Abstract
In this usability study of phishing attacks and browser anti-phishing defenses, 27 users each classified 12 web sites as fraudulent or legitimate. By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates, which appear only at legitimate sites, and the effect of reading a help file about the security features of Internet Explorer 7. Across all groups, we found that picture-in-picture attacks, which display a fake browser window, were as effective as the most effective of the other phishing techniques tested, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Jackson, C., Simon, D.R., Tan, D.S., Barth, A. (2007). An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77366-5_27
DOI: https://doi.org/10.1007/978-3-540-77366-5_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77365-8
Online ISBN: 978-3-540-77366-5
eBook Packages: Computer Science, Computer Science (R0)