395 research outputs found
Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Each month, more attacks are launched with the aim of making web users
believe that they are communicating with a trusted entity which compels them to
share their personal, financial information. Phishing costs Internet users
billions of dollars every year. Researchers at Carnegie Mellon University (CMU)
created an anti-phishing landing page supported by Anti-Phishing Working Group
(APWG) with the aim to train users on how to prevent themselves from phishing
attacks. It is used by financial institutions, phish site take down vendors,
government organizations, and online merchants. When a potential victim clicks
on a phishing link that has been taken down, he / she is redirected to the
landing page. In this paper, we present the comparative analysis on two
datasets that we obtained from APWG's landing page log files; one, from
September 7, 2008 - November 11, 2009, and other from January 1, 2014 - April
30, 2014. We found that the landing page has been successful in training users
against phishing. Forty six percent users clicked lesser number of phishing
URLs from January 2014 to April 2014 which shows that training from the landing
page helped users not to fall for phishing attacks. Our analysis shows that
phishers have started to modify their techniques by creating more legitimate
looking URLs and buying large number of domains to increase their activity. We
observed that phishers are exploiting ICANN accredited registrars to launch
their attacks even after strict surveillance. We saw that phishers are trying
to exploit free subdomain registration services to carry out attacks. In this
paper, we also compared the phishing e-mails used by phishers to lure victims
in 2008 and 2014. We found that the phishing e-mails have changed considerably
over time. Phishers have adopted new techniques like sending promotional
e-mails and emotionally targeting users in clicking phishing URLs
"Do Users fall for Real Adversarial Phishing?" Investigating the Human response to Evasive Webpages
Phishing websites are everywhere, and countermeasures based on static
blocklists cannot cope with such a threat. To address this problem,
state-of-the-art solutions entail the application of machine learning (ML) to
detect phishing websites by checking if they visually resemble webpages of
well-known brands. These techniques have achieved promising results in research
and, consequently, some security companies began to deploy them also in their
phishing detection systems (PDS). However, ML methods are not perfect and some
samples are bound to bypass even production-grade PDS.
In this paper, we scrutinize whether 'genuine phishing websites' that evade
'commercial ML-based PDS' represent a problem "in reality". Although nobody
likes landing on a phishing webpage, a false negative may not lead to serious
consequences if the users (i.e., the actual target of phishing) can recognize
that "something is phishy". Practically, we carry out the first user-study
(N=126) wherein we assess whether unsuspecting users (having diverse
backgrounds) are deceived by 'adversarial' phishing webpages that evaded a real
PDS. We found that some well-crafted adversarial webpages can trick most
participants (even IT experts), albeit others are easily recognized by most
users. Our study is relevant for practitioners, since it allows prioritizing
phishing webpages that simultaneously fool (i) machines and (ii) humans --
i.e., their intended targets
Why People Still Fall for Phishing Emails: An Empirical Investigation into How Users Make Email Response Decisions
Despite technical and non-technical countermeasures, humans continue to be
tricked by phishing emails. How users make email response decisions is a
missing piece in the puzzle to identifying why people still fall for phishing
emails. We conducted an empirical study using a think-aloud method to
investigate how people make 'response decisions' while reading emails. The
grounded theory analysis of the in-depth qualitative data has enabled us to
identify different elements of email users' decision-making that influence
their email response decisions. Furthermore, we developed a theoretical model
that explains how people could be driven to respond to emails based on the
identified elements of users' email decision-making processes and the
