iTrustPage: Pretty Good Phishing Protection
Download
Report
Transcript iTrustPage: Pretty Good Phishing Protection
iTrustPage: Pretty Good Phishing
Protection
Stefan Saroiu, Troy Ronda, and Alec Wolman
University of Toronto and Microsoft Research
Phishing Attacks Cost Real Money!
Hundreds of millions of $$$ cost to U.S. economy
Affects 1+ million Internet users in U.S. alone
Real cost:
Erosion of trust in Web as e-commerce platform
40% of people not banking online do not trust Web!!!
Myriad of Solutions Proposed
Spam filters [CMU ‘06, SpamAssassin, Outlook]
Browser blacklists [IE7, FF 2.0, Opera]
Password managers [Princeton ‘05, Stanford ‘06,
Berkeley ‘06]
Out-of-band authentication [CMU ‘06, Stanford ‘06]
User-created labels, warnings [Stanford ‘06]
Automatic fillers [MIT ‘06]
Centralized approaches [MSR ‘06]
Yet… the Problem is Growing!
Number of phishing sites grew 10X in 18 months
2004 -- mid 2006
Banks claim phishing becoming #1 source of fraud
Phishing e-mails becoming personalized
sophisticated and hard-to-filter
Must look into new anti-phishing approaches!
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Current Approaches’ Shortcomings
Spam filters + blacklists imperfect and too slow
Password managers have usability problems
Based on hard-to-grasp concepts, uncommon tasks
Personalized visual clues
Phishing sites’ average uptime is 4.5 days
Rely on users to be diligent
Automatic password fillers
Easy to fool + they create local password repository
Lessons Learned
Anti-phishing tools must be intuitive + easy-to-use
Users must perform very simple, common tasks
Relying on users to be diligent unlikely to work
Phishing is becoming personalized
Can’t rely on static filters
Anti-phishing tools must re-act quickly to attacks
Cannot wait for updates or new filters
Our Approach: iTrustPage
Prevents users from filling out phishing forms
Does not rely on static filters
Users perform simple, common, and intuitive tasks
Doesn’t rely on users to stay vigilent
Harder-to-fool
Stops users whenever key is pressed on any site whether a
form is present or not
High-Level View of Our Tool
If user fills suspicious form, user asked for input:
1.
Describe search terms for questionable form
i.e., Is the user visiting an well-established site?
2.
If yes, site is unlikely to phish
Visual comparison of questionable Web form with
Web forms arrived at via Google result
i.e., Do these two forms look visually the same?
If yes, site is likely to phish
Live Demonstration – Trusted Page
Navigate to Google and perform a search
Live Demonstration – Untrusted Page
Live Demonstration – Phishing Page
Our Two Key Observations
Rely on user input to help disambiguate between
legit and fake sites
Certain decision making tasks are hard to automate
reliably, yet very easy for people to decide
e.g., deciding when 2 Web sites appear visually similar
Use external Web information repositories
Use Internet sources to help determine legitimacy of
particular Web site or form
e.g., many attacks target well-known, popular Web sites +
search engines can identify such sites
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Automatic Classification
iTrustPage stores locally previously visited forms
Two additional conservative heuristics
No need to re-validate form
Google’s PageRank >= 5
Must be verified by TrustWatch
Heuristics could be exploited by attackers
Fundamental trade-off between usability & security
Validation
Web form is validated if:
1.
2.
Our conservative heuristics validate it (automatically)
Form’s domain in top 10 domains from Google
3.
Repeat step 2 k-times, refining search keywords
4.
Based on user-input keywords
Where k is variable depending on form’s PageRank
Higher PageRank means lower k
When everything else fails, raise flashy warning box
Fundamental corner-case, common to all tools
Implementation
5,200 lines of code for Firefox extension
Tested with Linux, Mac, Windows
Open-source, freely available
900 downloads in one month
Recently released ver. 2.0 with better interface
It still needs lots of work though
Circumventing iTrustPage
Create phishing page on site with high PageRank
1.
