8 research outputs found

    Analyzing Social and Stylometric Features to Identify Spear phishing Emails

    Spear phishing is a complex targeted attack in which an attacker harvests information about the victim prior to the attack. This information is then used to create sophisticated, genuine-looking attack vectors, drawing the victim to compromise confidential information. What makes spear phishing different, and more powerful than normal phishing, is this contextual information about the victim. Online social media services can be one such source for gathering vital information about an individual. In this paper, we characterize and examine a true positive dataset of spear phishing, spam, and normal phishing emails from Symantec's enterprise email scanning service. We then present a model to detect spear phishing emails sent to employees of 14 international organizations, by using social features extracted from LinkedIn. Our dataset consists of 4,742 targeted attack emails sent to 2,434 victims, and 9,353 non targeted attack emails sent to 5,912 non victims; and publicly available information from their LinkedIn profiles. We applied various machine learning algorithms to this labeled data, and achieved an overall maximum accuracy of 97.76% in identifying spear phishing emails. We used a combination of social features from LinkedIn profiles, and stylometric features extracted from email subjects, bodies, and attachments. However, we achieved a slightly better accuracy of 98.28% without the social features. Our analysis revealed that social features extracted from LinkedIn do not help in identifying spear phishing emails. To the best of our knowledge, this is one of the first attempts to make use of a combination of stylometric features extracted from emails, and social features extracted from an online social network to detect targeted spear phishing emails. Comment: Detection of spear phishing using social media feature

    Day of the Week Twitter Phishing Impact

    Phishing has become ever more prevalent in everyday life with new attacks and attempts being made every hour of every day. Twitter has been a major social media player for many years now and continues to deal with phishing in every post. Phishing attempts are harmful to every user and currently most individuals cannot identify a phishing tweet, nor accept appropriately and avoid them in their entirety. Our original hypothesis was that the day of the week would impact the number and frequency of phishing attempts. We created a Python-based program, in conjunction with the Python module Tweepy, to catch posts to Twitter over a two-week period of July 2nd to July 15th. The data was then processed through ScrapeBox to identify phishing tweets with Google Safe Browsing API. The results were then identified by date, time, day of the week, and specific post URL. From there, another Python module called Pandas was used to manage the over 8 billion Twitter posts as well as gather statistical information about our data to find a statistically significant aspect. Conclusions were drawn based on the influence of the day of the week which led us to our conclusion about Twitter phishing attempts throughout the week and including holidays

    Characterizing Phishing Threats with Natural Language Processing

    Spear phishing is a widespread concern in the modern network security landscape, but there are few metrics that measure the extent to which reconnaissance is performed on phishing targets. Spear phishing emails closely match the expectations of the recipient, based on details of their experiences and interests, making them a popular propagation vector for harmful malware. In this work we use Natural Language Processing techniques to investigate a specific real-world phishing campaign and quantify attributes that indicate a targeted spear phishing attack. Our phishing campaign data sample comprises 596 emails - all containing a web bug and a Curriculum Vitae (CV) PDF attachment - sent to our institution by a foreign IP space. The campaign was found to exclusively target specific demographics within our institution. Performing a semantic similarity analysis between the senders' CV attachments and the recipients' LinkedIn profiles, we conclude with high statistical certainty ($p < 10^{-4}$) that the attachments contain targeted rather than randomly selected material. Latent Semantic Analysis further demonstrates that individuals who were a primary focus of the campaign received CVs that are highly topically clustered. These findings differentiate this campaign from one that leverages random spam. Comment: This paper has been accepted for publication by the IEEE Conference on Communications and Network Security in September 2015 at Florence, Italy. Copyright may be transferred without notice, after which this version may no longer be accessibl

    Data Mining Methods for Plagiarism Analysis of Student Theses

    Existing approaches to automated plagiarism analysis use extensive, maintenance-intensive reference corpora or rely exclusively on the information contained in the document under examination. The use of external data generally leads to better analysis results (cf. [Tschuggnall 2014, 8]). In the present work, an extrinsic method for plagiarism analysis of student theses was developed and evaluated that uses a limited training data set as its reference corpus. The method draws on document type classification and stylometry. If a section of the input document does not match the average writing style of a student thesis, it is marked as potential plagiarism. Various evaluation steps showed that the method is in principle suitable for plagiarism analysis of student theses. In the simulated application context, 71.03% of the segments from bachelor's and master's theses and 53.62% of the segments from textbooks, journal articles and Wikipedia articles were classified correctly. The F1 score achieved corresponds to the performance of intrinsic methods. The recall achieved is substantially higher. The features extracted from the training corpora were made available as ARFF files

    AN ENHANCEMENT ON TARGETED PHISHING ATTACKS IN THE STATE OF QATAR

    The latest report by Kaspersky on Spam and Phishing listed Qatar as one of the top 10 countries by percentage of email phishing and targeted phishing attacks. Since the Qatari economy has grown exponentially and become increasingly global in nature, email phishing and targeted phishing attacks have the capacity to be devastating to the Qatari economy, yet there are no adequate measures put in place such as awareness training programmes to minimise these threats to the state of Qatar. Therefore, this research aims to explore targeted attacks in specific organisations in the state of Qatar by presenting a new technique to prevent targeted attacks. This novel enterprise-wide email phishing detection system has been used by organisations and individuals not only in the state of Qatar but also in organisations in the UK. This detection system is based on domain names by which attackers carefully register domain names which victims trust. The results show that this detection system has proven its ability to reduce email phishing attacks. Moreover, it aims to develop email phishing awareness training techniques specifically designed for the state of Qatar to complement the presented technique in order to increase email phishing awareness, focused on targeted attacks and the content, and reduce the impact of phishing email attacks. This research was carried out by developing an interactive email phishing awareness training website that has been tested by organisations in the state of Qatar. The results of this training programme proved to get effective results by training users on how to spot email phishing and targeted attacks

    AUTHOR VERIFICATION OF ELECTRONIC MESSAGING SYSTEMS

    Messaging systems have become a hugely popular new paradigm for sending and delivering text messages; however, online messaging platforms have also become an ideal place for criminals due to their anonymity, ease of use and low cost. Therefore, the ability to verify the identity of individuals involved in criminal activity is becoming increasingly important. The majority of research in this area has focused on traditional authorship problems that deal with single-domain datasets and large bodies of text. Few research studies have sought to explore multi-platform author verification as a possible solution to problems around forensics and security. Therefore, this research has investigated the ability to identify individuals on messaging systems, and has applied this to the modern messaging platforms of Email, Twitter, Facebook and Text messages, using different single-domain datasets for population-based and user-based verification approaches. Through a novel technique of cross-domain research using real scenarios, the domain incompatibilities of profiles from different distributions have been assessed, based on real-life corpora using data from 50 authors who use each of the aforementioned domains. The results show that the use of linguistics is likely to be similar between platforms, on average, for a population-based approach. The best corpus experimental result achieved a low EER of 7.97% for Text messages, showing the usefulness of single-domain platforms where the use of linguistics is likely to be similar, such as Text messages and Emails. For the user-based approach, there is very little evidence of a strong correlation of stylometry between platforms. It has been shown that linguistic features on some individual platforms have features in common with other platforms, and lexical features play a crucial role in the similarities between users' modern platforms. Therefore, this research shows that the ability to identify individuals on messaging platforms may provide a viable solution to problems around forensics and security, and help against a range of criminal activities, such as sending spam texts, grooming children, and encouraging violence and terrorism. Royal Embassy of Saudi Arabia, Londo