  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Something Looks Phishy Here: Applications of Signal Detection Theory to Cyber-Security Behaviors in the Workplace

Martin, Jaclyn 15 March 2017
Cyber-security is an ever-increasing problem in the 21st century. Though the majority of cyber-security breaches are a direct result of human error (Hu, Dinev, Hart, & Cooke, 2012), there is a dearth of research in psychology on the application of human decision-making for cyber-security compliance. Through an online inbox simulation, the present research examined the utility of a robust psychological model for decision-making, signal detection theory (SDT), for modeling decision-making in the context of receiving and responding to phishing and spear-phishing email scams. The influence of individual differences, specifically conscientiousness, on phishing email detection was also examined. The results indicate that SDT is useful for modeling and measuring cyber-compliance behavior in terms of responding to phishing emails. This finding supports the feasibility of using SDT to monitor training effectiveness for individuals’ resistance to social engineering in phishing email detection. There were no significant relationships between participants’ scores on conscientiousness and their phishing and spear-phishing email detection ability. Future research should explore predictors of cyber-compliance with regards to individuals’ phishing and spear-phishing susceptibility.
12

Phishing Warden: Enhancing Content-Triggered Trust Negotiation to Prevent Phishing Attacks

Henshaw, James Presley 01 June 2005
Phishing attacks are spam e-mails that attempt to fool recipients into divulging their identifying information by posing as a message from a well known company and using that company's branding and logos. It is estimated that phishing attacks have cost bank and credit card customers $1.2 billion in the U.S. in 2003. Previous work, content-triggered trust negotiation (CTTN), filters Internet traffic for sensitive data, and prevents a user from disclosing sensitive information to an un-trusted server. However, existing CTTN implementations are vulnerable to client-side scripts that obfuscate any data the client's browser sends to the web server in order to bypass CTTN's filter. To increase the security of CTTN, this thesis introduces Phishing Warden, a browser-plug-in that filters content before client-side scripts can execute, thereby preventing the scripts from obfuscating data in order to bypass the filter. Phishing Warden negotiates the release of sensitive data through web forms via the AutoFill button. After Phishing Warden determines the web server is trustworthy of the requested information, the sensitive data is automatically inserted into the form, indirectly informing the user that Phishing Warden trusts the server with this information. Besides potentially obfuscating data, scripts in Internet browsers can exploit security vulnerabilities which allow malicious scripts to potentially take over the computer, or deceive the user with a fake toolbar [31]. In addition to preventing data obfuscation by client-side scripts, Phishing Warden also allows a user to customize script control with the push of a button, letting the user decide which websites to trust enough to run scripts. Phishing Warden extends CTTN to remember past sites deemed trustworthy by the user.
13

Using Web bugs and honeytokens to investigate the source of phishing attacks

McRae, Craig Michael 03 May 2008
Phishing is the use of social engineering and electronic communications such as emails to try and elicit sensitive information such as usernames, passwords, and financial information. This form of identity theft has become a rampant problem in today’s society. Phishing attacks have cost financial institutions millions of dollars per year and continue to do so. Today’s defense against phishing attacks primarily consists of trying to take down the phishing web site as quickly as possible before it can claim too many victims. This thesis demonstrates that it is possible to track down a phisher to the IP address of the phisher’s workstation rather than innocent machines used as intermediaries. By using web bugs and honeytokens on the fake web site forms the phisher presents, one can log accesses to the web bugs by the phisher when the attacker views the results of the forms.
14

Detecting Visually Similar Web Pages: Application to Phishing Detection

Teh-Chung, Chen 06 1900
We propose a novel approach for detecting visual similarity between two web pages. The proposed approach applies Gestalt theory and considers a webpage as a single indivisible entity. The concept of supersignals, as a realization of Gestalt principles, supports our contention that web pages must be treated as indivisible entities. We objectify, and directly compare, these indivisible supersignals using algorithmic complexity theory. We apply our new approach to the domain of anti-Phishing technologies, which at once gives us both a reasonable ground truth for the concept of “visually similar,” and a high-value application of our proposed approach. Phishing attacks involve sophisticated, fraudulent websites that are realistic enough to fool a significant number of victims into providing their account credentials. There is a constant tug-of-war between anti-Phishing researchers who create new schemes to detect Phishing scams, and Phishers who create countermeasures. Our approach to Phishing detection is based on one major signature of a Phishing webpage which cannot be easily changed by those con artists: Visual Similarity. The only way to fool this significant characteristic appears to be to make a visually dissimilar Phishing webpage, which also reduces the success rate of the Phishing scams or their criminal profits dramatically. For this reason, our application appears to be quite robust against a variety of common countermeasures Phishers have employed. To verify the practicality of our proposed method, we perform a large-scale, real-world case study, based on “live” Phish captured from the Internet. Compression algorithms (as a practical operational realization of algorithmic complexity theory) are a critical component of our approach. Out of the vast number of compression techniques in the literature, we must determine which compression technique is best suited for our visual similarity problem.
We therefore perform a comparison of nine compressors (including both 1-dimensional string compressors and 2-dimensional image compressors). We finally determine that the LZMA algorithm performs best for our problem. With this determination made, we test the LZMA-based similarity technique in a realistic anti-Phishing scenario. We construct a whitelist of protected sites, and compare the performance of our similarity technique when presented with a) some of the most popular legitimate sites, and b) live Phishing sites targeting the protected sites. We found that the accuracy of our technique is extremely high in this test; the true positive and false positive rates reached 100% and 0.8%, respectively. We finally undertake a more detailed investigation of the LZMA compression technique. Other authors have argued that compression techniques map objects to an implicit feature space consisting of the dictionary elements generated by the compressor. In testing this possibility on live Phishing data, we found that derived variables computed directly from the dictionary elements were indeed excellent predictors. In fact, by taking advantage of the specific characteristic of dictionary compression algorithm, we slightly improve on our accuracy when using a modified/refined LZMA algorithm for our already perfect NCD classification application. / Software Engineering and Intelligent Systems
15

