Why phishing works
By Rachna Dhamija, J. D. Tygar & Marti Hearst

Ayaz Shahid (aysh1000@student.miun.se)
Overview
• Introduction
• Why phishing works
• Study to support hypothesis
• Results of study
• Conclusion
Introduction
• Phishing directs users to fraudulent websites
• The fraudulent website poses as the trustworthy, real website
• It steals the user's credentials, such as credit card information, usernames/passwords and other personal information
• Phishing is an opportunistic attack rather than a targeted attack
Why Phishing works
1. Lack of knowledge
2. Visual Deception
3. Bounded Attention
1. Lack of knowledge
• Computer system knowledge
   – Most phishers exploit the user's lack of knowledge of computers, applications, email, the internet, etc.
   – Such users do not know how things work or what the differences are, for example between www.ebay-members-security.com and www.ebay.com
Lack of knowledge (cont.)
• Knowledge of security & security indicators
   – Most users do not know the security indicators the browser displays, or the warnings it gives when it detects a phishing website.
   Example: padlock icon
2. Visual Deception
• Visually deceptive text
• Images masking underlying text
• Images mimicking windows
• Windows masking underlying windows
• Deceptive look & feel
Visually Deceptive Text
• Users are fooled by the syntax of the domain name
• Phishers substitute letters in the domain name in ways that may go unnoticed
• Example:
   www.paypa1.com instead of www.paypal.com
   The digit ‘1’ is substituted for the letter ‘l’
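The two slides above (www.ebay-members-security.com passing for www.ebay.com, and paypa1 for paypal) describe lookalike hostnames. The following is an added example, not code from the presentation or from the Dhamija, Tygar & Hearst paper: a small Python classifier that a mail gateway or URL filter could run on every link it sees to flag such hosts before a user has to judge them. The protected-domain list, the confusable-character table and the sample URLs are constructed assumptions; the folding table also covers the "vv" for "w" substitution that the results slides mention later, so it goes a little beyond the two hosts quoted here.

```python
"""
Lookalike-domain classifier for URLs found in mail or web content.

Added example for the slides above; it is not code from the presentation or
from the Dhamija, Tygar & Hearst paper. PROTECTED_DOMAINS, CONFUSABLES and
the sample URLs in main() are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumption: registrable domains the defender wants to protect.
PROTECTED_DOMAINS = {"ebay.com", "paypal.com", "bankofthewest.com"}

# Visually confusable sequences, mapped to the character they imitate.
# Longest keys are folded first so "vv" becomes "w" before "1" becomes "l".
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o"}


def hostname(url: str) -> str:
    """Lowercase host of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public suffix
    (co.uk etc.); a production filter would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(label: str) -> str:
    """Fold confusable sequences so 'paypa1' and 'bankofthevvest' compare
    equal to the brands they imitate."""
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def classify(url: str) -> str:
    """
    'legitimate': host is a protected domain or one of its subdomains
    'lookalike' : the registrable label resembles a protected brand after
                  folding, or a brand name is used as a label/word elsewhere
                  in the host (www.ebay-members-security.com, paypal.com.evil)
    'unrelated' : none of the above
    """
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate"
    reg_label = reg.split(".")[0]
    host_words = host.replace("-", ".").split(".")
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if skeleton(reg_label) == skeleton(brand_label):
            return "lookalike"
        if brand_label in host_words:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample input: the hosts quoted in the slides plus a few more.
    for sample in ["www.ebay.com", "www.ebay-members-security.com",
                   "www.paypa1.com", "http://www.bankofthevvest.com/",
                   "https://paypal.com.evil.example/login", "https://example.org"]:
        print(f"{classify(sample):<10} {sample}")
```

The check deliberately starts from the registrable domain rather than from the full hostname: `signin.ebay.com` is legitimate because its registrable part is `ebay.com`, while `paypal.com.evil.example` is not, whatever its left-hand labels say. A real deployment would replace the two-label assumption with a Public Suffix List lookup and extend the confusables table with Unicode homoglyphs.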
Images Masking Underlying Text
• Phishers use a legitimate image as the hyperlink, which actually links to the fraudulent website
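As an added example for this slide (not code from the presentation or the paper), the check below scans HTML for anchors whose visible part, either a URL-looking link text or an image served from the real brand's site, suggests one destination while the `href` goes to another. This is the kind of pass a mail filter or a browser extension can make so that the mismatch the user cannot see is at least logged. The sample HTML, the hosts in it and the 203.0.113.5 address are constructed for illustration.

```python
"""
Find hyperlinks whose visible target disagrees with their real destination.

Added example for the "Images masking underlying text" slide; it is not code
from the presentation or from the paper. SAMPLE_HTML, the hosts in it and the
203.0.113.5 address are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lowercase host of a URL or bare hostname ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def site_of(host: str) -> str:
    """Registrable domain (last two labels); IP literals are kept whole.
    Assumption: no multi-label public suffix such as co.uk."""
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def looks_like_url(text: str) -> bool:
    """Anchor text that a reader would take to be an address."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t


class LinkCollector(HTMLParser):
    """Collect href, visible text and image sources for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._current = {"href": a.get("href") or "", "text": "", "image_srcs": []}
        elif tag == "img" and self._current is not None:
            self._current["image_srcs"].append(a.get("src") or "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_masked_links(html: str) -> list:
    """Return the links where the displayed host differs from the href host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        real_site = site_of(host_of(link["href"]))
        shown_sites = set()
        if looks_like_url(link["text"]):
            shown_sites.add(site_of(host_of(link["text"])))
        for src in link["image_srcs"]:
            if host_of(src):               # relative image paths carry no host
                shown_sites.add(site_of(host_of(src)))
        mismatched = sorted(s for s in shown_sites if s != real_site)
        if mismatched:
            findings.append({"href": link["href"], "appears_as": mismatched})
    return findings


# Constructed sample: two masked links (logo image and URL-looking text) and
# two honest ones.
SAMPLE_HTML = """
<p>Dear member, please verify your account:</p>
<a href="http://www.ebay-members-security.com/login">
  <img src="https://www.ebay.com/images/logo.gif" alt="eBay">
</a>
<a href="http://203.0.113.5/signin">https://signin.ebay.com/</a>
<a href="https://www.ebay.com/help">Help centre</a>
<a href="https://www.ebay.com/sitemap">www.ebay.com/sitemap</a>
"""

if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_HTML):
        print(f"{finding['href']} is shown as {', '.join(finding['appears_as'])}")
```

Plain-word link text such as "Help centre" is not compared, since it claims no destination. Note that brands often serve images from a separate CDN domain, so a production version needs an allowlist mapping each brand to the domains it legitimately uses, or it will raise false positives on genuine mail.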


Images Mimicking Windows
• Phishers embed an image in the content of the webpage that looks the same as a window or a dialog box
Windows Masking Underlying Windows
• By placing an illegitimate browser window over or beside a legitimate browser window, users can be tricked very easily, as both windows look exactly the same

Deceptive Look & Feel
• Phishers copy the logos, images and other information of the target website so that it has the same look and feel, and the user may take it for the original website
3. Bounded Attention
• Lack of attention to security indicators
   – The user focuses on the main task and forgets the security indicators
   – They might not pay attention to the warning messages

• Lack of attention to the absence of security indicators
   – Users do not notice the absence of an indicator
   – Sometimes a spoofed indicator image is inserted by the phishers to fool the users
Study to Assess the Accuracy of the Hypothesis
• A usability study was conducted
• Participants were asked to identify legitimate and phishing websites
• The selected participants were relatively knowledgeable
• Around 200 phishing websites were selected
Study Design
• A website was created containing a random list of hyperlinks to different websites
• Each participant was presented with 20 websites
• 7 websites were legitimate
• 9 were phishing websites
• 3 were special websites (created using additional phishing techniques)
• 1 was a special website requesting users to accept a self-signed SSL certificate
• All phishing websites were hosted on an Apache web server
Scenario and Procedure
• Participants were told that some of the websites are legitimate and some are not
• The participants could also interact with the websites
• Each participant was asked to rate each website on a scale of 1 to 5 and to give the reasoning for their answer
• Participants were asked about their knowledge of SSL-certified websites and their experience with phishing websites
Demographics of Participants
• A total of 22 participants from a university
  having sound knowledge of computers, email
  and web were recruited
Gender (bar chart)
   Male: 12
   Female: 10

Students/Staff (bar chart)
   Student: 11
   University staff: 11

Education (bar charts)
   Staff: Bachelors degree 8, Masters degree 2, J.D. degree 1
   Students: Bachelors degree 7, Masters degree 2, Ph.D. 2

Web Browser (bar chart)
   Internet Explorer: 11
   Mozilla Firefox: 7
   Mozilla (unknown version): 2
   Apple Safari: 1

Operating System (bar chart)
   Win XP: 13
   Mac OS: 6
   Win 2K: 2
   Windows (unknown version): 1
• Participants were aged between 18 and 56
• Computer usage ranged from 10 to 135 hrs per week
• 18 participants use online banking
• 20 participants use online shopping regularly
Results
Participants' Score and Behavior
   – A participant's score is the number of websites they identified correctly
   – Scores ranged from 6 to 18 correctly identified websites

Gender
   – There is no difference between the scores of male and female participants
   – The mean score for male and female participants is 13 and 10.5 respectively
Age
   – There is no correlation between the score and the age of participants

Education Level
   – There is no relation between the score and the educational level of the participants

Usage of Computer
   – There is no significant correlation between a user's score and the amount of computer usage per week
   – A user who uses the computer 14 hrs per week judged 18 out of 19 sites correctly; on the other hand, one who uses the computer 90 hrs per week judged only 7 sites correctly
Previous use of Browser, OS and Web
   – There is no significant relation between the score and the browser and OS the participant had used previously
   – Even previous use of the same website did not help the participants differentiate between the legitimate and the phishing website
Strategies for Determining Website Legitimacy
• Participants are categorized by the type of factors they used to make their decision
   – Type 1: Security indicators in the website contents
   – Type 2: Content and domain name
   – Type 3: Content and address plus HTTPS
   – Type 4: Padlock icon plus types 1, 2 & 3
   – Type 5: Certificates plus types 1, 2, 3 & 4
Type 1: Security indicators in website contents
• Participants looked only at the contents, such as images, logos, layout, graphic design and the accuracy of the information
• As participants in this category did not focus on the URL of the site, they scored the lowest
• 5 (23%) participants used this strategy; their scores were 6, 7, 7, 9 and 9
Type 2: Content & domain name
• 8 (36%) participants checked the address bar along with the contents of the website
• People in this category knew the difference between a domain name and an IP address
Type 3: Content, address plus HTTPS
• Only 2 (9%) participants used this strategy to differentiate between phishing and legitimate websites
• Participants relied on the presence of HTTPS in the status bar
• These users did not notice the padlock icon
Type 4: Padlock icon plus types 1, 2 & 3
• 5 (23%) participants fall under this category
• They checked everything in the types discussed above and also looked for the padlock icon in the address bar
• But some participants gave preference to a padlock icon that appears within the content of the web page
Type 5: Certificates plus types 1, 2, 3 & 4
• Only 2 (9%) of the participants checked the certificates presented by their browser, in addition to the other strategies discussed previously
Website Difficulty
• Users were asked to rate the confidence of their judgment on a scale of 1 to 5
Phishing websites
• The website discussed previously used two “V”s instead of a “W” to fool people
• 20 participants judged this site as the legitimate website of the Bank of the West
• 17 people misjudged it due to the contents of the page
• 2 participants were fooled by the animated bear video
• 8 participants relied on the links to other websites for their judgment
• 6 participants were tricked by the VeriSign logo
• 2 participants correctly judged this website as a spoof
• Only 1 participant identified this phishing website by the two V’s
Participants' Knowledge of Phishing & Security
Knowledge & experience of phishing
   – 7 participants had never heard the term phishing
   – 9 participants were confused about the legitimacy of the websites
   – 5 participants had experienced phishing and web fraud

Knowledge of padlock icon & HTTPS
   – 4 participants had no idea about the padlock icon
   – 5 participants mentioned it as some sort of security but were not sure
   – 10 mentioned it as a way of securing data sent from the user to the server
   – 13 participants said that they never pay attention to the HTTPS in the address bar
Knowledge & use of certificates
   – 15 participants clicked the OK button without reading the content of the message when the browser presented the self-signed certificate
   – 18 participants stated that they did not know about the certificate
   – 3 participants selected the wrong option from the certificate dialog
   – Only one participant interpreted the website certificate correctly, as he was a system administrator
   – 19 participants stated that they never checked the certificate
Conclusion
• The study reveals that even the most knowledgeable and well-informed user can be fooled and tricked by a good phishing site
• Security indicators and warning messages shown by the browser are not understood by users and go unnoticed
• Indicators of trust provided by the browser can be spoofed by phishers very easily

• So the study suggests that some other method or approach is needed to overcome phishing
Questions & Comments

Weitere ähnliche Inhalte

Ähnlich wie Why phishing works

Csun 2013 wcag what about the users-slideshare-2013
Csun 2013   wcag what about the users-slideshare-2013Csun 2013   wcag what about the users-slideshare-2013
Csun 2013 wcag what about the users-slideshare-2013Hinni Hreinsson
 
Going Remote: User experiences at a distance
Going Remote: User experiences at a distanceGoing Remote: User experiences at a distance
Going Remote: User experiences at a distancelinoleumjet
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignNew York Technology Council
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchBayCHI
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchBayCHI
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slidesJim Kaplan CIA CFE
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Miguel de la Cruz
 
UX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachUX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachSarah Khan
 
Softcademy School Management Apps
Softcademy School Management Apps Softcademy School Management Apps
Softcademy School Management Apps Prionto Abdullah
 
The importance of UX for Developers
The importance of UX for DevelopersThe importance of UX for Developers
The importance of UX for DevelopersSarah Dutkiewicz
 
From User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatFrom User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatDesign for Drupal, Boston
 
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital AccessibilityTCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital AccessibilityRaymond Rose
 
Evaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todayEvaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todaySimeon Bala
 
CUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallCUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallSmart Chicago Collaborative
 
Class 1-become-an-online-sleuth
Class 1-become-an-online-sleuthClass 1-become-an-online-sleuth
Class 1-become-an-online-sleuthWheeler School
 
11.m3 cms objectives
11.m3 cms objectives11.m3 cms objectives
11.m3 cms objectivestarensi
 
Data All the Way Down
Data All the Way DownData All the Way Down
Data All the Way DownJeni Tennison
 

Ähnlich wie Why phishing works (20)

Csun 2013 wcag what about the users-slideshare-2013
Csun 2013   wcag what about the users-slideshare-2013Csun 2013   wcag what about the users-slideshare-2013
Csun 2013 wcag what about the users-slideshare-2013
 
RA21: An Update on RA21
RA21: An Update on RA21RA21: An Update on RA21
RA21: An Update on RA21
 
RA21 Charleston Library Conference Presentation
RA21 Charleston Library Conference Presentation RA21 Charleston Library Conference Presentation
RA21 Charleston Library Conference Presentation
 
Going Remote: User experiences at a distance
Going Remote: User experiences at a distanceGoing Remote: User experiences at a distance
Going Remote: User experiences at a distance
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote Research
 
Juliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote ResearchJuliette Melton at BayCHI: Real World Remote Research
Juliette Melton at BayCHI: Real World Remote Research
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slides
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)
 
UX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused ApproachUX for Higher-Ed: Web Renewal with a User-Focused Approach
UX for Higher-Ed: Web Renewal with a User-Focused Approach
 
Softcademy School Management Apps
Softcademy School Management Apps Softcademy School Management Apps
Softcademy School Management Apps
 
The importance of UX for Developers
The importance of UX for DevelopersThe importance of UX for Developers
The importance of UX for Developers
 
From User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards BehatFrom User Personas to Testing: A Project Manager's Journey Towards Behat
From User Personas to Testing: A Project Manager's Journey Towards Behat
 
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital AccessibilityTCEA Virtual Learning SIG  Lunch and Learn: Understanding Digital Accessibility
TCEA Virtual Learning SIG Lunch and Learn: Understanding Digital Accessibility
 
Evaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media todayEvaluating the use of search engines and social Media today
Evaluating the use of search engines and social Media today
 
CUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective CallCUTGroup Detroit Slides for CUTGroup Collective Call
CUTGroup Detroit Slides for CUTGroup Collective Call
 
Class 1-become-an-online-sleuth
Class 1-become-an-online-sleuthClass 1-become-an-online-sleuth
Class 1-become-an-online-sleuth
 
11.m3 cms objectives
11.m3 cms objectives11.m3 cms objectives
11.m3 cms objectives
 
Data All the Way Down
Data All the Way DownData All the Way Down
Data All the Way Down
 

Kürzlich hochgeladen

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Kürzlich hochgeladen (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Why phishing works

  • 1. Why phishing works By Rachna Dhamija , J. D. Tygar & Marti Hearst Ayaz Shahid (aysh1000@student.miun.se)
  • 2. Overview • Introduction • Why phishing works • Study to support hypothesis • Results of study • Conclusion
  • 3. Introduction • Directing users to fraudulent websites • The host website acts as the trustworthy or real website • Steals user’s credentials like credit card information , username/passwords and other personal information • Phishing is an opportunistic attack rather than a targeted attack
  • 4. Why Phishing works 1. Lack of knowledge 2. Visual Deception 3. Bounded Attention
  • 5. 1. Lack of knowledge • Computer system knowledge  Most of the phishers exploit the user’s lack of knowledge of computer, applications, emails, internet etc  Such users does not know about how things work and what are the differences for example: www.ebay-members-security.com & www.ebay.com
  • 6. Lack of knowledge(cont.) • Knowledge of security & security indicators  Most of the users does not know about the security indicators indicated by the browsers when it detects a phishing website. Example: Padlock Icon
  • 7. 2. Visual Deception • Visual Deceptive Text • Images masking underlying text • Images mimicking windows • Window Masking • Deceptive Look & Feel
  • 8. Visual Deception Text • Users are fooled using the syntax of the domain name • Phishers substitutes the letters in the domain name that may go un-noticed • Example: www.paypa1.com instead of www.paypal.com Substituted digit ‘1’ instead of letter ‘l’
  • 9. Images Masking Underlying Text • Phishers use a legitimate image as hyperlink which actually links to the fraudulent website Images mimicking windows • Phishers use an image in the content of the webpage that looks same as a window or a dialog box
  • 10. Windows Masking Underlying Windows • Placing an illegitimate browser window over or beside a legitimate browser window users can be tricked very easily as both windows look exactly same Deceptive look & feel • Phishers copy the logos, images and other information of the target website having same look and feel and the user could consider it as original website
  • 11. 3. Bounded Attention • Lack of Attention to Security Indicators  User focuses on the main task and forgets the security indicators  They might not pay attention to the warning messages • Lack of Attention to the absence of security indicators  Users do not notice the absence of an indicator  Some times a spoofed indicator image might be inserted by the phishers to fool the users
  • 12. Study to Access the Accuracy of Hypothesis • Conducted a usability study • Participants were asked to identify legitimate and phishing websites • Selected participants were better and good in knowledge • Around 200 phishing websites were selected
  • 13. Study Design • A web site was created containing random list of hyperlinks to different websites • Each participant was presented 20 websites • 7 websites were legitimate • 9 phishing websites • 3 special websites(created using additional phishing techniques) • 1 special website (requesting users to accept a self-signed SSL certificate) • All phishing websites were hosted on an Apache web server
  • 14. Scenario and Procedure • Participants were told that some of the websites are legitimate and some are not • The participants could also interact with the websites • Each participant was told to rate the website on a scale of 1 to 5 and reasoning of their answer • Participants were asked about the knowledge of SSL certified websites and the experience on the phishing websites
  • 15. Demographics of Participants • A total of 22 participants from a university having sound knowledge of computers, email and web were recruited Gender 13 12 12 11 10 10 9 Male Female
[Charts: participants by role (students / university staff) and by degree (Bachelor's, Master's, J.D., Ph.D.)]
[Charts: web browser used (Internet Explorer, Mozilla Firefox, Mozilla of unknown version, Apple Safari) and operating system (Windows XP, Mac OS, Windows 2000, Windows of unknown version)]
• Participants were aged between 18 and 56
• Computer usage ranged from 10 to 135 hours per week
• 18 participants used online banking
• 20 participants shopped online regularly
Results
Participants' Score and Behavior
   The number of correctly identified websites forms a participant's score
   Scores ranged from 6 to 18 correctly identified websites
Gender
   There was no statistically significant difference between the scores of male and female participants
   The mean score was 13 for men and 10.5 for women
Age
   There is no correlation between score and the age of participants
Education Level
   There is no relation between score and the educational level of participants
Usage of Computer
   There is no significant correlation between score and the amount of computer usage per week
   One participant who uses a computer 14 hours a week judged 18 of 19 sites correctly, while another who uses one 90 hours a week judged only 7 correctly
Previous Use of Browser, OS and Web
   There is no significant relation between score and the participant's previous use of the browser and OS
   Even previous use of the same website did not help participants tell the legitimate site from its phishing copy
Strategies for Determining Website Legitimacy
• Participants were categorized by the type of factors they used to make their decision:
   Type 1: Security indicators in the website content
   Type 2: Content and domain name
   Type 3: Content and address plus HTTPS
   Type 4: Padlock icon plus Types 1, 2 & 3
   Type 5: Certificates plus Types 1, 2, 3 & 4
Type 1: Security Indicators in Website Content
• Participants looked only at the content: images, logos, layout, graphic design and the accuracy of the information
• Because participants in this category never looked at the site's URL, they scored the lowest
• 5 participants (23%) used this strategy; their scores were 6, 7, 7, 9 and 9
Type 2: Content & Domain Name
• 8 participants (36%) checked the address bar along with the content of the website
• People in this category knew the difference between a domain name and an IP address
Type 3: Content, Address plus HTTPS
• Only 2 participants (9%) used this strategy to tell phishing websites from legitimate ones
• These participants relied on the presence of "https" in the address bar
• They did not notice the padlock icon
Type 4: Padlock Icon plus Types 1, 2 & 3
• 5 participants (23%) fall into this category
• They checked everything the previous types did and also looked for the browser's own padlock icon
• But some participants gave preference to a padlock icon appearing within the content of the web page, which is just an image under the page author's control and proves nothing
Type 5: Certificates plus Types 1, 2, 3 & 4
• Only 2 participants (9%) checked the certificates presented by their browser in addition to the strategies discussed previously
Website Difficulty
• Participants were asked to rate their confidence in each judgment on a scale of 1 to 5
• The phishing site shown on the previous slide, a spoof of Bank of the West, used two "v"s in place of the "w" in its domain name
• 20 participants judged this site to be the legitimate Bank of the West website; the reasons they gave (a participant could give more than one):
   17 were misled by the content of the page
   2 were fooled by the animated bear video
   8 relied on the links to other websites
   6 were reassured by the VeriSign seal
• 2 participants correctly judged this website as a spoof
• Only 1 participant identified it as phishing because of the two "v"s
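The two-"v" domain is the kind of lookalike that Type 1 participants never saw, because they did not read the URL, and that most Type 2 participants missed, because it passes a casual glance. The following Python is an added example, not code from the slides or the paper, of how a mail gateway or browser extension could apply the check those participants skipped mechanically: fold visually confusable characters to a skeleton, then compare the registrable domain of the URL actually being visited against a protected-brand list. It goes a little beyond the slide's single case by also flagging a brand name buried inside a longer or deeper hostname and a literal IP address in place of a domain name. The brand list, the confusable tables and the sample URLs are constructed for illustration, and the two-label rule for registrable domains is a simplification (real code would use the Public Suffix List).

```python
"""Lookalike-domain triage for the spoofing tricks described in the study.

Added example: not code from the slides or the paper. PROTECTED_DOMAINS,
the confusable tables and the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of brand domains a gateway wants to protect.
PROTECTED_DOMAINS = {"paypal.com", "ebay.com", "bankofthewest.com"}

# Multi-character confusables are folded first, so that "vv" becomes "w"
# before the single-character table sees either "v".
MULTI_CONFUSABLES = [("vv", "w"), ("rn", "m")]
# Digits that pass for letters at a glance ("paypa1", "bank0f...").
SINGLE_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def hostname(url: str) -> str:
    """Lower-cased host part of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (example.com).

    Assumption for brevity: every registrable domain has exactly two
    labels. Real code must use the Public Suffix List (co.uk, com.au, ...).
    """
    return ".".join(host.split(".")[-2:])


def skeleton(label: str) -> str:
    """Fold visually confusable sequences so that lookalikes collide with the brand."""
    for seq, repl in MULTI_CONFUSABLES:
        label = label.replace(seq, repl)
    return label.translate(SINGLE_CONFUSABLES)


def classify(url: str) -> str:
    """Return a triage verdict for the URL the user is actually visiting.

    Verdicts: "legitimate" (registrable domain is on the allowlist),
    "ip-address" (host is a literal IP), "lookalike of <brand>" (skeleton of
    the registrable domain equals a brand's skeleton), "brand-embedding of
    <brand>" (brand name buried somewhere in the hostname) or "unrelated".
    """
    host = hostname(url)
    try:
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass

    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legitimate"

    brand_skeletons = {skeleton(d.split(".")[0]): d for d in sorted(PROTECTED_DOMAINS)}
    name_skeleton = skeleton(domain.rpartition(".")[0])
    if name_skeleton in brand_skeletons:
        return f"lookalike of {brand_skeletons[name_skeleton]}"

    # Heuristic: the brand spelled out inside a longer or deeper name
    # (ebay-members-security.com, paypal.com.secure-login.net). This is a
    # triage signal, not proof; unrelated names can contain a brand string.
    host_skeleton = skeleton(host.replace("-", ""))
    for brand_skeleton, brand in brand_skeletons.items():
        if brand_skeleton in host_skeleton:
            return f"brand-embedding of {brand}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, including the two tricks named in the slides.
    for sample in [
        "https://www.paypal.com/signin",
        "http://www.paypa1.com/signin",
        "http://www.bankofthevvest.com/",
        "http://www.ebay-members-security.com/",
        "http://paypal.com.secure-login.net/",
        "http://192.168.0.1/paypal/",
        "https://www.example.org/",
    ]:
        print(f"{sample:45} {classify(sample)}")
```

The check deliberately runs on the registrable domain rather than on anything the page displays: the page content, an in-page padlock graphic and a link to the real bank are all under the phisher's control, while the host the browser connected to is not. The "brand-embedding" verdict is a triage signal for a human or a secondary check, since an innocent name can happen to contain a brand string.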
Participants' Knowledge of Phishing & Security
Knowledge & Experience of Phishing
   7 participants had never heard the term phishing
   9 participants were confused about the legitimacy of the websites
   5 participants had experienced phishing or web fraud
Knowledge of Padlock Icon & HTTPS
   4 participants had no idea what the padlock icon meant
   5 participants said it signified some sort of security but were not sure what
   10 described it as a way of securing data sent from the user to the server
   13 participants said they never pay attention to the "https" in the address bar
Knowledge & Use of Certificates
   15 participants clicked OK without reading the message when the browser presented the self-signed certificate
   18 participants stated that they did not know what a certificate was
   3 participants selected the wrong option in the certificate dialog
   Only one participant interpreted the website certificate correctly; he was a system administrator
   19 participants stated that they had never checked a certificate
Conclusion
• The study reveals that even knowledgeable, well-informed users can be fooled by a good phishing site
• Security indicators and warning messages shown by the browser are not understood by users and go unnoticed
• The indicators of trust provided by the browser can be spoofed by phishers very easily
• The study therefore suggests that a different approach is needed to counter phishing