BogusBiter: A transparent protection against phishing attacks

Published: 10 June 2010

Abstract

Many anti-phishing mechanisms currently focus on helping users verify whether a Web site is genuine. However, usability studies have demonstrated that prevention-based approaches alone fail to effectively suppress phishing attacks and protect Internet users from revealing their credentials to phishing sites. In this paper, instead of preventing human users from “biting the bait,” we propose a new approach to protect against phishing attacks with “bogus bites.” We develop BogusBiter, a unique client-side anti-phishing tool, which transparently feeds a relatively large number of bogus credentials into a suspected phishing site. BogusBiter conceals a victim's real credential among bogus credentials, and moreover, it enables a legitimate Web site to identify stolen credentials in a timely manner. Leveraging the power of client-side automatic phishing detection techniques, BogusBiter is complementary to existing preventive anti-phishing approaches. We implemented BogusBiter as an extension to the Firefox 2 Web browser, and evaluated its efficacy through real experiments on both phishing and legitimate Web sites. Our experimental results indicate that it is promising to use BogusBiter to transparently protect against phishing attacks.

References

[1]
Adida, B. 2007. BeamAuth: Two-factor Web authentication with a bookmark. In Proceedings of the Conference on Computer and Communication Security (CCS). 48--57.
[2]
Ahn, L., Blum, M., Hopper, N., and Langford, J. 2003. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt. 294--311.
[3]
APWG. 2008. Anti-Phishing Working Group (APWG). http://www.antiphishing.org/.
[4]
APWG-PSTC. 2008. APWG: Phishing Scams by Targeted Company. http://www.millersmiles.co.uk/scams.php.
[5]
Poettering, B. 2008. jssha256. http://point-at-infinity.org/jssha256/.
[6]
Birk, D., Dornseif, M., Gajek, S., and Gröbert, F. 2006. Phishing phishers—tracing identity thieves and money launderer. Tech. rep. Horst-Görtz Institute of Ruhr-University of Bochum.
[7]
Bortz, A., Boneh, D., and Nandy, P. 2007. Exposing private information by timing Web applications. In Proceedings of the International World Wide web Conference (WWW). 621--628.
[8]
Chiasson, S., van Oorschot, P. C., and Biddle, R. 2006. A usability study and critique of two password managers. In Proceedings of the USENIX Security Symposium. 1--16.
[9]
Chou, N., Ledesma, R., Teraguchi, Y., and Mitchell, J. C. 2004. Client-side defense against web-based identity theft. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
[10]
Dhamija, R. and Tygar, J. D. 2005. The battle against phishing: Dynamic security skins. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 77--88.
[11]
Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 581--590.
[12]
Downs, J. S., Holbrook, M. B., and Cranor, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 79--90.
[13]
EBankingSecurity. 2008. eBanking Security. http://www.ebankingsecurity.com/ebanking_bad_for_your_bank_balance.pdf.
[14]
Egelman, S., Cranor, L. F., and Hong, J. 2008. You've been warned: An empirical study of the effectiveness of web browser phishing warnings. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 1065--1074.
[15]
Felten, E. W., Balfanz, D., Dean, D., and Wallach, D. S. 1997. Web Spoofing: An Internet Con Game. In Proceedings of the 20th National Information Systems Security Conference.
[16]
Fette, I., Sadeh, N., and Tomasic, A. 2007. Learning to detect phishing emails. In Proceedings of the International World Wide Web Conference (WWW). 649--656.
[17]
Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. 1999. RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1.
[18]
FirefoxPhishingProtection. 2008. Firefox Phishing Protection. http://www.mozilla.com/en-US/firefox/phishing-protection/.
[19]
FirefoxPhishingTest. 2006. Firefox 2 Phishing Protection Effectiveness Testing. http://www.mozilla.org/security/phishing-test.html.
[20]
Florêncio, D. and Herley, C. 2006. Password rescue: A new approach to phishing prevention. In Proceedings of the USENIX Workshop on Hot Topics in Security (HOTSEC).
[21]
Florêncio, D. and Herley, C. 2007. A large-scale study of Web password habits. In Proceedings of the International World Wide Web Conference (WWW). 657--666.
[22]
Florêncio, D., Herley, C., and Coskun, B. 2007. Do strong web passwords accomplish anything? In Proceedings of the USENIX Workshop on Hot Topics in Security (HOTSEC).
[23]
FSTC-Phishing. 2005. Understanding and countering the phishing threat. The Financial Services Technology Consortium (FSTC) Project White Paper, http://fstc.org/projects/counter_phishing_phase_1/.
[24]
Garera, S., Provos, N., Chew, M., and Rubin, A. D. 2007. A framework for detection and measurement of phishing attacks. In Proceedings of the ACM Workshop On Recuring Malcode (WORM).
[25]
GartnerSurvey. 2006. Gartner, inc.,. http://www.gartner.com/it/page.jsp?id=498245.
[26]
Halderman, J. A., Waters, B., and Felten, E. W. 2005. A convenient method for securely managing passwords. In Proceedings of the International World Wide Web Conference (WWW). 471--479.
[27]
IBM-FairUCE. 2005. IBM set to use spam to attack spammer. http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm.
[28]
InaccessibilityCAPTCHA. 2008. Inaccessibility of CAPTCHA. http://www.w3.org/TR/turingtest/.
[29]
Jagatic, T. N., Johnson, N. A., Jakobsson, M., and Menczer, F. 2007. Social phishing. Comm. ACM 50, 10, 94--100.
[30]
Jakobsson, M. and Myers, S. 2006. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience.
[31]
