1,550 research outputs found
Combating Phishing Attacks: A Knowledge Management Approach
This paper explores how an organization can utilize its employees to combat phishing attacks collectively through coordinating their activities to create a human firewall. We utilize knowledge management research on knowledge sharing to guide the design of an experiment that explores a central reporting and dissemination platform for phishing attacks. The 2x2 experiment tests the effects of public attribution (to the first person reporting a phishing message) and validation (by the security team) of phishing messages on reporting motivation and accuracy. Results demonstrate that knowledge management techniques are transferable to organizational security and that knowledge management can benefit from insights gained from combating phishing. Specifically, we highlight the need to both publicly acknowledge the contribution to a knowledge management system and provide validation of the contribution. As we saw in our experiment, doing only one or the other does not improve outcomes for correct phishing reports (hits)
Detecting and characterizing lateral phishing at scale
We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefit-ting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one-million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks
An Evasion Attack against ML-based Phishing URL Detectors
Background: Over the year, Machine Learning Phishing URL classification
(MLPU) systems have gained tremendous popularity to detect phishing URLs
proactively. Despite this vogue, the security vulnerabilities of MLPUs remain
mostly unknown. Aim: To address this concern, we conduct a study to understand
the test time security vulnerabilities of the state-of-the-art MLPU systems,
aiming at providing guidelines for the future development of these systems.
Method: In this paper, we propose an evasion attack framework against MLPU
systems. To achieve this, we first develop an algorithm to generate adversarial
phishing URLs. We then reproduce 41 MLPU systems and record their baseline
performance. Finally, we simulate an evasion attack to evaluate these MLPU
systems against our generated adversarial URLs. Results: In comparison to
previous works, our attack is: (i) effective as it evades all the models with
an average success rate of 66% and 85% for famous (such as Netflix, Google) and
less popular phishing targets (e.g., Wish, JBHIFI, Officeworks) respectively;
(ii) realistic as it requires only 23ms to produce a new adversarial URL
variant that is available for registration with a median cost of only
$11.99/year. We also found that popular online services such as Google
SafeBrowsing and VirusTotal are unable to detect these URLs. (iii) We find that
Adversarial training (successful defence against evasion attack) does not
significantly improve the robustness of these systems as it decreases the
success rate of our attack by only 6% on average for all the models. (iv)
Further, we identify the security vulnerabilities of the considered MLPU
systems. Our findings lead to promising directions for future research.
Conclusion: Our study not only illustrate vulnerabilities in MLPU systems but
also highlights implications for future study towards assessing and improving
these systems.Comment: Draft for ACM TOP
Recommended from our members
RUST: A Retargetable Usability Testbed for Website Authentication Technologies
Website authentication technologies attempt to make the identity of a website clear to the user, by supplying information about the identity of the website. In practice however, usability issues can prevent users from correctly identifying the websites they are interacting with. To help identify usability issues we present RUST, a Retargetable USability Testbed for website authentication technologies. RUST is a testbed that consists of a test harness, which provides the ability to easily configure the environment for running usability study sessions, and a usability study design that evaluates usability based on spoofability, learnability, and acceptability. We present data collected by RUST and discuss preliminary results for two authentication technologies, Microsoft CardSpace and Verisign Secure Letterhead. Based on the data collected, we conclude that the testbed is useful for gathering data on a variety of technologies
On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name
Most modern web browsers today sacrifice optimal TLS security for backward
compatibility. They apply coarse-grained TLS configurations that support (by
default) legacy versions of the protocol that have known design weaknesses, and
weak ciphersuites that provide fewer security guarantees (e.g. non Forward
Secrecy), and silently fall back to them if the server selects to. This
introduces various risks including downgrade attacks such as the POODLE attack
[15] that exploits the browsers silent fallback mechanism to downgrade the
protocol version in order to exploit the legacy version flaws. To achieve a
better balance between security and backward compatibility, we propose a
mechanism for fine-grained TLS configurations in web browsers based on the
sensitivity of the domain name in the HTTPS request using a whitelisting
technique. That is, the browser enforces optimal TLS configurations for
connections going to sensitive domains while enforcing default configurations
for the rest of the connections. We demonstrate the feasibility of our proposal
by implementing a proof-of-concept as a Firefox browser extension. We envision
this mechanism as a built-in security feature in web browsers, e.g. a button
similar to the \quotes{Bookmark} button in Firefox browsers and as a
standardised HTTP header, to augment browsers security
Analysis of digital evidence in identity theft investigations
Identity Theft could be currently considered as a significant problem in the modern
internet driven era. This type of computer crime can be achieved in a number of
different ways; various statistical figures suggest it is on the increase. It intimidates
individual privacy and self assurance, while efforts for increased security and
protection measures appear inadequate to prevent it. A forensic analysis of the digital
evidence should be able to provide precise findings after the investigation of Identity
Theft incidents. At present, the investigation of Internet based Identity Theft is
performed on an ad hoc and unstructured basis, in relation to the digital evidence.
This research work aims to construct a formalised and structured approach to digital
Identity Theft investigations that would improve the current computer forensic
investigative practice. The research hypothesis is to create an analytical framework to
facilitate the investigation of Internet Identity Theft cases and the processing of the
related digital evidence.
This research work makes two key contributions to the subject: a) proposing the
approach of examining different computer crimes using a process specifically based
on their nature and b) to differentiate the examination procedure between the victimâs and the fraudsterâs side, depending on the ownership of the digital media. The
background research on the existing investigation methods supports the need of
moving towards an individual framework that supports Identity Theft investigations.
The presented investigation framework is designed based on the structure of the
existing computer forensic frameworks. It is a flexible, conceptual tool that will assist
the investigatorâs work and analyse incidents related to this type of crime. The
research outcome has been presented in detail, with supporting relevant material for
the investigator. The intention is to offer a coherent tool that could be used by
computer forensics investigators. Therefore, the research outcome will not only be
evaluated from a laboratory experiment, but also strengthened and improved based on
an evaluation feedback by experts from law enforcement.
While personal identities are increasingly being stored and shared on digital media,
the threat of personal and private information that is used fraudulently cannot be
eliminated. However, when such incidents are precisely examined, then the nature of
the problem can be more clearly understood
- âŠ