
An Evaluation Of Extended Validation and Picture-in-Picture Phishing Attacks

Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth. Financial Cryptography and Data Security, 2007. Presented by Hui (Henry) Fang.



  1. An Evaluation Of Extended Validation and Picture-in-Picture Phishing Attacks
     Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth
     Financial Cryptography and Data Security, 2007
     Presented by Hui (Henry) Fang

  2. Certificates
     1. Normal certificate
        • Domain name (asserts only control of the name)
     2. Extended Validation (EV) certificate
        • Domain name
        • Identity of a legitimate business (the CA verifies the legal entity behind the site)

  3. Homograph Attack
     • Similar domain names (look-alike characters substituted for the real ones, here "vv" in place of "w")
     • It may be HTTPS-enabled, since the attacker can obtain a certificate for the look-alike name: https://www.bankofthevvest.com/
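A heuristic check for the kind of look-alike name shown on this slide, added here as an illustration and not code from the paper or the presentation: it collapses common ASCII confusables ("vv" for "w", "rn" for "m", "1" for "l", and so on) into a visual skeleton and compares the result against an allow-list of known-good domains, and it flags punycode (internationalised) labels as suspicious when the allow-list is all ASCII. The allow-list and the confusable table are constructed for this example; a production check would use the full Unicode confusables data and the Public Suffix List.

```javascript
// Added example: a heuristic detector for look-alike ("homograph") domain
// names of the kind shown on the slide. It is not code from the paper or the
// presentation. The allow-list and the confusable table below are constructed
// for this example and are deliberately small.

// Known-good registrable domains (constructed allow-list for the example).
const LEGIT_DOMAINS = ['bankofthewest.com', 'paypal.com', 'example.com'];

// ASCII confusables: sequences an attacker substitutes for a letter because
// they render almost identically in common fonts. Multi-character entries
// come first so that "vv" is collapsed before any single-character rule runs.
const CONFUSABLES = [
  ['vv', 'w'],
  ['rn', 'm'],
  ['cl', 'd'],
  ['0', 'o'],
  ['1', 'l'],
  ['|', 'l'],
];

// Collapse a label to its visual "skeleton" so look-alikes compare equal.
function skeleton(label) {
  let s = label.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Keep only the last two labels (strips "www." and other subdomains).
// Sufficient for .com-style names; a real check would consult the Public
// Suffix List to handle suffixes such as co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Returns 'legit', 'idn-suspicious', 'homograph-of:<domain>' or 'unknown'.
function classifyHostname(hostname) {
  const domain = registrableDomain(hostname);
  // Internationalised labels reach us as punycode ("xn--..."); against an
  // all-ASCII allow-list they can only be look-alikes, never a match.
  if (domain.split('.').some((l) => l.startsWith('xn--'))) return 'idn-suspicious';
  if (LEGIT_DOMAINS.includes(domain)) return 'legit';
  const sk = skeleton(domain);
  for (const good of LEGIT_DOMAINS) {
    if (skeleton(good) === sk) return `homograph-of:${good}`;
  }
  return 'unknown';
}

// Convenience wrapper for full URLs. An https:// scheme or a valid
// certificate proves nothing here: the attacker can obtain a certificate
// for the look-alike name, which is the point the slide makes.
function classifyUrl(url) {
  return classifyHostname(new URL(url).hostname);
}

// Demo on the slide's example plus a few constructed inputs.
for (const u of [
  'https://www.bankofthevvest.com/',
  'https://www.bankofthewest.com/login',
  'http://paypa1.com/',
  'https://xn--80ak6aa92e.com/',
  'https://example.org/',
]) {
  console.log(u, '->', classifyUrl(u));
}
```

The skeleton comparison is applied to both sides, so a legitimate domain that itself contains "rn" or "cl" still matches itself; what the check cannot do is tell a genuinely new domain from an unrelated one, which is why unknown names are reported as such rather than as safe.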

  4. Picture-in-Picture Attack
     • A fake browser window, complete with its own chrome and security indicators, is drawn inside the content area of the real page
     • Cues that can reveal it: mismatched chrome (the inner window does not match the user's real browser), focus, dragging, maximizing (the fake window does not behave like a real one)

  5. Experiment Design
     Before the task – familiarization (play with two real web sites)

  6. Experiment Design
     During the task – 12 web sites, presented in random order, drawn from seven types:
     • Real site
     • Real, but confusing, site
     • Homograph attack
     • Homograph attack with warning
     • Picture-in-Picture attack
     • Mismatched Picture-in-Picture attack
     • IP address blocked by the phishing filter

  7. Study Result

  8. Findings
     • Picture-in-Picture attacks were as effective as homograph attacks
     • Extended validation did not help users defend against either attack
     • Extended validation did not help untrained users classify a legitimate site
     • Training caused more sites, both real and fraudulent, to be classified as legitimate

  9. Appreciation
     • Experiment design: participants were divided into three groups for comparison.

  10. Criticism
     • The number of participants was very small: only 27.
     • The task involved 7 types of web sites and 12 web sites were tested, but the distribution of those 12 sites across the 7 types is not stated.

  11. Questions
     • Does the Picture-in-Picture attack work in mobile browsers?
     • What improvements can be made to browsers to defend against the Picture-in-Picture attack?
