Phishing
By: Joanna Georgiou

Papers covered:
- Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.
- Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.
What is Phishing?
Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.
Contributions
- Provided the first empirical evidence about which malicious strategies are successful at deceiving users.
- Studied a large set of captured phishing attacks.
- Ran a usability study in which 22 participants were shown 20 websites.
Phishing
- Successful phishers present a web page of such high credibility that the user fails to recognize the security measures installed in web browsers.
- Phishers exploit a lack of knowledge:
  - Lack of computer system knowledge (e.g. some users do not understand the syntax of domain names and cannot distinguish legitimate from fake URLs)
  - Lack of knowledge of security and security indicators
Lack of knowledge of security and security indicators
- Users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL.
- Even users who understand the icon can be fooled by its placement within the body of a web page.
- Users do not understand SSL certificates.
Visual Deception
- Visually deceptive text: exploiting the syntax of a domain name (typejacking attacks), e.g. www.paypa1.com instead of www.paypal.com, or using non-printing / non-ASCII characters.
- Images masking underlying text: an image of a legitimate hyperlink serves as a hyperlink to a rogue site.
- Images mimicking windows: images in the content of a web page that mimic browser windows or dialog windows.
- Windows masking underlying windows: an illegitimate browser window is placed on top of or next to a legitimate window. If they have the same look and feel, the user may mistakenly believe they are from the same source, or may not even notice that a second window exists.
Bounded Attention
- Lack of attention to the absence of security indicators
- Lack of attention to security indicators that are present
- Occurs when users are too focused on their primary task
Study: Distinguishing Legitimate Websites
- Collected approximately 200 unique phishing websites (including all related links, images and web pages).
- Anticipated that the results would be better than they would be in real life.
- Created 3 phishing websites.
- Every participant saw every website, but in randomized order.
Study
- Study scenario: participants were given instructions and a randomized list of hyperlinks to websites labeled "Website 1", "Website 2", and so on.
- Participants had no expectations about each website.
- Each website presented was fully functioning.
Study
Participants were presented with 20 websites; the first 19 were in random order:
- 7 legitimate websites
- 9 representative phishing websites
- 3 phishing websites constructed by the authors using additional phishing techniques
- 1 website requiring users to accept a self-signed SSL certificate (this website was presented last to segue into an interview about SSL and certificates)
- Self-signed SSL certificate: users are exposed to the risk that a third party could intercept traffic to the website using the third party's own self-signed certificate.
Study: Participants
- Most participants regularly use more than one type of browser and operating system.
- Hours of computer usage per week ranged from 10 to 135 hours.
- 18 participants regularly use online banking.
- 20 participants said they regularly shop online.
Results
- Good phishing websites fooled 90% of participants.
- 23% did not look at browser-based cues (address bar, status bar, security indicators).
- On average, participants made incorrect choices 40% of the time.
- 15 out of 22 participants proceeded without hesitation when a popup warning about a fraudulent certificate was shown.
- Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
Strategies for Determining Website Legitimacy
- Type 1: Security indicators in website content only
- Type 2: Content and domain name only
- Type 3: Content and address, plus HTTPS
- Type 4: All of the above, plus padlock icon
- Type 5: All of the above, plus certificates
Additional Strategies
- 2 participants stated they would only question a website's legitimacy if more than the username and password was requested.
- 1 participant actually submitted her username and password to some websites in order to verify whether it was a site at which she had an account.
- 1 participant:
  - Opened another browser window and typed in all URLs by hand to compare those pages to every website presented in the study.
  - Occasionally used Yahoo to search for the organization in question, then clicked on the top search result and compared it to the website presented in the study.
Phishing Websites
- One site was hosted at "www.bankofthevvest.com", with two "v"s instead of a "w" in the domain name.
- 20 participants incorrectly judged this to be the legitimate Bank of the West website.
- 17 participants mentioned the content of the page as one reason for their decision.
- 8 participants relied on links to other sites.
- 6 participants clicked on the Verisign logo (which displays an SSL-protected web page, hosted at Verisign, showing the SSL certificate status of www.bankofthewest.com).
- 3 participants said the correctness of the URL was the primary factor in their decision.
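The visually deceptive domain names discussed under Visual Deception (www.paypa1.com) and here (www.bankofthevvest.com) are exactly the kind of thing a defender can screen for mechanically, even though the participants could not. The following Python is an added example written for this page, not code from the Dhamija et al. paper or the deck: it collapses a hostname's registrable label to the ASCII "skeleton" it visually resembles (folding digits that look like letters, the "vv" and "rn" pairs, a few Cyrillic homoglyphs and invisible characters), then compares that skeleton against a watch list of brand domains. The confusable table, the watch list (BRANDS) and the sample hostnames are all constructed for the illustration, and the registrable-domain logic is a simplification that ignores multi-part suffixes such as co.uk.

```python
import unicodedata

# Hand-constructed look-alike table for this example (not exhaustive):
# digits/symbols that resemble letters, plus a few Cyrillic homoglyphs.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}
# Two-character sequences that render like one letter ("vv" is the Bank of the West case).
CONFUSABLE_PAIRS = {"vv": "w", "rn": "m"}
# Non-printing characters that can be hidden inside a name.
INVISIBLE = "\u200b\u200c\u200d\u2060\u00ad\ufeff"

# Constructed watch list of brands the checker protects.
BRANDS = ["paypal.com", "bankofthewest.com"]


def skeleton(label: str) -> str:
    """Collapse a domain label to the ASCII string it visually resembles."""
    s = unicodedata.normalize("NFKC", label).lower()  # folds full-width forms etc.
    s = "".join(ch for ch in s if ch not in INVISIBLE)
    for pair, repl in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, repl)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    parts = host.strip().strip(".").lower().split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-typo near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brands):
    """Return (verdict, matched_brand); verdicts: legitimate, lookalike, near-miss, unknown."""
    reg = registrable(host)
    sk = skeleton(reg.split(".")[0])
    for brand in brands:
        b_reg = registrable(brand)
        b_sk = skeleton(b_reg.split(".")[0])
        if reg == b_reg:
            return ("legitimate", brand)
        if sk == b_sk:
            return ("lookalike", brand)   # renders like the brand but is a different name
        if len(b_sk) >= 5 and levenshtein(sk, b_sk) == 1:
            return ("near-miss", brand)   # one edit away, e.g. a doubled letter
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames, including the two from the deck.
    for h in ["www.paypal.com", "www.paypa1.com", "www.bankofthevvest.com",
              "www.p\u0430ypal.com", "pay\u200bpal.com", "paypall.com", "example.com"]:
        print(repr(h), "->", classify(h, BRANDS))
```

A check like this belongs in a mail gateway or proxy log pipeline rather than with the end user: the study's point is that users do not read URLs closely, so the comparison has to be done for them.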
Conclusions
- Even when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website.
- Indicators that are designed to signal trustworthiness were not understood (or even noticed) by many participants.
- 5 out of 22 participants used only the content of the website to evaluate its authenticity.
- A number of participants incorrectly said a padlock icon is more important when it is displayed within the page than when it is presented by the browser.
- Other participants were more persuaded by animated graphics, pictures, and design touches such as favicons (icons in the URL bar) than by SSL indicators.
Conclusions
- Phishers can create a fully functioning site with images, links, logos and images of security indicators to persuade users that the spoofed website is legitimate.
- Legitimate organizations that follow security precautions are penalized: some participants judged them to be less trustworthy. Hosting secure pages with third parties, where the domain name does not match the brand name, confused the participants.
- It is not sufficient for security indicators to appear only under trusted conditions; it is important to alert users to the untrusted state.
- Security interface designers must consider that indicators placed outside of the user's periphery or focus of attention (e.g., using colors in the address bar to indicate suspicious and trusted sites) may be ignored entirely by some users.
Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.
Contributions
- Introduce the PRMitM attack.
- Evaluate the PRMitM attack on Google and Facebook.
- Explore further and identify similar vulnerabilities in popular mobile applications.
- Design secure password reset processes using SMS and phone calls, and evaluate them on Google and Facebook users.
- List recommendations for the secure design of the password reset process.
Introduction
The Password Reset Man in the Middle Attack (PRMitM)
- It exploits the similarity of the registration and password reset processes to launch a man-in-the-middle (MitM) attack at the application level.
- The attacker initiates a password reset process with a website and forwards every challenge to the victim, who either wishes to register on the attacking site or to access a particular resource on it.
To launch PRMitM, the attacker:
- Only needs to control a website; no network-level MitM or eavesdropping capabilities are required.
- Attacks visitors of his website and takes over their accounts on other websites.
- Needs basic pieces of information (e.g. username, email, or phone number). This information can be extracted from the victim during registration on the attacking website, or before some operations such as a file download, when the victim is required to identify themselves using their phone.
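The attack description above (the attacker relays the target site's reset challenge to the victim through his own site) points at two properties a reset message needs in order to resist relaying: the user must be able to tell which site issued the challenge and for what purpose, and the challenge should be something the user completes on the real site rather than a code that can be typed into any page. The Python below is an added illustration written for this page, not the design evaluated by Gelernter et al. (whose recommendations are not reproduced on this page): it builds a password reset message that names the site and carries an HMAC-signed, expiring link bound to one account, together with the server-side verifier that accepts or rejects the token. SITE_NAME, RESET_URL, the signing key and the timestamps are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SITE_NAME = "ExampleMail"                          # constructed site name
RESET_URL = "https://accounts.example.test/reset"  # constructed URL
TOKEN_TTL = 600                                    # seconds a reset link stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(account_id: str, key: bytes, now: int) -> str:
    """Signed, expiring token bound to one account; the key never leaves the server."""
    payload = {"sub": account_id, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_reset_token(token: str, key: bytes, now: int):
    """Return the account id if the token is genuine and unexpired, otherwise None."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison; a forged or tampered body fails here.
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
    except (binascii.Error, ValueError):
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    return payload.get("sub")


def reset_message(account_id: str, key: bytes, now: int) -> str:
    """Message sent to the user: names the site, states the purpose, carries a link, not a bare code."""
    link = f"{RESET_URL}?t={make_reset_token(account_id, key, now)}"
    return (f"{SITE_NAME}: a password reset was requested for your {SITE_NAME} account. "
            f"If that was you, open {link} . If it was not, ignore this message; "
            f"{SITE_NAME} will never ask you to enter this link or any code on another site.")


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed server-side key
    print(reset_message("alice", key, 1_700_000_000))
```

The link form matters because the victim of a relayed challenge never visits the attacker's page with it: the token is only useful when presented to RESET_URL, and the server checks the signature and expiry before letting anyone set a new password.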
PRMitM Example
Survey
- Survey question: whether participants "would agree to either register to a website or prove they are human using their phone or both, in order to use common online services such as file downloads for free".
- Participants were students aged between 18 and 35.
- Among 138 participants:
  1) Would never register for unknown websites or give their phone number, no matter what free services are offered.
  2) Would agree to use both options.
  3) Would only agree to register.
  4) Would only agree to identify themselves using their phone.
Recommendations
More recommendations