iTrustPage: Pretty Good Phishing Protection
Stefan Saroiu, Troy Ronda, and Alec Wolman
University of Toronto and Microsoft Research

Post on 18-Dec-2015


Phishing Attacks Cost Real Money!

- Hundreds of millions of $$$ cost to U.S. economy
- Affects 1+ million Internet users in U.S. alone
- Real cost: erosion of trust in Web as e-commerce platform
  - 40% of people not banking online do not trust Web!!!

Myriad of Solutions Proposed

- Spam filters [CMU '06, SpamAssassin, Outlook]
- Browser blacklists [IE7, FF 2.0, Opera]
- Password managers [Princeton '05, Stanford '06, Berkeley '06]
- Out-of-band authentication [CMU '06, Stanford '06]
- User-created labels, warnings [Stanford '06]
- Automatic fillers [MIT '06]
- Centralized approaches [MSR '06]

Yet… the Problem is Growing!

- Number of phishing sites grew 10X in 18 months
  - 2004 -- mid 2006
- Banks claim phishing becoming #1 source of fraud
- Phishing e-mails becoming personalized, sophisticated and hard-to-filter
- Must look into new anti-phishing approaches!

Outline

- Motivating the need for new approaches
- Lessons learned from current approaches
- iTrustPage demo
- Design and implementation
- Evaluation
- Conclusions


Current Approaches' Shortcomings

- Spam filters + blacklists imperfect and too slow
  - Phishing sites' average uptime is 4.5 days
- Password managers have usability problems
  - Based on hard-to-grasp concepts, uncommon tasks
- Personalized visual clues
  - Rely on users to be diligent
- Automatic password fillers
  - Easy to fool + they create local password repository

Lessons Learned

- Anti-phishing tools must be intuitive + easy-to-use
  - Users must perform very simple, common tasks
- Relying on users to be diligent unlikely to work
- Phishing is becoming personalized
  - Can't rely on static filters
- Anti-phishing tools must react quickly to attacks
  - Cannot wait for updates or new filters

Our Approach: iTrustPage

- Prevents users from filling out phishing forms
- Does not rely on static filters
- Users perform simple, common, and intuitive tasks
- Doesn't rely on users to stay vigilant
- Harder-to-fool
  - Stops users whenever key is pressed on any site, whether a form is present or not

High-Level View of Our Tool

If user fills suspicious form, user asked for input:

1. Describe search terms for questionable form
   - i.e., Is the user visiting a well-established site?
   - If yes, site is unlikely to phish
2. Visual comparison of questionable Web form with Web forms arrived at via Google result
   - i.e., Do these two forms look visually the same?
   - If yes, site is likely to phish

Live Demonstration – Trusted Page

- Navigate to Google and perform a search

Live Demonstration – Untrusted Page

Live Demonstration – Phishing Page

Our Two Key Observations

- Rely on user input to help disambiguate between legit and fake sites
  - Certain decision making tasks are hard to automate reliably, yet very easy for people to decide
    - e.g., deciding when 2 Web sites appear visually similar
- Use external Web information repositories
  - Use Internet sources to help determine legitimacy of particular Web site or form
    - e.g., many attacks target well-known, popular Web sites + search engines can identify such sites


Automatic Classification

- iTrustPage stores locally previously visited forms
  - No need to re-validate form
- Two additional conservative heuristics
  - Google's PageRank >= 5
  - Must be verified by TrustWatch
- Heuristics could be exploited by attackers
  - Fundamental trade-off between usability & security

Validation

Web form is validated if:

1. Our conservative heuristics validate it (automatically)
2. Form's domain in top 10 domains from Google
   - Based on user-input keywords
3. Repeat step 2 k-times, refining search keywords
   - Where k is variable depending on form's PageRank
   - Higher PageRank means lower k
4. When everything else fails, raise flashy warning box
   - Fundamental corner-case, common to all tools
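
The Automatic Classification and Validation slides above, combined into one decision function as an added JavaScript example (not iTrustPage's own code). Assumptions: both heuristics must hold together, the cache is keyed by domain, the PageRank-to-k mapping in attemptsFor is invented, and pageRank, trustWatchVerified, askKeywords and searchTopDomains are hypothetical injected stubs over constructed data.

```javascript
// Added sketch of the slides' validation steps (not iTrustPage's source).
// Assumed mapping: the slide says only "higher PageRank means lower k".
function attemptsFor(pageRank) {
  if (pageRank >= 4) return 1;
  if (pageRank >= 2) return 2;
  return 3;
}

function validateForm(domain, env) {
  // Previously visited forms are stored locally and not re-validated.
  if (env.cache.has(domain)) return { verdict: "validated", via: "cache" };

  // Step 1: conservative heuristics (assumed to be required together).
  const rank = env.pageRank(domain);
  if (rank >= 5 && env.trustWatchVerified(domain)) {
    env.cache.add(domain);
    return { verdict: "validated", via: "heuristics" };
  }

  // Steps 2-3: up to k searches on user keywords; check the top 10 domains.
  const k = attemptsFor(rank);
  for (let attempt = 1; attempt <= k; attempt++) {
    const top10 = env.searchTopDomains(env.askKeywords(attempt)).slice(0, 10);
    if (top10.includes(domain)) {
      env.cache.add(domain);
      return { verdict: "validated", via: "search", attempts: attempt };
    }
  }

  // Step 4: nothing validated the form, so raise the warning box.
  return { verdict: "warn", via: "exhausted", attempts: k };
}

// Constructed environment: domains, ranks and search index are made up.
function makeEnv(answers) {
  const ranks = { "bigbank.example": 7, "smallcu.example": 3 };
  const index = {
    "big bank": ["bigbank.example", "news.example"],
    "small credit union": ["directory.example"],
    "small credit union online banking": ["smallcu.example"],
  };
  return {
    cache: new Set(),
    pageRank: (d) => ranks[d] ?? 0,
    trustWatchVerified: (d) => d === "bigbank.example",
    askKeywords: (n) => answers[n - 1] ?? "",
    searchTopDomains: (q) => index[q] ?? [],
  };
}
```

A look-alike domain with no rank, such as the constructed bigbank-login.example, never appears in the results for "big bank" and ends at the warning after three searches.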

Implementation

- 5,200 lines of code for Firefox extension
  - Tested with Linux, Mac, Windows
  - Open-source, freely available
- 900 downloads in one month
- Recently released ver. 2.0 with better interface
  - It still needs lots of work though

Circumventing iTrustPage

- Create phishing page on site with high PageRank
  1. Break into popular site
  2. "Google bomb" attack
- Compromise user's Web browser
  - In this case, all bets are off (spyware!)


Evaluation Strategy

1. Performance evaluation
2. Evaluating iTrustPage's effectiveness
3. Usability study


Methodology

- Would users notice a performance degradation?
  - iTrustPage prefetches PageRank and TrustWatch
- Load pages of randomly chosen 115 US banks
- Average PC: P III, 256MB RAM, U of T network
- Compare page loading times of unmodified browser to browser+iTrustPage

Very Little Additional Overhead

[Figure: Percentage of Web sites (0 to 100) plotted against Ratio of Load Times (0 to 3); series: "(Browser + iTrustPage) over stock Browser" and "stock Browser 1st time over stock Browser 2nd time"]

- Average site has 27ms extra overhead


Questions

- Are automatic validation heuristics correct?
- How often do users need to validate forms?
- For hard-to-validate forms, how often do users need to revise search terms?


Methodology

- Can't measure from iTrustPage's deployment
  - We do not record number of forms visited by users
- Use previously collected traces of Websites
  - Research log: 14 research lab users over 3.5 months
  - IRCache log: 8,714 users over 6.5 months
- Assume all pages have forms

40% Sites are Automatically Validated

[Figure: stacked bars (0% to 100%) for Research Sites and IRCache Sites, split into "iTrustPage Remains Transparent" and "Must Use iTrustPage"; labeled values: Research Sites 40.47% and 59.53%, IRCache Sites 37.24% and 62.76%]

Users are Disrupted Less over Time

[Figure: iTrustPage's Cache Hit Rate (0% to 60%) at 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 wks., 3 wks.]

- This data is from iTrustPage's deployment


Methodology

- 4-step study:
  - Fill-out preliminary survey to gather background info
  - Present tutorial on iTrustPage
  - Ask users to perform six steps, including:
    - Visit popular legit form
    - Visit unpopular legit form, could be easily found on Google
    - Visit phishing site
    - Visit unpopular legit form, can't be found on Google
  - Post-study questionnaire
- 15 participants

More disruptions, less easy to use!

[Figure: ratings on a 1 to 5 scale, with ends labeled "Easy / Safe" and "Hard / Unsafe", for "Ease of Use" and "Feel Safe" across: Common task, Common login, Less common task, Less common login, Phishing form, Login on unpopular form]

Security vs. Usability

[Figure: ratings on a 1 to 5 scale, with ends labeled "Agree" and "Disagree", for: Overall ease-of-use; Overall sense of security; Phishing protection is important; Anti-phishing tools important even when not easy to use; Give up online banking if phishing becomes prevalent]


Conclusions

- New anti-phishing tool based on two insights
  - User input can be used to distinguish legit from fake sites, as long as interaction is simple and intuitive
  - Internet information repositories can be used to assist user with their decision
- Our evaluation has shown:
  - Negligible performance overhead
  - Automatic classification heuristics correct and useful
  - Tool becomes less disruptive over time
  - Users like tool only when disruptions are few

Works Surprisingly Well

Download iTrustPage (Firefox Extension)
www.cs.toronto.edu/~ronda/itrustpage/