Jakobsson, M. and Ratkiewicz, J. 2006. Designing ethical phishing experiments: A study of (ROT13) rOnl query features. In Proceedings of the International World Wide Web Conference (WWW). 513--522.
[32]
Jakobsson, M. and Young, A. 2005. Distributed phishing attacks. In Proceedings of the Workshop on Resilient Financial Information Systems.
[33]
Kandula, S., Katabi, D., Jacob, M., and Berger, A. W. 2005. Botz-4-Sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of the 2nd Symposium on Networked Systems Design and Implementation (NSDI). 287--300.
[34]
Kirda, E. and Kruegel, C. 2005. Protecting users against phishing attacks with AntiPhish. In Proceedings of the Annual International Computer Software and Applications Conference (COMPSAC). 517--524.
[35]
Klein, D. V. 1990. Foiling the cracker—A survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Workshop on Security. 5--14.
[36]
Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., and Nung, E. 2007. Protecting people from phishing: The design and evaluation of an embedded training email system. In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 905--914.
[37]
KYE-Phishing. 2008. Know Your Enemy: Phishing. http://www.honeynet.org/papers/phishing/.
[38]
Ludl, C., McAllister, S., Kirda, E., and Kruegel, C. 2007. On the effectiveness of techniques to detect phishing sites. In Proceedings of the International Conference on Detection of Instructions and Malware & Vulnerability Assessment (DIMVA).
[39]
MarkMonitor. 2008. MarkMonitor: Internet Fraud Prevention and Brand Protection. http://www.markmonitor.com/.
[40]
MicrosoftPhishingFilter. 2008. Microsoft Phishing Filter. http://www.microsoft.com/protect/products/yourself/.
[41]
Monrose, F., Reiter, M. K., and Wetzel, S. 1999. Password hardening based on keystroke dynamics. In Proceedings of the Conference on Computer and Communication Security (CCS). 73--82.
[42]
Moore, T. and Clayton, R. 2007. Examining the impact of website take-down on phishing. In Proceedings of the APWG eCrime Researchers Summit.
[43]
Morris, R. and Thompson, K. 1979. Password security: A case history. Comm. ACM 22, 11, 594--597.
[44]
Moshchuk, A., Bragin, T., Deville, D., Gribble, S. D., and Levy, H. M. 2007. Spyproxy: Execution-based detection of malicious web content. In Proceedings of the USENIX Security Symposium. 27--42.
[45]
Parno, B., Kuo, C., and Perrig, A. 2006. Phoolproof phishing prevention. In Proceedings of the Financial Cryptography. 1--19.
[46]
PhishTank. 2008. PhishTank. http://www.phishtank.com/.
[47]
Pinkas, B. and Sander, T. 2002. Securing passwords against dictionary attacks. In Proceedings of the Conference on Computer and Communication Security (CCS). 161--170.
[48]
Reis, C., Dunagan, J., Wang, H. J., Dubrovsky, O., and Esmeir, S. 2006. Browsershield: Vulnerability-driven filtering of dynamic html. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). 61--74.
[49]
Robichaux, P. and Ganger, D. L. 2006. Gone phishing: Evaluating anti-phishing tools for Windows. http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf.
[50]
Ross, B., Jackson, C., Miyake, N., Boneh, D., and Mitchell, J. C. 2005. Stronger password authentication using browser extensions. In Proceedings of the USENIX Security Symposium. 17--32.
[51]
RSA. 2008. Home - RSA, The Security Division of EMC. http://www.rsa.com/.
[52]
Schechter, S. E., Dhamija, R., Ozment, A., and Fischer, I. 2007. The emperor's new security indicators: An evaluation of Website authentication and the effect of role playing on usability studies. In Proceedings of the IEEE Symposium on Security and Privacy. 51--65.
[53]
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., and Nunge, E. 2007. Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 88--99.
[54]
Tcpmon. 2008. tcpmon: An open-source utility to Monitor A TCP Connection. https://tcpmon.dev.java.net/.
[55]
VirtualKeyboard. 2007. Hacker demos how to defeat Citibanks virtual keyboard. http://blogs.zdnet.com/security/?p=195.
[56]
Whalen, T. and Inkpen, K. M. 2005. Gathering evidence: use of visual security cues in web browsers. In Proceedings of the Conference on Graphics Interface. 137--144.
[57]
Wu, M. 2006. Fighting Phishing at the User Interface. Ph.D. thesis, MIT.
[58]
Wu, M., Miller, R. C., and Garfinkel, S. L. 2006a. Do security toolbars actually prevent phishing attacks? In Proceedings of the Conference on Human Factors in Computing Systems (CHI). 601--610.
[59]
Wu, M., Miller, R. C., and Little, G. 2006b. Web Wallet: Preventing phishing attacks by revealing user intentions. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 102--113.
[60]
Wu, T. 1998. The secure remote password protocol. In Proceedings of the Network and Distributed System. Security Symposium (NDSS).
[61]
XMLHttpRequest. 2008. http://www.w3.org/TR/XMLHttpRequest/.
[62]
Ye, Z. E. and Smith, S. 2002. Trusted paths for browsers. In Proceedings of the USENIX Security Symposium. 263--279.
[63]
Yee, K.-P. and Sitaker, K. 2006. Passpet: Convenient password management and phishing protection. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). 32--43.
[64]
Yue, C. and Wang, H. 2008. Anti-phishing in offense and defense. In Proceedings of the Annual Computer Security Applications Conference (ACSAC). 345--354.
[65]
Zhang, Y., Egelman, S., Cranor, L. F., and Hong, J. 2007a. Phinding phish: Evaluating anti-phishing tools. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
[66]
Zhang, Y., Hong, J., and Cranor, L. 2007b. CANTINA: A content-based approach to detecting phishing web sites. In Proceedings of the International World Wide Web Conference (WWW). 639--648.

