Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Do Security Toolbars Actually
Prevent Phishing Attacks
(Written by: Min Wu, Robert C. Miller, Simson
L. Garfinkel)

Pankaj...
Agenda
•
•
•
•
•
•
•

Introduction
Why Phishing works
Types of phishing attacks
One solution: Security toolbars
Initial de...
Introduction
• Phishing attacks typically use legitimatelooking but fake emails and websites to
deceive users into disclos...
Why Phishing works??
•
•
•
•
•

Human Behavior
Lack of knowledge
Lack of attention
Visual deception
…..
Types of phishing attacks
Similar-name attack: One way that users authenticate web sites is by examining the
URL displayed...
One solution: Security Toolbars
•

Security toolbars in a web browser show security related information about a website to...
Initial design issues
•

Secondary goal: Users may not care about the toolbar’s display
even if they do notice about it be...
User Studies
• To simplify the study design, the five existing
toolbars were combined into three categories:
– neutral inf...
User studies….(contd.)
• The studies set up dummy accounts in the name of
“John Smith” at various legitimate e-commerce we...
User studies….(contd.)
• A total of 30 users (all atleast had college
education)
• 14 males and 16 females
• Average age w...
Study 1: Wish list attacks
Results of wish-list attacks
• 17 subjects (85%) were spoofed by the
web content
• 12 subjects (60%) were spoofed by URLs
...
Learning effects of tutorial mail
Paypal attack
• 5 users were spoofed by paypal attack (4
were real life uesrs)
• Reasons:
– psychological thinking of bein...
User study 2
• To check the effectiveness of pop-up
warning messages
• A pop-up is a very aggressive warning,
disrupting t...
Pop up warning message
Pop warning messages: inferences
• 4 users were spoofed
• None of the four spoofed subjects offered that
the content of th...
Conclusion: Toolbars effectiveness
analysis
•

•

•
•

•
•

The neutral information toolbars only provide website informat...
Recommendations
• Active interruption like the popup warnings are far more effective
than the passive warnings displayed i...
Questions??
Thanks!!
Do security toolbars actually prevent phishing attacks
Do security toolbars actually prevent phishing attacks
Upcoming SlideShare
Loading in …5
×

Do security toolbars actually prevent phishing attacks

1,403 views

Published on

Analysis of security toolbars in prevention of phishing attacks

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Do security toolbars actually prevent phishing attacks

