Rachna Dhamija
Marti Hearst
ABSTRACT
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
- Ang, L., C. Dubelaar, & B. Lee. To Trust or Not to Trust? A Model of Internet Trust From the Customer's Point of View. Proc. 14th Bled E-Commerce Conf. (2001), 25--26.]]Google Scholar
- Anti-Phishing Working Group. Phishing Activity Trends Report November 2005 (2005).]]Google Scholar
- Anti-Phishing Working Group Phishing Archive. http://anti-phishing.org/phishing_archive.htm]]Google Scholar
- Ba, S. & P. Pavlov. Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior. MIS Quarterly, 26, 3 (2002), 243--268.]]Google Scholar
- Cheskin Research. E-commerce Trust Study (1999).]]Google Scholar
- Dhamija, R. Authentication for Humans: The Design and Analysis of Usable Security Systems. Ph.D. Thesis, University of California Berkeley (2005).]] Google ScholarDigital Library
- Dhamija, R. & J. D. Tygar. The Battle Against Phishing: Dynamic Security Skins. Proc. SOUPS (2005).]] Google ScholarDigital Library
- Egger, F.N. Affective Design of E-commerce User Interfaces: How to Maximize Perceived Trustworthi-ness. Proc. Intl. Conf. Affective Human Factors De-sign (2001), 317--324.]]Google Scholar
- Fogg, B. J. Stanford Guidelines for Web Credibility. Res. Sum. Stanford Persuasive Tech. Lab. (2002).]]Google Scholar
- Fogg, B. J. et al. How Do Users Evaluate the Credibility of Web Sites?: A Study with Over 2,500 Par-ticipants. Proc. DUX (2003).]] Google ScholarDigital Library
- Fogg, B. J. et al. What Makes Web Sites Credible?: A Report on a Large Quantitative Study. Proc. CHI (2001), 61--68.]] Google ScholarDigital Library
- Franco, R. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers. IEBlog, Nov. 21, 2005.]]Google Scholar
- Friedman, B. et al. Users' Conceptions of Risks and Harms on the Web: A Comparative Study. Ext. Abs. CHI (2002), 614--615.]] Google ScholarDigital Library
- Friedman, B. et al. Users' Conceptions of Web Security: A Comparative Study. Ext. Abs. CHI (2002), 746--747.]] Google ScholarDigital Library
- Gefen, D. Reflections on the Dimensions of Trust and Trustworthiness Among Online Consumers. ACM SIGMIS Database, 33, 3 (2002), 38--53.]] Google ScholarDigital Library
- Hemphill, T. Electronic Commerce and Consumer Privacy: Establishing Online Trust in the U.S. Digital Economy. Bus. & Soc. Rev., 107, 2 (2002), 331--239.]]Google Scholar
- Jagatic, T., N. Johnson, & M. Jakobsson. Phishing Attacks Using Social Networks (Indiana U. Human Subject Study 05-9892 & 05-9893). (2005).]]Google Scholar
- Kim, D., Y. Song, S. Braynov, & H. Rao. A B-to-C Trust Model for Online Exchange. Proc. Americas Conf. on Inf. Sys. (2001), 784--787.]]Google Scholar
- Lee, M. & E. Turban. A Trust Model for Consumer Internet Shopping. Intl J. Elec. Commerce, 6, 1, (2001), 75--91.]]Google ScholarDigital Library
- Litan, A. Phishing Attack Victims Likely Targets for Identity Theft. Gartner Research (2004).]]Google Scholar
- Loftesness, S. Responding to ""Phishing"" Attacks. Glenbrook Partners (2004).]]Google Scholar
- MailFrontier, MailFrontier Phishing IQ Test II (2005).]]Google Scholar
- Princeton Survey Research Associates, A Matter of Trust. (2002).]]Google Scholar
- Secunia. http://secunia.com/.]]Google Scholar
- Secunia, Internet Explorer URL Spoofing Vulnerability (2004).]]Google Scholar
- Secunia, Multiple Browsers Vulnerable to the IDN Spoofing Vulnerability (2005).]]Google Scholar
- Stone, D. et al. User Interface Design & Evaluation. Elsevier (2005).]] Google ScholarDigital Library
- Wang, Y & H. Emurian. An Overview of Online Trust. Computers in Human Behavior, 21, 1 (2005), 105--125.]]Google ScholarCross Ref
- Wu, M., R. Miller, & S. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks? Posters SOUPS (2005).]]Google Scholar
Index Terms
- Why phishing works
Recommendations
How Experts Detect Phishing Scam Emails
CSCWPhishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails ...
A Sender-Centric Approach to Detecting Phishing Emails
CYBERSECURITY '12: Proceedings of the 2012 International Conference on Cyber SecurityEmail-based online phishing is a critical security threat on the Internet. Although phishers have great flexibility in manipulating both the content and structure of phishing emails, phishers have much less flexibility in completely concealing the ...
A phishing analysis of web based systems
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & SecurityPhishing is form of identity theft that uses the social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. It is a kind of attack in which phishers use spoofed emails and fraudulent web ...
Comments