More doom on phishing

Graham Titterington

New research from Harvard University and the University of California, Berkeley demonstrates how difficult it is to resist "phishing" web sites. Yesterday we saw reports of phishers posting fake eBay login pages within eBay auction sites. One of our analysts had received a very professional e-mail entitled "PayPal Notification: Account Privacy Report" that appears to exploit this scam the day before this report was published.

Comment: The level of the phishing threat appears to be rising rapidly, which demonstrates the need for services like PhishRegistry.org, launched by CipherTrust last week, which provide a free notification and warning system for web site owners. This new research casts a pessimistic light on some of the new features Microsoft is proposing for Internet Explorer 7 and Vista.

The Harvard/Berkeley research involved only 22 participants, but produced a damning report on how often they were duped. The report identified three key weaknesses that users face: lack of knowledge, visual deception and lack of attention. In this survey the participants were all highly educated, computer literate, and knew that they were taking part in a survey of phishing deception techniques - meaning that "lack of attention" should not be a factor in these results.

We can therefore assume that a survey of average Internet users who were under pressure to get on with their jobs and were not expecting to be duped would show much worse results!

The researchers did not find any significant divergence due to demographic factors in their participants, but this is not surprising in such a small sample. Each person was shown the same 20 web sites (7 legitimate and 13 phishing sites), in random order, and a sufficient portion of each web site was reproduced to enable them to browse around the initial page. On average the participants were fooled by 47% of the phishing sites, and rejected 25% of the legitimate sites! (Although not part of the research findings, the latter figure shows the potential damage to general confidence in the Internet.)

The participants showed a poor understanding of the structure of URLs, and much less understanding of IP addresses, the browser padlock emblem, and the significance of SSL connections. They therefore paid little attention to the framework of the Internet browser and specific warning messages. They relied very heavily on their feel for the content of the web page itself. So if the page and its graphics looked right, their fears were laid to rest and they proceeded with the transaction.

The research indicates that improvements promised for Internet Explorer 7 - including colour coding the URL field - are unlikely to have much meaning for most users. Blocking of phishing web sites will help a little, but we are already doing this within the service provider infrastructure - and yet the authorities are unable to keep up with the speed with which the phishers move. The evidence from this study indicates that some relatively simple techniques such as the "identity cues" offered by start-up Green Armor (that we reported on in July 2005) would make a bigger dent in the effectiveness of phishing attacks.




About:

This article is an extract taken from Ovum's Straight Talk service. This daily email bulletin provides our expert's views and opinions on important news and events in global IT and telecoms.

If you would like to find out more about Straight Talk please contact StraightTalk@ovum.com

© Datamonitor - Ovum is a Datamonitor company