Phinding Phish: An Evaluation of Anti-Phishing Toolbars
There are currently dozens of freely available tools to help combat phishing and other web-based scams. Many of these tools come in the form of web browser extensions that warn users when they are browsing a suspected phishing site.
The information has been provided by Lorrie Cranor, Serge Egelman, Jason Hong, and Yue Zhang.
The original article can be found at: http://www.cylab.cmu.edu/files/cmucylab06018.pdf
We conducted two experiments assessing the effectiveness of five anti-phishing toolbars. To facilitate evaluation of larger data sets across longer periods of time, we developed an automated test bed for assessing the effectiveness of anti-phishing toolbars. We found that three of the 10 toolbars, SpoofGuard, EarthLink and Netcraft, were able to identify over 75% of the phishing sites tested. However, four of the toolbars were not able to identify even half the phishing sites tested. At the same time, SpoofGuard incorrectly identified 38% of the legitimate URLs as phishing URLs. It would seem that such inaccuracies might nullify the benefits SpoofGuard offers in identifying phishing sites. The 10 toolbars that we examined used a variety of methods for identifying fraudulent sites; however, we were able to exploit vulnerabilities in most of them. Thus, much more work needs to be done in this area from a technical standpoint. Yet even if it is possible to create a technically sound anti-phishing toolbar, it is still unclear as to whether or not this would be beneficial to users. Usability problems plague all varieties of software, security software in particular. When using an anti-phishing toolbar, poor usability could mean the difference between correctly steering someone away from a phishing site and having them ignore the warnings only to become a victim of identity theft. Thus, we plan to further examine both the technical aspects of this domain as well as the human factors.