relationships uncovered from the data. The findings provide deeper insights
into phishing email susceptibility due to people's email response
decision-making behavior. We also discuss the implications of our findings for
designers and researchers working in anti-phishing training, education, and
awareness intervention
How to Conduct Email Phishing Experiments
Õngitsusrünnete hulk on aasta-aastalt kasvanud ja ründed on muutunud keerumkamaks kui kunagi varem, põhjustades ettevõtetele rahalist kahju. Akadeemilistes ringkondades on kasvanud huvi simuleeritud õngitsusrünnete vastu, kuid uuringud keskenduvad peamiselt spetsiifilistele aspektidele, nagu näiteks eetilised kaalutlused ja mitte õngitsuseksperimendi läbiviimisele. Autor ei leidnud olemasolevate teadustööde hulgast konsolideeritud juhised,mis kirjeldaksid, kuidas viia läbi õngituskirjade eksperimenti. Käesoleva lõputöö eesmärgiks on uurida, kuidas viia läbi simuleeritud õngitsuskirjade eksperimenti ja luua konsolideeritud juhiseid, mida ettevõtted saaksid lihtsalt rakendada ettevõtte X2 näitel. Lõputöö uurimisküsimused on järgnevad: mida peaksid ettevõtted arvestama õngitsuseksperimendi läbiviimsel? Mis seos on õngitsuskirja raskusastme ja klikkimise sageduse vahel? Kuidas inimesed reageerivad simuleeritud õngitsuseksperimentidele? Antud uurimistöös kasutati nii kvantitatiivseid kui ka kvalitatiivseid meetodeid. Esiteks sai loodud konsolideeritud juhised simuleeritud õngitsuseksperimentide läbiviimiseks, mis baseeruvad eelevatel uurimustöödel. Teiseks viidi läbi õngitsuseksperiment (Eksperiment I) 53 osaleja hulgas, kasutades ristuva uuringu disaini. Töötajad jaotati juhuslikult kaheks grupiks: (Grupp K) ja (Grupp L).Neile saadeti erinevatel kuupäevadel kaks e-kirja erinevate raskusastemega: (Tüüp X) ja (Tüüp Y). Esimeses kampaanias saadeti Grupile K keerulisem kiri (Tüüp X) ja Grupile L lihtsam kiri (Tüüpi Y) ja teise kampaania ajal oli see vastupidi. Raskemad (Tüüp X) e-kirjad olid sihipärased, grammatiliselt korrektsed ja relevantse sisuga. Kergemad e-kirjad (Tüüp Y) olid üldisemad ja nähtavate grammatikavigadega. Suunatud õngitsuseksperiment (Eksperiment II) viidi läbi kahe osaleja hulgas, kasutades üksikosaleja kvaasi eksperimentaalset uurimustöö disaini. Tüüp Z e-kirjad, mis saadeti välja suunatud õngitsuseksperimendi ajal, olid personaalsed ja relevantse sisuga ning baseerusid kahe osaleja taustauuringutel. Kolmandaks kavandati ja viidi läbi kvalitatiivsed intervjuud osalejatega, kes osalesid simuleeritud õngitsusrünnetes, et uurida, kuidas nad sellistele eksperimentidele reageerivad ja parandada lähtuvalt nende tagasisidest õngituskirjade eksperimendi juhiseid. Antud uurimistöö kinnitas, et väljatöötatud juhised on piisavad, et viia läbi õngituskirjade eksperimenti ettevõttetes. Uurimistöö tulemused näitasid, et 23% töötajatest klikkisid raskemini äratuntavale e-kirjale (Tüüp X) ja 11% lihtsamini ära tuntavale e-kirjale (Tüüp Y). Lisaks raporteeriti lihtsamini ära tuntavat kirja sagedamini (22,6%) kui raskemini ära tuntavat kirja(18.9%). Suunatud õngitsuseksperiment osutus edukas ja osalejad ei saanud aru simuleeritud pettusest. Käesolev lõputöö näitab, et õngitsusrünnede edukus on suurem, kui e-kirja sisu on sihitud ja relevantne. Töötajate raporteerimise teadlikkuse tase oli madal ja üks peamisi klikkimise põhjuseid oli uudishimu. Selle uuringu tulemused viitavad sellele, et inimesed reageerivad simuleeritud õngitsusrünnetele positiivselt, kui need viiakse läbi viisil, mis ei tekita osalejatele psühholoogilist kahju või stressi.Phishing attacks are on the rise and more sophisticated than ever before inflicting major financial damage on businesses. Simulated phishing attacks are of growing interest in academia, however, the studies are mainly focusing on the specific angles of the phenomenon, e.g. ethical considerations; and not on the implementation itself. Author was not able to find consolidated guidelines that would walk through the whole process of conducting email phishing experiments. The aim of this study is to explore how to conduct simulated phishing experiments and to create consolidated guidelines that companies could easily implement on the example of Company X1. The research questions postulated for this study are: What should companies consider when conducting phishing experiments? What is the correlation between the phishing email difficulty