
BogusBiter: A transparent protection against phishing attacks

Published: 10 June 2010

Abstract

Many anti-phishing mechanisms currently focus on helping users verify whether a Web site is genuine. However, usability studies have demonstrated that prevention-based approaches alone fail to effectively suppress phishing attacks and protect Internet users from revealing their credentials to phishing sites. In this paper, instead of preventing human users from “biting the bait,” we propose a new approach to protect against phishing attacks with “bogus bites.” We develop BogusBiter, a unique client-side anti-phishing tool, which transparently feeds a relatively large number of bogus credentials into a suspected phishing site. BogusBiter conceals a victim's real credential among bogus credentials, and moreover, it enables a legitimate Web site to identify stolen credentials in a timely manner. Leveraging the power of client-side automatic phishing detection techniques, BogusBiter is complementary to existing preventive anti-phishing approaches. We implemented BogusBiter as an extension to the Firefox 2 Web browser, and evaluated its efficacy through real experiments on both phishing and legitimate Web sites. Our experimental results indicate that it is promising to use BogusBiter to transparently protect against phishing attacks.
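An added illustration of the two sides of the idea, written for this page and not taken from the paper or its Firefox extension: the client pads the victim's real credential with k random bogus passwords and submits them in shuffled order, and the legitimate site flags an account when a burst of failed logins (the bogus entries being replayed) precedes a success. Both the bogus-password construction and the burst rule are assumptions for illustration, not the paper's actual scheme; the login log is constructed.

```python
import random
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits


def make_submissions(username, password, k, rng=random):
    """Client side (assumed construction): return the real credential hidden
    among k bogus ones, in random order, so a phishing site that records the
    submissions cannot tell which entry is genuine."""
    bogus = []
    for _ in range(k):
        # Same username and same length as the real password, so every
        # entry looks equally plausible to whoever reads the captured list.
        fake = "".join(secrets.choice(ALPHABET) for _ in password)
        bogus.append((username, fake))
    submissions = bogus + [(username, password)]
    rng.shuffle(submissions)
    return submissions


def flag_phished_accounts(events, max_failures=3, window=300):
    """Site side (assumed rule): an account with more than max_failures failed
    logins inside `window` seconds is flagged as probably phished, since a
    phisher replaying a padded capture has to burn through the bogus entries.
    events: iterable of (unix_ts, username, login_succeeded). Returns
    {username: timestamp_of_flag}, keyed by the first time the rule fired."""
    history = defaultdict(list)  # username -> [(ts, ok)]
    flagged = {}
    for ts, user, ok in events:
        history[user].append((ts, ok))
        recent_failures = [t for t, s in history[user] if not s and ts - t <= window]
        if len(recent_failures) > max_failures and user not in flagged:
            flagged[user] = ts
    return flagged


SAMPLE_LOG = [  # constructed login log: (unix_ts, username, login_succeeded)
    (1000, "bob", False),    # bob mistypes once...
    (1010, "bob", True),     # ...then logs in; no alert for a single slip
    (2000, "alice", False),  # someone works through alice's padded capture
    (2020, "alice", False),
    (2040, "alice", False),
    (2060, "alice", False),  # fourth failure inside the window -> flag
    (2080, "alice", True),   # the real credential is reached only afterwards
]
```

The flag for "alice" fires at t=2060, before the replay reaches the genuine password at t=2080, which is the "timely" identification the abstract describes.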

Published in

ACM Transactions on Internet Technology, Volume 10, Issue 2, May 2010, 123 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/1754393
Copyright © 2010 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 10 June 2010
• Accepted: 1 November 2009
• Revised: 1 October 2009
• Received: 1 January 2009

Qualifiers

• research-article
• Research
• Refereed