BogusBiter: A transparent protection against phishing attacks

ACM Transactions on Internet Technology

Volumn 10, Issue 2, 2010, Pages

  Yue, Chuan ^a   Wang, Haining ^a  

^a Dept of Economics and Thomas Jefferson Program in Public Policy at the College of William and Mary   (United States)

Author keywords

Credential theft; Phishing; Security; Usability; Web spoofing

Indexed keywords

ANTI-PHISHING; DETECTION TECHNIQUE; FIREFOX; HUMAN USERS; INTERNET USERS; NEW APPROACHES; PHISHING; PHISHING ATTACKS; TRANSPARENT PROTECTION; USABILITY STUDIES; WEB SPOOFING;

WEB BROWSERS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77953587426     PISSN: 15335399     EISSN: 15576051     Source Type: Journal    
DOI: 10.1145/1754393.1754395     Document Type: Article

References (66)

1. ADIDA, B. 2007. BeamAuth: Two-factor Web authentication with a bookmark. In Proceedings of the Conference on Computer and Communication Security (CCS). 48-57.
2. AHN, L., BLUM, M., HOPPER, N., AND LANGFORD, J. 2003. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt. 294-311.
3. APWG. 2008. Anti-Phishing Working Group (APWG). http://www.antiphishing. org/.
4. APWG-PSTC. 2008. APWG: Phishing Scams by Targeted Company. http://www.millersmiles.co.uk/scams.php.
5. POETTERING, B. 2008. jssha256. http://point-at-infinity.org/jssha256/.
6. BIRK, D., DORNSEIF, M., GAJEK, S., AND GRÖBERT, F. 2006. Phishing phishers - tracing identity thieves and money launderer. Tech. rep. Horst-Görtz Institute of Ruhr-University of Bochum.
7. BORTZ, A., BONEH, D., AND NANDY, P. 2007. Exposing private information by timing Web applications. In Proceedings of the International World Wide web Conference (WWW). 621-628.
8. CHIASSON, S., VAN OORSCHOT, P. C., AND BIDDLE, R. 2006. A usability study and critique of two password managers. In Proceedings of the USENIX Security Symposium. 1-16.
9. CHOU, N., LEDESMA, R., TERAGUCHI, Y., AND MITCHELL, J. C. 2004. Client-side defense against web-based identity theft. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
10. DHAMIJA, R. AND TYGAR, J. D. 2005. The battle against phishing: Dynamic security skins. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 77-88.
11. DHAMIJA, R., TYGAR, J. D., AND HEARST, M. 2006. Why phishing works. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 581-590.
12. DOWNS, J. S., HOLBROOK, M. B., AND CRANOR, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 79-90.
13. EBANKINGSECURITY. 2008. eBanking Security. http://www.ebankingsecurity. com/ebanking-bad-for-your-bank-balance.pdf.
14. EGELMAN, S., CRANOR, L. F., AND HONG, J. 2008. You've been warned: An empirical study of the effectiveness of web browser phishing warnings. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 1065-1074.
15. FELTEN, E. W., BALFANZ, D., DEAN, D., AND WALLACH, D. S. 1997. Web Spoofing: An Internet Con Game. In Proceedings of the 20th National Information Systems Security Conference.
16. FETTE, I., SADEH, N., AND TOMASIC, A. 2007. Learning to detect phishing emails. In Proceedings of the International World Wide Web Conference (WWW). 649-656.
17. FIELDING, R., GETTYS, J., MOGUL, J., FRYSTYK, H., MASINTER, L., LEACH, P., AND BERNERS-LEE, T. 1999. RFC 2616, Hypertext Transfer Protocol - HTTP/1.1.
18. FIREFOXPHISHINGPROTECTION. 2008. Firefox Phishing Protection. http://www.mozilla.com/en-US/firefox/phishing-protection/.
19. FIREFOXPHISHINGTEST. 2006. Firefox 2 Phishing Protection Effectiveness Testing. http://www.mozilla.org/security/phishing-test.html.
