Advertisement

Effective Protection Against Phishing and Web Spoofing

  • Rolf Oppliger
  • Sebastian Gajek
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3677)

Abstract

Phishing and Web spoofing have proliferated and become a major nuisance on the Internet. The attacks are difficult to protect against, mainly because they target non-cryptographic components, such as the user or the user-browser interface. This means that cryptographic security protocols, such as the SSL/TLS protocol, do not provide a complete solution to tackle the attacks and must be complemented by additional protection mechanisms. In this paper, we summarize, discuss, and evaluate the effectiveness of such mechanisms against (large-scale) phishing and Web spoofing attacks.

Keywords

SSL/TLS phishing Web spoofing visual spoofing 

References

  1. 1.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 Protocol. In: USENIX Security Symposium, pp. 29–40 (1996)Google Scholar
  2. 2.
    Clayton, R.: Insecure Real-World Authentication Protocols (or Why Phishing is so Profitable). In: Financial Cryptography (2005)Google Scholar
  3. 3.
    Felten, W.E., Balfanz, D., Dean, D., Wallach, D.S.: Web Spoofing: An Internet Con Game. Technical Report 540-96, Dept. of Computer Science, Princeton University (1996)Google Scholar
  4. 4.
    Jakobsson, M., Myers, S.: Stealth Attacks and Delayed Password Disclosure (2005)Google Scholar
  5. 5.
    Adelsbach, A., Gajek, S., Schwenk, J.: Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures. In: Information Security Practice and Experience Conference (2005)Google Scholar
  6. 6.
    De Paoli, F., DosSantos, A., Kemmerer, R.: Vulnerability of ’Secure’ Web Browsers. In: National Information Systems Security Conference (1997)Google Scholar
  7. 7.
    Lefranc, S., Naccache, D.: Cut-&-Paste Attacks with JAVA. In: ICISC, pp. 1–15 (2002)Google Scholar
  8. 8.
    Li, T.Y., Wu, Y.: Trust on Web Browser: Attack vs. Defense. In: ACNS, pp. 241–253 (2003)Google Scholar
  9. 9.
    Herzberg, A., Gbara, A.: TrustBar: Protecting (even Naive) Web Users from Spoofing and Phishing Attacks. IACR Cryptology ePrint Archive (2004)Google Scholar
  10. 10.
    Chou, N., Ledesma, R., Teraguchi, Y., Mitchell, J.C.: Client-Side Defense Against Web-Based Identity Theft. In: NDSS (2004)Google Scholar
  11. 11.
    Jakobsson, M.: Modeling and preventing phishing attacks. In: S. Patrick, A., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 89–89. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Markham, G.: Phishing-Browser-based Defences (2005), http://www.gerv.net/security/phishing-browser-defences.html#ssl-essential
  13. 13.
    Perrig, A., Song, D.: Hash visualization: A new technique to improve real-world security. In: Cryptographic Techniques and E-Commerce (1999)Google Scholar
  14. 14.
    Perrig, A., Dhamija, R.: Déjà Vu: A User Study Using Images for Authentication. In: USENIX Security Symposium (2000)Google Scholar
  15. 15.
    Dohrmann, S., Ellison, C.: Public key support for collaborative work. In: PKI Research Workshop (2002)Google Scholar
  16. 16.
    Santesson, S., Housley, R., Freeman, T.: Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates (2004) Request for Comments 3709Google Scholar
  17. 17.
    Ye, Z.E., Smith, S.: Trusted Paths for Browsers. In: USENIX Security Symposium, pp. 263–279 (2002)Google Scholar
  18. 18.
    Tygar, J., Whitten, A.: WWW Electronic Commerce and Trojan Horses. In: USENIX Workshop on Electronic Commerce (1996)Google Scholar
  19. 19.
    Shin, M., Straub, C., Tamassia, R., Polivy, D.: Authenticating Web content with Prooflets. Technical report, Brown University, Center for Geometric Computing (2002)Google Scholar
  20. 20.
    Oppliger, R.: Sichere Streichlisten. Digma 5, 34–35 (2005)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2005

Authors and Affiliations

  • Rolf Oppliger
    • 1
  • Sebastian Gajek
    • 2
  1. 1.eSECURITY TechnologiesGümligenSwitzerland
  2. 2.Horst Görtz Institute for IT-SecurityRuhr UniversityBochumGermany

Personalised recommendations