In the final step of a successful phishing attack, the user's action is translated into a system operation. This is the last chance we have to prevent the attack. Unfortunately, because phishing does not exploit system bugs, the system operations involved in a phishing attack are perfectly valid. For example, it is ordinary to post information to a remote server. Warnings based solely on system operations will inevitably generate a high rate of false positive errors—that is, warning users about innocent actions (Figure 9). These false-positives eventually cause users to disable the warnings or simply to become habituated to "swatting" the warning away.
Figure 9. Warning based on system operations
A more interesting approach involves modifying the system operation according to its destination. Web password hashing applies this idea to defend against phishing attacks that steal web site passwords.  The browser automatically hashes the password typed by the user with the domain name to which it is being sent, in order to generate a unique password for each site—and hence sending useless garbage to a phishing site. Web password hashing assumes that users will type their passwords only into a password HTML element. But this element can be spoofed, and a sophisticated attack may be able to trick users into disclosing their passwords through other channels.
Case Study: SpoofGuard
The most comprehensive solution thus far for stopping phishing at the user interface is SpoofGuard, a browser plug-in for Internet Explorer.  SpoofGuard addresses three of the four steps where phishing might be prevented.
At message retrieval time, SpoofGuard calculates a total spoof score for an incoming web page. The calculation is based on common characteristics of known phishing attacks, including:
Potentially misleading patterns in URLs, such as use of @
Similarity of the domain name to popular or previously visited domains, as measured by edit distance
Embedded images that are similar to images from frequently spoofed domains, as measured by image hashing
Whether links in the page contain misleading URLs
Whether the page includes password fields but fails to use SSL, as most phishing sites eschew SSL
At presentation time, SpoofGuard translates this spoof score into a traffic light (red, yellow, or green) displayed in a dedicated toolbar. Further, when the score is above a threshold, SpoofGuard pops up a modal warning box that demands the user's consent before it proceeds with displaying the page.
For the action step, SpoofGuard does nothing to modify the user's online behavior. The user is free to click on any links or buttons in the page, regardless of their spoof score.
SpoofGuard becomes involved again in the system operation step, however, by evaluating posted data before it is submitted to a remote server. The evaluation tries to detect whether sensitive data is being sent, by maintaining a database of passwords (stored as hashes) and comparing each element sent against the database. If a user's eBay password is sent to a site that isn't in ebay.com, then the spoof score for the interaction is increased. This evaluation is also linked with the detection of embedded images so that if the page also contained an eBay logo, the spoof score is increased still more. If the evaluation of the system operation causes the spoof score to exceed a certain threshold, then the post is blocked and the user is warned.
In general, however, SpoofGuard is an impressive step toward fighting phishing attacks at the client side.
Phishing attacks are likely to grow more sophisticated in the days ahead, and our defenses against them must continue to improve. Phishing succeeds because of a gap between the user's mental model and the true implementation, so promising technical solutions should try to bridge this gap, either by finding ways to visualize for the user details of implementation that would otherwise be invisible, or by finding ways to see the message from the user's point of view.
If technical solutions fail, we might ask whether there are legal or policy solutions. As a species of wire fraud, phishing is, of course, already illegal; no new legislation is required to prosecute an attacker. So, legal and policy solutions may have to restrict legitimate access instead, in order to make phishing attacks easier to detect or attackers easier to track down. One policy measure, already being undertaken by some companies, is to stop using email for critical communications with customers. AOL, one of the earliest targets of phishing attacks in the Internet era, has a unique message system for "Official AOL Mail" that cannot be spoofed by outsiders or other AOL members. More recently, eBay has responded to the spate of phishing attacks against it by setting up a private webmail system, "My Messages," for sending unspoofable messages to its users.
The success of phishing suggests that users authenticate web sites mainly by visual inspection: looking at logos, page layout, and domain names. The web browser can improve this situation by digging up additional information about a site and making it available for direct visual inspection. How many times have I been to this site? How many other people have been to this site? How long has this site existed on the Web? How many other sites link to it, according to a search engine like Google? Reputation is much harder to spoof than mere visual appearance. Authentication by visual inspection would be easier and more dependable if these additional visual cues were not all buried in the periphery of the web browser, but were integrated into the content of the page, in the user's locus of attention.
