Web Security

AuntieTuna

We've developed a Chrome extension for detecting if a visited website is phish or not by comparing its content to the original, known good website.

The most updated code and instructions is available at:

latest updates

2019-10-15: The information here is outdated and retained for archival purposes! Please check https://auntietuna.ant.isi.edu for the latest in developments!

introduction

AuntieTuna is a browser extension that checks if each visited page is a potential phishing website based on snapshots of known good websites that a user adds.

For example, a user first visits PayPal (Figure 1) and adds its snapshot using AuntieTuna (Figure 2).


Figure 1: The original PayPal login page (2016).


Figure 2: A button that adds and stores a snapshot of a known-good site.

AuntieTuna then checks every other page the user visits to see if it looks like or contains content from the original PayPal page. If it does, the page is detected as suspect phish and blocked.

For example, Figure 3 shows a detected PayPal-phish. The user is blocked from moving forward by AuntieTuna.


Figure 3: AuntieTuna blocks an actual PayPal-phishing site (2016).

A paper describing additional details and usability of this work, AuntieTuna: Personalized Content-based Phishing Detection [1], was presented at the 2016 NDSS Usable Security Workshop.

An early version of this work was presented at the 2015 IEEE Security and Privacy poster session (2015-05-18) [2]: abstract and poster.

changelog

  • 2019-06-26: v0.0.3 released
  • 2016-01-20: renamed to AuntieTuna, version 0.0.2 released
  • 2015-05-25: version 0.0.1 released

feedback

We’d greatly appreciate it if you could alpha test our plugin!

v0.0.2 of the plugin compares and detects PayPal phish by default. Users personalize and add their own “known-good” sites as they browse.

In your testing, we’d like to know your experience with:

  • performance or installation issues
  • false positives (did it say the page is suspected phish if it wasn’t?)
  • false negatives (did it not detect an actual phish?)
  • true positives (did it properly detect phish?)

Please send email to calvin@isi.edu with questions, bugs, feature requests, patches, and any notes on your usage!

instructions

  1. Go to Extensions (Window → Extensions) or enter URL “chrome://extensions/”
  2. Click on “Load unpacked extensions…”
  3. Select the directory containing this extension and click on “Select”
  4. To view debugging information for the extension on a visited webpage, go to View → Developer → JavaScript Console

references

  • Calvin Ardi and John Heidemann 2016. AuntieTuna: Personalized Content-Based Phishing Detection. Proceedings of the NDSS Workshop on Usable Security (San Diego, California, USA, Feb. 2016). [PDF] Details
  • Calvin Ardi and John Heidemann 2015. Poster: Lightweight Content-based Phishing Detection. Technical Report ISI-TR-2015-698. USC/Information Sciences Institute. [PDF] Details
Copyright (C) 2016. University of Southern California.

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.