BogusBiter: A transparent protection against phishing attacks

Abstract
Many anti-phishing mechanisms currently focus on helping users verify whether a Web site is genuine. However, usability studies have demonstrated that prevention-based approaches alone fail to effectively suppress phishing attacks and protect Internet users from revealing their credentials to phishing sites. In this paper, instead of preventing human users from “biting the bait,” we propose a new approach to protect against phishing attacks with “bogus bites.” We develop BogusBiter, a unique client-side anti-phishing tool, which transparently feeds a relatively large number of bogus credentials into a suspected phishing site. BogusBiter conceals a victim's real credential among bogus credentials, and moreover, it enables a legitimate Web site to identify stolen credentials in a timely manner. Leveraging the power of client-side automatic phishing detection techniques, BogusBiter is complementary to existing preventive anti-phishing approaches. We implemented BogusBiter as an extension to the Firefox 2 Web browser, and evaluated its efficacy through real experiments on both phishing and legitimate Web sites. Our experimental results indicate that it is promising to use BogusBiter to transparently protect against phishing attacks.
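The two properties the abstract claims, concealing the real credential among decoys and letting the legitimate site recognise a replayed decoy, can be shown end to end in a small simulation. The code below is an added illustration, not BogusBiter's own implementation: it assumes a simplified scheme in which the client-side tool and the legitimate site share a per-site secret and derive decoy passwords for a username deterministically from it, so that the site can recompute the decoy list when a login arrives. The constants, the decoy count, and the plaintext password store are all constructed for the demo.

```python
import hmac
import hashlib
import random

# Constructed demo values. The shared per-site secret is an assumption of
# this example, not a design element stated in the BogusBiter abstract.
SITE_SECRET = b"demo-shared-secret-not-from-paper"
N_DECOYS = 9  # decoys submitted alongside the single real credential


def decoy_passwords(username, n=N_DECOYS, secret=SITE_SECRET):
    """Deterministic decoy passwords for a username.

    Both the client-side tool and the legitimate site can recompute this
    list, so the site recognises a decoy if it is ever replayed to it.
    """
    decoys = []
    for i in range(n):
        tag = hmac.new(secret, f"{username}:{i}".encode(), hashlib.sha256).hexdigest()
        decoys.append(tag[:12])
    return decoys


def bogus_bite(username, real_password, rng=random):
    """Client side: the credential set handed to a suspected phishing site.

    The real credential is inserted at a random position among the decoys,
    so the recipient sees N_DECOYS + 1 equally plausible (username, password)
    pairs and cannot tell which one the victim actually typed.
    """
    creds = [(username, p) for p in decoy_passwords(username)]
    creds.insert(rng.randrange(len(creds) + 1), (username, real_password))
    return creds


class LegitimateSite:
    """Server side: verifies logins and flags accounts whose decoys come back."""

    def __init__(self, users):
        # username -> real password, kept in plaintext only for the demo;
        # a real site stores salted password hashes.
        self.users = dict(users)
        self.compromised = set()  # accounts whose credential set was phished

    def login(self, username, password):
        if username not in self.users:
            return "invalid"
        if password in decoy_passwords(username):
            # The legitimate user never typed a decoy, so a decoy arriving here
            # means the user's credential set was handed to a phishing site.
            # Record it for follow-up (forced reset, step-up auth) and answer
            # exactly like an ordinary failed login so nothing is revealed.
            self.compromised.add(username)
            return "invalid"
        if password == self.users[username]:
            # Once the account is known to be phished, even the real password
            # is not enough: require a reset before granting access.
            return "locked" if username in self.compromised else "ok"
        return "invalid"
```

Run `bogus_bite("alice", "correct horse")` to see the ten pairs a suspected phishing site would receive; feeding any of the nine decoys to `LegitimateSite.login` marks the account as compromised, after which the real password returns `"locked"` instead of `"ok"`. The site's response to a decoy is deliberately indistinguishable from a plain wrong password, which is what keeps the detection timely without tipping off whoever replays it.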