论文信息 - Does domain highlighting help people identify phishing sites?

Does domain highlighting help people identify phishing sites?

Phishers are fraudsters that mimic legitimate websites to steal user's credenfitial information and exploit that information for identity theft and other criminal activities. Various anti-phishing techniques attempt to mitigate such attacks. Domain highlighting is one such approach recently incorporated by several popular web browsers. The idea is simple: the domain name of an address is highlighted in the address bar, so that users can inspect it to determine a web site's legitimacy. Our research asks a basic question: how well does domain highlighting work? To answer this, we showed 22 participants 16 web pages typical of those targeted for phishing attacks, where participants had to determine the page's legitimacy. In the first round, they judged the page's legitimacy by whatever means they chose. In the second round, they were directed specifically to look at the address bar. We found that participants fell into 3 types in terms of how they determined the legitimacy of a web page; while domain highlighting was somewhat effective for one user type, it was much less effective for others. We conclude that domain highlighting, while providing some benefit, cannot be relied upon as the sole method to prevent phishing attacks.

[1] Lorrie Faith Cranor,et al. You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[2] Markus Jakobsson,et al. Social phishing , 2007, CACM.

[3] Markus Jakobsson,et al. What Instills Trust? A Qualitative Study of Phishing , 2007, Financial Cryptography.

[4] Kori Inkpen Quinn,et al. Gathering evidence: use of visual security cues in web browsers , 2005, Graphics Interface.

[5] Markus Jakobsson,et al. Why and How to Perform Fraud Experiments , 2008, IEEE Security & Privacy.

[6] Evgeniy Gabrilovich,et al. The homograph attack , 2002, CACM.

[7] B. J. Fogg,et al. What makes Web sites credible?: a report on a large quantitative study , 2001, CHI.

[8] J. Gosby. MEDIA REVIEWS: Basics of Qualitative Research - Techniques and Procedures for Developing Grounded Theory 2nd Edition by A. Strauss and J. Corbin. Sage Publications, , 2000 .

[9] Marti A. Hearst,et al. Why phishing works , 2006, CHI.

[10] J. Doug Tygar,et al. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[11] Stuart E. Schechter,et al. The Emperor's New Security Indicators , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[12] Lorrie Faith Cranor,et al. Teaching Johnny not to fall for phish , 2010, TOIT.

[13] A. Strauss,et al. Basics of Qualitative Research , 1992 .

[14] Min Wu,et al. Do security toolbars actually prevent phishing attacks? , 2006, CHI.