Phishing

Ungraded Quiz

phishing: tricks a person into visiting a fraudulent version of a legitimate website, with the goal of obtaining sensitive information — passwords, banking information, credit card details
spear phishing: targeted to a particular individual or organization
- can be more convincing since it is targeting an individual
- attacker will research the target in advance
- can purport to come from a known contact or include reference to known information
whaling: targeted to higher-level management
see Crowdstrike explanation and examples

mental model: a person’s understanding of how a system works and what it does
- influences a person’s security-related decisions / threat model
- phishing may exploit flaws in a person’s mental model
- software developers (especially working in security) should try to align their software with mental models
URLs by design hide the actual link
typosquatting
redirects
web design that looks like the authentic website or “looks trustworthy”
copycate domains, like paypal-security.com or pay.pal.com
misunderstanding that the lock icon means a site is “safe”

spam filtering
domain filtering
user education
notes of interest
- transient phishing sites are a problem
- once users are on a fraudulent site, even experts have a hard time detecting this

a closed padlock icon
HTTPS
warnings (Not Secure)
regular changes may be confusing
differences between browsers
Rethinking Connection Security Indicators — if you want to see justification for Chrome’s designs
distinguishing between “not secure” (not using HTTPS) vs “unsafe” (hosting malware) — see Google Safe Browsing project

area of research that combines human factors and security
- merges two areas of CS (HCI, security)
- frequently uses theories and methods from psychology and sociology
see Table 9.3, page 273 and discussion to see some examples of design principles
see SOUPS 2023 Technical Sessions
see SOUPS 2022 Technical Sessions