Why phishing works
By Rachna Dhamija, J. D. Tygar & Marti Hearst

Ayaz Shahid
(aysh1000@student.miun.se)
Overview
• Introduction
• Why phishing works
• Study to support hypothesis
• Results of study
• Conclusion
Introduction
• Directing users to fraudulent websites
• The hosting website poses as the trustworthy, real website
• Steals the user's credentials, such as credit card information, usernames/passwords and other personal information
• Phishing is an opportunistic attack rather than a targeted attack
Why Phishing works
1. Lack of knowledge
2. Visual Deception
3. Bounded Attention
1. Lack of knowledge
• Computer system knowledge
  ◦ Most phishers exploit the user's lack of knowledge of computers, applications, email, the internet, etc.
  ◦ Such users do not know how things work or what the difference is between, for example, www.ebay-members-security.com and www.ebay.com
Lack of knowledge (cont.)
• Knowledge of security & security indicators
  ◦ Most users do not know about the security indicators that the browser displays when it detects a phishing website.
  ◦ Example: padlock icon
2. Visual Deception
• Visual Deceptive Text
• Images masking underlying text
• Images mimicking windows
• Window Masking
• Deceptive Look & Feel
Visual Deceptive Text
• Users are fooled by the syntax of the domain name
• Phishers substitute letters in the domain name in a way that may go unnoticed
• Example:
  ◦ www.paypa1.com instead of www.paypal.com
  ◦ The digit '1' is substituted for the letter 'l'
Images Masking Underlying Text
• Phishers use a legitimate image as a hyperlink that actually links to the fraudulent website
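One way to turn the three cues from the slides above (the brand name inside www.ebay-members-security.com, the 'paypa1' letter substitution, and an image or link text that points somewhere other than where the href goes) into a defender-side check, written here as an added Python example that is not part of the original presentation or the paper it summarises; the brand list, the confusable table and the two-label registrable-domain shortcut are assumptions. It also generalises to the 'vv' for 'w' substitution that the results slides mention and to a brand name parked under somebody else's registrable domain.

```python
"""Lookalike-link checks built around the slides' own examples.

Added example, not code from the presentation or the paper it summarises.
It flags the three cues the slides describe: a brand token inside a host
whose registrable domain is not the brand's (www.ebay-members-security.com),
a confusable substitution (www.paypa1.com, 'vv' for 'w'), and link text or
an image that claims one site while the href goes to another.
"""
import re
from urllib.parse import urlparse

# Constructed brand list: brand token -> the brand's real registrable domain.
TRUSTED_BRANDS = {
    "ebay": "ebay.com",
    "paypal": "paypal.com",
    "bankofthewest": "bankofthewest.com",
}

# ASCII confusables, applied in this order. The first two come from the slides;
# the rest are common typosquatting substitutions. IDN homographs (Cyrillic
# 'a' and friends) need a real confusables table and are out of scope here.
CONFUSABLES = [("vv", "w"), ("1", "l"), ("rn", "m"), ("0", "o"), ("|", "l")]

# Something a reader would perceive as a URL in link text or an image alt.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def skeleton(label):
    """Reduce a DNS label to the shape a human perceives, so that
    'paypa1' and 'bankofthevvest' compare equal to the real brand."""
    s = label.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def host_of(url):
    """Hostname of a URL; a scheme is assumed if the text has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels, which is enough for the .com hosts in the slides.
    A production tool would consult the Public Suffix List instead."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url):
    """Return a list of findings (empty = nothing suspicious) for one URL."""
    host = host_of(url)
    reg = registrable_domain(host)
    labels = host.split(".")
    findings = []
    for brand, real_domain in TRUSTED_BRANDS.items():
        if reg == real_domain:
            continue  # a genuine host under the brand's own domain
        # Confusable substitution: the registrable label only *looks* like the brand.
        if skeleton(reg.split(".")[0]) == brand:
            findings.append(f"confusable domain: {reg} looks like {real_domain}")
        # Brand token anywhere in the host, but the real owner is someone else.
        elif any(brand in skeleton(label) for label in labels):
            findings.append(
                f"brand '{brand}' in hostname but registrable domain is {reg}, not {real_domain}"
            )
    return findings


def assess_link(visible, href):
    """Check a hyperlink: `visible` is the anchor text or the image alt/src
    the user sees, `href` is where the link really goes."""
    findings = assess_url(href)
    if URL_LIKE.fullmatch(visible.strip()):
        shown, actual = host_of(visible), host_of(href)
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but goes to {actual}")
    return findings


if __name__ == "__main__":
    for url in ("www.ebay.com", "www.ebay-members-security.com",
                "www.paypa1.com", "www.bankofthevvest.com"):
        print(url, "->", assess_url(url) or "ok")
    print(assess_link("www.paypal.com", "http://www.paypa1.com/login"))
```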


Images Mimicking Windows
• Phishers use an image in the content of the webpage that looks the same as a window or a dialog box
Windows Masking Underlying Windows
• By placing an illegitimate browser window over or beside a legitimate browser window, users can be tricked very easily, as both windows look exactly the same

Deceptive Look & Feel
• Phishers copy the logos, images and other information of the target website so that it has the same look and feel, and the user may take it for the original website
3. Bounded Attention
• Lack of attention to security indicators
  ◦ Users focus on the main task and forget the security indicators
  ◦ They might not pay attention to warning messages

• Lack of attention to the absence of security indicators
  ◦ Users do not notice the absence of an indicator
  ◦ Sometimes a spoofed indicator image is inserted by phishers to fool users
Study to Assess the Accuracy of the Hypothesis
• A usability study was conducted
• Participants were asked to identify legitimate and phishing websites
• The selected participants were well informed and had good knowledge
• Around 200 phishing websites were selected
Study Design
• A website was created containing a random list of hyperlinks to different websites
• Each participant was presented with 20 websites
• 7 websites were legitimate
• 9 were phishing websites
• 3 were special websites (created using additional phishing techniques)
• 1 was a special website (requesting users to accept a self-signed SSL certificate)
• All phishing websites were hosted on an Apache web server
Scenario and Procedure
• Participants were told that some of the websites were legitimate and some were not
• The participants could also interact with the websites
• Each participant was asked to rate each website on a scale of 1 to 5 and to give the reasoning for their answer
• Participants were asked about their knowledge of SSL-certified websites and their experience with phishing websites
Demographics of Participants
• A total of 22 participants from a university, with sound knowledge of computers, email and the web, were recruited

Gender (values read from the bar chart):
  ◦ Male: 12
  ◦ Female: 10

Students/Staff (values read from the bar chart):
  ◦ Students: 11
  ◦ University staff: 11

Education, staff (values read from the bar chart):
  ◦ Bachelor's degree: 8
  ◦ Master's degree: 2
  ◦ J.D. degree: 1

Education, students (values read from the bar chart):
  ◦ Bachelor's degree: 7
  ◦ Master's degree: 2
  ◦ Ph.D.: 2

Web Browser (values read from the bar chart):
  ◦ Internet Explorer: 11
  ◦ Mozilla Firefox: 7
  ◦ Mozilla, unknown version: 2
  ◦ Apple Safari: 1

Operating System (values read from the bar chart):
  ◦ Win XP: 13
  ◦ Mac OS: 6
  ◦ Win 2K: 2
  ◦ Windows, unknown version: 1

• Participants were aged between 18 and 56
• Participants' computer usage ranged from 10 to 135 hours per week
• 18 participants use online banking
• 20 participants use online shopping regularly
Results
Participants' Score and Behavior
  ◦ The number of correctly identified websites forms the participant's score
  ◦ Scores ranged from 6 to 18 correctly identified websites

Gender
  ◦ There is no difference between the scores of male and female participants
  ◦ The mean score for male and female participants is 13 and 10.5 respectively
Age
  ◦ There is no correlation between score and the age of participants

Education Level
  ◦ There is no relation between score and the educational level of participants

Usage of Computer
  ◦ There is no significant correlation between a participant's score and the amount of computer usage per week
  ◦ A user who uses a computer for 14 hours weekly judged 18 out of 19 sites correctly; on the other hand, one who uses a computer for 90 hours per week judged only 7 sites correctly
Previous Use of Browser, OS and Website
  ◦ There is no significant relation between score and the browser and OS the participant used previously
  ◦ Even previous use of the same website did not help participants differentiate between the legitimate and the phishing website
Strategies for Determining Website Legitimacy

• Participants are categorized by the type of factors they used to make their decision
  ◦ Type 1: Security indicators in the website contents
  ◦ Type 2: Content and domain name
  ◦ Type 3: Content and address plus HTTPS
  ◦ Type 4: Padlock icon plus types 1, 2 & 3
  ◦ Type 5: Certificates plus types 1, 2, 3 & 4
Type 1: Security indicators in website contents
• Participants looked only at the contents, such as images, logos, layout, graphic design and the accuracy of the information
• As the participants in this category did not focus on the URL of the site, they scored the lowest
• 5 (23%) participants used this strategy; their scores were 6, 7, 7, 9, 9
Type 2: Content & domain name
• 8 (36%) participants checked the address bar along with the contents of the website
• People in this category knew the difference between a domain name and an IP address
Type 3: Content, address plus HTTPS
• Only 2 (9%) participants used this strategy to differentiate between phishing and legitimate websites
• Participants relied on the presence of HTTPS in the status bar
• Users did not notice the padlock icon
Type 4: Padlock icon plus types 1, 2 & 3
• 5 (23%) participants fall under this category
• They checked everything in the types discussed above and also looked for the padlock icon in the address bar
• But some participants gave preference to a padlock icon that appears within the content of the web page
Type 5: Certificates plus types 1, 2, 3 & 4
• Only 2 (9%) of the participants checked the certificates presented by their browser, in addition to the other strategies discussed previously
Website Difficulty
• Users were asked to rate the confidence of their judgment on a scale of 1 to 5
Phishing websites
• The website discussed previously used two 'v's instead of a 'w' to fool people
• 20 participants judged this site to be the legitimate website of the Bank of the West
• 17 people misjudged it due to the contents of the page
• 2 participants were fooled by the animated bear video
• 8 participants relied on the links to other websites for their judgment
• 6 participants were tricked by the VeriSign logo
• 2 participants correctly judged this website as a spoof
• Only 1 participant judged this website to be phishing because of the two 'v's
Participants' Knowledge of Phishing & Security
Knowledge & experience of phishing
  ◦ 7 participants had never heard the term phishing
  ◦ 9 participants were confused about the legitimacy of the websites
  ◦ 5 participants had experienced phishing and web fraud

Knowledge of padlock icon & HTTPS
  ◦ 4 participants had no idea what the padlock icon meant
  ◦ 5 participants described it as some sort of security but were not sure
  ◦ 10 described it as the way of securing data sent from the user to the server
  ◦ 13 participants said that they never pay attention to HTTPS in the address bar
Knowledge & use of certificates
  ◦ 15 participants clicked the OK button without reading the content of the message when the browser presented the self-signed certificate
  ◦ 18 participants stated that they did not know about the certificate
  ◦ 3 participants selected the wrong option in the certificate dialog
  ◦ Only one participant interpreted the website certificate correctly, as he was a system administrator
  ◦ 19 participants stated that they never checked the certificate
Conclusion
• The study reveals that even the most knowledgeable and well-informed user can be fooled and tricked by a good phishing site
• Security indicators and warning messages shown by the browser are not understood by users and go unnoticed
• Indicators of trust provided by the browser can even be spoofed by phishers very easily

• So the study suggests that some other method or approach is needed to overcome phishing
Questions & Comments

Contenu connexe

Similaire à Why phishing works

Csun 2013 wcag what about the users-slideshare-2013
Csun 2013   wcag what about the users-slideshare-2013Csun 2013   wcag what about the users-slideshare-2013
Csun 2013 wcag what about the users-slideshare-2013Hinni Hreinsson
 
Going Remote: User experiences at a distance
Going Remote: User experiences at a distanceGoing Remote: User experiences at a distance
Going Remote: User experiences at a distancelinoleumjet
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignNew York Technology Council
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchBayCHI
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchBayCHI
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slidesJim Kaplan CIA CFE
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Miguel de la Cruz
 
UX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachUX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachSarah Khan
 
Softcademy School Management Apps
Softcademy School Management Apps Softcademy School Management Apps
Softcademy School Management Apps Prionto Abdullah
 
The importance of UX for Developers
The importance of UX for DevelopersThe importance of UX for Developers
The importance of UX for DevelopersSarah Dutkiewicz
 
From User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatFrom User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatDesign for Drupal, Boston
 
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital AccessibilityTCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital AccessibilityRaymond Rose
 
Evaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todayEvaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todaySimeon Bala
 
CUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallCUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallSmart Chicago Collaborative
 
Class 1-become-an-online-sleuth
Class 1-become-an-online-sleuthClass 1-become-an-online-sleuth
Class 1-become-an-online-sleuthWheeler School
 
11.m3 cms objectives
11.m3 cms objectives11.m3 cms objectives
11.m3 cms objectivestarensi
 
Data All the Way Down
Data All the Way DownData All the Way Down
Data All the Way DownJeni Tennison
 

Similaire à Why phishing works (20)

Csun 2013 wcag what about the users-slideshare-2013
Csun 2013   wcag what about the users-slideshare-2013Csun 2013   wcag what about the users-slideshare-2013
Csun 2013 wcag what about the users-slideshare-2013
 
RA21: An Update on RA21
RA21: An Update on RA21RA21: An Update on RA21
RA21: An Update on RA21
 
RA21 Charleston Library Conference Presentation
RA21 Charleston Library Conference Presentation RA21 Charleston Library Conference Presentation
RA21 Charleston Library Conference Presentation
 
Going Remote: User experiences at a distance
Going Remote: User experiences at a distanceGoing Remote: User experiences at a distance
Going Remote: User experiences at a distance
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote Research
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote Research
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slides
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)
 
UX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachUX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused Approach
 
Softcademy School Management Apps
Softcademy School Management Apps Softcademy School Management Apps
Softcademy School Management Apps
 
The importance of UX for Developers
The importance of UX for DevelopersThe importance of UX for Developers
The importance of UX for Developers
 
From User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatFrom User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards Behat
 
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital AccessibilityTCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
 
Evaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todayEvaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media today
 
CUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallCUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective Call
 
Class 1-become-an-online-sleuth
Class 1-become-an-online-sleuthClass 1-become-an-online-sleuth
Class 1-become-an-online-sleuth
 
11.m3 cms objectives
11.m3 cms objectives11.m3 cms objectives
11.m3 cms objectives
 
Data All the Way Down
Data All the Way DownData All the Way Down
Data All the Way Down
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Why phishing works

  • 1. Why phishing works By Rachna Dhamija , J. D. Tygar & Marti Hearst Ayaz Shahid (aysh1000@student.miun.se)
  • 2. Overview • Introduction • Why phishing works • Study to support hypothesis • Results of study • Conclusion
  • 3. Introduction • Directing users to fraudulent websites • The host website acts as the trustworthy or real website • Steals user’s credentials like credit card information , username/passwords and other personal information • Phishing is an opportunistic attack rather than a targeted attack
  • 4. Why Phishing works 1. Lack of knowledge 2. Visual Deception 3. Bounded Attention
  • 5. 1. Lack of knowledge • Computer system knowledge  Most of the phishers exploit the user’s lack of knowledge of computer, applications, emails, internet etc  Such users does not know about how things work and what are the differences for example: www.ebay-members-security.com & www.ebay.com
  • 6. Lack of knowledge(cont.) • Knowledge of security & security indicators  Most of the users does not know about the security indicators indicated by the browsers when it detects a phishing website. Example: Padlock Icon
  • 7. 2. Visual Deception • Visual Deceptive Text • Images masking underlying text • Images mimicking windows • Window Masking • Deceptive Look & Feel
  • 8. Visual Deception Text • Users are fooled using the syntax of the domain name • Phishers substitutes the letters in the domain name that may go un-noticed • Example: www.paypa1.com instead of www.paypal.com Substituted digit ‘1’ instead of letter ‘l’
  • 9. Images Masking Underlying Text • Phishers use a legitimate image as hyperlink which actually links to the fraudulent website Images mimicking windows • Phishers use an image in the content of the webpage that looks same as a window or a dialog box
  • 10. Windows Masking Underlying Windows • Placing an illegitimate browser window over or beside a legitimate browser window users can be tricked very easily as both windows look exactly same Deceptive look & feel • Phishers copy the logos, images and other information of the target website having same look and feel and the user could consider it as original website
  • 11. 3. Bounded Attention • Lack of Attention to Security Indicators  User focuses on the main task and forgets the security indicators  They might not pay attention to the warning messages • Lack of Attention to the absence of security indicators  Users do not notice the absence of an indicator  Some times a spoofed indicator image might be inserted by the phishers to fool the users
  • 12. Study to Access the Accuracy of Hypothesis • Conducted a usability study • Participants were asked to identify legitimate and phishing websites • Selected participants were better and good in knowledge • Around 200 phishing websites were selected
  • 13. Study Design • A web site was created containing random list of hyperlinks to different websites • Each participant was presented 20 websites • 7 websites were legitimate • 9 phishing websites • 3 special websites(created using additional phishing techniques) • 1 special website (requesting users to accept a self-signed SSL certificate) • All phishing websites were hosted on an Apache web server
14. Scenario and Procedure
• Participants were told that some of the websites are legitimate and some are not
• Participants could also interact with the websites
• Each participant was asked to rate each website on a scale of 1 to 5 and to give the reasoning for their answer
• Participants were asked about their knowledge of SSL-certified websites and their experience with phishing websites
15. Demographics of Participants
• A total of 22 participants from a university, having sound knowledge of computers, email and the web, were recruited
[Bar chart: Gender (Male, Female)]
16. [Bar charts: Students/Staff (Student, Univ. Staff); Degree (Bachelors, Masters, J.D., Ph.D.)]
17. [Bar charts: Web Browser (Internet Explorer, Mozilla Firefox, Mozilla, Apple Safari, Unknown Version); Operating System (Win XP, MAC OS, Win 2K, Win Unknown Version)]
18.
• Participants are aged between 18 and 56
• Computer usage ranges from 10 to 135 hours per week
• 18 participants use online banking
• 20 participants use online shopping regularly
19. Results
Participants' Score and Behavior
   The number of correctly identified websites forms the participant's score
   Scores ranged from 6 to 18 correctly identified websites
Gender
   There is no difference between the scores of male and female participants
   The mean score for male and female participants is 13 and 10.5 respectively
20. Age
   There is no correlation between the score and the age of participants
Education Level
   There is no relation between the score and the educational level of the participants
Usage of Computer
   There is no significant correlation between a user's score and the amount of computer usage per week
   A user who uses a computer for 14 hours a week judged 18 out of 19 sites correctly, while another who uses a computer for 90 hours a week judged only 7 sites correctly
21. Previous Use of Browser, OS and Web
   There is no significant relation between the score and the browser and OS the participant had used previously
   Even previous use of the same website did not help participants differentiate between the legitimate and the phishing website
22. Strategies for Determining Website Legitimacy
• Participants are categorized by the type of factors they used to make their decision
   Type 1: Security indicators in the website contents
   Type 2: Content and domain name
   Type 3: Content and address plus HTTPS
   Type 4: Padlock icon plus types 1, 2 & 3
   Type 5: Certificates plus types 1, 2, 3 & 4
23. Type 1: Security Indicators in Website Contents
• Participants looked only at the contents, such as images, logos, layouts, graphic design and the accuracy of information
• As participants in this category did not focus on the URL of the site, they scored the lowest
• 5 (23%) participants used this strategy, and their scores were (6, 7, 7, 9, 9)
24. Type 2: Content & Domain Name
• 8 (36%) participants checked the address bar along with the contents of the website
• People in this category knew the difference between a domain name and an IP address
25. Type 3: Content, Address plus HTTPS
• Only 2 (9%) participants used this strategy to differentiate between phishing and legitimate websites
• Participants relied on the presence of HTTPS in the status bar
• Users did not notice the padlock icon
26. Type 4: Padlock Icon plus Types 1, 2 & 3
• 5 (23%) participants fall under this category
• They checked everything in the types discussed above and also looked for the padlock icon in the address bar
• But some participants gave preference to a padlock icon that appears within the content of the web page
27. Type 5: Certificates plus Types 1, 2, 3 & 4
• Only 2 (9%) of the participants checked the certificates presented by their browser in addition to the other strategies discussed previously
28. Website Difficulty
• Users were asked to rate the confidence of their judgment on a scale of 1 to 5
30.
• The website discussed previously used two "V"s instead of a "W" to fool people
• 20 participants judged this site as the legitimate website of the Bank of the West
• 17 people misjudged it because of the contents of the page
• 2 participants were fooled by the animated bear video
• 8 participants relied on the links to other websites for their judgment
• 6 participants were tricked by the version logo
• 2 participants correctly judged this website as a spoof
• Only 1 participant identified this phishing website by the two V's
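The look-alike domain tricks from slides 8 and 30 (the digit '1' for the letter 'l', two V's for a W), as an added defender-side check that is not part of the original slides or paper: it folds confusable character sequences before comparing a URL's registrable domain against a trusted list, and separately flags a trusted brand name used as a label inside an unrelated domain. The trusted list, the confusable table and all sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed trust list; a real deployment would use the user's bookmarks
# or a maintained allow-list instead.
LEGITIMATE = {"paypal.com", "ebay.com", "bankofthewest.com"}

# Character sequences that pass for another at a glance: the '1' for 'l'
# swap from slide 8, the "vv" for "w" trick from slide 30, and two common
# others. Constructed table, not from the paper.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]


def normalize(label: str) -> str:
    """Fold confusable sequences so that paypa1.com and paypal.com compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(url: str, legitimate: set[str] = LEGITIMATE) -> tuple[str, str]:
    """Return (verdict, matched trusted domain or '') for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return ("ip-address", "")  # bare IP: no brand to compare against
    domain = registrable_domain(host)
    if domain in legitimate:
        return ("legitimate", domain)
    for real in legitimate:  # homoglyph look-alike, e.g. paypa1.com
        if normalize(domain) == normalize(real):
            return ("lookalike", real)
    tokens = re.split(r"[.-]", host)  # brand used as a label, e.g. brand-login-check.com
    for real in legitimate:
        if real.split(".")[0] in tokens:
            return ("brand-embedded", real)
    return ("unknown", "")
```

The normalization deliberately runs on both sides of the comparison so that a trusted domain which itself contains a digit or an "rn" pair is still matched consistently.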
31. Participants' Knowledge of Phishing & Security
Knowledge & experience of phishing
   7 participants had never heard the term phishing
   9 participants were confused about the legitimacy of the websites
   5 participants had experienced phishing or web fraud
Knowledge of the padlock icon & HTTPS
   4 participants had no idea what the padlock icon means
   5 participants described it as some sort of security but were not sure
   10 described it as a way of securing data sent from the user to the server
   13 participants said they never pay attention to HTTPS in the address bar
32. Knowledge & Use of Certificates
   15 participants clicked the OK button without reading the content of the message when the browser presented the self-signed certificate
   18 participants stated that they did not know what the certificate was
   3 participants selected the wrong option in the certificate dialog
   Only one participant interpreted the website certificate correctly, as he was a system administrator
   19 participants stated that they never check the certificate
33. Conclusion
• The study reveals that even the most knowledgeable and well-informed user can be fooled and tricked by a good phishing site
• Security indicators and warning messages shown by the browser are not understood by users and go unnoticed
• Indicators of trust provided by the browser can be spoofed by phishers very easily
• So the study suggests that some other method or approach is needed to counter phishing