Another potential opportunity arises in the action step of an online interaction. A phishing attack is harmless unless the user actually does something with it. If earlier analysis suggests that the risk of phishing is high, then the system can suggest alternative safe paths ("Use this bookmark to go to the real eBay.com"), or ask the user to choose which site they really want to receive the information ("eBay.com in California, or 184.108.40.206 in South Korea?").
The ideal defense against phishing might be an intelligent security assistant that can perceive and understand a message in the same way the user does so that it can directly compare the user's probable mental model against the real implementation and detect discrepancies. This ideal is likely to be a long way off. In the meantime, phishing will remain a problem that must be tackled by both a user and a computer, with an effective user interface in between.
Editor's note: Robert Miller and Min Wu contributed the material contained in this excerpt from Security & Usability. This excerpt is one of thirty-four essays in the book that cover authentication, privacy and anonymity, secure systems, commercialization, and more.
About the Authors
Robert Miller is an assistant professor in MIT's Department of Electrical Engineering and Computer Science and a member of the MIT Computer Science and Artificial Intelligence Laboratory. He received his Ph.D. in computer science from Carnegie Mellon University in 2002. His research concerns intelligent user interfaces, end-user programming, and applications of usability to security, including authentication, secure email, and network visualization.
Min Wu is a Ph.D. candidate in electrical engineering and computer science at MIT. He received his M.S. in electrical engineering and computer science at MIT in 2001. He is interested in different techniques to deal with Internet fraud.
 Anti-Phishing Working Group, "Phishing Attack Trends Report, April 2004"; http://antiphishing.org/APWG_Phishing_Attack_Report-Apr2004.pdf.
 Bob Sullivan, "Consumers Still Falling for Phish," MSNBC (July 28, 2004); http://www.msnbc.msn.com/id/5519990/.
 Neil Chou, Robert Ledesma, Yuka Teraguchi, and John C. Mitchell, "Client-Side Defense Against Web-Based Identity Theft," 11th Annual Network and Distributed System Security Symposium (2004); http://theory.stanford.edu/people/jcm/papers/spoofguard-ndss.pdf.
 Anti-Phishing Working Group, "eBay—NOTICE eBay Obligatory Verifying—Invalid User Information" (March 9, 2004); http://www.antiphishing.org/phishing_archive/eBay_03-09-04.htm.
 Bruce Schneier, "Semantic Attacks: The Third Wave of Network Attacks," Crypto-Gram Newsletter (Oct. 15, 2000); http://www.schneier.com/crypto-gram-0010.html#1.
 Anti-Phishing Working Group, "US Bank—Maintenance Upgrade" (July 6, 2004); http://www.antiphishing.org/
 Anti-Phishing Working Group, "Citibank—Your Citibank Account!" (July 13, 2004); http://www.antiphishing.org/phishing_archive/07-13-04_Citibank_(your_Citibank_account!).html.
 EarthLink Toolbar: Featuring ScamBlocker; http://www.earthlink.net/earthlinktoolbar/download/.
 Tropical Software Secure Browser; http://www.tropsoft.com/secbrowser/.
 F-SECURE, "F-Secure Virus Descriptions: Bagle.N"; http://www.f-secure.com/v-descs/bagle_n.shtml.
 Anti-Phishing Working Group, "MBNA—MBNA Informs You!" (Feb. 24, 2004); http://www.antiphishing.org/phishing_archive/MBNA_2-24-04.htm.
 eBay Inc., "Email and Websites Impersonating eBay"; http://pages.ebay.com/ help/confidence/isgw-account-theft-spoof.html.
 Federal Bureau of Investigation, Department of Justice, "FBI Says Web 'Spoofing' Scams Are a Growing Problem" (2003); http://www.fbi.gov/pressrel/pressrel03/spoofing072103.htm.
 PayPal Inc., "Security Tips"; http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fraud-prevention-outside.
 eBay toolbar; http://pages.ebay.com/ebay_toolbar/.
 VeriSign Secured Seal Program; http://www.verisign.com/products-services/security-services/secured-seal/index.html.
 eBay, Inc., "Tutorial: Spoof (fake) Emails"; http://pages.ebay.com/education/spooftutorial/.
 PassMark Security; http://www.passmarksecurity.com/twoWay.jsp.
 Dan Boneh, John Mitchell, and Blake Ross, "Web Password Hashing," Stanford University; http://crypto.stanford.edu/PwdHash/.
Return to the O'Reilly Network