An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, Collin Jackson et al. Presented by Roy Ford.
Extended Validation Certificates
Enhanced certificates
Validate the owner of a domain
Also validate that the owner is a legitimate business
 Business must be legally incorporated and have a business address

Extended Validation
List of sites that use VeriSign Extended Validation

Picture-in-Picture
Normally, a user can tell which web page they are on, and how secure it is, by looking at the address bar or looking for a padlock
Attackers can get around this by overlaying the browser window with a JPEG that shows a valid URL and security indicators
JavaScript can also be used to add functionality to the falsified page

Picture-in-Picture

Study
See how people classify web sites as safe or unsafe
See if Extended Validation works
See if training on security helps people identify bad web sites

Setup
27 participants were recruited and broken into 3 groups
 Trained group
 Untrained group
 Control group
Each user was shown 12 web pages and asked to classify them as legitimate or not

User Classifications
Trained group
 Shown the Extended Validation bar
 Asked to read the Internet Explorer help file on Extended Validation and phishing
Untrained group
 Just shown the Extended Validation bar, without an explanation
Control group
 Not shown Extended Validation
 Not asked to do the tasks that included EV

Web Site Classifications: Legitimate
Real
 The correct bank web site
Real, but confusing
 A real site that, when linked to, gives a warning and prompts for a password but not for a login
 Looks fake, but it is real

Web Site Classification: Illegitimate
Homograph attack
 Subtly different URL for the attack site (
Homograph with suspicious page warning
 A known homograph attack that makes IE change the address bar to yellow
Picture-in-Picture attack
 Web browser is overlaid with a JPEG and JavaScript

Web Site Classification: Illegitimate
Mismatched Picture-in-Picture
 A Picture-in-Picture attack where the colors of the browser are different from the user's configured colors
IP address blocked by Phishing Filter
 URL contains an IP address that is known to the IE phishing filter; this forces IE to highlight the address in red and browse away from it

Results

Trained Participants
 More likely to classify the real confusing site as legitimate
 Picture-in-Picture attacks more likely to succeed
 More likely to identify real and spoofed sites as legitimate

Results
Only 3 participants identified the 3 Picture-in-Picture attacks
 Two tried to use an un-implemented browser feature
 One did not trust pop-ups

Browser Documentation
The authors felt that the trained users did poorly because the browser documentation for Extended Validation gave a false sense of security

How can I tell if I have a secure connection? In Internet Explorer, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar. The certificate that is used to encrypt the connection also contains information about the identity of the website owner or organization. You can click the lock to view the identity of the website.
From the IE documentation

Extended Validation
Did not provide much advantage
Untrained and Control groups did not statistically vary in their use of the feature

Homograph Attack
Where the browser font distinguished the two v's in bankofthevvest, it was not effective
One certificate pop-up did have a poor font in it, and the user mistakenly accepted it
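As an added example, not part of the presentation or the paper, a small defender-side URL screen that flags the two illegitimate-site patterns above that a program can catch: a homograph host such as bankofthevvest standing in for bankofthewest, and a raw-IP host of the kind the IE Phishing Filter blocked. The protected-domain list, the confusable table and the sample URLs are constructed for the demo.

```python
"""Flag homograph look-alikes of protected domains and raw-IP hosts.
Added example; PROTECTED and CONFUSABLES are constructed for the demo."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical set of domains this screen protects (constructed).
PROTECTED = {"bankofthewest.com", "paypal.com"}

# Look-alike sequences, multi-character rules first so that "vv"
# collapses to "w" before any single-character rule touches the v's.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]

def skeleton(label: str) -> str:
    """Collapse common look-alike sequences to a canonical form."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def registrable(host: str) -> str:
    """Last two labels of a hostname (naive eTLD+1, enough for the demo)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def is_ip_host(host: str) -> bool:
    """True when the host part of the URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify(url: str) -> str:
    """Return 'ip-host', 'homograph', 'protected' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    if not host:
        return "unknown"
    if is_ip_host(host):
        return "ip-host"
    domain = registrable(host)
    if domain in PROTECTED:
        return "protected"
    if skeleton(domain) in {skeleton(p) for p in PROTECTED}:
        return "homograph"
    return "unknown"
```

Note that this only normalises a hand-picked table; a production screen would use Unicode confusable data as well, since the study's font-dependent case shows how much a single glyph pair can matter.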

Phishing Warnings
Some users did not even notice them and marked phishing sites as legitimate
They give a false sense of security, since they are not 100% accurate

Picture-in-Picture
Ways to reduce
 Eliminate pop-ups to make the address field on the browser more consistent
 Make browsers more customizable to generate more mismatched chrome
 Teach users to validate that the browser window has focus when it is "bright"
 Drag the window or maximize it, since the Picture-in-Picture cannot be resized

Conclusion
Extended Validation and training did not improve the users' ability to recognize illegitimate sites
The visual cues of Extended Validation, if they catch on, may be countered with Picture-in-Picture attacks