Browser Blacklists: The Utopia of Phishing Protection

Mobile devices - especially smartphones - have gained widespread adoption in recent years, due to the plethora of features they offer. The use of such devices for web browsing, accessing email services and social networking is also becoming increasingly popular. The same holds true for other, more sensitive online activities, such as online shopping, contactless payments, and web banking. However, the security mechanisms available on smartphones are not yet mature, and their effectiveness is still questionable. As a result, smartphone users face increased risks when performing sensitive online activities with their devices, compared to desktop/laptop users. In this paper, we present an evaluation of the phishing protection mechanisms that are available with the popular web browsers of the Android and iOS platforms. We then compare the protection they offer against that of their desktop counterparts, revealing and analyzing the significant gap between the two. Finally, we provide a comparison between the Safe Browsing API implementation in Google Chrome and the Safe Browsing Lookup API, revealing significant inconsistencies between the two mechanisms.