Detecting Visually Similar Web Pages: Application to Phishing Detection

Teh-Chung, Chen Unknown Date
No description available.
16

Feeding phishers a thesis /

Lynch, Nicholas James. Nico, Phillip Lovis. January 1900
Thesis (M.S.)--California Polytechnic State University, 2009. / Title from PDF title page; viewed on August 27, 2009. "July 2009." "In partial fulfillment of the requirements for the degree [of] Master of Science in Computer Science." "Presented to the faculty of California Polytechnic State University, San Luis Obispo." Major professor: Philip Nico, Ph.D. Includes bibliographical references (p. 53-57).
17

Characterization of phishing website characteristics / Karakterisering av egenskaper hos phishing domäner

Karlström, Axel, Kihlberg Gawell, Elsa January 2022
The occurrence of phishing domains is increasing continuously as attackers are able to make use of tool kits that create the phishing websites for them. When knowledge in web development is no longer needed, anyone can perform a phishing attack and existing detection methods cannot seem to keep up. Finding new techniques to identify these malicious domains is crucial to protect the potential victims visiting the website. Many of the existing methods focus on the visual appearance of the websites. This thesis chooses to focus on the underlying structure instead. By collecting data on style sheets and certificates from both verified phishing domains and benign domains, datasets were created for both types of domains. Using a token-based similarity algorithm on the collected style sheet data, subsets were created based on style sheet similarity. Our analysis was focused on three main parts of the results: the characteristics of phishing domains compared to benign domains, the created subsets based on style sheet similarities and the matching style sheets in two of the subsets. The characteristics of the phishing domains were for the most part rather different compared to the benign domains, except for similarities found in the data on the style sheets. The created subsets using style sheet similarities were grouped into three datasets based on the amount of matching style sheets. The three datasets, despite originating from the same dataset, proved to have distinct differences in characteristics. From the two chosen subsets, one of the subsets contained style sheets indicating the domains in the subset were created by a phishing kit. We conclude that a method based on structural similarities to identify both phishing kits and phishing domains is possible to implement. Our methodology shows the possibilities of this method, but further development and research are required to make it reliable.
18

Phishing on Open WLANs: Threat and Preventive Measure

Khanna, Isha 10 January 2010
Phishing is an internet security issue whose shape is still changing and size is still increasing. This thesis shows the possibility of a phishing attack on open, private Wireless LANs. Private WLANs which use a login page to authenticate users in hotels, airports and academic campuses are all vulnerable to this attack. Virginia Tech's WLAN is used as an example to show that the attack is possible. The attack combines two very well known attacks: one is to deceptively guide a user into logging into a fake website, which shows a similar log-in page to the page of the website the user intends to go to, and the second attack is to show users a valid certificate, which does not show a warning. The rogue server takes the user to a log-in page which is similar to Virginia Tech's log-in page and shows him a valid security certificate. We present a solution to the proposed problem. Software is implemented that runs on Windows Vista. The software warns the user if there are servers with more than one type of security certificate, claiming to be from the same network. We contrast our method to already existing methods, and show in what respects our solution is better. The biggest advantage of this method is that it involves no change on the server side. It is not necessary for the users to have any prior knowledge of the network, which is very helpful when the users access WLAN at airports and hotels. Also, when using this method, the user does not need to connect to any network, and is still able to get a warning. It, however, requires the user to be able to differentiate between the real and fake networks after the user has been warned. / Master of Science
19

Three Essays on Phishing Attacks, Individual Susceptibility, and Detection Accuracy

Bera, Debalina 08 1900
Phishing is a social engineering attack to deceive and persuade people to divulge private information like usernames and passwords, account details (including bank account details), and social security numbers. Phishers typically utilize e-mail, chat, text messages, or social media. Despite the presence of automatic anti-phishing filters, phishing messages reach online users' inboxes. Understanding the influence of phishing techniques and individual differences on susceptibility and detection accuracy is an important step toward creating comprehensive behavioral and organizational anti-phishing awareness programs. This dissertation seeks to achieve a dual purpose in a series of three essays. Essay 1 seeks to explore the nature of phishing threats, including identifying attack intentions, and psychological and design techniques of phishing attacks. Essay 2 seeks to understand the relative influence of attack techniques and individual phishing experiential traits on people's phishing susceptibility. Essay 3 seeks to understand an individual's cognitive and affective differences that differentiate between an individual's phishing detection accuracy.
20

A defense-in-depth approach to phishing

Barnes, David S. 09 1900
Phishing is a form of crime in which identity theft is accomplished by use of deceptive electronic mail and a fake site on the World Wide Web. Phishing threatens financial institutions, retail companies, and consumers daily and phishers remain successful by researching anti-phishing countermeasures and adapting their attack methods to the countermeasures, either to exploit them, or completely circumvent them. An effective solution to phishing requires a multi-faceted defense strategy. We propose a model for phishing. We report on a survey we conducted of user detection of phishing. We also report on experiments to assess the success of automated methods for assessing clues to phishing email. We present recommendations for a defense-in-depth strategy to prevent phishing.
