Does Domain Highlighting Help People Identify Phishing Sites?

Presentation Transcript



Does Domain Highlighting Help People Identify Phishing Sites?

Eric Lin, Saul Greenberg, Eileah Trotter, David Ma & John Aycock

University of Calgary



Phishers

Fraudsters who steal users’ credentials

  • Login: Saul
  • Password: HCIisReallyCool
  • Bank: Bank of Antarctica
  • Account #: 3444 555 6677



Phishing Sites

Fraudulent web sites used to steal users’ credentials



You’ve got mail



I’m way too smart for that!!!

Hah

Image modified from: http://www.briancuban.com/the-science-of-intelligent-design/



Delete



You’ve got mail



Let me check



Phishing site?



www1.royalbank.com

Legitimate



www.paypa1.ca

Fraudulent



www.amazon.ca.checkingoutbookonline.ca

Fraudulent



Websms.fido.page.ca

Legitimate



Common URL Obfuscations

  • Similar name: amazon.checkingoutbooksonline.ca
  • Letter substitution: www.paypa1.com
  • IP addresses: 192.168.111.112/login
  • Complex URLs: www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…
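As an added example (not part of the slides), the Python below computes the registrable domain that a domain-highlighting address bar would emphasise and labels each slide URL with the obfuscation category it falls under. The public-suffix table and the 0.8 similarity threshold are assumptions standing in for the Public Suffix List that browsers actually consult.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List that browsers consult;
# assumption: only the suffixes the slide URLs need are listed.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk"}

def registrable_domain(host):
    """Labels a domain-highlighting address bar emphasises: the longest
    public suffix plus the single label to its left."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host  # unknown suffix: fall back to the whole host

def inspect(url, brand):
    """Return (highlighted domain, cues). Cues are the slide's obfuscation
    categories that apply; an empty tuple means the domain is the brand."""
    host = (urlsplit(url if "//" in url else "http://" + url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return host, ("ip address",)  # literal address: no domain to highlight
    except ValueError:
        pass
    dom = registrable_domain(host)
    name = dom.split(".")[0]
    cues = []
    if name != brand:
        if brand in host.split("."):
            cues.append("similar name")  # brand sits left of the real domain
        elif SequenceMatcher(None, name, brand).ratio() >= 0.8:
            cues.append("letter substitution")  # one-character look-alike
        else:
            cues.append("unrelated domain")
    if len(url) > 40 or "=" in url:
        cues.append("complex url")  # long path/query pushes the host out of view
    return dom, tuple(cues)

# Constructed samples: the slide URLs paired with the brand each page claims.
SAMPLES = [("www1.royalbank.com", "royalbank"), ("www.paypa1.ca", "paypal"),
           ("www.amazon.ca.checkingoutbookonline.ca", "amazon"),
           ("websms.fido.page.ca", "fido"), ("192.168.111.112/login", "bank"),
           ("www.login.xyz.flikr.net/config/login/src-flickr.domain=secure.access", "flickr")]

for url, brand in SAMPLES:
    print(f"{url:72} -> {inspect(url, brand)}")
```

Note that websms.fido.page.ca, which the slides mark legitimate, receives the same "similar name" cue as the amazon example: highlighting exposes the real domain, but only the reader can judge whether page.ca is a domain the brand actually uses.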



Phishing site?



www.sxwrestling.com/e107_lang...



Domain name highlighting



Does it work?



Method

  • 16 legitimate & fraudulent real web pages
  • 4 different obfuscation methods used
  • 22 participants
  • Phase 1: rate safety of these web pages
  • Phase 2: look at address bar for additional cues; redo safety ratings



‘Best case’ for domain highlighting

Participants
  • heavy internet users, university educated
  • heightened sense of security
  • rating security, not browsing, was primary task
  • directed to look at address bar (phase 2)

BUT
  • not instructed about domain names


Phase 1

(chart: participants ordered from most correct to least correct)


Phase 1

Legitimate pages
  • 54% correct
  • 31% unsure
  • 15% incorrect

Consequence: doesn’t enter legitimate site

Fraudulent pages
  • 25% correct
  • 18% unsure
  • 57% incorrect

Consequence: enters site, vulnerable to identity theft


Don’t be a fool,

look at the address bar!!!


Phase 2

(chart)

Phase 1

(chart)

Phase 2 changes

(chart legend: more correct / unchanged / more wrong)

Legitimate pages
  • no significant differences in overall ratings

Fraudulent pages
  • 25→34% correct
  • 18→23% unsure
  • 57→44% incorrect

Consequence: somewhat better, but still vulnerable to identity theft


How do people judge legitimacy?

Institutional brand
  • some brands considered more ‘trustworthy’

The page
  • content including professional layout
  • reviews suggesting others had visited it
  • security / privacy information

Information requested
  • sensitivity, quantity…

Address bar
  • URLs
  • security indicators



Typology of Users

Type A
  • content and brand

Type B
  • address bar, security indicators, information requested

Type AB
  • mostly like Type A
  • occasionally like Type B


(chart: the 22 participants ordered from most correct to least correct, labelled by type: A B B B B B A A AB B AB A A A A A A B AB AB AB AB; Type B is marked at the most-correct end, Type A at the least-correct end)



Summary

Good news for phishers!
  • phishing web sites work
  • domain name highlighting only works somewhat
    • best case: only ¼ - ⅓ of phishing pages detected

Phishers can target specific user groups
  • Type A & A/B
    • very high risk for perfectly copied pages
  • Type B
    • you can still fool them
    • domain name obfuscation works even better



Summary

Good news for anti-phishing researchers!
  • lots to do: the phishing problem isn’t solved

Strategies?
  • education
  • UI redesign
    • to get people to attend to the domain name
    • to highlight common spoofing methods within the domain name



Does Domain Highlighting Help People Identify Phishing Sites?

Somewhat, but not enough

