Why phishing works [Dhamija et al, 2006]
Tim Coen
Technische Universität Berlin, Security in Telecommunications
January 28, 2015
What is Phishing | Usability Study: Why phishing works | Study Limitations, Protection | Discussion

Overview
1 What is Phishing: Definition; Relevance; Related Definitions
2 Usability Study: Why phishing works: Hypothesis; Procedure; Demographics; Results; Determining Website Legitimacy
3 Study Limitations, Protection
4 Discussion
Tim Coen 2 / 34

Definition
Phishing
"[Users are convinced to] visit a fraudulent website at which they are tricked into divulging sensitive information (e.g., passwords, financial account information, and social security numbers)." [Ramzan, 2010]
When is a scam considered a phishing attack? [Ramzan, 2010]
- a spoofed(1) brand
- a website is involved
- sensitive information is requested
(1) Spoof: fraudulent copy

Why do we care?
Phishing exploits incorrect user behavior, not software vulnerabilities.(1)
- Usability is relevant. Security without usability will fail (see e.g. PGP [Whitten and Tygar, 1999])
- economic loss ($1.2 billion for U.S. banks in 2003 [Dhamija et al, 2006])
- 123,000 unique phishing attacks identified in 2014 [Aaron and Rasmussen, 2014] -> Discussion
(1) ignoring phishing via XSS, etc.

Notable Phishing Attacks
- 2011: RSA worker phished → SecurID master keys lost → attempted break-in at Lockheed
- 2013: Iranian Gmail users phished
- 2013: AP reporters' Twitter account phished → stock market temporarily drops by $136.5 billion
- 2014: Home Depot phished → 100 million credit card numbers lost

Related Definitions
HTTPS
URI scheme that signals the use of SSL/TLS
SSL/TLS
- SSL (Secure Sockets Layer) is the predecessor of TLS (Transport Layer Security)
- cryptographic protocol
- uses asymmetric encryption (e.g. RSA) to authenticate and exchange a symmetric key (e.g. AES)
- uses a public key infrastructure to verify that a certificate belongs to its owner
- thus, certificate authorities are a weak point

Definition: Security Indicator
Figure: Security Indicator [Dhamija et al, 2006]

2006 Usability Study [Dhamija et al, 2006]
2006 Usability Study by Dhamija et al
22 participants were asked to determine which of 20 websites were fraudulent.

Hypothesis: Attack Strategies I
Lack of Knowledge
- computer knowledge (e.g. how URLs(1) or email headers(2) work)
- security and security indicators (confusion on what is part of the browser and what is part of the webpage, or how SSL indicators work)
(1) e.g. which belongs to paypal.com: paypal-login.com, login-paypal.com, paypal.login.com, login.paypal.com, paypal.com/login
(2) sender addresses are easily spoofed

Hypothesis: Attack Strategies II
Visual Deception
- text: typejacking (e.g. paypa1.com vs paypal.com)
- images as links
- images mimicking windows (example: see next slide)
- windows masking underlying windows
- copying look and feel of the original site

Hypothesis: Attack Strategies II: Images mimicking windows
Figure: Image mimicking a window [Hong, 2012]

Hypothesis: Attack Strategies III
Bounded Attention
- attention to security indicators
- attention to absence of security indicators

Procedure
- participants were asked to look for phishing websites
- focus on identifying website authenticity, not identifying phishing emails
- Mozilla Firefox browser
- 20 fully functioning websites (7 legitimate, 9 representative phishing, 3 constructed using additional phishing techniques, 1 with self-signed SSL certificate)

Demographics
- 22 participants
- half students and half staff of a university
- all familiar with use of computer, email, and the Web
- 45.5% male
- 18-56 years old
- 86% in non-technical fields
- 32% use Firefox as primary browser

Results: Phishing does work
- 90% were fooled by good phishing sites
- current anti-phishing cues are ineffective
- 40% error rate on average
- 68% ignored warnings about certificates
- age, sex, experience, education level, hours of computer use, and primary browser and OS did not correlate with vulnerability to phishing

Example Reasoning: Bank of the West I
Figure: Bank of the West (Phishing) [Dhamija et al, 2006]

Example Reasoning: Bank of the West II
90% failure rate for bankofthevvest.com:
- design ("cute", detailed; complicated animations)
- little information requested
- links to other websites
- Verisign logo + link
- correctness of URL
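The URL footnote on slide 9 (which of paypal-login.com, login-paypal.com, paypal.login.com, login.paypal.com and paypal.com/login belong to paypal.com), the typejacking slide (paypa1.com) and the bankofthevvest.com example above all come down to one question: which part of the host name did the brand actually register? The following checker is an added example, not code from the slides or from Dhamija et al; the protected brand list, the confusable table and the tiny public-suffix stub are constructed assumptions (a real deployment would load the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed brand list to protect (assumption for this example, not from the paper).
PROTECTED = {"paypal.com", "bankofthewest.com"}

# Look-alike sequences used in typejacking, mapped to the glyph they imitate.
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o"}

# Tiny stand-in for the Public Suffix List; a real checker would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "co.uk"}

def hostname(url: str) -> str:
    """Extract the lowercase host; accept input typed without a scheme (paypal.com/login)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Keep only the labels the registrant controls: the public suffix plus one label.
    Everything left of that (login., paypal.login.) is chosen freely by whoever owns it."""
    labels = host.split(".")
    for n in (2, 1):  # try a two-label suffix such as co.uk before a one-label one
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host

def canonical(name: str) -> str:
    """Undo glyph substitutions so paypa1.com and bankofthevvest.com read as the brand.
    Deliberately aggressive (modern.com -> modem.com), so it is only consulted
    after an exact match against PROTECTED has failed."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name

def classify(url: str) -> str:
    """legitimate: the registrable domain is a protected brand.
    lookalike:  matches a brand only after de-confusing, or carries a brand name
                inside a domain the brand does not own (paypal-login.com, paypal.login.com).
    unrelated:  none of the above."""
    host = hostname(url)
    if registrable_domain(host) in PROTECTED:
        return "legitimate"
    if canonical(registrable_domain(host)) in PROTECTED:
        return "lookalike"
    brand_words = {d.split(".")[0] for d in PROTECTED}
    if any(word in canonical(host) for word in brand_words):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for u in ("paypal-login.com", "login-paypal.com", "paypal.login.com", "login.paypal.com",
              "paypal.com/login", "https://paypa1.com/", "http://www.bankofthevvest.com/"):
        print(f"{u:35} {classify(u)}")
```

Of the five footnote candidates only login.paypal.com and paypal.com/login are paypal's; the rest are registered by someone else and merely contain the brand name.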

Determining Website Legitimacy
Type 1: Security indicators in website content (used by 23%)
- using logos, layout, graphic design, functioning links and images, or type and accuracy of information to determine legitimacy
- often, a certain type of content is used systematically (e.g. padlock icon in website content, contact information, copyright information)

Determining Website Legitimacy II
Type 2: Content and Domain Name (used by 36%)
- type 1 + domain name in address bar
Type 3: Content, Domain Name, and HTTPS (used by 9%)
- type 2 + HTTPS in address bar
- some participants favored favicons over HTTPS
Figure: Padlock and Favicon [Dhamija et al, 2006]

Determining Website Legitimacy III
Type 4: Content, Domain Name, HTTPS, and Padlock icon (used by 23%)
- type 3 + padlock icon
- some participants still considered a padlock in the content as more important than a padlock in the browser
Type 5: Content, Domain Name, HTTPS, Padlock icon, and Certificates (used by 9%)
- type 4 + checking of certificate

Determining Website Legitimacy: Additional Strategies
Submitting Username and Password
- submit username + password → know if site is authentic
- used in addition to type 1. result: 7 out of 19 websites correct
Type URL by hand or search by name
- type URL or use search engine → compare
- used in addition to type 4. result: 18 out of 19 websites correct

Results by Type
Figure: Results by Type [Dhamija et al, 2006]

Results by Site
Figure: Results by Site [Dhamija et al, 2006]

Previous Knowledge of Phishing
Previous knowledge of the 22 participants:
- 7 have not heard of phishing
- all have received phishing emails in the past, 15 sometimes open them, and 5 of these click on links
- 4 did not know what the padlock is
- 5 knew that the padlock concerns security
- 15 never look at the padlock
- 13 never look at HTTPS
- 5 never look at the address bar
- 15 clicked OK on a self-signed certificate without reading the warning

Study Results: Summary
users:
- lack knowledge (technical and security)
- are focused on their task, not security
- do not detect the absence of indicators
- ignore warnings

Limitations of laboratory usable security studies
Study by [Sotirakopoulos et al, 2011]:
- 10% dropped out because of privacy concerns
- 1/3 reported that they ignored warnings because of the study environment

Revisited: Security Indicator [Nagunwa, 2014]
- HTTPS protocol
- padlock
- Extended Validation SSL certificate (since 2007)

Phishing Tips in Practice (2014)
Figure: https://www.sparkasse.de/privatkunden/sicherheit-im-internet/phishing.html
"conclusive signs of phishing:"
"Look for the padlock in your browser"
"Check the encryption in the URL (https instead of http)"

Phishing Prevention
- highlight domain name
- reduce low-risk warnings to combat click-through syndrome [Akhawe et al, 2013]
- identify and block phishing sites. but: average uptime only 32 hours [Aaron and Rasmussen, 2014]
- hash domain names (e.g. paypal.com -> c5, paypa1.com -> d5) [Dittmann et al, 2005]
- browser notifies user if a new website is visited
- SSL/TLS client side authentication [Alsaid and Mitchell, 2006]
- Visual Server Authentication: user chooses an image upon registration, which is then displayed for each login [Dhamija and Tygar, 2005]
- use short, non-technical terms and explanations

Visual Server Authentication: Example
Figure: https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go

Long, Technical Terms: Example

References
Greg Aaron and Rod Rasmussen (2014). Global Phishing Survey 1H2014: Trends and Domain Name Use. APWG.
Devdatta Akhawe, Bernhard Amann, and Matthias Vallentin (2013). Here's my cert, so trust me, maybe?: understanding TLS errors on the web. Proceedings of the 22nd International Conference on World Wide Web, pp. 59-70.
Adil Alsaid and Chris Mitchell (2006). Preventing phishing attacks using trusted computing technology. Proceedings of INC 2006, Sixth International Network Conference, July 2006, pp. 221-228.
Rachna Dhamija and J. D. Tygar (2005). The battle against phishing: Dynamic Security Skins. SOUPS '05, pp. 77-88.
Rachna Dhamija, J. D. Tygar, and Marti Hearst (2006). Why phishing works. CHI '06, pp. 581-590.
Jana Dittmann, Stefan Katzenbeisser, and Andreas Uhl (2005). Effective Protection Against Phishing and Web Spoofing. Communications and Multimedia Security, Lecture Notes in Computer Science, pp. 32-41.
Jason Hong (2012). The state of phishing attacks. ACM 55, 1 (January 2012), pp. 74-81.
Thomas Nagunwa (2014). Examining Usage of Web Browser Security Indicators in e-banking: A Case Study. IJARCSSE '14, pp. 195-202.
Zulfikar Ramzan (2010). Phishing Attacks and Countermeasures. Handbook of Information and Communication Security, pp. 433-448.
Andreas Sotirakopoulos, Kirstie Hawkey, and Konstantin Beznosov (2011). On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. SOUPS '11, pp. 1-18.
Alma Whitten and J. D. Tygar (1999). Why Johnny can't encrypt: a usability evaluation of PGP 5.0. SSYM'99, Vol. 8, pp. 14-14.

The End

Discussion
- Do we care? Is this a legitimate security issue?
- Who is responsible? Do we need better users, browser creators, website creators, certificate authorities, spam filters, law enforcement, or standards?
- Solutions?