTTPS
        - Type 4: Padlock icon plus types 1, 2 & 3
        - Type 5: Certificates plus types 1, 2, 3 & 4
  23. Type 1: Security indicators in website contents
      • Participants looked only at the contents, such as images, logos, layouts, graphic design and the accuracy of information
      • As the participants in this category did not focus on the URL of the site, they scored the lowest
      • 5 (23%) participants used this strategy and their scores were (6, 7, 7, 9, 9)
  24. Type 2: Content & domain name
      • 8 (36%) participants checked the address bar along with the contents of the website
      • People in this category had an idea of the difference between a domain name and an IP address
  25. Type 3: Content, address plus HTTPS
      • Only 2 (9%) participants used this strategy to differentiate between phishing and legitimate websites
      • Participants relied on the presence of HTTPS in the status bar
      • Users did not notice the padlock icon
  26. Type 4: Padlock icon plus types 1, 2 & 3
      • 5 (23%) participants fall under this category
      • They checked everything in the types discussed above and also looked for the padlock icon in the address bar
      • But some participants gave preference to a padlock icon that appears within the content of the web page
  27. Type 5: Certificates plus types 1, 2, 3 & 4
      • Only 2 (9%) of the participants checked the certificates presented by their browser in addition to the other strategies discussed previously
  28. Website difficulty
      • Users were asked to rate the confidence of their judgment on a scale of 1 to 5
  29. Phishing websites
  30. • The website discussed previously used two "V"s instead of a "W" to fool people
      • 20 participants judged this site to be the legitimate website of the Bank of the West
      • 17 people misjudged it because of the contents of the page
      • 2 participants were fooled by the animated bear video
      • 8 participants relied on the links to other websites for their judgment
      • 6 participants were tricked by the VeriSign logo
      • 2 participants correctly judged this website as a spoof
      • Only 1 participant judged this website to be phishing because of the two V's
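The lookalike domains this presentation walks through (www.paypa1.com for www.paypal.com on slide 8, www.ebay-members-security.com on slide 5, and the two-V Bank of the West spoof above) can be flagged on the defender's side by folding confusable characters before comparing a hostname against a list of protected domains. The Python below is an added example, not code from the paper or the presentation; the protected-domain list, the confusable table and the sample hostnames are constructed, and the registrable-domain split is simplified to the last two labels.

```python
# Constructed allow-list of brands a defender wants to protect (example values,
# not taken from the study), stored as registrable domains.
PROTECTED = ("paypal.com", "ebay.com", "bankofthewest.com")

# Visually confusable sequences folded onto the letter they imitate; the
# multi-character entries come first so "vv" is handled before single characters.
CONFUSABLES = (("vv", "w"), ("rn", "m"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(host):
    """Lowercase the host and fold confusable sequences onto their look-alike."""
    host = host.lower().strip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

def registrable(host):
    """Assumption: the registrable domain is the last two labels (fine for .com)."""
    return ".".join(host.split(".")[-2:])

def classify(host):
    """Return (verdict, protected brand or None) for a hostname.

    legit     - host is a protected domain or one of its subdomains
    homoglyph - host matches a protected domain only after folding confusables
    brandword - a protected brand name appears in the host, but the registrable
                domain is something else (e.g. ebay-members-security.com)
    unknown   - no relation to any protected brand
    """
    host = host.lower().strip(".")
    raw = registrable(host)
    for brand in PROTECTED:
        if raw == brand:
            return "legit", brand
    folded = registrable(normalize(host))
    for brand in PROTECTED:
        if folded == brand:
            return "homoglyph", brand
    for brand in PROTECTED:
        if brand.split(".")[0] in host:
            return "brandword", brand
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample hostnames mirroring the presentation's examples.
    for h in ("www.paypa1.com", "www.bankofthevvest.com",
              "www.ebay-members-security.com", "signin.ebay.com"):
        print(h, "->", classify(h))
```

A real deployment would replace the two-label split with a public-suffix list and extend the confusable table, but the two-stage check (exact match first, folded match second) is what separates a genuine subdomain from a homoglyph.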
  31. Participants' knowledge of phishing & security
      Knowledge & experience of phishing
      - 7 participants had never heard the term phishing
      - 9 participants were confused about the legitimacy of the websites
      - 5 participants had experienced phishing and web fraud
      Knowledge of padlock icon & HTTPS
      - 4 participants had no idea about the padlock icon
      - 5 participants mentioned it as some sort of security but were not sure
      - 10 mentioned it as a way of securing data sent from the user to the server
      - 13 participants said that they never pay attention to the HTTPS in the address bar
  32. Knowledge & use of certificates
      - 15 participants clicked the OK button without reading the content of the message when the browser presented the self-signed certificate
      - 18 participants stated that they did not know about the certificate
      - 3 participants chose the wrong option when the certificate was presented
      - Only one participant interpreted the website certificate correctly, as he was a system administrator
      - 19 participants stated that they never checked the certificate
  33. Conclusion
      • The study reveals that even the most knowledgeable and well-informed user can be fooled and tricked by a good phishing site
      • Security indicators and warning messages shown by the browser are not understood by users and go unnoticed
      • Indicators of trust provided by the browser can be spoofed by phishers very easily
      • So the study suggests that some other method or approach is needed to overcome phishing
  34. Questions & comments