Does Domain Highlighting Help People Identify Phishing Sites?

1. Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul GreenbergEileah Trotter, David Ma & John Aycock University of Calgary

2. Phishers Fraudsters who steal user’s credentials Login: Saul Password HCIisReallyCool Bank Bank of Antarctica Account # 3444 555 6677

3. Phishing Sites Fraudulent web sites used to steal user’s credentials

4. You’ve got mail

5. I’m way too smart for that!!! Hah Image modified from: http://www.briancuban.com/the-science-of-intelligent-design/

6. Delete

7. You’ve got mail

8. Let me check

10. Phishing site?

17. www1.royalbank.com Legitimate

18. www.paypa1.ca Fraudulent

19. www.amazon.ca.checkingoutbookonline.ca Fraudulent

20. Websms.fido.page.ca Legitimate

21. Common URL Obfuscations Similar name amazon.checkingoutbooksonline.ca Letter substitution www.paypa1.com IP addresses 192.168.111.112/login Complex URLs www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…

22. Phishing site?

23. www.sxwrestling.com/e107_lang...

24. Domain name highlighting

25. Does it work?

26. Method 16 legitimate & fraudulent real web pages 4 different obfuscation methods used 22 participants Phase 1. Rate safety of these web pages Phase 2: Look at address bar for additional cues Redo safety ratings.

27. ‘Best case’ for domain highlighting Participants • heavy internet users, university educated • heightened sense of security • rating security, not browsing, was primary task • directed to look at address bar (phase 2) BUT • not instructed about domain names

28. Phase 1 mostcorrect leastcorrect participants

29. Phase 1 Legitimate pages 54% correct 31% unsure 15% incorrect

30. Phase 1 Legitimate pages 54% correct 31% unsure 15% incorrect Consequence doesn’t enter legitimate site

31. Phase 1 Legitimate pages 54% correct 31% unsure 15% incorrect Fraudulent pages 25% correct 18% unsure 57% incorrect

32. Phase 1 Legitimate pages 54% correct 31% unsure 15% incorrect Fraudulent pages 25% correct 18% unsure 57% incorrect Consequence enters site, vulnerable to identity theft

33. Don’t be a fool, look at the address bar!!!

34. Phase 2

35. Phase 1

36. Phase 2 changes Changes more correct unchanged more wrong

37. Phase 2 changes Legitimate pages no significantdifferences in overall ratings

38. Phase 2 changes Legitimate pages no significantdifferences in overall ratings Fraudulent pages 25→34 % correct 18→23% unsure 57→44 % incorrect

39. Phase 2 Legitimate pages no significantdifferences in overall ratings Fraudulent pages 25→34 % correct 18→23% unsure 57→44 % incorrect Consequence Somewhat better, but stillvulnerable to identity theft

40. How do people judge legitimacy? Institutional brand • some brands considered more ‘trustworthy’ The page • content including professional layout • reviews suggesting others had visited it • security / privacy information Information requested • sensitivity, quantity… Address bar • URLs • security indicators

41. Typology of Users Type A • content and brand Type B • address bar, security indicators, information requested Type AB • mostly like Type A • occasionally like Type B

42. mostcorrect leastcorrect participants Type B A B B B B B A A AB B AB A A A A A A B AB AB AB AB Type A

43. Summary Good news for phishers! • phishing web sites work • domain name highlighting only works somewhat • best case: only ¼ - ⅓ of phishing pages detected Phishers can target specific user groups • Type A & A/B • very high risk for perfectly copied pages • Type B • you can still fool them • domain name obfuscation works even better

44. Summary Good news for anti-phishing researchers! • lots to do: the phishing problem isn’t solved Strategies? • education • UI redesign • to get people to attend domain name • to highlight common spoofing methods within the domain name • …

45. Does Domain Highlighting Help People Identify Phishing Sites? Somewhat, but not enough