What Is Phishing (Or, How to Fight Phishing at the User-Interface Level)
Pages: 1, 2, 3, 4, 5, 6


When a message is presented to the user, in either an email client or a web browser, the user interface can provide visual cues to help the user decide whether the message is legitimate.

Current web browsers reflect information about the source and integrity of a web page through a set of visual cues. For example, the address bar at the top of the window displays the URL of the retrieved web page. A lock icon, typically found in the status bar, indicates whether the page was retrieved through an encrypted, authenticated connection. These cues are currently the most widely deployed and most user-accessible defenses against phishing, and security advisories about phishing warn users to pay close attention to them at all times. [12], [13], [14]

Unfortunately, these visual cues are vulnerable for several reasons. First, the cues are displayed in the peripheral area of the browser, separately from the page content. Because the content is central and almost always is the user's focus of attention, a peripheral cue must fight to draw the user's attention. Second, these cues can be attacked directly by phishing. As we mentioned earlier, URL hiding and domain name similarity are evidence that the address bar is susceptible to deception. JavaScript and Java applets have also been used to hide or fake other security cues, including the address bar, status bar, authentication dialog boxes, SSL lock icon, and SSL certificate information. [15], [16], [17]


A general problem with the presentation of security cues is that users may disregard them, or attribute their presence to causes other than malicious attack. We observed this effect recently while developing a new authentication mechanism for logging in to web sites through an untrusted, public Internet terminal. Instead of requesting a secret password through the untrusted terminal (where it may be recorded by a key logger), authentication is performed on the user's cell phone using SMS messages and WAP browsing. To defend this approach against spoofing, however, it was necessary to associate a unique session name with the login attempt.

The user's only task was to confirm that the session name displayed in the untrusted web browser was the same as the session name displayed on the cell phone. In a user study of 20 users, however, the error rate for this confirmation was 30%. In other words, out of 20 times that we simulated an attack in which the session name on the phone differed from the session name on the terminal, users erroneously confirmed the session 6 times—giving the attacker access to their account.

Some users erred simply because they had stopped paying attention to the session names. Others made telling comments:

  • "There must be a bug because the session name displayed in the computer does not match the one in the mobile phone."

  • "The network connection must be really slow because the session name has not been displayed yet."

We subsequently changed the user interface design so that instead of simply approving the session name (Yes or No), the user is obliged to choose the session name from a short list of choices. Not surprisingly, the error rate dropped to zero, because the new design forces users to attend to the security cue and prevents them from rationalizing away discrepancies.

eBay's Account Guard (Figure 7) puts a site identity indicator into a dedicated toolbar. [18] Account Guard separates the Internet into three categories, described next.

  • Web sites truly belonging to eBay or PayPal, indicated by a green icon

  • Known spoofs of eBay or PayPal, indicated by a red icon

  • All other sites, indicated by a neutral gray icon

One problem with this approach is its lack of scalability. Of course, phishing attacks are not limited to eBay and PayPal. As of October 2004, the Anti-Phishing Working Group has collected attacks targeted at customers of 39 different organizations. It is impossible to cram all the possible toolbars, each representing a single organization, into a single browser. A better approach would be a single toolbar, created and managed by a single authority such as VeriSign or TRUSTe, to which organizations could subscribe if they have been, or fear becoming, victims of phishing attacks. VeriSign might do this right away by rolling out a toolbar that automatically certifies all members of its VeriSign Secured Seal program. [19]

figure 7
Figure 7. eBay Account Guard toolbar

SpoofStick (Figure 8) is a browser extension that helps users parse the URL and detect URL spoofing by displaying only the most relevant domain information on a dedicated toolbar. For example, when the current URL is, SpoofStick displays "You're on". When the current URL is, SpoofStick displays "You're on". Because it uses a large, colorful font, this toolbar is presumably easier for users to notice. But SpoofStick cannot solve the similar-domain-name problem: is a domain owned by eBay, or is a legitimate domain for PayPal? If the user's answer to either of these questions is yes, then the user will be tricked even with SpoofStick installed. Moreover, it is unknown whether seeing an IP address instead of a domain name raises sufficient suspicion in users' minds, because some legitimate sites also use bare IP addresses (e.g., Google caches).

figure 8
Figure 8. SpoofStick toolbar

In order to address the problem of faked cues, Ye and Smith have proposed synchronized random dynamic boundaries. [20] With this approach, all legitimate browser windows change their border colors together at random intervals. Because a spoofed window generated by a remote site has no access to the random value generated on the local machine, its border does not change synchronously with the legitimate window borders. This approach was considered for inclusion in the Mozilla web browser, but was dropped out of concern that users wouldn't understand it (see Chapter 28).

A related approach, proposed by Tygar and Whitten, [21] is personalized display, in which legitimate browser windows are stamped with a personal logo, such as a picture of the user's face. The same principle can be used to distinguish legitimate web pages from phishing attacks. For example, Amazon and Yahoo! greet registered users by name. Anti-phishing advisories suggest that an impersonal email greeting should be treated as a warning sign for a potential spoofed email. [22] PassMark goes even further, by displaying a user-configured image as part of the web site's login page, so that the user can authenticate the web site at the same time that the web site authenticates the user. [23]

Personalization is much harder to spoof, but requires more configuration by the user. Configuration could be avoided if the web site automatically chose a random image for the user, but a system-chosen image may not be memorable. Another question about personalization is whether the lack of personalization in a phishing attack would raise sufficient warning flags in a user's mind. The absence of a positive cue like personalization may not trigger caution in the same way that the presence of a negative cue, like a red light in a toolbar, does.


Phishing depends on a user not only being deceived but also acting in response to persuasion. As a result, security advisories try to discourage users from performing potentially dangerous actions. For example, most current phishing attacks use email messages as the initial bait, in order to trick the recipient into clicking through a link provided in the email, which points to a phishing server. Security tips suggest that the user should ignore links provided by email, and instead open a new browser and manually type the URL of the legitimate site.

This advice is unlikely to be followed. Considering the low frequency of phishing attacks relative to legitimate messages, this suggestion sacrifices the efficiency of hyperlinks in legitimate emails in order to prevent users from clicking misleading links in very few phishing emails.

Pages: 1, 2, 3, 4, 5, 6

Next Pagearrow