Detecting and characterizing lateral phishing at scale
We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefiting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.
"It may take ages": understanding human-centred lateral phishing attack detection in organisations
Smartphones are a central part of modern life and contain vast amounts of personal and professional data, as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone, though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups in which a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we ask participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be 'hacked into'. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilise personal knowledge to guess unlock codes.
Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale
In this paper we provide evidence of an emerging criminal infrastructure enabling impersonation attacks at scale. Impersonation-as-a-Service (ImpaaS) allows attackers to systematically collect and enforce user profiles (consisting of user credentials, cookies, device and behavioural fingerprints, and other metadata) to circumvent risk-based authentication systems and effectively bypass multi-factor authentication mechanisms. We present the ImpaaS model and evaluate its implementation by analysing the operation of a large, invite-only, Russian ImpaaS platform providing user profiles for more than Internet users worldwide. Our findings suggest that the ImpaaS model is growing, and provides the mechanisms needed to systematically evade authentication controls across multiple platforms, while providing attackers with a reliable, up-to-date, and semi-automated environment enabling target selection and user impersonation against Internet users at scale.
Comment: Presented at ACM CCS 2020. Appendix on "Deriving a Threat Model from Observation" available at https://michelecampobasso.github.io/publication/2020-11-10-impaa
Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts
The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups, namely experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect.
RAIDER: Reinforcement-aided Spear Phishing Detector
Spear phishing is a harmful cyber-attack facing businesses and individuals worldwide. Considerable research has been conducted recently into the use of Machine Learning (ML) techniques to detect spear-phishing emails. ML-based solutions may suffer from zero-day attacks: unseen attacks unaccounted for in the training data. As new attacks emerge, classifiers trained on older data are unable to detect these new varieties of attacks, resulting in increasingly inaccurate predictions. Spear-phishing detection also faces scalability challenges due to the growth of the required features, which is proportional to the number of senders within a receiver's mailbox. This differs from traditional phishing attacks, which typically require only a binary classification between phishing and benign emails. Therefore, we devise a possible solution to these problems, named RAIDER: Reinforcement AIded Spear Phishing DEtectoR, a reinforcement-learning based feature evaluation system that can automatically find the optimum features for detecting different types of attacks. By leveraging a reward and penalty system, RAIDER allows for autonomous feature selection. RAIDER also keeps the number of features to a minimum by selecting only the significant features to represent phishing emails and detect spear-phishing attacks. After extensive evaluation of RAIDER over 11,000 emails and across 3 attack scenarios, our results suggest that using reinforcement learning to automatically identify the significant features could reduce the dimensions of the required features by 55% in comparison to existing ML-based systems. It also improves the accuracy of detecting spoofing attacks by 4%, from 90% to 94%. In addition, RAIDER demonstrates reasonable detection accuracy even against a sophisticated attack named Known Sender, in which spear-phishing emails greatly resemble those of the impersonated sender.
Comment: 16 pages
Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector
Email threats are a serious issue for enterprise security, covering various malicious scenarios such as phishing, fraud, blackmail and malvertisement. Traditional anti-spam gateways commonly maintain a greylist to filter out unexpected emails based on suspicious vocabulary present in the mail subject and content. However, the signature-based approach cannot effectively discover novel and unknown suspicious emails that exploit current hot topics, such as COVID-19 and the US election. To address the problem, in this paper we present Holmes, an efficient and lightweight semantic-based engine for anomalous email detection. Holmes converts each email event log to a sentence through word embedding, then extracts interesting items among them by novelty detection. Based on our observations, we claim that, in an enterprise environment, there is a stable relation between senders and receivers, whereas suspicious emails commonly come from unusual sources, which can be detected through rareness selection. We evaluate the performance of Holmes in a real-world enterprise environment, which sends and receives around 5,000 emails each day. As a result, Holmes achieves a high detection rate (outputting around 200 suspicious emails per day) while maintaining a low false alarm rate for anomaly detection.
From Chatbots to PhishBots? -- Preventing Phishing scams created using ChatGPT, Google Bard and Claude
The advanced capabilities of Large Language Models (LLMs) have made them invaluable across various applications, from conversational agents and content creation to data analysis, research, and innovation. However, their effectiveness and accessibility also render them susceptible to abuse for generating malicious content, including phishing attacks. This study explores the potential of using four popular commercially available LLMs (ChatGPT (GPT 3.5 Turbo), GPT 4, Claude and Bard) to generate functional phishing attacks using a series of malicious prompts. We discover that these LLMs can generate both phishing emails and websites that can convincingly imitate well-known brands, and can also deploy a range of evasive tactics for the latter to elude detection mechanisms employed by anti-phishing systems. Notably, these attacks can be generated using unmodified, or "vanilla," versions of these LLMs, without requiring any prior adversarial exploits such as jailbreaking. As a countermeasure, we build a BERT-based automated detection tool that can be used for the early detection of malicious prompts to prevent LLMs from generating phishing content, attaining an accuracy of 97% for phishing website prompts and 94% for phishing email prompts.