20. FLORÊNCIO, D. AND HERLEY, C. 2006. Password rescue: A new approach to phishing prevention. In Proceedings of the USENIX Workshop on Hot Topics in Security (HOTSEC).
21. FLORÊNCIO, D. AND HERLEY, C. 2007. A large-scale study of Web password habits. In Proceedings of the International World Wide Web Conference (WWW). 657-666.
22. FLORÊNCIO, D., HERLEY, C., AND COSKUN, B. 2007. Do strong web passwords accomplish anything? In Proceedings of the USENIX Workshop on Hot Topics in Security (HOTSEC).
23. FSTC-PHISHING. 2005. Understanding and countering the phishing threat. The Financial Services Technology Consortium (FSTC) Project White Paper, http://fstc.org/projects/counter-phishing-phase-1/.
24. GARERA, S., PROVOS, N., CHEW, M., AND RUBIN, A. D. 2007. A framework for detection and measurement of phishing attacks. In Proceedings of the ACM Workshop On Recuring Malcode (WORM).
25. GARTNERSURVEY. 2006. Gartner, inc., http://www.gartner.com/it/page.jsp? id=498245.
26. HALDERMAN, J. A., WATERS, B., AND FELTEN, E.W. 2005. Aconvenient method for securely managing passwords. In Proceedings of the International World Wide Web Conference (WWW). 471-479.
27. IBM-FAIRUCE. 2005. IBM set to use spam to attack spammer. http://money.cnn.com/2005/03/22/technology/ibm-spam/index.htm.
28. INACCESSIBILITYCAPTCHA. 2008. Inaccessibility of CAPTCHA. http://www.w3.org/TR/turingtest/.
29. JAGATIC, T. N., JOHNSON, N. A., JAKOBSSON, M., AND MENCZER, F. 2007. Social phishing. Comm. ACM 50, 10, 94-100.
30. JAKOBSSON, M. AND MYERS, S. 2006. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience.
31. JAKOBSSON, M. AND RATKIEWICZ, J. 2006. Designing ethical phishing experiments: A study of (ROT13) rOnl query features. In Proceedings of the International World Wide Web Conference (WWW). 513-522.
32. JAKOBSSON, M. AND YOUNG, A. 2005. Distributed phishing attacks. In Proceedings of the Workshop on Resilient Financial Information Systems.
33. KANDULA, S., KATABI, D., JACOB, M., AND BERGER, A. W. 2005. Botz-4-Sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of the 2nd Symposium on Networked Systems Design and Implementation (NSDI). 287-300.
34. KIRDA, E. AND KRUEGEL, C. 2005. Protecting users against phishing attacks with AntiPhish. In Proceedings of the Annual International Computer Software and Applications Conference (COMPSAC). 517-524.
35. KLEIN, D. V. 1990. Foiling the cracker - A survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Workshop on Security. 5-14.
36. KUMARAGURU, P., RHEE, Y., ACQUISTI, A., CRANOR, L. F., HONG, J., AND NUNG, E. 2007. Protecting people from phishing: The design and evaluation of an embedded training email system. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 905-914.
37. KYE-PHISHING. 2008. Know Your Enemy: Phishing. http://www.honeynet.org/ papers/phishing/.
38. LUDL, C., MCALLISTER, S., KIRDA, E., AND KRUEGEL, C. 2007. On the effectiveness of techniques to detect phishing sites. In Proceedings of the International Conference on Detection of Instructions and Malware & Vulnerability Assessment (DIMVA).
39. MARKMONITOR. 2008. MarkMonitor: Internet Fraud Prevention and Brand Protection. http://www.markmonitor.com/.
40. MICROSOFTPHISHINGFILTER. 2008. Microsoft Phishing Filter. http://www.microsoft.com/protect/products/yourself/.
41. MONROSE, F., REITER, M. K., AND WETZEL, S. 1999. Password hardening based on keystroke dynamics. In Proceedings of the Conference on Computer and Communication Security (CCS). 73-82.
42. MOORE, T. AND CLAYTON, R. 2007. Examining the impact of website take-down on phishing. In Proceedings of the APWG eCrime Researchers Summit.
