Does Domain Highlighting Help People Identify Phishing Sites?

Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock

University of Calgary

Phishers

Fraudsters who steal user’s credentials

Login: SaulPassword HCIisReallyCoolBank Bank of Antarctica Account # 3444 555 6677

Phishing SitesFraudulent web sites used to steal user’s credentials

You’ve got mail

Image modified from: http://www.briancuban.com/the-science-of-intelligent-design/

I’m way too smart for that!!!

Hah

Delete

You’ve got mail

Let me check

Phishing site?

Legitimate

www1.royalbank.com

Fraudulent

www.paypa1.ca

Fraudulent

www.amazon.ca.checkingoutbookonline.ca

Legitimate

Websms.fido.page.ca

Common URL Obfuscations

Similar name amazon.checkingoutbooksonline.ca

Letter substitution www.paypa1.com

IP addresses 192.168.111.112/login

Complex URLs www.login.xyz.flikr.net/config/login/ src-flickr.domain=secure.access 324a568x-pictauthor=frodo…

Phishing site?

www.sxwrestling.com/e107_lang...

Domain name highlighting

Does it work?

Method

16 legitimate & fraudulent real web pages 4 different obfuscation methods used

22 participants

Phase 1. Rate safety of these web pages

Phase 2: Look at address bar for additional cues Redo safety ratings.

‘Best case’ for domain highlighting

Participants • heavy internet users, university educated• heightened sense of security• rating security, not browsing, was primary task • directed to look at address bar (phase 2)

BUT• not instructed about domain names

Phase 1

participants

leastcorrect

mostcorrect

Phase 1

Legitimate pages54% correct31% unsure15% incorrect

Phase 1

Legitimate pages54% correct31% unsure15% incorrect

Consequence

doesn’t enter legitimate site

Phase 1

Legitimate pages54% correct31% unsure15% incorrect

Fraudulent pages25% correct18% unsure57% incorrect

Phase 1

Legitimate pages54% correct31% unsure15% incorrect

Fraudulent pages25% correct18% unsure57% incorrect

Consequenceenters site,

vulnerable to identity theft

Don’t be a fool, look at the address bar!!!

Phase 2

Phase 1

Phase 2 changes

Changes

more correct

unchanged

more wrong

Phase 2 changes

Legitimate pagesno significantdifferences in overall ratings

Phase 2 changes

Legitimate pagesno significantdifferences in overall ratings

Fraudulent pages25→34 % correct

18→23% unsure

57→44 % incorrect

Phase 2

Legitimate pagesno significantdifferences in overall ratings

Fraudulent pages25→34 % correct

18→23% unsure

57→44 % incorrect

ConsequenceSomewhat better, but still vulnerable

to identity theft

How do people judge legitimacy?

Institutional brand• some brands considered more ‘trustworthy’

The page• content including professional layout• reviews suggesting others had visited it• security / privacy information

Information requested• sensitivity, quantity…

Address bar • URLs• security indicators

Typology of Users

Type A • content and brand

Type B• address bar, security indicators, information requested

Type AB• mostly like Type A• occasionally like Type B

participants leastcorrect

mostcorrect

Type B

A A A A A A A A A

B B B B B B B

AB AB AB AB AB AB

Type A

Summary

Good news for phishers!– phishing web sites work– domain name highlighting only works somewhat

• best case: only ¼ - ⅓ of phishing pages detected

Phishers can target specific user groups– Type A & A/B

• very high risk for perfectly copied pages– Type B

• you can still fool them • domain name obfuscation works even better

Summary

Good news for anti-phishing researchers! • lots to do: the phishing problem isn’t solved

Strategies?• education• UI redesign

– to get people to attend domain name– to highlight common spoofing methods within the domain name– …

Does Domain Highlighting Help People Identify Phishing Sites?

Somewhat, but not enough