Cited By

View all
  • (2024)Anti-phishing Attacks in GamificationEncyclopedia of Computer Graphics and Games10.1007/978-3-031-23161-2_383(117-122)Online publication date: 5-Jan-2024
  • (2023)PhishCatcher: Client-Side Defense Against Web Spoofing Attacks Using Machine LearningIEEE Access10.1109/ACCESS.2023.328722611(61249-61263)Online publication date: 2023
  • (2022)A lightweight and proactive rule-based incremental construction approach to detect phishing scamInformation Technology and Management10.1007/s10799-021-00351-723:4(271-298)Online publication date: 17-Jan-2022
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Published In

ACM Transactions on Internet Technology, Volume 10, Issue 2
May 2010
123 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/1754393
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 10 June 2010
Accepted: 01 November 2009
Revised: 01 October 2009
Received: 01 January 2009
Published in TOIT Volume 10, Issue 2

Author Tags

  1. Phishing
  2. credential theft
  3. security
  4. usability
  5. web spoofing

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (last 12 months): 39
  • Downloads (last 6 weeks): 7
  • Reflects downloads up to 23 Nov 2024

Cited By

  • (2024) Anti-phishing Attacks in Gamification. Encyclopedia of Computer Graphics and Games, 117-122. DOI: 10.1007/978-3-031-23161-2_383. Online: 5 Jan 2024.
  • (2023) PhishCatcher: Client-Side Defense Against Web Spoofing Attacks Using Machine Learning. IEEE Access 11, 61249-61263. DOI: 10.1109/ACCESS.2023.3287226.
  • (2022) A lightweight and proactive rule-based incremental construction approach to detect phishing scam. Information Technology and Management 23(4), 271-298. DOI: 10.1007/s10799-021-00351-7. Online: 17 Jan 2022.
  • (2022) Using Amnesia to Detect Credential Database Breaches. Cyber Deception, 183-215. DOI: 10.1007/978-3-031-16613-6_9. Online: 7 Oct 2022.
  • (2022) An Approach to Generate Realistic HTTP Parameters for Application Layer Deception. Applied Cryptography and Network Security, 337-355. DOI: 10.1007/978-3-031-09234-3_17. Online: 20 Jun 2022.
  • (2021) An Emerging Solution for Detection of Phishing Attacks. Cybersecurity Threats with New Perspectives [Working Title]. DOI: 10.5772/intechopen.96134. Online: 3 Mar 2021.
  • (2021) SpoofCatch: A Client-Side Protection Tool Against Phishing Attacks. IT Professional 23(2), 65-74. DOI: 10.1109/MITP.2020.3006477. Online: 1 Mar 2021.
  • (2021) Generative Adverserial Analysis of Phishing Attacks on Static and Dynamic Content of Webpages. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), 1657-1662. DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00222. Online: Sep 2021.
  • (2021) Online Social Network Security: A Comparative Review Using Machine Learning and Deep Learning. Neural Processing Letters 53(1), 843-861. DOI: 10.1007/s11063-020-10416-3. Online: 1 Feb 2021.
  • (2021) Anti-Phishing Attacks in Gamification. Encyclopedia of Computer Graphics and Games, 1-7. DOI: 10.1007/978-3-319-08234-9_383-1. Online: 23 Sep 2021.
