Ignore browser warnings at your peril
Researchers at Brigham Young University have published a paper in the “Journal of the Association for Information Systems” that explores how users can end up being fooled by phishing sites. End users are often the weak point in an organisation; many attacks occur because a user falls for a phishing site.
As part of an experiment, subjects were first required to undertake an online survey. The questions posed by the researchers included 16 related to information security, along with more general questions related to personality and demographics. The general questions were designed to disguise the nature of the experiment.
Subjects were asked to bring their own laptop for the second part of the study. The subjects were informed that the purpose of the study was to see if an algorithm designed to categorise images could outperform a human given the same task. The subjects were shown various images of Batman and asked to decide whether the images were photographs or animations. The users had ten seconds to decide the type of image being presented. Incorrect answers were penalised.
Throughout the task, users were intermittently presented with a screen very similar to the Chrome warning screen that indicates a possible phishing site. If the users decided not to proceed, they were penalised. If they clicked yes, they were able to continue onto the image classification page. The penalties created an additional time pressure for the subjects, and were designed to mimic a real-life work situation.
Continually clicking yes eventually led to an image being displayed, allegedly from an Algerian hacker, telling the user “Say Goodbye to your computer” and informing them that they had “been hax0red”. Many subjects were visibly disturbed when they received the “hax0red” message. Fortunately, the message eventually disappeared.
The online survey results suggested many of the subjects considered themselves aware of web security issues. At first, this self-assessment was inconsistent with their behaviour when performing the image classification task. The subjects who received the “hax0red” message were far more cautious when continuing with the experiment.
The study shows that end users subjected to time pressure can easily fall for phishing or other malicious sites. Even IT-savvy people can still fall for phishing sites. Part of the answer is better user education and awareness; another part is using web and email filtering to keep end users from stumbling onto phishing sites in the first place.