Troy Ronda
Stefan Saroiu
Abstract
Despite the many solutions proposed by industry and the research community to address phishing attacks, this problem continues to cause enormous damage. Because of our inability to deter phishing attacks, the research community needs to develop new approaches to anti-phishing solutions. Most of today's anti-phishing technologies focus on automatically detecting and preventing phishing attacks. While automation makes anti-phishing tools user-friendly, automation also makes them suffer from false positives, false negatives, and various practical hurdles. As a result, attackers often find simple ways to escape automatic detection.
This paper presents iTrustPage - an anti-phishing tool that does not rely completely on automation to detect phishing. Instead, iTrustPage relies on user input and external repositories of information to prevent users from filling out phishing Web forms. With iTrustPage, users help to decide whether or not a Web page is legitimate. Because iTrustPage is user-assisted, iTrustPage avoids the false positives and the false negatives associated with automatic phishing detection. We implemented iTrustPage as a downloadable extension to FireFox. After being featured on the Mozilla website for FireFox extensions, iTrustPage was downloaded by more than 5,000 users in a two week period. We present an analysis of our tool's effectiveness and ease of use based on our examination of usage logs collected from the 2,050 users who used iTrustPage for more than two weeks. Based on these logs, we find that iTrustPage disrupts users on fewer than 2% of the pages they visit, and the number of disruptions decreases over time.
- Anti-Phishing Working Group Website http://www.antiphishing.org/.Google Scholar
- Personal Communication, 2006. Confidential Source, Canadian Banking Sector. Toronto.Google Scholar
- iTrustPage Tool, 2007. http://www.cs.toronto.edu/~ronda/itrustpage/.Google Scholar
- M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar. Can Machine Learning Be Secure? In Proceedings of the ACM Symposium on Information, Computer, and Communication Security (ASIACCS), Taipei, Taiwan, March 2006. Google ScholarDigital Library
- S. Chiasson and P. van Oorchot. A Usability Study and Critique of Two Password Managers. In Proceedings of the USENIX Security Symposium, August, 2006. Google ScholarDigital Library
- CNET News.com. New tool enables sophisticated phishing scams. http://news.com.com/New+tool+enables+sophisticated+phishing+scams/2100-1029_3-6149090.html.Google Scholar
- R. Dhamija, J. D. Tygar, and M. Hearst. Why Phishing Works. In Proceedings of Conference on Human Factors in Computing Systems (CHI), April 2006. Google ScholarDigital Library
- J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In Proceedings of the Symposium on Usable Privacy and Security, July 2006. Google ScholarDigital Library
- I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails. In Proceedings of the International World Wide Web Conference (WWW), Banff, Alberta, Canada, May 2007. Google ScholarDigital Library
- D. Florêncio and C. Herley. A Large-Scale Study of Web Password Habits. In Proceedings of the International World Wide Web Conference (WWW), Banff, Alberta, Canada, May 2007. Google ScholarDigital Library
- D. Florêncio and C. Herley. Password Rescue: A New Approach to Phishing Prevention. In Proceedings of USENIX Workshop on Hot Topics in Security, July 2006. Google ScholarDigital Library
- R. Franco. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers, 2005 http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx.Google Scholar
- GeoTrust. TrustWatch Search, 2006. http://www.trustwatch.com/.Google Scholar
- J. Halderman, B.Waters, and E. Felten. A convenient method for securely managing passwords. In Proceedings of the International Conference on World Wide Web, May, 2005. Google ScholarDigital Library
- C. Jackson, D. Boneh, and J. C. Mitchell. Stronger Password Authentication Using Virtual Machines. 2006. http://crypto.stanford.edu/SpyBlock/spyblock.pdf.Google Scholar
- K. Jackson. DNS Gets Anti-Phishing Hook, 2006. http://www.darkreading.com/document.asp?doc_id=99089&WT.svl=news1_1.Google Scholar
- T. Jagatic, N. Johnson, M. Jakobsson, and F. Menczer. Social Phishing. Communications of the ACM. Vol. 50, No. 10., October, 2007. Google ScholarDigital Library
- W. Liu, X. Deng, G. Huang, and A. Fu. An Antiphishing Strategy Based on Visual Similarity Assessment. IEEE Internet Computing, Vol. 10, No.2. 58--65, March/April, 2005. Google ScholarDigital Library
- Microsoft. Exchange Server, 2006. http://www.microsoft.com/exchange/default.mspx.Google Scholar
- Microsoft.com. Get anti-phishing and spam filters with Outlook SP2, 2005. http://www.microsoft.com/athome/security/email/outlook_sp2_filters.mspx.Google Scholar
- J. Nazario. Phishingcorpus: phishing2. http://monkey.org/~jose/phishing/phishing2.mbox.Google Scholar
- B. Parno, C. Kuo, and A. Perrig. Phoolproof Phishing Prevention. In Proceedings of Financial Cryptography and Data Security (FC), 2006. Google ScholarDigital Library
- B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell. Stronger Password Authentication Using Browser Extensions. In Proceedings of the Usenix Security Symposium, April, 2005. Google ScholarDigital Library
- B. Schneier. Two-Factor Authentication: Too Little, Too Late. Communications of the ACM. Vol. 48, No. 4., April, 2005. Google ScholarDigital Library
- SURBL. Surbl lists, 2006. http://www.surbl.org/lists.html.Google Scholar
- Symantec. Symantec Internet Security Threat Report: Trends for July - December 06. http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf.Google Scholar
- M. Wu, R. Miller, and S. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks? In Proceedings of Conference on Human Factors in Computing Systems (CHI April 2006. Google ScholarDigital Library
- M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium on Usable Privacy and Security, July 2006. Google ScholarDigital Library
- K. Yee and K. Sitaker. Passpet: convenient password management and phishing protection. In Proceedings of the Symposium on Usable Privacy and Security, July 2006. Google ScholarDigital Library
- Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: An Evaluation of Anti-Phishing Toolbars. In Network and Distributed System Security Symposium (NDSS), San Diego, California, USA, February 2007.Google Scholar
- Y. Zhang, J. Hong, and L. Cranor. CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In Proceedings of the International World Wide Web Conference (WWW), Banff, Alberta, Canada, May 2007. Google ScholarDigital Library
Index Terms
- Itrustpage: a user-assisted anti-phishing tool
Recommendations
Itrustpage: a user-assisted anti-phishing tool
Eurosys '08: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008Despite the many solutions proposed by industry and the research community to address phishing attacks, this problem continues to cause enormous damage. Because of our inability to deter phishing attacks, the research community needs to develop new ...
Anti-phishing: A comprehensive perspective
AbstractPhishing is a form of deception technique that attackers often use to acquire sensitive information related to individuals and organizations fraudulently. Although Phishing attacks have been known for more than two decades, and there is ongoing ...
Highlights- Classification and discussion of various phishing attacks, motives, and their types.
- The role of social and cognitive factors in the success of a phishing attack.
- A comprehensive survey of various phishing detection and prevention ...
Classification of Anti-phishing Solutions
AbstractPhishing is an online fraud through which phisher gains unauthorized access to the user system to lure the personal credentials (such as username, password, credit/debit card number, validity, CVV number, and pin) for financial gain. Phishing can ...
Comments