TORPEDO - TOoltip-poweRed Phishing Email DetectiOn

TORPEDO is an add-on for the Thunderbird email client, to help users to detect phishing emails. We first explain what phishing is, then how TORPEDO works and finally how to configure it.

What is phishing?
Phishing is a method fraudsters use to defraud or harm you. To achieve their aims, phishers send messages (emails) purporting to come from someone you can trust. The email usually copies a legitimate email's layout and format so that it is hard to detect the treachery. Phishing messages usually contain one more links that appear to be legitimate but are actually red herrings. The Phisher wants you to click on this dangerous link without thinking about it too much. If you click on these links you might download malware onto your device or you will be redirected to a website that looks exactly like the legitimate one. Phishing websites are usually an almost undetectable copy of the original. If you provide your credentials to this website, the phisher will gain access to your secret password and probably use it to log into the legitimate website and carry out actions that could harm you (e.g. charge items to your credit card). Technical measures cannot detect all phishing emails in order to divert them before they arrive in your inbox so you will inevitably receive some of these emails from time to time. If you want to be certain about whether an email is a phish you have to check the link (the URL, or web page address) very carefully. This will help you to judge the legitimacy of the link and help you to protect yourself when technical measures have failed to prevent the phishing attempt. Phishers are clever enough to hide the real destination of the link so that just looking at the link is often insufficient – you have to examine the real destination, not just look at the displayed destination (these are often different because the phisher's intention is to deceive).

If you have been deceived and have clicked on the link you might then realize that you have been connected to a phishing server. In this case you should close the browser immediately and let IT support know, just in case some bad software has been downloaded onto your computer.

How does TORPEDO work?
TORPEDO helps to expose malicious links in phishing emails so that you can expose their attempts to deceive you. TORPEDO displays the destination web address in a dialog box (a tooltip box) when you hover over a link with your mouse. The tooltip highlights the so-called domain of the link because this is the only relevant part to be used when you decide whether the web address is legitimate or not.

For example, if you receive an email that, at first glance, seems to be sent by amazon but the actual destination is: www.amazon.com.buy-here.com/login, this is definitely a phishing email because amazon uses the domain amazon.com and in this example the domain is "buy-here.com". Because it is sometimes difficult to check the domain, TORPEDO gives extra information (when you click on the question mark) and tips to guide examination of the URL. The tooltip frame is colored to provide an extra signal. There are three different colors depending on the potential security risk.

A green frame means the domain is classified as reliable by the developers of TORPEDO, and used daily by many web users.

If the frame is grey the domain should be checked carefully before you click on it, because the link could be dangerous. TORPEDO delays down activation of the link to give you time to check it. You have to wait three seconds before activation. You can click on for more information any time you see one of these warnings.

A blue border means that you have indicated that the web address is to be trusted, because, since you installed TORPEDO, you have clicked on this link in e-mails at least twice.

Settings

You can tailor TORPEDO via Thunderbird's settings. You can customize the activation delay, setting how much time you need to check the domain before the link is activated.

You can also decide whether TORPEDO's list of reliable domains is correct. You can also personalize your "safe" domains: these will be activated immediately.

Download

  • We are listed on addons.mozilla.org, so you can download TORPEDO in Thunderbird.
  • You want the most current version? Download TORPEDO beta.
  • If you are interested in the source code of this add-on, you can find it at GitHub.

Contact us

For questions or comments regarding the App do not hesitate to contact us here.

The Add-On was developed in cooperation between three research groups: 

  • Human Centred Security Group University of Glasgow
  • Privacy and Security Group Karlstad University
  • SECUSO Group Darmstadt University

Publications

TORPEDO: TOoltip-poweRed Phishing Email DetectiOn
Melanie Volkamer, Karen Renaud und Benjamin Reinheimer
In: 31st International Conference on ICT Systems Security and Privacy Protection - IFIP SEC 2016, Juni 2016. 

List of trustworthy classified domains

google.de, youtube.com, facebook.com, amazon.de, google.com, ebay.de, wikipedia.org, web.de, gmx.net, t-online.de, bing.com, ebay-kleinanzeigen.de, yahoo.com, bild.de, msn.com, spiegel.de, live.com, chip.de, mobile.de, paypal.com, otto.de, gutefrage.net, focus.de, immobilienscout24.de, outbrain.com, twitter.com, telekom.com, postbank.de, instagram.com, bahn.de, chefkoch.de, autoscout24.de, 1und1.de, microsoft.com, kicker.de, blogspot.de, welt.de, netflix.com, booking.com, idealo.de, xing.com, fiducia.de, twitch.tv, pinterest.com, tumblr.com, zalando.de, wetter.com, heise.de, dict.cc, arbeitsagentur.de, wordpress.com, computerbild.de, ikea.com, sueddeutsche.de, vice.com, sky.de, leo.org, zeit.de, sport1.de, ask.com, deutsche-bank.de, linkedin.com, commerzbank.de, zdf.de, freenet.de, faz.net, adobe.com, n-tv.de, mediamarkt.de, siteadvisor.com, aol.com, tchibo.de, hm.com, immowelt.de, vodafone.de, ing-diba.de, dhl.de, giga.de, telekom.de, meinestadt.de, wetteronline.de, tagesschau.de, bonprix.de, apple.com, duden.de, whatsapp.com, lidl.de, check24.de, reddit.com, stern.de, wikia.com, 9gag.com, arcor.de, ebay.com, dasoertliche.de, dropbox.com, holidaycheck.de, dkb.de, dawanda.com, tripadvisor.de, ardmediathek.de, google.co.uk, amazon.co.uk, bbc.co.uk, ebay.co.uk, dailymail.co.uk, theguardian.com, gov.uk, rightmove.co.uk, bt.com, imgur.com, amazon.com, lloydsbank.co.uk, sky.com, imdb.com, tripadvisor.co.uk, tesco.com, telegraph.co.uk, office.com, argos.co.uk, hsbc.co.uk, santander.co.uk, national-lottery.co.uk, booking.com, itv.com, barclays.co.uk, independent.co.uk, mirror.co.uk, nationwide.co.uk, asda.com, marksandspencer.com, natwest.com, johnlewis.com

Links

A A A | Drucken Print | Impressum Impressum | Sitemap Sitemap | Suche Search | Kontakt Contact | Website Analysis: More Information
zum Seitenanfangzum Seitenanfang