iTrustPage: Pretty Good Phishing Protection

Prof. Stefan Saroiu (University of Toronto)


ABSTRACT

In spite of the myriad solutions proposed by industry and the research community to address the phishing problem, the number of phishing attacks continues to grow at a remarkable rate. This alarming trend suggests that the research community must develop new approaches to preventing phishing attacks.

In this presentation, I will describe iTrustPage, an anti-phishing tool that relies on user input and external repositories of information to prevent users from filling out phishing Web forms. When encountering a suspicious Web form, iTrustPage asks the user to describe the site they intend to access, as if they were entering search terms into a search engine. If the form is found in the top search results, the form is validated, and the user can proceed to fill it out. Otherwise, the user is presented with visual previews of the top search results: these are well-known sites matching the user-supplied search terms. Users can either choose one of these trustworthy sites or refine their search terms.

We present a three-pronged evaluation of iTrustPage, investigating its performance, effectiveness, and ease of use. For this, we use previously collected traces of Web traffic, data collected from our real deployment of iTrustPage, and data collected from a controlled usability study of our tool. Our evaluation shows that iTrustPage is effective and easy to use.

This is joint work with Troy Ronda (University of Toronto) and Alec Wolman (Microsoft Research).
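
The validation step described in the abstract, sketched as an added example (not iTrustPage's own code). The search backend, the cut-off of ten results, and the host-equality comparison are assumptions; the sample index and all URLs are constructed.

```python
from urllib.parse import urlsplit

TOP_N = 10  # assumption: the abstract only says "top search results"

# Constructed stand-in for an external search engine (hypothetical data).
CONSTRUCTED_INDEX = {
    "example bank login": [
        "https://www.examplebank.test/login",
        "https://en.encyclopedia.test/wiki/Example_Bank",
        "https://news.test/example-bank-review",
    ],
}


def constructed_search(terms):
    """Return ranked result URLs for the user's terms (offline stub)."""
    return CONSTRUCTED_INDEX.get(" ".join(terms.lower().split()), [])


def site_key(url):
    """Lower-cased host without a leading 'www.', used to compare sites."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_form(form_url, search_terms, search=constructed_search):
    """Decide what to do with a form the tool has already flagged as suspicious.

    Returns ("validated", []) when the form's site is among the top results,
    otherwise ("choose", alternatives) so the user can pick a well-known
    site or refine the search terms (alternatives may be empty).
    """
    results = search(search_terms)[:TOP_N]
    form_site = site_key(form_url)
    # Whole-host equality: a trusted name embedded as a subdomain label
    # of another host, or a lookalike spelling, must not validate.
    if form_site and any(site_key(r) == form_site for r in results):
        return "validated", []
    return "choose", results


if __name__ == "__main__":
    for url in ("https://examplebank.test/signin",
                "http://examplebank.test.account-verify.test/login",
                "https://examp1ebank.test/login"):
        print(url, "->", check_form(url, "Example Bank login")[0])
```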

BIOGRAPHY

Stefan joined the Department of Computer Science at the University of Toronto in 2005 after a brief hiatus at Amazon.com. Stefan received his Ph.D. in 2004 from the University of Washington, where he worked with Steve Gribble and Hank Levy. Stefan's research interests span the range from operating systems to networking and distributed systems.