2.
Break into popular site
“Google bomb” attack
Compromise user’s Web browser
In this case, all bets are off (spyware!)
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Outline
Motivating the need for new approaches
Lessons learned from current approaches
iTrustPage demo
Design and implementation
Evaluation
Conclusions
Evaluation Strategy
1.
Performance evaluation
2.
Evaluating iTrustPage’s effectiveness
3.
Usability study
Evaluation Strategy
1.
Performance evaluation
2.
Evaluating iTrustPage’s effectiveness
3.
Usability study
Methodology
Would users notice a performance degradation?
iTrustPage prefetches PageRank and TrustWatch
Load pages of randomly chosen 115 US banks
Average PC: P III, 256MB RAM, U of T network
Compare page loading times of unmodified
browser to browser+iTrustPage
Very Little Additional Overhead
Percentage of Web sites
100
80
stock Browser 1st time
over
stock Browser 2nd time
60
(Browser + iTrustPage) over
stock Browser
40
20
0
0
0.5
1
1.5
2
Ratio of Load Times
2.5
Average site has 27ms extra overhead
3
Evaluation Strategy
1.
Performance evaluation
2.
Evaluating iTrustPage’s effectiveness
3.
Usability study
Questions
Are automatic validation heuristics correct?
How often do users need to validate forms?
For hard-to-validate forms, how often do users
need to revise search terms?
Questions
Are automatic validation heuristics correct?
How often do users need to validate forms?
For hard-to-validate forms, how often do users
need to revise search terms?
Methodology
Can’t measure from iTrustPage’s deployment
Use previously collected traces of Websites
We do not record number of forms visited by users
Research log: 14 research lab users over 3.5 months
IRCache log: 8,714 users over 6.5 months
Assume all pages have forms
40% Sites are Automatically Validated
100%
80%
59.53%
Must Use
iTrustPage
62.76%
60%
40%
20%
40.47%
iTrustPage
Remains
Transparent
37.24%
0%
Research Sites
IRCache Sites
Users are Disrupted Less over Time
iTrustPage's Cache Hit Rate
60%
40%
20%
0%
1 day
2 days 3 days 4 days 5 days 6 days 1 week 2 wks. 3 wks.
This data is from iTrustPage’s deployment
Evaluation Strategy
1.
Performance evaluation
2.
Evaluating iTrustPage’s effectiveness
3.
Usability study
Methodology
4-step study:
Fill-out preliminary survey to gather background info
Present tutorial on iTrustPage
Ask users to perform six steps, including:
Visit popular legit form
Visit unpopular legit form, could be easily found on Google
Visit phishing site
Visit unpopular legit form, can’t be found on Google
Post-study questionnaire
15 participants
Easy / Safe
More disruptions, less easy to use!
5
Ease of Use
Feel Safe
4
Hard / Unsafe
3
2
1
Common
task
Common
login
Less
common
task
Less
common
login
Phishing
form
Login on
unpopular
form
Agree
Security vs. Usability
5
4
3
Disagree
2
1
Overall ease-of- Overall sense of
use
security
Phishing
protection is
important
Anti-phishing
tools important
even when not
easy to use
Give up online
banking if
phishing
becomes
prevalent
Agree
Security vs. Usability
5
4
3
Disagree
2
1
Overall ease-of- Overall sense of
use
security
Phishing
protection is
important
Anti-phishing
tools important
even when not
easy to use
Give up online
banking if
phishing
becomes
prevalent
Conclusions
New anti-phishing tool based on two insights
User input can be used to distinguish legit from fake
sites, as long as interaction is simple and intuitive
Internet information repositories can be used to assist
user with their decision
Our evaluation has shown:
Negligible performance overhead
Automatic classification heuristics correct and useful
Tool becomes less disruptive over time
User like tool when few disruptions only
Works Surprisingly Well
Download iTrustPage (Firefox Extension)
www.cs.toronto.edu/~ronda/itrustpage/