DOI: 10.1145/2382196.2382237
Research article, ACM CCS conference proceedings

Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs

Published: 16 October 2012

ABSTRACT

When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established, that is, evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to log in to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password.


Published in

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

            Copyright © 2012 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
