Why Phishing Sites Work
According to a recent study, user education may indeed be the only solution.

The study (PDF download) was recently produced by several individuals
from Harvard and U.C. Berkeley. It approached the phishing problem from
the perspective of trying to determine what users did to verify the trustworthiness
of a Web site. Fifty-nine percent of the study participants relied entirely
on the Web site page contents and domain name alone, ignoring all browser security

While the study only involved 22 participants, its findings are interesting
and well worth reading if you are in the business of designing a Web site or
user interface tool intended to impart trustworthiness information to consumers.

The study found that users were better grouped according to what information
they relied upon for trustworthiness. Grouping them demographically (by age
or sex, say) or by length of computer experience yielded very little difference.
In other words, whether someone is any good at distinguishing a phishing site
from a real one appears to come down to how that person has learned to read
what the browser is presenting. While this certainly makes sense, it's amazing
how many people have either never learned to look at the interface as well as
the content, or have learned to ignore it.

Could this be similar to the way people typically turn off pop-up dialog boxes
when given the option? Could it be a result of being bombarded with overly technical
jargon in such dialog boxes? Many of the subjects in the study appeared not even
to read what was being presented, such as the warning dialog for a broken certificate.
Others couldn't distinguish between a locked padlock in the browser interface and
one drawn in the page content itself, and still others felt it was more secure when the
lock was in the content!

With so many people relying on the content over the interface, it's understandable
that we're seeing tools like SiteAdvisor,
which places security cues in the content itself. SiteAdvisor was recently
acquired by McAfee. The problem is that if we pander to this habit of relying upon
the content, we actually end up making it easier for phishers to do their evil
deeds. Our content can already be so rich and interactive; attempting to enforce
it as the reason for trustworthiness definitely doesn't feel right to

I'm not suggesting I know the solution. Could we get security rules to
prevent the mouse from clicking on a bad link? Sure! But could we also prevent
a phishing Web site or spyware application from stopping that from happening?
Probably not. User education is often ridiculed as impossible, but this study
certainly tells me it is the route we have to follow.

The big question now is whether we can still re-educate so many people who have already
learned the wrong things. Perhaps that will only happen when they become victims,
but I sure hope not.

Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.