Learn to Spot Phishing URLs with the Android NoPhish App

  • Gamze Canova
  • Melanie Volkamer
  • Clemens Bergmann
  • Roland Borza
  • Benjamin Reinheimer
  • Simon Stockhardt
  • Ralf Tenberg
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 453)

Abstract

Phishing is a major issue in today's Internet. It can have financial or personal consequences. Attacks continue to become more sophisticated, and the advanced ones (including spear phishing) can only be detected if people carefully check URLs, be it in messages or in the address bar of the web browser. We developed a game-based smartphone app, NoPhish, to educate people in accessing, parsing and checking URLs, i.e. enabling them to distinguish between trustworthy and non-trustworthy messages and websites. Throughout several levels of the game, information is provided and phishing detection is exercised in a playful manner. Several learning principles were applied, and the interfaces and texts were developed in a user-centered design process.
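The skill the abstract describes, reading a URL to find the host that will actually answer and the registrable domain inside it, can be made concrete in code. The following is an added example written for this page, not the NoPhish app's own logic or training material. It assumes a constructed, deliberately tiny stand-in for the Public Suffix List and a hypothetical expected domain (example.com); the flagged patterns (userinfo before "@", bare IP hosts, punycode labels, a brand name placed left of the real domain) are common disguises, not a claim about what the app teaches.

```python
"""Parse a URL the way a careful reader should: locate the host that really
answers the request, reduce it to the registrable domain, and flag the usual
ways a phishing URL hides that domain.  Added example, not NoPhish code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real checker
# would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "de", "co.uk", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of `host` a registrant actually owns.

    'www.bank.co.uk'       -> 'bank.co.uk'
    'paypal.com.evil.net'  -> 'evil.net'
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to the last label so the longest public
    # suffix wins (co.uk must be found before uk).
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str, expected_domain: str) -> dict:
    """Compare the URL's registrable domain with the domain the reader expects
    and collect the reasons (if any) why the URL should not be trusted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # urlsplit already lowercases this
    findings = []

    # 'https://example.com@evil.net/' : everything before '@' is userinfo,
    # the browser connects to evil.net.
    if parts.username is not None:
        findings.append("userinfo before '@': the text before '@' is not the host")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a bare IP address")
    except ValueError:
        is_ip = False

    # Internationalised labels are encoded as xn--...; look-alike characters
    # hide behind them.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host: check for look-alike characters")

    domain = host if is_ip else registrable_domain(host) if host else ""
    if domain != expected_domain:
        findings.append(f"registrable domain is {domain!r}, not {expected_domain!r}")
        # 'example.com.evil.net': the brand sits in a subdomain the attacker controls.
        brand = expected_domain.split(".")[0]
        if brand in host:
            findings.append("brand name appears in the host but not as the registrable domain")

    # Scheme is worth noting, but https on its own proves nothing about who owns the host.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")

    return {"host": host, "registrable_domain": domain, "findings": findings,
            "ok": not findings}


if __name__ == "__main__":
    # Constructed sample URLs, as they might appear in a message.
    for sample in ("https://www.example.com/login",
                   "https://example.com.evil.net/login",
                   "http://example.com@203.0.113.5/",
                   "https://xn--exmple-cua.com/"):
        result = check_url(sample, "example.com")
        print(sample, "->", "OK" if result["ok"] else result["findings"])
```

The check deliberately works only on the host part: path, query and display text are under the sender's full control and say nothing about who will receive the credentials.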

Notes

Acknowledgements

This work was supported by CASED and EC SPRIDE.


Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

All authors: Center for Advanced Security Research Darmstadt (CASED), Technische Universität Darmstadt, Darmstadt, Germany
