If you want to read the ten-page study itself, you can check it out at this link. But I feel that I must warn you, it’s not for those who have weak stomachs, especially if you’re a systems administrator. Of course, you could tell that much from the title: “Why Phishing Works.”
The three authors (Rachna Dhamija, J. D. Tygar, and Marti Hearst) had certain theories about why phishing attacks work, based on their analysis of a large database of captured phishing attacks. They then designed a usability study in which they enlisted 22 participants to test these theories. While the study was created to answer the question of what makes a bogus site credible, it has interesting implications for anyone dealing with web site design (including many SEOs).
As with any good study, the authors read related work, including studies of browser security and phishing. From this work and their analysis, they formulated the hypothesis that phishers take advantage of their victims in three ways. First, they count on their victims’ lack of knowledge about computer systems and security indicators. Second, they use visually deceptive text (such as “typejacking attacks” that use similar-looking URLs), images, and similar means to mask the true identity of their fake web site. Third, they simply hope the user will not pay attention to either the presence or absence of security indicators.
The nature of the study the authors devised was fairly simple. They recruited 22 participants of varying ages, education levels, computer activity/experience, and both sexes. Using a laptop computer, they presented these participants with 20 websites in a mostly random order, of which slightly less than half were legitimate, and slightly more than half were phishing websites that they copied exactly to three levels deep and put on a local server for purposes of the study.
Participants were told to “Imagine that you receive an email message that asks you to click on one of the following links. Imagine that you decide to click on the link to see if it is a legitimate web site or a ‘spoof’ (a fraudulent copy of that website).” They were told they could interact with the website as users normally would and that any website might be legitimate or not. Since they were supposed to be paying attention, the study couldn’t test the third hypothesis of how phishers count on their victims behaving, but it could test the other two.
The study’s authors found that the participants used five different strategies to determine the legitimacy of the web sites with which they interacted. There was no significant correlation as to age, gender, educational level, etc. and which strategy a participant used. There was, however, a definite correlation as to which strategy a participant used and his or her ability to correctly identify legitimate and bogus web sites.
The first strategy, used by about a quarter of the participants, involved looking for security indicators in website content only. This included examining “logos, layout and graphic design, presence of functioning links and images, type of information presented, language, and accuracy of information.” These participants did not look in the address bar or any other part of the browser for security information. Those using this strategy received the lowest scores for being able to correctly distinguish legitimate and bogus web sites.
The second strategy involved checking not only the web site’s content, but the browser’s address bar. While these participants were not sensitive to factors such as “HTTPS” in the address bar, they at least noticed when it changed from site to site. Those using this strategy scored somewhat better than participants judging based on web site content alone.
Two of the study participants used the third strategy, which involved checking web site content and address bar, and noticing the presence of “HTTPS” in the address bar. They didn’t look for the padlock in the address bar, however. This approach was somewhat unreliable, as one of the participants using it incorrectly believed that site icons (favicons) in the address bar were a good indicator of site legitimacy because they couldn’t be copied (which of course is false).
The fourth strategy used by study participants involved being aware of everything in the third strategy, plus the padlock icon. Five participants used this approach. As you would expect, it was more reliable than the third strategy.
Finally, two participants used a strategy that looked for everything you’d find in the fourth strategy, and also checked for SSL certificates. This was the strongest approach as far as being able to distinguish legitimate and bogus sites.
Before I go into the results of the study, I’d like to mention two participants that were at extreme ends of the spectrum as far as security awareness and checking for bogus web sites. The one who scored at the low end actually submitted her username and password to some websites to check whether it was a site at which she had an account. She’d used this strategy before, she said, thinking “What’s the harm? Passwords are not dangerous to give out, like financial information is.” (If you’re a sysadmin, you can be forgiven for making a dash to the bathroom before continuing).
At the other end of the spectrum in both security awareness and score was the participant who opened up a second window into which he typed all URLs by hand to compare these pages with every web site presented to him in the study. He sometimes used Yahoo as well to search for the organization. His hypersensitivity can be attributed in part to the fact that a family member of his had fallen prey to a PayPal phishing attack.
The study asked participants not only to judge whether a web site was legitimate or bogus, but how confident they were of their judgment, on a scale of 1 to 5. Interestingly, most participants were pretty confident of their judgments, whether or not they were correct. This is particularly disturbing in light of the fact that one of the phishing web sites fooled more than 90 percent of the participants. The fake web site, for Bank of the West, included the following factors that convinced most participants of its authenticity:
- “Cute” design.
- High level of detail.
- Does not ask for a great deal of information.
- Animated bear video which two participants believed would “take a lot of effort to copy.”
- Links to other sites.
- Link to an SSL protected web page, hosted at VeriSign, showing the SSL certificate status for the real Bank of the West web site.
Of the two participants who realized this was a spoof web site, one noticed the URL in the address bar included a doubled “v” rather than a “w” for “west,” and the other one noticed an outdated date in the content of the web page.
Disturbingly, in interviews about user knowledge of phishing and security, seven participants hadn’t even heard the term “phishing” before, and some seemed surprised that these kinds of attacks occur. Some did not know the meaning of the padlock in the address bar, and at least one participant incorrectly believed it meant the web site could not read passwords or set cookies. Only one of the participants was able to explain the purpose of SSL certificates, and he was a systems administrator.
The one quarter of participants who used strategy one to distinguish legitimate from bogus web sites were wrong 40 percent of the time. While other participants fared better, it seems clear that there is cause for concern.
Two of the author’s hypotheses were supported by the results of the study. First of all, it showed that participants were tripped up “because they lacked knowledge of how computer systems worked and did not have an understanding of security systems and indicators.” Many participants were also fooled by visual tricks used by phishers to convince them their sites were genuine. (Remember, the study’s design precluded any chance to prove that lack of attention was a cause of users falling victim to phishing attacks).
The authors added two other hypotheses, based on the results of the study, as to why web surfers fall for phishing attacks. One was lack of knowledge of web fraud. If a user doesn’t know that web sites can be spoofed, he or she won’t have any reason to be suspicious. The other hypothesis is that many users’ knowledge of security is in error. The authors cited a number of misconceptions the study participants held as to what features indicate a web site is legitimate. These included “professional-looking images, animations, and ads.” Likewise, some participants distrusted legitimate web pages because they lacked such indicators.
So what does this mean for web site designers? Well, it suggests that a different approach needs to be taken as far as creating secure web sites. Certainly, education is in order, not only for what signals a secure web site, but what doesn’t. Otherwise, legitimate organizations can find themselves judged to be less than trustworthy even when they “follow security precautions, such as allowing users to only login from dedicated SSL protected pages.”