An Evaluation Of Extended Validation and Picture-in-Picture Phishing Attacks Presented by Hui (Henry) Fang Collin Jackson, Daniel R. Simon, Desney S. Tan,

Slides:

Advertisements

Similar presentations

Browser Security Modes Alex Crowell and James Kasten.

Advertisements

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.

Browser Comparisons Internet Explorer 8 & 9, Chrome 11 and Firefox 4 Security, Privacy, Add-ons & Convenience.

How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.

Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.

Internet Phishing Not the kind of Fishing you are used to.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Beware of Finer-Grained Origins

Norman SecureSurf Protect your users when surfing the Internet.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.

Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA LINKS 2.NEVER REVEAL YOUR PIN.

GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.

Reliability & Desirability of Data

Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 9/19/2015Slide 1 (of 32)

Secure Search Engine Ivan Zhou Xinyi Dong. Introduction  The Secure Search Engine project is a search engine that utilizes special modules to test the.

Spoofing Keegan Haukaas, Samuel Robertson, Jack Murdock.

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications.

Phishing Pharming Spam. Phishing: Definition  A method of identity theft carried out through the creation of a website that seems to represent a legitimate.

Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.

Stat 100 Jan. 25. To Do Read Chapter 5 Key Terms Observational Study = essentially a survey, investigator does not assign any tasks to participants Randomized.

BY : MUHAMMAD KHUZAIMI B. ISHAK 4 ADIL PUAN MAZITA INFORMATION AND COMMUNICATION OF TECHNOLOGY.

Phishing A practical case study. What is phishing? Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details.

Phishing: Trends and Countermeasures Blaine Wilson.

How Phishing Works Prof. Vipul Chudasama.

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938.

McLean HIGHER COMPUTER NETWORKING Lesson 14 Firewalls & Filtering Comparison of Internet content filtering methods: firewalls, Internet filtering.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS Systems Modeling & Simulation Lab. Kim.

Detecting Phishing in s Srikanth Palla Ram Dantu University of North Texas, Denton.

A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools.

Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.

C MU U sable P rivacy and S ecurity Laboratory Protecting People from Phishing: The Design and Evaluation of an Embedded Training.

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks Collin Jackson et. all Presented by Roy Ford.

Staying Secure Online How do we buy and sell safely on the Internet?

1.  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web.

1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.

Slide 1 Phishing s CS 142 Lecture Notes: Security Attacks: Phishing.

Internet Explorer 7 Updated Advice for the NHS 04 February 2008 Version 1.3.

Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.

Windows Vista Configuration MCTS : Internet Explorer 7.0.

“What the is That? Deception and Countermeasures in the Android User Interface” Presented by Luke Moors.

WHAT THE APP IS THAT? DECEPTION AND COUNTERMEASURES IN THE ANDROID USER INTERFACE.

Which is better Avast Free Edition or Avast Pro Version?

Presentation By :- Krishna Sai Mulpuri

Customer Profile: If you have tech savvy customers, having your site secured for mobile users is recommended. Business Needs: With the growing number.

ISYM 540 Current Topics in Information System Management

Defending Against DDoS

How to Check if a site's connection is secure ?

Protect Your Computer Against Harmful Attacks!

How to Protect your Identity Online PIYUSH HARSH

Defending Against DDoS

CS 142 Lecture Notes: Security Attacks: Phishing

Security Essentials for Small Businesses

CS 142 Lecture Notes: Security Attacks: Phishing

CS 142 Lecture Notes: Security Attacks: Phishing

Teaching you NOT to fall for Phish

DDoS Attack and Its Defense

6. Application Software Security

Chapter 9: Configuring Internet Explorer

Presentation transcript:

An Evaluation Of Extended Validation and Picture-in-Picture Phishing Attacks Presented by Hui (Henry) Fang Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth Financial Cryptography and Data Security, 2007

Certificates 1. Normal Certificate Domain name 2. Extended Validation Certificate Domain name Identity of a legitimate business

Homograph Attack Similar domain names It may be Https enabled

Picture-in-Picture Attack Mismatched chrome Focus Dragging Maximizing

Experiment Design Before the task – Familiarization (Play with two real web sites)

Experiment Design Real site Real, but confusing, site Homograph attack Homograph with warming Picture-in-Picture attack Mismatched Picture-in-Picture attack IP address blocked by phishing filter During the task – 12 web sites (randomly)

Study Result

Findings Picture-in-Picture attacks were as effective as homograph attacks Extended validation did not help users defend against either attack Extended validation did not help untrained users classify a legitimate site Training caused more real and fraudulent sites to be classified as legitimate site

Appreciation Experiment Design: Participants were divided into three groups for comparison.

Criticism The number of participants was very small – 27 participants only. The task involved 7 types of websites, and 12 websites were tested. But we don’t know the distribution of those 12 websites.

Question Does the Picture-in-Picture attack work in mobile browsers ? What improvements we can make to browsers in order to defend against Picture-in-Picture attack ?