‘Phinding Phish: An Evaluation of Anti-Phishing Toolbars’

Summary

‘There are currently dozens of freely available tools to help combat phishing and other web-based scams. Many of these tools come in the form of web browser extensions that warn users when they are browsing a suspected phishing site. We used verified phishing URLs and legitimate URLs to test the effectiveness of 10 popular antiphishing toolbars. Overall, we found that the anti-phishing toolbars that were examined in this study left a lot to be desired. SpoofGuard did a very good job at identifying fraudulent sites, but it also incorrectly identified a large fraction of legitimate sites as fraudulent. EarthLink, Google, Netcraft, Cloudmark, and Internet Explorer 7 identified most fraudulent sites correctly and had few, if any, false positives, but they still missed more than 15% of fraudulent sites. The TrustWatch, eBay, and Netscape 8 toolbars could correctly identify less than half the fraudulent sites, and McAfee SiteAdvisor did not correctly identify any fraudulent sites. Many of the toolbars we tested were vulnerable to some simple exploits as well. In this paper we describe the anti-phishing toolbar test bed we developed, summarize our findings, and offer observations about the usability and overall effectiveness of these toolbars. Finally, we suggest ways to improve anti-phishing toolbars.’

Credit:

‘The information has been provided by Lorrie Cranor, Serge Egelman, Jason Hong, and Yue Zhang.
The original article can be found at: http://www.cylab.cmu.edu/files/cmucylab06018.pdf


Details

Conclusions:
We conducted two experiments assessing the effectiveness of five anti-phishing toolbars. To facilitate evaluation of larger data sets across longer periods of time, we developed an automated test bed for assessing the effectiveness of anti-phishing toolbars. We found that three of the 10 toolbars, SpoofGuard, EarthLink and Netcraft, were able to identify over 75% of the phishing sites tested. However, four of the toolbars were not able to identify even half the phishing sites tested. At the same time, SpoofGuard incorrectly identified 38% of the legitimate URLs as phishing URLs. It would seem that such inaccuracies might nullify the benefits SpoofGuard offers in identifying phishing sites. The 10 toolbars that we examined used a variety of methods for identifying fraudulent sites; however, we were able to exploit vulnerabilities in most of them. Thus, much more work needs to be done in this area from a technical standpoint. Yet even if it is possible to create a technically sound antiphishing toolbar, it is still unclear as to whether or not this would be beneficial to users. Usability problems plague all varieties of software, security software in particular. When using an anti-phishing toolbar, poor usability could mean the difference between correctly steering someone away from a phishing site and having them ignore the warnings only to become a victim of identity theft. Thus, we plan to further examine both the technical aspects of this domain as well as the human factors.’

Categories: Reviews