Phishing attacks are pretty cleverly designed, because they skip most virus checkpoints altogether and go for the true weak spot in human-computer interaction, the human. Lorrie Faith Cranor, a computer security researcher at Carnegie Mellon University, has been studying phishing attacks to identify new ways to fight them.
Some of the things her research team has learned:
- Users who are simply taught about phishing attacks don’t retain the info and keep falling for them, but users who are tricked into falling for a phishing attack first and then taught show far greater retention—it’s a “teachable moment” in the researchers’ terminology. (Idea: when phishers are caught, their punishment is to have them continue to phish but on behalf of government entities in order to create these “teachable moments.”)
- Even when web browsers warned users they were on a phishing site, many ignored the warnings. People who used IE 7 were more likely to ignore warnings than people who used Firefox 2. You might assume this is because Firefox users are generally savvier computer users, but Cranor says the difference can be attributed to the clearer interface design of Firefox, where severe warnings stand out more dramatically than day-to-day warnings, so that users have a better chance of noticing them. (She says IE 8 has taken notice of this and improved its warning presentation.)
- Antiphishing programs that rely on a combination of blacklists and heuristics are dramatically better at catching phishing sites immediately than those that rely on blacklists alone, which is crucial because many phishing sites are extremely short-lived:
We discovered that most of the blacklist programs caught fewer than 20 percent of the phishing sites when we tested them within minutes of receiving the URLs. After five hours, most could detect about 60 percent of the active phishing sites. The programs that used a combination of blacklists and heuristics fared much better, with one detecting almost 90 percent of phishing attacks from the beginning of our test.
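To make the blacklist-versus-heuristics difference concrete, here is an added example that is not from the article or from Cranor’s group: a small URL checker in Python that combines a tiny constructed blacklist with a few classic URL heuristics, then scores a blacklist-only detector and a combined detector against a handful of constructed sample URLs. The blacklist, the sample URLs, the keyword list and the score threshold are all assumptions chosen for illustration, not real feeds or real rules.

```python
"""Toy phishing-URL detector: blacklist only vs. blacklist + heuristics.

Constructed example for illustration. The blacklist, keywords, weights,
threshold and sample URLs are all assumptions, not a real product's rules.
"""
from urllib.parse import urlparse
import ipaddress

# Constructed "reported so far" list: a blacklist only knows URLs that
# someone has already submitted, so brand-new sites are never on it.
BLACKLIST = {"http://secure-login-update.example/verify"}

# Words that phishing pages like to put in hostnames and paths (assumption).
KEYWORDS = ("paypal", "bank", "login", "verify", "account", "secure", "update")

THRESHOLD = 3  # heuristic score at or above this is called phishing (assumption)


def host_is_ip(host: str) -> bool:
    """True if the hostname is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_score(url: str) -> tuple[int, list[str]]:
    """Score a URL on content-based cues that need no prior report of it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    score, reasons = 0, []
    if host_is_ip(host):
        score += 3
        reasons.append("bare IP address instead of a domain name")
    if "@" in parsed.netloc:
        score += 3
        reasons.append("'@' in authority: text before it is not the real host")
    if host.count(".") >= 4:
        score += 1
        reasons.append("five or more hostname labels")
    if len(url) > 75:
        score += 1
        reasons.append("unusually long URL")
    if "-" in host and any(k in host for k in KEYWORDS):
        score += 2
        reasons.append("hyphenated hostname built from brand/security words")
    if any(k in parsed.path.lower() for k in KEYWORDS):
        score += 1
        reasons.append("brand/security word in the path")
    return score, reasons


def detect(url: str, blacklist: set[str], use_heuristics: bool) -> bool:
    """Blacklist hit always counts; heuristics are consulted only if enabled."""
    if url in blacklist:
        return True
    return use_heuristics and heuristic_score(url)[0] >= THRESHOLD


# Constructed samples: (url, is_phishing). Only the first is on the blacklist.
SAMPLES = [
    ("http://secure-login-update.example/verify", True),
    ("http://203.0.113.5/paypal/account/verify", True),
    ("http://paypal.example@evil.example/login", True),
    ("http://login.paypal.account-verify.secure.example.net/session"
     "?id=1234567890abcdef1234567890abcdef", True),
    ("http://bank-secure-update.example/", True),   # fresh, and too plain for rules
    ("https://www.example.com/", False),
    ("https://docs.example.org/guides/account-setup", False),
]


def detection_rate(samples, blacklist, use_heuristics):
    """Return (phishing caught, phishing total, benign wrongly flagged)."""
    caught = total = false_pos = 0
    for url, is_phish in samples:
        flagged = detect(url, blacklist, use_heuristics)
        if is_phish:
            total += 1
            caught += flagged
        else:
            false_pos += flagged
    return caught, total, false_pos


if __name__ == "__main__":
    for mode in (False, True):
        c, t, fp = detection_rate(SAMPLES, BLACKLIST, mode)
        label = "blacklist + heuristics" if mode else "blacklist only"
        print(f"{label:22s}: caught {c}/{t} phishing, {fp} false positives")
    for url, _ in SAMPLES:
        s, why = heuristic_score(url)
        print(f"{s:2d} {url}\n     {'; '.join(why) or 'no cues'}")
```

Run as a script and the blacklist-only detector catches 1 of 5 constructed phishing URLs (the one already reported) while the combined detector catches 4 of 5 with no false positives on the two benign URLs, which is the shape of the result in the quote above: a list of known-bad URLs is only as good as its reporting lag, whereas cues in the URL itself are available the moment a page appears. The fifth URL is deliberately left undetected to show that heuristics are not a complete answer either; real products tune many more signals than this toy does.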
So now you know what to look for in an anti-phishing program, but wait, there’s more! If you’re bored this weekend and want to play a barely-entertaining game that will teach you more about phishing, check out Anti-Phishing Phil by grad student Steve Sheng. You’ll have to catch worms with “good” URLs and avoid phishing worms. We found it informative, but maybe a little less exciting than, say, Halo 3. Hmm, maybe save the link for Monday morning when you’re back at work and bored.
“How to Foil ‘Phishing’ Scams” [Scientific American]