Min Wu, Robert C. Miller, and Greg Little: Web Wallet
July 14, 2006 by Ping
Phishing is a semantic attack: it exploits the gap between the user’s intentions and the system’s operation (in particular when submitting data). The key factors are: what is the data and where will it go?
The Web Wallet is a browser sidebar that users open by pressing a secure attention key (F2). In the sidebar, users select the password, credit card, or other piece of sensitive information they want to submit, and the Web Wallet fills the form automatically.
Since the Web Wallet knows which record the user selected, it can now compare the user’s intended recipient with the actual site, and bring up a warning if they are different. Moreover, it can direct the user to the real site if the current one is a fake.
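The comparison described above, as an added illustration (hypothetical code, not the authors' implementation): each wallet record is bound to the origin it was created for, and a fill request is granted only when the form's actual destination matches that origin exactly, so a lookalike host, a plain-http copy of the site, or a different port all produce a warning that also names the real site. The record fields, the use of the form's submission URL as "where the data will go", and the exact-origin rule are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class WalletRecord:
    label: str    # name shown in the sidebar, e.g. "My bank login"
    kind: str     # "password" or "credit_card"
    site: str     # origin the record was bound to when it was created
    secret: str

@dataclass(frozen=True)
class Decision:
    action: str         # "fill" or "warn"
    intended_site: str  # the site the user meant (taken from the record)
    actual_site: str    # the site the form would really submit to

def origin(url: str) -> str:
    """Normalise a URL to scheme://host[:port] so the comparison is exact."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https") or not host:
        raise ValueError(f"not a web origin: {url!r}")
    default = 443 if p.scheme == "https" else 80
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{host}{port}"

def decide_fill(record: WalletRecord, form_action_url: str) -> Decision:
    """Fill only when the form's destination is exactly the record's site.
    Anything else (lookalike host, http instead of https, other port) is a
    mismatch: warn, and report the intended site so the user can go there."""
    actual = origin(form_action_url)
    action = "fill" if actual == record.site else "warn"
    return Decision(action, record.site, actual)

# Constructed sample record (reserved example names, not a real site).
SAMPLE_RECORD = WalletRecord("My bank login", "password",
                             "https://bank.example", "correct-horse")

if __name__ == "__main__":
    for url in ("https://bank.example/login",
                "https://bank-example-login.test/login",
                "http://bank.example/login"):
        d = decide_fill(SAMPLE_RECORD, url)
        print(f"{url}: {d.action} (intended {d.intended_site}, actual {d.actual_site})")
```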
In a study of 20 users, Web Wallet was very effective at defending users when they opened the Web Wallet, but was vulnerable to attack when the attacker displayed a spoofed Web-Wallet-like sidebar.
When Web Wallet detects a form for sensitive information, it disables the form fields so that the user is forced to activate Web Wallet. To discourage users from just typing in their password when the attacker’s page has a form that Web Wallet does not detect, the characters typed into any website are shown flying out of the cursor in a large font. However, this feature wasn’t very effective at deterring users, and will be looked at more in future work.