43. MORRIS, R. AND THOMPSON, K. 1979. Password security: A case history. Comm. ACM 22, 11, 594-597.
44. MOSHCHUK, A., BRAGIN, T., DEVILLE, D., GRIBBLE, S. D., AND LEVY, H. M. 2007. Spyproxy: Execution-based detection of malicious web content. In Proceedings of the USENIX Security Symposium. 27-42.
45. PARNO, B., KUO, C., AND PERRIG, A. 2006. Phoolproof phishing prevention. In Proceedings of the Financial Cryptography. 1-19.
46. PHISHTANK. 2008. PhishTank. http://www.phishtank.com/.
47. PINKAS, B. AND SANDER, T. 2002. Securing passwords against dictionary attacks. In Proceedings of the Conference on Computer and Communication Security (CCS). 161-170.
48. REIS, C., DUNAGAN, J., WANG, H. J., DUBROVSKY, O., AND ESMEIR, S. 2006. Browsershield: Vulnerability-driven filtering of dynamic html. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). 61-74.
49. ROBICHAUX, P. AND GANGER, D. L. 2006. Gone phishing: Evaluating anti-phishing tools for Windows. http://www.3sharp.com/projects/antiphishing/ gone-phishing.pdf.
50. ROSS, B., JACKSON, C., MIYAKE, N., BONEH, D., AND MITCHELL, J. C. 2005. Stronger password authentication using browser extensions. In Proceedings of the USENIX Security Symposium. 17-32.
51. RSA. 2008. Home - RSA, The Security Division of EMC. http://www.rsa.com/.
52. SCHECHTER, S. E., DHAMIJA, R., OZMENT, A., AND FISCHER, I. 2007. The emperor's new security indicators: An evaluation of Website authentication and the effect of role playing on usability studies. In Proceedings of the IEEE Symposium on Security and Privacy. 51-65.
53. SHENG, S., MAGNIEN, B., KUMARAGURU, P., ACQUISTI, A., CRANOR, L. F., HONG, J., AND NUNGE, E. 2007. Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 88-99.
54. TCPMON. 2008. tcpmon: An open-source utility to Monitor A TCP Connection. https://tcpmon.dev.java.net/.
55. VIRTUALKEYBOARD. 2007. Hacker demos how to defeat Citibanks virtual keyboard. http://blogs.zdnet.com/security/?p=195.
56. WHALEN, T. AND INKPEN, K. M. 2005. Gathering evidence: use of visual security cues in web browsers. In Proceedings of the Conference on Graphics Interface. 137-144.
57. WU, M. 2006. Fighting Phishing at the User Interface. Ph.D. thesis, MIT.
58. WU, M., MILLER, R. C., AND GARFINKEL, S. L. 2006a. Do security toolbars actually prevent phishing attacks? In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 601-610.
59. WU, M., MILLER, R. C., AND LITTLE, G. 2006b. Web Wallet: Preventing phishing attacks by revealing user intentions. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 102-113.
60. WU, T. 1998. The secure remote password protocol. In Proceedings of the Network and Distributed System. Security Symposium (NDSS).
61. XMLHTTPREQUEST. 2008. http://www.w3.org/TR/XMLHttpRequest/.
62. YE, Z. E. AND SMITH, S. 2002. Trusted paths for browsers. In Proceedings of the USENIX Security Symposium. 263-279.
63. YEE, K.-P. AND SITAKER, K. 2006. Passpet: Convenient password management and phishing protection. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 32-43.
64. YUE, C. AND WANG, H. 2008. Anti-phishing in offense and defense. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). 345-354.
65. ZHANG, Y., EGELMAN, S., CRANOR, L. F., AND HONG, J. 2007a. Phinding phish: Evaluating anti-phishing tools. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
66. ZHANG, Y., HONG, J., AND CRANOR, L. 2007b. CANTINA: A content-based approach to detecting phishing web sites. In Proceedings of the International World Wide Web Conference (WWW). 639-648.