Achievement

When asking users to enter credentials, today's operating systems often use windows that provide scant evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measured the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to login to their devices. See: http://research.microsoft.com/apps/pubs/default.aspx?id=169190