Why phishing works Dhamija - TU Berlin · 2015-02-10

Why phishing works [Dhamija et al, 2006]

Tim Coen

Technische Universität Berlin, Security in Telecommunications

January 28, 2015

Overview

1. What is Phishing: Definition, Relevance, Related Definitions
2. Usability Study: Why phishing works: Hypothesis, Procedure, Demographics, Results, Determining Website Legitimacy
3. Study Limitations, Protection
4. Discussion

Tim Coen 2 / 34

Definition

Phishing

"[Users are convinced to] visit a fraudulent website at which they are tricked into divulging sensitive information (e.g., passwords, financial account information, and social security numbers)." [Ramzan, 2010]

When is a scam considered a phishing attack? [Ramzan, 2010]

- a spoofed[1] brand
- a website is involved
- sensitive information is requested

[1] Spoof: fraudulent copy

Why do we care?

Phishing exploits incorrect user behavior, not software vulnerabilities.[1]

- Usability is relevant. Security without usability will fail (see e.g. PGP [Whitten and Tygar, 1999])
- economic loss ($1.2 billion for U.S. banks in 2003 [Dhamija et al, 2006])
- 123,000 unique phishing attacks identified in 2014 [Aaron and Rasmussen, 2014]
- -> Discussion

[1] ignoring phishing via XSS, etc.

Notable Phishing Attacks

- 2011: RSA worker phished → SecurID master keys lost → attempted break-in at Lockheed
- 2013: Iranian Gmail users phished
- 2013: AP reporters' Twitter account phished → stock market temporarily drops by $136.5 billion
- 2014: Home Depot phished → 100 million credit card numbers lost

Related Definitions

HTTPS

- URI scheme that signals the use of SSL/TLS

SSL/TLS

- SSL (Secure Sockets Layer) is the predecessor of TLS (Transport Layer Security)
- cryptographic protocol
- uses asymmetric encryption (e.g. RSA) to authenticate and to exchange a symmetric key (e.g. AES)
- uses a public key infrastructure to verify that a certificate belongs to its owner
- thus, certificate authorities are a weak point

Definition: Security Indicator

Figure: Security Indicator [Dhamija et al, 2006]

2006 Usability Study [Dhamija et al, 2006]

22 participants were asked to determine which of 20 websites were fraudulent.

Hypothesis: Attack Strategies I

Lack of Knowledge

- Computer knowledge (e.g. how URLs[1] or email headers[2] work)
- Security and security indicators (confusion about what is part of the browser and what is part of the webpage, or how SSL indicators work)

[1] e.g. which belongs to paypal.com: paypal-login.com, login-paypal.com, paypal.login.com, login.paypal.com, paypal.com/login
[2] Sender addresses are easily spoofed

Hypothesis: Attack Strategies II

Visual Deception

- Text: typejacking (e.g. paypa1.com vs paypal.com)
- Images as links
- Images mimicking windows (example: see next slide)
- Windows masking underlying windows
- copying the look and feel of the original site

Hypothesis: Attack Strategies II: Images mimicking windows

Figure: Image mimicking a window [Hong, 2012]

Hypothesis: Attack Strategies III

Bounded Attention

- Attention to security indicators
- Attention to the absence of security indicators

Procedure

- participants were asked to look for phishing websites
- focus on identifying website authenticity, not on identifying phishing emails
- Mozilla Firefox browser
- 20 fully functioning websites (7 legitimate, 9 representative phishing, 3 constructed using additional phishing techniques, 1 with a self-signed SSL certificate)

Demographics

- 22 participants
- half students and half staff of a university
- all familiar with the use of computers, email, and the Web
- 45.5% male
- 18-56 years old
- 86% in non-technical fields
- 32% use Firefox as primary browser

Results: Phishing does work

- 90% were fooled by good phishing sites
- current anti-phishing cues are ineffective
- 40% error rate on average
- 68% ignored warnings about certificates
- age, sex, experience, education level, hours of computer use, and primary browser and OS did not correlate with vulnerability to phishing

Example Reasoning: Bank of the West I

Figure: Bank of the West (Phishing) [Dhamija et al, 2006]

Example Reasoning: Bank of the West II

90% failure rate for bankofthevvest.com:

- design ("cute", detailed; complicated animations)
- little information requested
- links to other websites
- Verisign logo + link
- correctness of URL

Determining Website Legitimacy

Type 1: Security indicators in website content (used by 23%)

- using logos, layout, graphic design, functioning links and images, or type and accuracy of information to determine legitimacy
- often, a certain type of content is used systematically (e.g. padlock icon in website content, contact information, copyright information)

Determining Website Legitimacy II

Type 2: Content and Domain Name (used by 36%)

- type 1 + domain name in address bar

Type 3: Content, Domain Name, and HTTPS (used by 9%)

- type 2 + HTTPS in address bar
- some participants favored favicons over HTTPS

Figure: Padlock and Favicon [Dhamija et al, 2006]


Determining Website Legitimacy III

Type 4: Content, Domain Name, HTTPS, and Padlock icon (used by 23%)

- type 3 + padlock icon
- some participants still considered a padlock in the content as more important than a padlock in the browser

Type 5: Content, Domain Name, HTTPS, Padlock icon, and Certificates (used by 9%)

- type 4 + checking of certificate

Determining Website Legitimacy: Additional Strategies

Submitting Username and Password

- submit username + password → (supposedly) know if the site is authentic
- used in addition to type 1. result: 7 out of 19 websites correct

Type URL by hand or search by name

- type the URL or use a search engine → compare
- used in addition to type 4. result: 18 out of 19 websites correct

Results by Type

Figure: Results by Type [Dhamija et al, 2006]

Results by Site

Figure: Results by Site [Dhamija et al, 2006]

Previous Knowledge of Phishing

Previous knowledge of the 22 participants:

- 7 had not heard of phishing
- all have received phishing emails in the past, 15 sometimes open them, and 5 of these click on links
- 4 did not know what the padlock is
- 5 knew that the padlock concerns security
- 15 never look at the padlock
- 13 never look at HTTPS
- 5 never look at the address bar
- 15 clicked OK on the self-signed certificate without reading the warning

Study Results: Summary

users:

- lack knowledge (technical and security)
- are focused on their task, not security
- do not detect the absence of indicators
- ignore warnings

Limitations of laboratory usable security studies

Study by [Sotirakopoulos et al, 2011]:

- 10% dropped out because of privacy concerns
- 1/3 reported that they ignored warnings because of the study environment

Revisited: Security Indicator [Nagunwa, 2014]

- HTTPS protocol
- Padlock
- Extended Validation SSL Certificate (since 2007)

Phishing Tips in Practice (2014)

Figure: https://www.sparkasse.de/privatkunden/sicherheit-im-internet/phishing.html

- "conclusive signs of phishing:"
- "Look for the padlock in your browser"
- "Check the encryption in the URL (https instead of http)"

Phishing Prevention

- highlight domain name
- reduce low-risk warnings to combat click-through syndrome [Akhawe et al, 2013]
- identify and block phishing sites. but: average uptime only 32 hours [Aaron and Rasmussen, 2014]
- hash domain names (e.g. paypal.com -> c5, paypa1.com -> d5) [Dittmann et al, 2005]
- browser notifies the user if a new website is visited
- SSL/TLS client side authentication [Alsaid and Mitchell, 2006]
- Visual Server Authentication: the user chooses an image upon registration, which is then displayed for each login [Dhamija and Tygar, 2005]
- use short, non-technical terms and explanations
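The URL points made on the Lack of Knowledge footnote (which hosts belong to paypal.com), the typejacking bullet (paypa1.com vs paypal.com) and the prevention bullets "highlight domain name" and "hash domain names", as an added Python example that is not part of the slides or of the cited papers. It assumes full URLs with a scheme, a registrable domain of exactly two labels (no public-suffix list), a two-hex-digit SHA-256 tag in place of the slide's illustrative c5/d5, and a small constructed look-alike table.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed look-alike table (an assumption, not from the slides): strings that
# typejacking substitutes for a letter, as in paypa1.com or bankofthevvest.com.
CONFUSABLES = {"1": "l", "0": "o", "vv": "w"}


def registrable_domain(url: str) -> str:
    """Part of the host that identifies the site owner.

    Assumption: the last two labels (paypal.com). A real browser consults the
    public-suffix list so that e.g. co.uk is not treated as a site.
    """
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def belongs_to(url: str, site: str) -> bool:
    """Footnote check: only the registrable domain decides ownership.

    login.paypal.com and paypal.com/login belong to paypal.com;
    paypal-login.com, login-paypal.com and paypal.login.com do not.
    """
    return registrable_domain(url) == site.lower()


def fold_confusables(domain: str) -> str:
    """Replace look-alike strings by the letter they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def looks_like(url: str, site: str) -> bool:
    """Typejacking check: a different domain that reads as `site` once
    look-alike characters are folded (paypa1.com reads as paypal.com)."""
    domain = registrable_domain(url)
    return domain != site.lower() and fold_confusables(domain) == fold_confusables(site.lower())


def highlight(url: str) -> str:
    """'highlight domain name': bracket the registrable domain so that
    subdomains and path are visibly secondary."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(url)
    return f"{parts.scheme}://{host[:len(host) - len(domain)]}[{domain}]{parts.path}"


def domain_tag(url: str) -> str:
    """'hash domain names': a short tag the user can memorise per site.

    Assumption: first two hex digits of SHA-256 (the slide's c5/d5 are only
    illustrative). Every page under one registrable domain gets the same tag;
    a look-alike domain gets an unrelated one.
    """
    return hashlib.sha256(registrable_domain(url).encode()).hexdigest()[:2]


if __name__ == "__main__":
    for candidate in ("https://login.paypal.com/", "https://paypal-login.com/",
                      "https://paypa1.com/signin"):
        print(highlight(candidate), belongs_to(candidate, "paypal.com"),
              looks_like(candidate, "paypal.com"), domain_tag(candidate))
```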

Visual Server Authentication: Example

Figure: https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go

Long, Technical Terms: Example

References

- Greg Aaron and Rod Rasmussen (2014). Global Phishing Survey 1H2014: Trends and Domain Name Use. APWG.
- Devdatta Akhawe, Bernhard Amann, and Matthias Vallentin (2013). Here's my cert, so trust me, maybe?: understanding TLS errors on the web. Proceedings of the 22nd international conference on World Wide Web, pp. 59-70.
- Adil Alsaid and Chris Mitchell (2006). Preventing phishing attacks using trusted computing technology. Proceedings of INC 2006, Sixth International Network Conference, July 2006, pp. 221-228.
- Rachna Dhamija and J. D. Tygar (2005). The battle against phishing: Dynamic Security Skins. SOUPS '05, pp. 77-88.
- Rachna Dhamija, J. D. Tygar, and Marti Hearst (2006). Why phishing works. CHI '06, pp. 581-590.
- Jana Dittmann, Stefan Katzenbeisser, and Andreas Uhl (2005). Effective Protection Against Phishing and Web Spoofing. Communications and Multimedia Security, Lecture Notes in Computer Science, pp. 32-41.
- Jason Hong (2012). The state of phishing attacks. ACM 55, 1 (January 2012), pp. 74-81.
- Thomas Nagunwa (2014). Examining Usage of Web Browser Security Indicators in e-banking: A Case Study. IJARCSSE '14, pp. 195-202.
- Zulfikar Ramzan (2010). Phishing Attacks and Countermeasures. Handbook of Information and Communication Security, pp. 433-448.
- Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov (2011). On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. SOUPS '11, pp. 1-18.
- Alma Whitten and J. D. Tygar (1999). Why Johnny can't encrypt: a usability evaluation of PGP 5.0. SSYM'99, Vol 8, pp. 14-14.

The End

Discussion

- Do we care? Is this a legitimate security issue?
- Who is responsible? Do we need better users, browser creators, website creators, certificate authorities, spam filters, law enforcement, or standards?
- Solutions?