An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, Collin Jackson et al. Presented by Roy Ford.


1 An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, Collin Jackson et al. Presented by Roy Ford

2 Extended Validation Certificates
- Enhanced certificates
- Validate the owner of a domain
- Also validate that the owner is a legitimate business
  - Business must be legally incorporated and have a business address

3 Extended Validation
- List of sites that use Verisign Extended Validation: http://www.verisign.com/ssl/ssl-information-center/ssl-case-studies/ev-ssl-customers/index.html

4 Picture-in-Picture
- Normally, a user can tell which web page they are on, or how secure the page is, by looking at the address bar or looking for a padlock
- Attackers can get around this by overlaying the browser window with a JPEG that shows a valid URL and security indicators
- JavaScript can also be used to add functionality to the falsified page

5 Picture-in-Picture

6 http://www.technicalinfo.net/papers/images/WP.ImageOverlays.png

7 Study
- See how people classify web sites as safe or unsafe
- See if Extended Validation works
- See if training on security helps people identify bad web sites

8 Setup
- 27 participants were recruited and broken into 3 groups
  - Trained group
  - Untrained group
  - Control group
- Each user was shown 12 web pages and asked to classify them as legitimate or not

9 User Classifications
- Trained group
  - Shown the Extended Validation bar
  - Asked to read the Internet Explorer help file on Extended Validation and phishing
- Untrained group
  - Just shown the Extended Validation bar, without an explanation
- Control group
  - Not shown Extended Validation
  - Were not asked to do the tasks that included EV

10 Web Site Classifications: Legitimate
- Real
  - The correct bank web site
- Real, but confusing
  - A real site that, when linked to, gives a warning and prompts for a password but not for a login
  - Looks fake, but it is real

11 Web Site Classification: Illegitimate
- Homograph attack
  - Subtly different URL for the attack site (www.bankofthevvest.com)
- Homograph with suspicious page warning
  - A known homograph attack that makes IE change the address bar to yellow
- Picture-in-Picture attack
  - Web browser is overlaid with a JPEG and JavaScript

12 Web Site Classification: Illegitimate
- Mismatched Picture-in-Picture
  - A Picture-in-Picture attack where the colors of the browser differ from the user's configured colors
- IP address blocked by Phishing Filter
  - URL contains an IP address that is known to the IE phishing filter. This forces IE to highlight the address in red and navigate away from it

13 Results

14 Trained Participants
- More likely to classify the real confusing site as legitimate
- Picture-in-Picture attacks more likely to succeed
- More likely to identify real and spoofed sites as legitimate

15 Results
- Only 3 participants identified the 3 Picture-in-Picture attacks
  - Two tried to use an un-implemented browser feature
  - One did not trust pop-ups

16 Browser Documentation
- The authors felt that the trained users did poorly because the browser documentation for Extended Validation gave a false sense of security

17 How can I tell if I have a secure connection?
"In Internet Explorer, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar. The certificate that is used to encrypt the connection also contains information about the identity of the website owner or organization. You can click the lock to view the identity of the website."
- From the IE documentation

18 Extended Validation
- Did not provide much advantage
- Untrained and Control groups did not differ statistically in their use of the feature

19 Homograph Attack
- Where the browser font distinguished the two v's in bankofthevvest, it was not effective
- One certificate pop-up did have a poor font in it, and the user mistakenly accepted it
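Slides 11 and 19 rely on users noticing that "vv" is not "w". A defender can do that comparison mechanically. The following is an added example, not code from the paper or the presentation: it reduces hostnames to a "skeleton" in which confusable characters and letter pairs are replaced by the letter they imitate, then reports any hostname that is not itself legitimate but shares a skeleton with a legitimate one. The confusable tables and the hostnames are constructed for the example and cover only a small hand-picked subset of Unicode's confusables.

```python
"""Flag lookalike (homograph) hostnames such as www.bankofthevvest.com.

Constructed example: a hostname is reduced to a skeleton by mapping visually
confusable characters/sequences to the ASCII letter they imitate, then compared
against the skeletons of a short list of legitimate hostnames.
"""
import unicodedata
from typing import Optional

# Single characters that look like an ASCII letter (digits, Cyrillic, Greek).
CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",  # Cyrillic, Greek
}
# Letter pairs that render like one letter in many fonts (the study's 'vv').
SEQUENCE_CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d"}


def canonical(hostname: str) -> str:
    """Lowercase, strip the trailing dot and decode punycode (xn--) labels."""
    host = hostname.strip().rstrip(".").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the literal form instead
    return unicodedata.normalize("NFKC", host).lower()


def skeleton(hostname: str) -> str:
    """Replace confusables so that imitations collapse onto the imitated name."""
    host = "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in canonical(hostname))
    for seq, letter in SEQUENCE_CONFUSABLES.items():
        host = host.replace(seq, letter)
    return host


def lookalike_of(hostname: str, legitimate: list) -> Optional[str]:
    """Return the legitimate hostname that `hostname` imitates, or None.

    The genuine hostname itself is never flagged. Any other name whose skeleton
    equals a legitimate skeleton is reported, so expect some false positives
    (e.g. 'rn' in an honest name) and tune the tables to the brands you protect.
    """
    host = canonical(hostname)
    legit = {canonical(name): name for name in legitimate}
    if host in legit:
        return None
    by_skeleton = {skeleton(name): name for name in legitimate}
    return by_skeleton.get(skeleton(host))
```

Feeding the study's www.bankofthevvest.com to lookalike_of with ["www.bankofthewest.com"] as the legitimate list returns the real hostname, while the real hostname itself returns None.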

20 Phishing Warnings
- Some users did not even notice them and marked phishing sites as legitimate
- They give a false sense of security, since they are not 100% accurate

21 Picture-in-Picture
- Ways to reduce the risk
  - Eliminate pop-ups to make the address field in the browser more consistent
  - Make browsers more customizable to generate more mismatched chrome
  - Teach users to validate that the browser window has focus when it is "bright"
  - Drag the window or maximize it, since the Picture-in-Picture cannot be resized

22 Conclusion
- Extended Validation and training did not improve the users' ability to recognize illegitimate sites
- The visual cues of Extended Validation, if they catch on, may be countered with Picture-in-Picture attacks
