Security Watch

Why Phishing Sites Work

According to a recent study, user education may indeed be the only solution.

An extremely interesting study (PDF download) was recently produced by several researchers from Harvard and U.C. Berkeley. The study approached the phishing problem from the perspective of trying to determine what users actually did to verify the trustworthiness of a Web site. Fifty-nine percent of the study participants relied entirely on the Web page's contents and the domain name, ignoring all browser security cues.
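To make concrete why "the domain name" is a weaker cue than those participants assumed, here is an added example (not from the study or the original column) that pulls apart a handful of constructed URLs the way a careful reader would have to: it separates the brand text that appears somewhere in the URL from the host the browser will actually connect to. The brand domain (example-bank.com), the attacker hosts (login-verify.test, 198.51.100.7) and the sample URLs are all made up for illustration, and the "last two labels" rule for the registrable domain is a deliberate simplification; a real check needs the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname a user should actually compare.

    Simplification (assumption): the last two DNS labels. Real code needs the
    Public Suffix List so that e.g. bank.co.uk is not reduced to co.uk.
    Literal IP addresses are returned unchanged.
    """
    host = hostname.lower().rstrip('.')
    try:
        ipaddress.ip_address(host)
        return host                      # an IP literal is its own "domain"
    except ValueError:
        pass
    labels = host.split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host

def analyze(url: str, expected_domain: str) -> dict:
    """Compare what a user sees in a URL with where the browser will go."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    actual = registrable_domain(host)
    return {
        'url': url,
        # The brand string appears somewhere in the URL text (what a user
        # skimming the address bar notices).
        'brand_text_present': expected_domain in url.lower(),
        # The host the browser resolves and connects to.
        'connects_to': actual,
        'is_expected': actual == expected_domain,
        # user:pass@host syntax puts a fake host name before the real one;
        # how browsers display it varies, which is exactly the problem.
        'has_userinfo': parts.username is not None,
        'https': parts.scheme == 'https',
    }

# Constructed sample URLs (not taken from the study): one genuine login page
# and three phishing-style addresses that all contain the brand text.
SAMPLE_URLS = [
    'https://www.example-bank.com/login',
    'http://www.example-bank.com.login-verify.test/login',
    'http://www.example-bank.com@198.51.100.7/login',
    'https://secure-example-bank.com/login',
]

def run_samples(expected_domain: str = 'example-bank.com') -> list:
    """Analyze every sample URL against the brand domain the user expects."""
    return [analyze(u, expected_domain) for u in SAMPLE_URLS]

if __name__ == '__main__':
    for r in run_samples():
        flag = 'OK ' if r['is_expected'] else 'BAD'
        print(f"{flag} brand-text={r['brand_text_present']!s:5} "
              f"connects_to={r['connects_to']:<22} "
              f"userinfo={r['has_userinfo']!s:5} https={r['https']} {r['url']}")
```

Run stand-alone, the script marks only the first URL as genuine; the other three all contain "example-bank.com" in their text, which is why a user who reads the domain name by looking for the brand, rather than by isolating the host the browser connects to, is fooled.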

While the study involved only 22 participants, its findings are interesting and well worth reading if you are in the business of designing a Web site or a user interface tool intended to convey trustworthiness information to consumers. The study found that users were best grouped according to what information they relied upon to judge trustworthiness. Grouping them demographically, by age or sex, or by length of computer experience, yielded very little difference.

In other words, whether a person is any good at distinguishing a phishing site from a real one appears to come down to how they have learned to read what their browser presents them. While this certainly makes sense, it's amazing how many people have either never learned to look at the interface as well as the content, or have learned to ignore it.

Could this be similar to the way people typically turn off pop-up dialog boxes when given the option? Could it be a result of being bombarded with overly technical jargon in such dialog boxes? Many of the subjects in the study appeared to not even read what was being presented, like a broken certificate warning dialog. Others couldn't distinguish between a locked padlock in the interface versus one in the content itself, and still others felt it was more secure when the lock was in the content!

With so many people relying on the content over the interface, it's understandable that we're seeing tools like SiteAdvisor, which embeds security cues in the content itself. SiteAdvisor was recently acquired by McAfee. The problem is that if we pander to this habit of relying upon the content, we end up making it easier for phishers to do their evil deeds: a phishing page can render any cue a legitimate page can. Our content can already be so rich and interactive; attempting to make it the basis for trustworthiness definitely doesn't feel right to me.

I’m not suggesting I know the solution. Could we get security rules to prevent the mouse from clicking on a bad link? Sure! But could we also prevent a phishing Web site or spyware application from preventing that from happening? Probably not. User education is often ridiculed as impossible, but this study certainly tells me it is the route we have to follow.

The big question now is can we still re-educate so many people who have already learned the wrong things? Perhaps that will only happen when they become victims, but I sure hope not.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
