Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg, Eileah Trotter, David Ma & John Aycock, University of Calgary.

Presentation transcript:

Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg, Eileah Trotter, David Ma & John Aycock, University of Calgary

Phishers: fraudsters who steal users' credentials. (Example login form on the slide: Login: Saul; Password: HCIisReallyCool; Bank: Bank of Antarctica; Account #)

Phishing sites: fraudulent web sites used to steal users' credentials

You’ve got mail

Image modified from: I’m way too smart for that!!! Hah

Delete

You’ve got mail

Let me check

Phishing site?

Legitimate www1.royalbank.com

Fraudulent

Fraudulent

Legitimate Websms.fido.page.ca

Common URL Obfuscations:
- Similar name: amazon.checkingoutbooksonline.ca
- Letter substitution
- IP addresses: /login
- Complex URLs: src-flickr.domain=secure.access 324a568x-pictauthor=frodo…

Phishing site?

Domain name highlighting
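To make the two preceding slides concrete, here is a small added example (not code from the Calgary study or its authors) that does what a highlighting address bar does, isolating the registrable domain, and then checks a URL against the four obfuscation patterns listed on the slide: a brand name buried in a subdomain, a look-alike spelling of the registrable domain, a bare IP address as the host, and a brand name hidden in the path or query of an unrelated domain. The brand list, the abbreviated public-suffix table, the look-alike character map and the sample URLs are all constructed assumptions for the example; a real deployment would load the full Public Suffix List and the user's own set of trusted brands.

```python
"""Toy domain highlighter and URL-obfuscation checker (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Brands the checker knows. Assumption for this example; a real tool would use the
# organisations the user actually deals with.
KNOWN_BRANDS = {"amazon", "royalbank", "paypal", "flickr"}

# Tiny stand-in for the Public Suffix List (assumption; real code loads the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}

# Digit-for-letter swaps often used to spell a brand with look-alike characters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """The labels a domain highlighter emphasises: public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip(host):
    """True when the host part of the URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance_leq_1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the single differing position and require the remaining tails to match.
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def highlight(url):
    """Render the URL as a highlighting address bar would: the registrable domain
    (or the whole IP literal) in upper case, everything else left as typed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    dom = host if is_ip(host) else registrable_domain(host)
    prefix = host[: len(host) - len(dom)]          # subdomain labels, if any
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{parts.scheme}://{prefix}{dom.upper()}{rest}"


def obfuscations(url):
    """Return the obfuscation patterns from the slide that this URL exhibits.
    An empty list means the host is consistent with the brands it mentions."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_ip(host):
        return ["ip_address"]
    dom = registrable_domain(host)
    dom_label = dom.split(".")[0]
    subdomain = host[: len(host) - len(dom)]
    tail = (parts.path + "?" + parts.query).lower()
    found = []
    for brand in KNOWN_BRANDS:
        if brand == dom_label:
            continue                                 # the brand really owns this domain
        if brand in subdomain:
            found.append(f"similar_name:{brand}")    # brand used as a subdomain
        if dom_label.translate(LOOKALIKES) == brand or edit_distance_leq_1(dom_label, brand):
            found.append(f"letter_substitution:{brand}")
        if brand in tail:
            found.append(f"complex_url:{brand}")     # brand hidden in path/query
    return sorted(found)


# Constructed sample URLs, one per obfuscation type named on the slide plus one legitimate URL.
SAMPLE_URLS = [
    "https://www1.royalbank.com/online/",
    "http://amazon.checkingoutbooksonline.ca/signin",
    "http://r0yalbank.com/login",
    "http://192.0.2.10/login",
    "http://secure-access.example/src?flickr.domain=secure.access&pictauthor=frodo",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(highlight(u), "->", obfuscations(u) or "consistent")
```

Running the block prints each sample with its registrable domain capitalised, which is the visual cue the study tested, beside the pattern the checker detected. The point the study makes is visible in the output: the highlighting alone only helps if the reader knows that the capitalised part, not the familiar brand name elsewhere in the URL, is what decides who controls the page.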

Does it work?

Method:
- 16 real web pages, legitimate and fraudulent
- 4 different obfuscation methods used
- 22 participants
- Phase 1: rate the safety of these web pages
- Phase 2: look at the address bar for additional cues, then redo the safety ratings

'Best case' for domain highlighting:
- Participants were heavy internet users, university educated, with a heightened sense of security
- Rating security, not browsing, was the primary task
- Directed to look at the address bar (phase 2), BUT not instructed about domain names

Phase 1: chart of participants ordered from least correct to most correct.

Phase 1 results:
- Legitimate pages: 54% correct, 31% unsure, 15% incorrect. Consequence: doesn't enter a legitimate site.
- Fraudulent pages: 25% correct, 18% unsure, 57% incorrect. Consequence: enters the site, vulnerable to identity theft.

Don’t be a fool, look at the address bar!!!

Phase 2 vs. Phase 1: chart of changes in ratings (more correct / unchanged / more wrong).

Phase 2 changes:
- Legitimate pages: no significant differences in overall ratings
- Fraudulent pages: 25→34% correct, 18→23% unsure, 57→44% incorrect. Consequence: somewhat better, but still vulnerable to identity theft.

How do people judge legitimacy?
- Institutional brand: some brands considered more 'trustworthy'
- The page content, including professional layout, reviews suggesting others had visited it, security / privacy information
- Information requested: sensitivity, quantity…
- Address bar: URLs, security indicators

Typology of users:
- Type A: content and brand
- Type B: address bar, security indicators, information requested
- Type AB: mostly like Type A, occasionally like Type B

Chart: participants ordered from least correct to most correct, labelled by type. The Type A participants cluster at the least correct end and the Type B participants at the most correct end, with the AB participant between them.

Summary. Good news for phishers!
- Phishing web sites work
- Domain name highlighting only works somewhat: best case, only ¼ - ⅓ of phishing pages detected
- Phishers can target specific user groups: Type A & A/B are at very high risk for perfectly copied pages; Type B you can still fool, since domain name obfuscation works even better

Summary. Good news for anti-phishing researchers! Lots to do: the phishing problem isn't solved.
Strategies?
- Education
- UI redesign: to get people to attend to the domain name; to highlight common spoofing methods within the domain name; …

Does Domain Highlighting Help People Identify Phishing Sites? Somewhat, but not enough.