WHY PHISHING WORKS
---ASLAM SHAIK

ABSTRACT
The Internet is a pervasive force working its way into all aspects of our lives. One could spend countless hours debating and studying its implications and its influence on education and other areas. However, it is important to remain cautious and to analyze the security measures while studying this medium. This paper aims at building systems that shield users from fraudulent or phishing websites. Web designers need to know which phishing strategies work and why. The paper provides evidence about which malicious strategies are successful in deceiving internet users. The results of the experiments illustrate that the present security indicators are not effective for a substantial fraction of users and suggest that alternative approaches are needed.
Some security terms and their explanation:
Phishing: Phishing can be defined as a fraud whereby a criminal attempts to trick the victim into accepting a false identity presented by the criminal, in order to steal valuable information such as credit card numbers, social security numbers, user names and passwords. A fake website is created that is a look-alike of a legitimate organization's site, typically a financial organization such as a bank or insurance company. The common approach is to send fake e-mails (e-mail spoofing) to a victim purporting to come from a legitimate source and requesting information (such as credit card numbers and PINs), or directing the victim to a fake website where the information can be captured (web page spoofing).

Certificate (digital or public key certificate): It uses a digital signature to bind a public key to an identity. If the browser encounters a certificate that is not digitally signed by a trusted authority, it issues a warning on the screen. It is then up to the user whether to accept the certificate or not.

Certificate authority (CA): It is an authority which issues certificates and attests that a public key belongs to a particular entity. A list of trusted CAs is stored in the browser. A fraudulent website can obtain a certificate from a CA without rigorous verification.

HTTPS: Web browsers use HTTPS rather than HTTP as the URL prefix to indicate that HTTP is being sent over SSL/TLS.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS): These are cryptographic protocols used to provide authentication and secure communication over the internet. The browser authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority.

INTRODUCTION
This paper discusses what makes a bogus website credible. In the past few years there has been rapid growth in the number of phishing attacks, the practice of directing users to fraudulent websites. The question is a dilemma for most user interface designers because phishers and anti-phishers battle in the same web space. Successful phishers create a presence so impressive that the victim fails to notice the security measures installed in the browser.

This paper addresses why phishing works, based on a study of 22 participants. The study primed participants to look for spoofs, so these participants are likely better than real-world (unprimed) users at detecting fraudulent sites. If these participants can be fooled, then even knowledgeable users can be fooled by spoofed websites. Some of the key findings of the study on these participants:
1. Successful phishing attacks fooled more than 90% of the participants.
2. The prevailing anti-phishing browser cues are ineffective.
3. Pop-up warnings about spoofed certificates were ineffective.
4. Users proved to be vulnerable to phishing attacks.

Phishing works because of the following:
-- Lack of knowledge:
a) Lack of computer system knowledge: Many users do not know how operating systems, applications, e-mail and the web work, or how to distinguish among them.
b) Lack of knowledge of security and security indicators: Attackers exploit users' lack of understanding of certificate verification. Most users do not check the certificate before proceeding to the web page.
-- Visual deception:
a) Visually deceptive text: Phishers use visual deception tricks to mimic legitimate web pages.
b) Images masking underlying text: A common phisher technique is to use an image of a legitimate hyperlink, while the image itself links to a different rogue site.
c) Images mimicking windows: A common technique is to use images of browser windows with a hidden URL to deceive the user.
d) Windows masking underlying windows.
e) Deceptive look and feel: If the images and logos are copied perfectly, sometimes even a professional cannot distinguish the copy from the original site.
-- Bounded attention:
a) Lack of attention to security indicators: Users who are focused on their primary task sometimes ignore a security warning.
b) Lack of attention to the absence of security indicators: Users do not reliably notice the absence of a security certificate.
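The "images masking underlying text" trick above can be checked for mechanically: a link is suspicious when the text (or image alt text) a reader sees names one host while the href actually points at another. The following is an added example, not code from the original page or the cited paper; the HTML sample and every hostname in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (all hostnames made up): a link whose visible text is a
# bank URL but whose href is a bare IP address, an honest link, and an image-link
# whose alt text shows the bank's host while the href goes to another site.
SAMPLE_HTML = """
<a href="http://203.0.113.7/login">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/privacy">Privacy policy</a>
<a href="http://example-bank.test.evil.test/"><img src="go.png" alt="www.example-bank.test"></a>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a>; img alt text counts as visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def shown_host(text):
    """Hostname a reader would infer from text, or '' if the text is not URL-like."""
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname or ""
    except ValueError:
        return ""
    return host if "." in host and " " not in host else ""

def deceptive_links(html):
    """Return (text, href) pairs whose displayed host differs from the real target host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(t, h) for t, h in parser.links if shown_host(t) and shown_host(t) != shown_host(h)]
```

Plain link text such as "Privacy policy" is never flagged, since it names no host; only text that itself looks like a URL or domain is compared against the real target.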

This figure shows the visual security indicators in the Mozilla Firefox browser v1.0.1 for Mac OS X.
In the study, all the phishing data was collected from various sources, mainly from APWG (Anti-Phishing Working Group) statistics. The participants were presented with 20 websites in random order. Some of the websites were legitimate; others were phishing or spoofed websites, or websites requiring the user to accept a self-signed SSL certificate. Each website presented was fully functioning, with images, links and sub-pages that the user could interact with as they normally would with any website.
About 50% of the participants were Microsoft Internet Explorer users, 41% used Mozilla Firefox and 4.5% used Apple Safari. The operating system of about 59% of the participants was Windows XP, 27% used Mac OS X and about 13.5% used Windows 2000. The participants used the internet regularly.
Results:
The score is the number of correctly identified legitimate and spoofed websites. Scores ranged from 6 to 18 correctly identified responses out of 19 websites.
The results showed no significant difference when comparing the mean scores of males and females, and no significant correlation between participants' scores and ages: younger participants did not perform better than older participants. No significant correlation was found between the participants' educational level and their scores. Previous use of the browser and the number of hours spent surfing the internet did not have any correlation with the participants' scores.
In summary, the study did not observe a relationship between scores and sex, age, educational level or experience.


Strategies for determining website legitimacy
Participants used a variety of strategies to determine website legitimacy. They are divided into categories depending on how they decided whether a website was legitimate. The results are interpreted as follows:
Type 1: Security indicators in website content only
About 23% of the participants used only the content of the web page to determine the legitimacy of the website. The content included logos, layout, graphic design, and the presence of functioning links and images on the web page. None of these participants used the address bar at the top of the browser when deciding whether the website was legitimate. For example, when the phishing page linked to a privacy policy hosted on the original site, this group of participants confused the legitimate and bogus sites.
Type 2: Content and domain name only
About 36% of the participants used the address bar at the top of the web browser to judge the legitimacy of the website. This set of participants did not look for any SSL indicator such as HTTPS in the address bar. However, most of the participants in this category had their suspicions heightened when they saw an IP address instead of a domain name.

Type 3: Padlock icon
About 32% of the participants relied on all of the above factors and in addition looked for a padlock icon in the browser chrome. This group gave more credence to a padlock icon that appeared within the content of the page.
Type 4: All of the above plus certificates
The remaining 9% of the participants relied on all of the above factors and also checked the security certificate, for example a certificate warning presented for a certain website.
Below is an example of a spoofed website.

The figure shows the Bank of the West phishing site.
The phishing website that fooled the most participants is an exact replica of the Bank of the West homepage. A close look at the web address shows that the site is hosted at www.bankofvvest.com, with "vv" in place of "w" in the domain name.
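The bankofvvest.com domain above, and the bare IP addresses that alerted the Type 2 group, are both patterns a URL filter can catch before a user has to judge a page by its look and feel. The following is an added example (not code from the paper or the page): it reduces a domain to the string a reader is likely to perceive by collapsing a small, hand-picked table of confusable sequences, then compares it with an allowlist of protected brand domains. The allowlist, the confusable table and the registrable-domain rule are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Character sequences that render almost identically to the letter they imitate in
# common fonts; "vv" for "w" is the trick used by the bankofvvest.com site above.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(name):
    """Reduce a domain name to the string a reader is likely to perceive."""
    s = name.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def registrable(host):
    """Last two labels of a host (assumption: no two-level public suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, protected):
    """Label a URL against a list of protected brand domains (constructed allowlist).

    Returns 'legitimate', 'lookalike:<brand>', 'ip-address', 'unknown' or 'invalid'.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)
        return "ip-address"  # a bare IP instead of a name: the cue the Type 2 group noticed
    except ValueError:
        pass
    base = registrable(host)
    for brand in protected:
        if base == brand.lower():
            return "legitimate"
        if skeleton(base) == skeleton(brand):
            return "lookalike:" + brand
    return "unknown"

if __name__ == "__main__":
    for u in ("http://www.bankofvvest.com/", "https://www.bankofwest.com/", "http://192.0.2.10/"):
        print(u, "->", classify(u, ["bankofwest.com"]))
```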


REFERENCES:
1. Ang, L. C. & B. Lee. To Trust or Not to Trust? A Model of Internet Trust From the Customer's
2. Anti-Phishing Working Group. Phishing Activity (2005).
3. Anti-Phishing Working Group. Phishing Archive. http://anti-phishing.org/phishing_archive.htm
4. Dhamija, R. Authentication for Humans: The Design and Analysis of Usable Security Systems. Ph.D. Thesis, University of California, Berkeley (2005).
5. Dhamija, R. & J. D. Tygar. The Battle Against Phishing: Dynamic Security Skins.
6. Fogg, B. J. et al. What Makes Web Sites Credible? A Report on a Large Quantitative Study.
7. Franco, R. Better Website Identification and Extended Validation Certificates in IE7 and Other Web Browsers.
8. Friedman, B. et al. Conceptions of Risks and Harms on the Web: A Comparative Study.
9. Litan, A. Phishing Attack Victims Likely Targets for Identity Theft.
10. Loftesness, S. Responding to "Phishing" Attacks. Glenbrook Partners.
11. MailFrontier. MailFrontier Phishing IQ Test II (2005).
12. Princeton Survey Research Associates. A Matter of Trust (2002).
13. Secunia. http://secunia.com/.
14. Secunia. Internet Explorer URL Spoofing Vulnerability.
15. Wu, M., R. Miller & S. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks?