ABSTRACT
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
CITED BY 54
Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge, Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania
Nathaniel S. Good, Jens Grossklags, Deirdre K. Mulligan, Joseph A. Konstan, Noticing notice: a large-scale experiment on the timing of software license agreements, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA
Ponnurangam Kumaraguru, Yong Rhee, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge, Protecting people from phishing: the design and evaluation of an embedded training email system, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA
Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama, SMash: secure component model for cross-domain mashups on unmodified browsers, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China
Yuan Niu, Francis Hsu, Hao Chen, iPhish: phishing vulnerabilities on consumer electronics, Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-8, April 14-14, 2008, San Francisco, California
Maritza L. Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. Bellovin, Gail Kaiser, RUST: a retargetable usability testbed for website authentication technologies, Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-7, April 14-14, 2008, San Francisco, California
Chris Karlof, J. D. Tygar, David Wagner, A user study design for comparing the security of registration protocols, Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-14, April 14-14, 2008, San Francisco, California
Ponnurangam Kumaraguru, Yong Rhee, Steve Sheng, Sharique Hasan, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Getting users to pay attention to anti-phishing education: evaluation of retention and transfer, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.70-81, October 04-05, 2007, Pittsburgh, Pennsylvania
Chris Karlof, Umesh Shankar, J. D. Tygar, David Wagner, Dynamic pharming attacks and locked same-origin policies for web browsers, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Sebastian Gajek, Mark Manulis, Ahmad-Reza Sadeghi, Jörg Schwenk, Provably secure browser-based user-aware mutual authentication over TLS, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
Tim Kindberg, Eamonn O'Neill, Chris Bevan, Vassilis Kostakos, Danaë Stanton Fraser, Tim Jay, Measuring trust in wi-fi hotspots, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy
Sujata Garera, Niels Provos, Monica Chew, Aviel D. Rubin, A framework for detection and measurement of phishing attacks, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Trust modelling for online transactions: a phishing scenario, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 30-November 01, 2006, Markham, Ontario, Canada
Konstantin Beznosov, Philip Inglesant, Jorge Lobo, Rob Reeder, Mary Ellen Zurko, Usability meets access control: challenges and research opportunities, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
Ponnurangam Kumaraguru, Justin Cranshaw, Alessandro Acquisti, Lorrie Cranor, Jason Hong, Mary Ann Blair, Theodore Pham, School of phish: a real-world evaluation of anti-phishing training, Proceedings of the 5th Symposium on Usable Privacy and Security, July 15-17, 2009, Mountain View, California
Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Benjamin M. Greenstein, Louis LeGrand, Pauline Powledge, David Wetherall, "When I am on Wi-Fi, I am fearless": privacy concerns & practices in everyday Wi-Fi use, Proceedings of the 27th international conference on Human factors in computing systems, April 04-09, 2009, Boston, MA, USA