level and the click through rate? How people react to simulated email phishing experiments? Both quantitative and qualitative research methodswere applied to find answers to the research questions. Firstly, based on the existing studies, guidelines on how to conduct phishing experiments in companies were created. Secondly, phishing experiment (Experiment I) was designed and conducted among 53 participants applying a crossover research design. The employees were randomly divided into two groups (Group K) and (Group L); and they were sent in two distinct time periods two emails whichcorresponded to the different difficulty levels (Type X and Type Y). During the first campaign Group K was sent Type X email and Group L was sent Type Y email and during the second campaign it was vice versa. Type X email messages were designed to be targeted, grammatically correct and with relevant content. Type Y email messages were designed to be general and with visible grammar mistakes. Additionally, a spear phishing experiment (Experiment II) was conducted among two participants applying a single-subject quasi-experimental research design. The third type of emails (Type Z) that were sent out during thespear phishing experiment were personalized and relevant based on the pre-conducted research about the two targets. Thirdly, qualitative interviews were designed and conducted with the employees who participated in the simulated phishing experiments to investigate how they react to such experiments and to improve the guidelines based on their feedback.This research confirmed that the proposed guidelines are sufficient for conducting phishing experiments in a company setting. The results of this research show that 23% of the employees clicked on the link embedded to the more complex (Type X) phishing email and 11% of the employees clicked on the link embedded to the simpler (Type Y) email. Furthermore, Type Y emails were reported as phishing emails more frequently (22,6%), whereas Type X, emails were reported less (18,9%). The spear phishing experiment was successful,and the participants did not recognize the deceptiveness of the simulated phishing emails.This research shows that the phishing success rate is higher when the content is targeted and relevant. The employee awareness level about reporting phishing was low and the main stimuli for clicking on phishing links was curiosity. The findings of this study imply that people react positively to phishing experiments if these are conducted in a manner that it does not pose psychological damage or distress for the participants
Large Language Model Lateral Spear Phishing: A Comparative Study in Large-Scale Organizational Settings
The critical threat of phishing emails has been further exacerbated by the
potential of LLMs to generate highly targeted, personalized, and automated
spear phishing attacks. Two critical problems concerning LLM-facilitated
phishing require further investigation: 1) Existing studies on lateral phishing
lack specific examination of LLM integration for large-scale attacks targeting
the entire organization, and 2) Current anti-phishing infrastructure, despite
its extensive development, lacks the capability to prevent LLM-generated
attacks, potentially impacting both employees and IT security incident
management. However, the execution of such investigative studies necessitates a
real-world environment, one that functions during regular business operations
and mirrors the complexity of a large organizational infrastructure. This
setting must also offer the flexibility required to facilitate a diverse array
of experimental conditions, particularly the incorporation of phishing emails
crafted by LLMs. This study is a pioneering exploration into the use of Large
Language Models (LLMs) for the creation of targeted lateral phishing emails,
targeting a large tier 1 university's operation and workforce of approximately
9,000 individuals over an 11-month period. It also evaluates the capability of
email filtering infrastructure to detect such LLM-generated phishing attempts,
providing insights into their effectiveness and identifying potential areas for
improvement. Based on our findings, we propose machine learning-based detection
techniques for such emails to detect LLM-generated phishing emails that were
missed by the existing infrastructure, with an F1-score of 98.96
- …