  1. 1. Do Security Toolbars Actually Prevent Phishing Attacks (Written by: Min Wu, Robert C. Miller, Simson L. Garfinkel) Pankaj Saharan Helsinki University of Technology
  2. 2. Agenda • • • • • • • Introduction Why Phishing works Types of phishing attacks One solution: Security toolbars Initial design issues User studies Conclusions and recommendations
  3. 3. Introduction • Phishing attacks typically use legitimatelooking but fake emails and websites to deceive users into disclosing personal or financial information to the attacker • A significant threat to Internet users today • Phishing is a model problem for illustrating usability concerns of privacy and security
  4. 4. Why Phishing works?? • • • • • Human Behavior Lack of knowledge Lack of attention Visual deception …..
  5. 5. Types of phishing attacks Similar-name attack: One way that users authenticate web sites is by examining the URL displayed in the address bar, attackers can use a hostname that bears a superficial similarity to the imitated site’s hostname. For example, www.bestbuy.com.ww2.us to spoof bestbuy.com. IP-address attack: Another way to obscure a server’s identity is to display it as an IP address, e.g., http://212.85.153.6/ to spoof bestbuy.com. Hijacked-server attack: Attackers sometimes hijack a server at a legitimate company and then use the server to host phishing attacks. For example, hijacked site www.btinternet.com to spoof bestbuy.com. Popup-window attack: A popup-window attack displays the real site in the browser but puts a borderless window from the phishing site on top to request the user’s personal information. PayPal attack: Unlike the other attacks, which simulate man-in-the-middle behavior while displaying the real web site, this attack requests not only a PayPal username and password, but credit card and bank account information.
  6. 6. One solution: Security Toolbars • Security toolbars in a web browser show security related information about a website to help users detect phishing attacks Some commonly used security toolbars are: • Spoofstick: It displays the website’s real domain name in order to expose phishing sites that obscure their domain name e.g for spoof site www.paypal.com.wws2.us, Spoofstick would display this domain as wws2.us • Netcraft toolbar: It displays information about the site including the domain’s registration date, hosting country and popularity among other toolbar users. • Trustbar: It makes secure web connections (SSL) more visible by displaying the logos of the website and its certificate authority (CA). This is useful against phishing because many legitimate websites use SSL to encrypt the user’s sensitive data transimission, but most phishing sites do not. • eBAY’s Account Guard: It shows a green icon to indicate that the current site belongs to eBay or PayPal, a red icon to indicate a known phishing site found on a blacklist maintained by eBay and a gray for all other sites. • Spoofguard: It calculates a spoof score for the current web page using a set of heuristics derived from previous phishing attacks. Then it shows a particular color to indicate the site’s legitimacy on the basis of the score.
  7. 7. Initial design issues • Secondary goal: Users may not care about the toolbar’s display even if they do notice about it because security toolbar shows security related information which is generally not the primary goal of user in web browsing. • Small area: A toolbar is a small display in the peripheral area of the browser, compared to the large main window that displays the web content. Users may not pay enough attention to the toolbar at the right times to notice an attack. • False Alarms: If a toolbar sometimes makes mistakes and identifies legitimate sites as phishing sites, users may learn to distrust the toolbar. Then, when the toolbar correctly identifies a phishing site, the user may not believe it.
  8. 8. User Studies • To simplify the study design, the five existing toolbars were combined into three categories: – neutral information toolbar (Spoofstick and Netcraft) – SSL-verification toolbar (Trustbar) – system-decision toolbar (eBay Account Guard and Spoofguard) • Users in the studies interacted with a simulated Internet Explorer built inside an HTML application running in full screen mode
  9. 9. User studies….(contd.) • The studies set up dummy accounts in the name of “John Smith” at various legitimate e-commerce websites • Users were asked to work as his personal assistants and protect his passwords • The task was to process 20 mail messages, most of which were requests by John to handle a forwarded message from an e-commerce site • The attacks were divided into wish-list attacks and paypal attack • A tutorial mail appeared in the middle of the study, as 11th of the 20 mails.
  10. 10. User studies….(contd.) • A total of 30 users (all atleast had college education) • 14 males and 16 females • Average age was 27 (ranging from 18-50) • All of them had previous experience of online shopping via one or the other ecommerce sites Risk: Care for the security of the person.
  11. 11. Study 1: Wish list attacks
  12. 12. Results of wish-list attacks • 17 subjects (85%) were spoofed by the web content • 12 subjects (60%) were spoofed by URLs • 9 subjects (45%) were doing their primary tasks at hand • 5 subjects (25%) did not notice the toolbar display at all for some attacks • 1 subject clicked on the links to check for authenticity
  13. 13. Learning effects of tutorial mail
  14. 14. Paypal attack • 5 users were spoofed by paypal attack (4 were real life uesrs) • Reasons: – psychological thinking of being familiar – checking content for authenticity – Requirement!
  15. 15. User study 2 • To check the effectiveness of pop-up warning messages • A pop-up is a very aggressive warning, disrupting the user’s task – So it must be accurate or would be disabled • 20 users aged 19 to 37 (average 23) • 18 were college students and 13 were male
  16. 16. Pop up warning message
  17. 17. Pop warning messages: inferences • 4 users were spoofed • None of the four spoofed subjects offered that the content of the page was convincing as a reason that they were spoofed • Two subjects believed the warning and knew the site was phishing, but still wanted to complete the task. • The other two subjects did not trust the blocking warning box. One said that he had never seen such a warning before. The other thought that the warning was wrong.
  18. 18. Conclusion: Toolbars effectiveness analysis • • • • • • The neutral information toolbars only provide website information such as domain name, hostname, registration date, hosting country etc. With this information, users must use their own judgment and experience to decide whether a site is legitimate or phishing. The system decision toolbars show warning signal for a fraudulent site. This display is easy for the user to interpret but it requires the user to trust the toolbar’s decision process which is generally hidden from the user. Similar is the case with SSL verification toolbars. Generally the security toolbars are not clearly interpreted by the user. Mostly the toolbar looks like an advertisement banner, so it becomes unclear whether it is put there by the browser or the website. Many users depend on the web content to authenticate the site’s identity. Even though they are cautious and notice suspicious signs from the browser’s security indicators, since these signals are weak compared to the strong signals from convincing web content, the users tend to ignore or explain away the security indicators. Poor web practices on the part of e-commerce firms make phishing attacks even more likely to succeed. For example, many legitimate companies do not use SSL to protect their login page (serious problem with SSL verification toolbar). The security indicators generally prove too much for the user whose primary goal is to finish of his task in any way.
  19. 19. Recommendations • Active interruption like the popup warnings are far more effective than the passive warnings displayed in the toolbars. • Warnings that propose an alternative path (e.g. directing users to the real intended site) allowing users to finish the task safely would probably be more effective. • If users have to make security critical decisions, it is best to integrate the security concerns into the critical path of their tasks so that they have to deal with it and can’t simply ignore it. • Finally, internet companies should need to follow some standard practices to better distinguish their sites from malicious phishing attacks. For example, using single domain name that matches company’s brand name rather than using IP addresses or multiple domain names for servers.
  20. 20. Questions?? Thanks!!

×