Malicious interface design: exploiting the user

In an ideal world, interface design is the art and science of helping users accomplish tasks in a timely, efficient, and pleasurable manner. This paper studies the inverse situation, the vast emergence of deliberately constructed malicious interfaces that violate design best practices in order to accomplish goals counter to those of the user. This has become a commonplace occurrence both on and off the desktop, particularly on the web. A primary objective of this paper is to formally define this problem, including construction of a taxonomy of malicious interface techniques and a preliminary analysis of their impact on users. Findings are presented that gauge the self-reported tolerance and expectation levels of users with regard to malicious interfaces as well as the effectiveness and ease of use of existing countermeasures. A second objective of this paper is to increase awareness, dialogue, and research in a domain that we consider largely unexplored but critical to future usability of the WWW. Our results were accomplished through significant compilation of malicious interface techniques based on review of thousands of web sites and by conducting three surveys. Ultimately, this paper concludes that malicious interfaces are a ubiquitous problem that demands intervention by the security and human-computer interaction communities in order to reduce the negative impact on the global user population.
