Page 1: Why phishing works

Why phishing works

Ayaz Shahid ([email protected])

By Rachna Dhamija, J. D. Tygar & Marti Hearst

Page 2: Why phishing works

Overview

• Introduction
• Why phishing works
• Study to support hypothesis
• Results of study
• Conclusion

Page 3: Why phishing works

Introduction

• Directing users to fraudulent websites
• The hosting website poses as the trustworthy, real website
• Steals the user's credentials, such as credit card information, usernames/passwords and other personal information
• Phishing is an opportunistic attack rather than a targeted attack

Page 4: Why phishing works

Why phishing works

1. Lack of knowledge
2. Visual deception
3. Bounded attention

Page 5: Why phishing works

1. Lack of knowledge

• Computer system knowledge

Most phishers exploit the user's lack of knowledge of computers, applications, email, the internet, etc. Such users do not know how things work or what the difference is between, for example:

www.ebay-members-security.com & www.ebay.com

Page 6: Why phishing works

Lack of knowledge (cont.)

• Knowledge of security & security indicators

Most users do not know about the security indicators displayed by the browser, or the warning it shows when it detects a phishing website.

Example: padlock icon

Page 7: Why phishing works

2. Visual deception

• Visually deceptive text
• Images masking underlying text
• Images mimicking windows
• Window masking
• Deceptive look & feel

Page 8: Why phishing works

Visually deceptive text

• Users are fooled by the syntax of the domain name
• Phishers substitute letters in the domain name in ways that may go unnoticed
• Example: www.paypa1.com instead of www.paypal.com (the digit '1' substituted for the letter 'l')
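As an added example that is not part of these slides or of the paper they summarize, the Python script below checks a URL's domain against a short list of protected brands and flags the two deception patterns from slide 5 and this slide: a brand name padded with extra words in an unrelated domain (www.ebay-members-security.com) and look-alike character substitution (www.paypa1.com). It goes slightly beyond the slides by also undoing the "vv"-for-"w" substitution mentioned later in the results. The PROTECTED list, the CONFUSABLES table and the bankofthewest.com entry are assumptions made for this example, and the registrable-domain step assumes a one-label public suffix such as .com.

```python
from urllib.parse import urlsplit

# Brands a defender wants to protect. Assumed for this example: paypal.com and
# ebay.com appear on the slides, bankofthewest.com is assumed to be the real
# domain behind the "Bank of the West" case in the results.
PROTECTED = {
    "paypal.com": "PayPal",
    "ebay.com": "eBay",
    "bankofthewest.com": "Bank of the West",
}

# Character sequences that look like another letter in common fonts. The list
# is an assumption; a production tool would use a full confusables table.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]


def normalize(label):
    """Undo look-alike substitutions so paypa1 -> paypal, vvest -> west."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_domain(url):
    """Return the last two host labels (assumes a one-label suffix such as .com)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (verdict, brand) for a URL.

    Verdicts: legitimate, lookalike-characters, brand-embedded, unknown.
    """
    domain = registrable_domain(url)
    if domain in PROTECTED:
        return ("legitimate", PROTECTED[domain])
    second_level = domain.split(".")[0]
    for brand_domain, brand in PROTECTED.items():
        brand_label = brand_domain.split(".")[0]
        # paypa1.com, bankofthevvest.com: identical once confusables are undone
        if normalize(domain) == brand_domain:
            return ("lookalike-characters", brand)
        # ebay-members-security.com: the brand word padded with extra words
        if brand_label in normalize(second_level):
            return ("brand-embedded", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs for this example
    for sample in ["www.ebay.com", "www.ebay-members-security.com",
                   "www.paypa1.com", "https://www.bankofthevvest.com/",
                   "www.example.org"]:
        print(sample, "->", classify(sample))
```

The substring test for brand-embedded domains is deliberately broad: a defender reviewing mail or proxy logs would rather triage a few false positives than miss a padded brand name, which is exactly the case slide 5 says users cannot tell apart.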

Page 9: Why phishing works

Images masking underlying text

• Phishers use a legitimate-looking image as the hyperlink, which actually links to the fraudulent website

Images mimicking windows

• Phishers place an image in the content of the web page that looks the same as a window or a dialog box
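As an added example (not from the slides or the paper), the scanner below reads an HTML page or e-mail body and reports the patterns this slide and slide 11 describe: a link whose visible text shows one domain while its href points at another, links whose clickable area is an image rather than visible text, and images placed in page content whose file name or alt text imitates a security indicator such as a padlock. The sample HTML, the INDICATOR_WORDS list and the class and function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Words suggesting an image imitates a browser security indicator (assumed list)
INDICATOR_WORDS = ("lock", "secure", "ssl", "verisign")

# Matches text that reads as a URL or bare domain; group 1 is the host part
URL_LIKE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def bare_host(host):
    """Drop a leading www. so www.ebay.com and ebay.com compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class DeceptionScanner(HTMLParser):
    """Collect (finding, detail) tuples for the visual-deception patterns."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None          # href of the <a> currently open, else None
        self._text = []            # visible text seen inside that <a>
        self._image_in_link = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
            self._image_in_link = False
        elif tag == "img":
            src = attrs.get("src") or ""
            alt = attrs.get("alt") or ""
            if self._href is not None:
                self._image_in_link = True
            # A padlock or seal drawn in page content is not a browser indicator
            if any(word in (src + " " + alt).lower() for word in INDICATOR_WORDS):
                self.findings.append(("indicator-image-in-content", src))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        href_host = urlsplit(self._href).hostname or ""
        match = URL_LIKE.fullmatch(text)
        if match and href_host and bare_host(match.group(1)) != bare_host(href_host):
            # Visible text names one site, the link goes to another
            self.findings.append(("link-text-mismatch", f"{text} -> {href_host}"))
        elif self._image_in_link and href_host:
            # The clickable element is a picture, so no URL is visible at all
            self.findings.append(("image-link", href_host))
        self._href = None


def scan(html):
    """Return the list of findings for one HTML document."""
    parser = DeceptionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a phishing e-mail body for this example
SAMPLE_HTML = """
<p>Dear customer, please visit
<a href="http://www.ebay-members-security.com/login">www.ebay.com</a>
to confirm your account.</p>
<a href="http://www.paypa1.com/"><img src="/img/paypal-logo.gif" alt="PayPal"></a>
<p><img src="/img/padlock.gif" alt="Secure site"> Your data is protected.</p>
<a href="http://www.ebay.com/help">Help</a>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(*finding)
```

Run against the sample, the scanner reports the text/href mismatch, the image-only PayPal link and the padlock image in content; the plain "Help" link, whose text is not a URL, produces nothing. The same parser can be pointed at a mail gateway's rendered HTML to surface these patterns before a user sees them.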

Page 10: Why phishing works

Windows masking underlying windows

• By placing an illegitimate browser window over or beside a legitimate browser window, users can be tricked very easily, as both windows look exactly the same

Deceptive look & feel

• Phishers copy the logos, images and other information of the target website so that it has the same look and feel, and the user may take it for the original website

Page 11: Why phishing works

3. Bounded attention

• Lack of attention to security indicators

Users focus on the main task and forget the security indicators; they might not pay attention to the warning messages

• Lack of attention to the absence of security indicators

Users do not notice the absence of an indicator; sometimes a spoofed indicator image is inserted by the phishers to fool the users

Page 12: Why phishing works

Study to assess the accuracy of the hypothesis

• Conducted a usability study
• Participants were asked to identify legitimate and phishing websites
• The selected participants were knowledgeable users (better than average)
• Around 200 phishing websites were collected

Page 13: Why phishing works

Study design

• A website was created containing a random list of hyperlinks to different websites
• Each participant was presented with 20 websites:
  • 7 legitimate websites
  • 9 phishing websites
  • 3 special websites (created using additional phishing techniques)
  • 1 special website (requesting users to accept a self-signed SSL certificate)
• All phishing websites were hosted on an Apache web server

Page 14: Why phishing works

Scenario and procedure

• Participants were told that some of the websites are legitimate and some are not
• The participants could also interact with the websites
• Each participant was told to rate the website on a scale of 1 to 5 and give the reasoning for their answer
• Participants were asked about their knowledge of SSL-certified websites and their experience with phishing websites

Page 15: Why phishing works

Demographics of participants

• A total of 22 participants from a university, having sound knowledge of computers, email and the web, were recruited

[Chart: Gender of participants; categories Male and Female; bars read 10 and 12]

Page 16: Why phishing works

[Chart: Students/Staff; Student 11, Unv. Staff 11]

[Chart: Staff education; Bachelors Degree, Masters Degree, J.D. Degree; bars read 8, 2, 1 in that order]

[Chart: Students education; Bachelors Degree, Masters Degree, Ph.D; bars read 7, 2, 2 in that order]

Page 17: Why phishing works

[Chart: Web browser; Internet Explorer, Mozilla Firefox, Mozilla Unknown Version, Apple Safari; bars read 11, 7, 2, 1 in that order]

[Chart: Operating system; Win XP, MAC OS, Win 2K, Win Unknown Version; bars read 13, 6, 2, 1 in that order]

Page 18: Why phishing works

• Participants are aged between 18 and 56
• Computer usage ranges from 10 to 135 hours per week
• 18 participants use online banking
• 20 participants use online shopping regularly

Page 19: Why phishing works

Results

Participants' score and behavior

The number of correctly identified websites forms the participant's score. Scores ranged from 6 to 18 correctly identified websites.

Gender

There is no difference between the scores of male and female participants. The mean scores for male and female participants are 13 & 10.5 respectively.

Page 20: Why phishing works

Age

There is no correlation between the score and the age of the participants.

Education level

There is no relation between the score and the educational level of the participants.

Usage of computer

There is no significant correlation between the users' score and the amount of computer usage per week. A user who uses a computer for 14 hours weekly judged 18 out of 19 sites correctly; on the other hand, one who uses a computer for 90 hours per week judged only 7 sites correctly.

Page 21: Why phishing works

Previous use of browser, OS and web

There is no significant relation between the score and the participant's previous use of the browser and OS. Even previous use of the same website did not help the participants in differentiating between the legitimate and the phishing website.

Page 22: Why phishing works

Strategies for determining website legitimacy

• Participants are categorized by the type of factors they used to make the decision

Type 1: Security indicators in the website contents
Type 2: Content and domain name
Type 3: Content and address plus HTTPS
Type 4: Padlock icon plus types 1, 2 & 3
Type 5: Certificates plus types 1, 2, 3 & 4

Page 23: Why phishing works

Type 1: Security indicators in website contents

• Participants looked only at the contents, such as images, logos, layouts, graphic design and the accuracy of information
• As the participants in this category did not focus on the URL of the site, they scored the lowest
• 5 (23%) participants used this strategy; their scores were (6, 7, 7, 9, 9)

Page 24: Why phishing works

Type 2: Content & domain name

• 8 (36%) participants checked the address bar along with the contents of the website
• People in this category had an idea of the difference between a domain name and an IP address

Page 25: Why phishing works

Type 3: Content, address plus HTTPS

• Only 2 (9%) participants used this strategy to differentiate between phishing and legitimate websites
• Participants relied on the presence of HTTPS in the status bar
• Users did not notice the padlock icon

Page 26: Why phishing works

Type 4: Padlock icon plus types 1, 2 & 3

• 5 (23%) participants fall under this category
• They checked for all the factors discussed above and also looked for the padlock icon in the address bar
• But some participants gave preference to a padlock icon that appears within the content of the web page

Page 27: Why phishing works

Type 5: Certificates plus types 1, 2, 3 & 4

• Only 2 (9%) of the participants checked the certificates presented by their browser, in addition to the other strategies discussed previously

Page 28: Why phishing works

Website difficulty

• Users were asked to rate the confidence of their judgment on a score of 1 to 5

Page 29: Why phishing works

Phishing websites

Page 30: Why phishing works

• The website discussed previously used two “V”s instead of a “W” to fool people
• 20 participants judged this site as the legitimate website of the Bank of the West
• 17 people misjudged it because of the contents of the page
• 2 participants were fooled by the animated bear video
• 8 participants relied on the links to other websites for their judgment
• 6 participants were tricked by the VeriSign logo
• 2 participants correctly judged this website as a spoof
• Only 1 participant identified this phishing website because of the two V’s

Page 31: Why phishing works

Participants' knowledge of phishing & security

Knowledge & experience of phishing

7 participants had never heard the term phishing
9 participants were confused about the legitimacy of the websites
5 participants had experienced phishing and web fraud

Knowledge of padlock icon & HTTPS

4 participants had no idea regarding the padlock icon
5 participants mentioned it as some sort of security but were not sure
10 mentioned it as a way of securing data sent from the user to the server
13 participants said that they never pay attention to the HTTPS in the address bar

Page 32: Why phishing works

Knowledge & use of certificates

15 participants selected the OK button without reading the content of the message when the browser presented the self-signed certificate
18 participants stated that they did not know about the certificate
3 participants selected the wrong option from the certificate
Only one participant interpreted the website certificate correctly, as he was a system administrator
19 participants stated that they never check the certificate

Page 33: Why phishing works

Conclusion

• The study reveals that even the most knowledgeable and well-informed user can be fooled and tricked by a good phishing site
• Security indicators and warning messages shown by the browser are not understood by the user and go unnoticed
• Indicators of trust provided by the browser can even be spoofed by phishers very easily
• So the study suggests that some other method or approach is needed to overcome phishing

Page 34: Why phishing works

Questions & Comments