
Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.




1 Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary

2 Phishers
Fraudsters who steal users’ credentials
  Login: Saul
  Password: HCIisReallyCool
  Bank: Bank of Antarctica
  Account #: 3444 555 6677

3 Phishing Sites
Fraudulent web sites used to steal users’ credentials

4 You’ve got mail

5 Image modified from: http://www.briancuban.com/the-science-of-intelligent-design/ I’m way too smart for that!!! Hah

6 Delete

7 You’ve got mail

8 Let me check


10 Phishing site?


17 Legitimate www1.royalbank.com

18 Fraudulent www.paypa1.ca

19 Fraudulent www.amazon.ca.checkingoutbookonline.ca

20 Legitimate Websms.fido.page.ca

21 Common URL Obfuscations
  Similar name: amazon.checkingoutbooksonline.ca
  Letter substitution: www.paypa1.com
  IP addresses: 192.168.111.112/login
  Complex URLs: www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…

22 Phishing site?

23 www.sxwrestling.com/e107_lang...

24 Domain name highlighting
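Added illustration (not from the talk): a small Python classifier showing what a domain-highlighting address bar would emphasise for the URLs on slides 17–21 and which slide-21 obfuscation each one uses. The brand list and the lookalike map are constructed assumptions; the flikr URL is joined from the slide's wrapped text.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand list for this example (assumed, not from the talk): brand keyword
# -> the registrable domain a genuine login page would show in a highlighted address bar.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.ca",
                "flickr": "flickr.com", "royalbank": "royalbank.com"}
# Digit-for-letter lookalikes behind "letter substitution" (paypa1 -> paypal).
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})

def _split(url: str):
    # The slides write bare hosts; supply a scheme so urlsplit parses the host.
    return urlsplit(url if "://" in url else "http://" + url)

def registrable_domain(url: str) -> str:
    """The part domain highlighting emphasises: the last two host labels, or a bare IP."""
    host = (_split(url).hostname or "").rstrip(".")   # hostname is already lower-cased
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Name the slide-21 obfuscation a URL uses, or 'none' if the domain looks genuine."""
    parts = _split(url)
    host = parts.hostname or ""
    domain = registrable_domain(url)
    try:
        ipaddress.ip_address(host)
        return "ip-address"          # no domain name at all to highlight
    except ValueError:
        pass
    base = domain.split(".")[0]
    tail = (parts.path + "?" + parts.query).lower()
    for brand, genuine in KNOWN_BRANDS.items():
        if domain == genuine:
            return "none"            # highlighted domain is the brand's own
        if base != brand and base.translate(LOOKALIKES) == brand:
            return "letter-substitution"
        if brand in host and brand not in domain:
            return "similar-name"    # brand demoted to a subdomain of another domain
        if brand in tail and brand not in domain:
            return "complex-url"     # brand only appears in the path or query
    return "none"
```

A highlighted address bar shows only what `registrable_domain` returns, so the three obfuscations that leave the brand outside that part are exactly the ones highlighting is meant to expose.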

25 Does it work?

26 Method
  16 legitimate & fraudulent real web pages
  4 different obfuscation methods used
  22 participants
  Phase 1: Rate safety of these web pages
  Phase 2: Look at address bar for additional cues, then redo safety ratings

27 ‘Best case’ for domain highlighting
  Participants: heavy internet users, university educated
  Heightened sense of security: rating security, not browsing, was the primary task
  Directed to look at address bar (phase 2), BUT not instructed about domain names

28 Phase 1 [chart: participants ordered from least correct to most correct]

29 Phase 1
  Legitimate pages: 54% correct, 31% unsure, 15% incorrect

30 Phase 1
  Legitimate pages: 54% correct, 31% unsure, 15% incorrect
  Consequence: doesn’t enter legitimate site

31 Phase 1
  Legitimate pages: 54% correct, 31% unsure, 15% incorrect
  Fraudulent pages: 25% correct, 18% unsure, 57% incorrect

32 Phase 1
  Legitimate pages: 54% correct, 31% unsure, 15% incorrect
  Fraudulent pages: 25% correct, 18% unsure, 57% incorrect
  Consequence: enters site, vulnerable to identity theft

33 Don’t be a fool, look at the address bar!!!

34 Phase 2

35 Phase 1

36 Phase 2 changes [chart legend: more correct / unchanged / more wrong]

37 Phase 2 changes
  Legitimate pages: no significant differences in overall ratings

38 Phase 2 changes
  Legitimate pages: no significant differences in overall ratings
  Fraudulent pages: 25→34% correct, 18→23% unsure, 57→44% incorrect

39 Phase 2
  Legitimate pages: no significant differences in overall ratings
  Fraudulent pages: 25→34% correct, 18→23% unsure, 57→44% incorrect
  Consequence: somewhat better, but still vulnerable to identity theft

40 How do people judge legitimacy?
  Institutional brand: some brands considered more ‘trustworthy’
  The page content, including: professional layout; reviews suggesting others had visited it; security / privacy information
  Information requested: sensitivity, quantity…
  Address bar: URLs, security indicators

41 Typology of Users
  Type A: content and brand
  Type B: address bar, security indicators, information requested
  Type AB: mostly like Type A, occasionally like Type B

42 [chart: participants ordered from least correct to most correct, each labelled Type A, Type B or AB; Type A participants cluster at one end and Type B at the other]

43 Summary
Good news for phishers!
  – phishing web sites work
  – domain name highlighting only works somewhat: best case, only ¼ - ⅓ of phishing pages detected
Phishers can target specific user groups
  – Type A & A/B: very high risk for perfectly copied pages
  – Type B: you can still fool them; domain name obfuscation works even better

44 Summary
Good news for anti-phishing researchers!
Lots to do: the phishing problem isn’t solved
Strategies?
  education
  UI redesign
    – to get people to attend to the domain name
    – to highlight common spoofing methods within the domain name
    – …

45 Does Domain Highlighting Help People Identify Phishing Sites? Somewhat, but not enough




