BogusBiter: A transparent protection against phishing attacks

Authors:
Chuan Yue;Haining Wang
Affiliations:
College of William and Mary, Williamsburg, VA;College of William and Mary, Williamsburg, VA
Venue:
ACM Transactions on Internet Technology (TOIT)
Year:
2010

Citing 38
Cited 4

Password hardening based on keystroke dynamics

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Password security: a case history

Communications of the ACM
Securing passwords against dictionary attacks

Proceedings of the 9th ACM conference on Computer and communications security
Trusted Paths for Browsers

Proceedings of the 11th USENIX Security Symposium
A convenient method for securely managing passwords

WWW '05 Proceedings of the 14th international conference on World Wide Web
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Gathering evidence: use of visual security cues in web browsers

GI '05 Proceedings of Graphics Interface 2005
Protecting Users Against Phishing Attacks with AntiPhish

COMPSAC '05 Proceedings of the 29th Annual International Computer Software and Applications Conference - Volume 01
Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Designing ethical phishing experiments: a study of (ROT13) rOnl query features

Proceedings of the 15th international conference on World Wide Web
Passpet: convenient password management and phishing protection

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Decision strategies and susceptibility to phishing

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Web wallet: preventing phishing attacks by revealing user intentions

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft

Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft
Protecting people from phishing: the design and evaluation of an embedded training email system

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Exposing private information by timing web applications

Proceedings of the 16th international conference on World Wide Web
Cantina: a content-based approach to detecting phishing web sites

Proceedings of the 16th international conference on World Wide Web
Learning to detect phishing emails

Proceedings of the 16th international conference on World Wide Web
A large-scale study of web password habits

Proceedings of the 16th international conference on World Wide Web
Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds

NSDI'05 Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation - Volume 2
Stronger password authentication using browser extensions

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
A usability study and critique of two password managers

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Password rescue: a new approach to phishing prevention

HOTSEC'06 Proceedings of the 1st USENIX Workshop on Hot Topics in Security
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

Proceedings of the 3rd symposium on Usable privacy and security
Social phishing

Communications of the ACM
Fighting phishing at the user interface

Fighting phishing at the user interface
BrowserShield: vulnerability-driven filtering of dynamic HTML

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Examining the impact of website take-down on phishing

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
A framework for detection and measurement of phishing attacks

Proceedings of the 2007 ACM workshop on Recurring malcode
Beamauth: two-factor web authentication with a bookmark

Proceedings of the 14th ACM conference on Computer and communications security
You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do strong web passwords accomplish anything?

HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
SpyProxy: execution-based detection of malicious web content

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Anti-Phishing in Offense and Defense

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
CAPTCHA: using hard AI problems for security

EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Phoolproof phishing prevention

FC'06 Proceedings of the 10th international conference on Financial Cryptography and Data Security

Smartening the crowds: computational techniques for improving human verification to fight phishing scams

Proceedings of the Seventh Symposium on Usable Privacy and Security
Preventing the revealing of online passwords to inappropriate websites with logininspector

lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
All your browser-saved passwords could belong to us: a security analysis and a cloud-based new design

Proceedings of the third ACM conference on Data and application security and privacy
A measurement study of insecure javascript practices on the web

ACM Transactions on the Web (TWEB)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Many anti-phishing mechanisms currently focus on helping users verify whether a Web site is genuine. However, usability studies have demonstrated that prevention-based approaches alone fail to effectively suppress phishing attacks and protect Internet users from revealing their credentials to phishing sites. In this paper, instead of preventing human users from “biting the bait,” we propose a new approach to protect against phishing attacks with “bogus bites.” We develop BogusBiter, a unique client-side anti-phishing tool, which transparently feeds a relatively large number of bogus credentials into a suspected phishing site. BogusBiter conceals a victim's real credential among bogus credentials, and moreover, it enables a legitimate Web site to identify stolen credentials in a timely manner. Leveraging the power of client-side automatic phishing detection techniques, BogusBiter is complementary to existing preventive anti-phishing approaches. We implemented BogusBiter as an extension to the Firefox 2 Web browser, and evaluated its efficacy through real experiments on both phishing and legitimate Web sites. Our experimental results indicate that it is promising to use BogusBiter to transparently protect against phishing attacks.