Sheng et al.’s research identified
a gap between research and industry
in terms of true positives. Academic
research has generally focused on
heuristics and machine-learning techniques with very good true positives
though somewhat high false positives.
These heuristics are good at identifying phishing sites not seen before. On
the other hand, industry relies primarily on blacklists, which have middling
true positives but no false positives.
However, blacklists do not generalize
well to future unseen cases, can be slow
to respond to zero-hour attacks, and
are easily overwhelmed by automatically generated URLs, a tactic phishers
have already adopted.
In follow-up work, Sheng et al. [31]
probed the issue of heuristics vs. blacklists by interviewing people in industry, law enforcement, and academia,
finding that concern over liability for
false positives is the major barrier to
deploying more aggressive heuristics.
However, the first few hours of an attack are critical for blocking it, as a
substantial fraction of users will have
read their email by the time blacklists
are updated. Jagatic et al. [19] found that
during regular work hours, most users
who fell for a phishing attack did so in
the eight hours following the start of

Sheng et al. [31] identified several ways
to ameliorate the situation; foremost
is to clarify the legal issues surrounding false positives. Another is to have a
central clearinghouse for phish, rather
than piecemeal efforts that take longer to identify phish due to duplicated
effort. A third is for researchers to develop better heuristics that minimize
false positives. An early example of
such heuristics was developed by Xiang
et al. [38], observing that many phish are
near or exact duplicates because they
are generated by toolkits. Once a phish
is on a blacklist, other copies of it can
be identified quickly and blocked with
virtually no risk of false positives. Using probabilistic-matching methods,
the obvious countermeasure of adding
noise can also be mitigated.
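The near-duplicate idea above, as an added illustration rather than Xiang et al.'s own method or code: a small Python detector that fingerprints blacklisted phishing pages as sets of three-word shingles and flags a new page as a copy when its Jaccard similarity to any known phish passes a threshold. A MinHash signature is included alongside the exact comparison to show how the same decision scales to a large blacklist. The HTML pages, the blacklist label, and the threshold value are all constructed for this example; inserting filler words, hidden spans or whitespace (the "adding noise" countermeasure) only disturbs the shingles next to the edit, so the copy still matches while an unrelated page does not.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

SHINGLE_SIZE = 3        # words per shingle
NUM_HASHES = 128        # MinHash signature length
MATCH_THRESHOLD = 0.5   # assumed cut-off; tune against a labelled corpus before deployment


def tokenize(html: str) -> List[str]:
    """Strip tags, lowercase, and split the visible text into alphanumeric word tokens."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(html: str, k: int = SHINGLE_SIZE) -> Set[str]:
    """Set of k-word shingles; local edits (inserted noise) change only nearby shingles."""
    toks = tokenize(html)
    if len(toks) < k:
        return set(toks)
    return {" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact Jaccard similarity |A∩B| / |A∪B|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def _h(i: int, s: str) -> int:
    """i-th deterministic hash function: blake2b keyed by the function index."""
    d = hashlib.blake2b(s.encode(), digest_size=8, key=i.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big")


def minhash(sh: Set[str], n: int = NUM_HASHES) -> List[int]:
    """MinHash signature: for each hash function, the minimum hash over all shingles."""
    sentinel = (1 << 64) - 1  # used for an empty shingle set
    return [min((_h(i, s) for s in sh), default=sentinel) for i in range(n)]


def estimate_jaccard(sig_a: List[int], sig_b: List[int]) -> float:
    """Fraction of agreeing signature positions is an unbiased estimate of Jaccard."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


class PhishCopyDetector:
    """Index of blacklisted phish fingerprints; new pages are checked for near-duplicates."""

    def __init__(self, threshold: float = MATCH_THRESHOLD):
        self.threshold = threshold
        self._exact: Dict[str, Set[str]] = {}
        self._sigs: Dict[str, List[int]] = {}

    def add_blacklisted(self, label: str, html: str) -> None:
        sh = shingles(html)
        self._exact[label] = sh
        self._sigs[label] = minhash(sh)

    def check(self, html: str) -> Tuple[bool, Optional[str], float]:
        """(is_copy, best_label, similarity) using exact Jaccard against every entry."""
        sh = shingles(html)
        best_label, best_sim = None, 0.0
        for label, known in self._exact.items():
            sim = jaccard(sh, known)
            if sim > best_sim:
                best_label, best_sim = label, sim
        return best_sim >= self.threshold, best_label, best_sim

    def check_fast(self, html: str) -> Tuple[bool, Optional[str], float]:
        """Same decision from MinHash signatures, which is what one compares at scale."""
        sig = minhash(shingles(html))
        best_label, best_sim = None, 0.0
        for label, known in self._sigs.items():
            sim = estimate_jaccard(sig, known)
            if sim > best_sim:
                best_label, best_sim = label, sim
        return best_sim >= self.threshold, best_label, best_sim


# Constructed sample pages (not real phishing content); example.invalid is a reserved name.
KNOWN_PHISH = (
    "<html><body><h1>Security Alert</h1>"
    "<p>Your account has been temporarily suspended due to unusual sign in activity.</p>"
    "<p>To restore access please verify your identity by confirming your password below.</p>"
    "<form action=\"http://example.invalid/login\"><input name=\"user\">"
    "<input name=\"pass\" type=\"password\"><button>Verify Now</button></form></body></html>"
)
# Toolkit-style copy with noise: a greeting, a hidden reference number, extra whitespace and tags.
NOISY_COPY = (
    "<html><body><div class=\"wrapper\">\n<h1>Security   Alert</h1>\n"
    "<p>Dear customer, your account has been temporarily suspended due to unusual sign in activity.</p>\n"
    "<p>To restore access please verify your identity by confirming your password below.</p>\n"
    "<span style=\"display:none\">ref 48213</span>\n"
    "<form action=\"http://example.invalid/verify\"><input name=\"user\">"
    "<input name=\"pass\" type=\"password\"><button>Verify Now</button></form></div></body></html>"
)
LEGIT_PAGE = (
    "<html><body><h1>Welcome back</h1>"
    "<p>Browse our latest catalog of garden tools and outdoor furniture.</p>"
    "<p>Sign in to view your order history.</p></body></html>"
)


def build_demo_detector() -> PhishCopyDetector:
    det = PhishCopyDetector()
    det.add_blacklisted("phish-0001-constructed", KNOWN_PHISH)  # hypothetical blacklist label
    return det


if __name__ == "__main__":
    d = build_demo_detector()
    print("noisy copy :", d.check(NOISY_COPY))   # matches at ~0.65 similarity
    print("legit page :", d.check(LEGIT_PAGE))   # no shared shingles, similarity 0.0
    print("fast check :", d.check_fast(NOISY_COPY))
```

Because every shingle is a whole phrase, the false-positive risk comes only from pages that genuinely share long runs of identical text with a blacklisted phish, which is the property the text above relies on; the threshold is the one knob that trades that risk against tolerance for heavier noise, and a fingerprint index of this kind only helps once a first copy has been blacklisted, so it complements rather than replaces the zero-hour heuristics discussed earlier.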

Taking down phishing sites. Several
organizations identify and take down
phishing sites, and private mailing
lists help share information about fake
sites, as well as find contact information for specific ISPs and Web sites.
When phishing sites are taken
down, end users who click on a phish
are typically shown a “page not found”
error. One innovation developed by
APWG and Carnegie Mellon University
is to have ISPs and take-down providers replace the phishing page with a
training message, teaching people
who click on phishing email messages about such attacks. The APWG
landing page [2], in use since September
2008, is available in several languages.
As of April 2010, it has been displayed
in place of 1,285 phishing pages and
viewed almost 200,000 times [17]. While
measuring the effect of the landing
page is difficult, it is a step in the right
direction, offering multiple ways of
protecting people worldwide.

Better interfaces. The second major
strategy for protecting people is to provide better interfaces. The following
paragraphs cover innovations in warnings, support for properly identifying
Web sites, and authentication.
A general problem with security
warnings is that users often close them
the instant they appear, a perfectly rational
behavior, as many warnings are
so obtuse people don’t understand
what the problem is or what they
should do. Other warnings annoyingly
interrupt what people are trying to accomplish.
Warning notifications can
also be too subtle, with people not even

Figure 2. The active warnings used by Mozilla Firefox when blocking phishing pages are
more effective than passive warnings.