
    To deceive or not to deceive! Legal implications of phishing covert research

    Whilst studying mobile users' susceptibility to phishing attacks, we found ourselves subject to regulations concerning the use of deception in research. We argue that such regulations are misapplied in a way that hinders the progress of security research. Our argument analyses the existing framework and the ethical principles of conducting phishing research in light of these regulations. Building on this analysis and reflecting on real-world experience, we present our view of good practice and suggest guidance on how to prepare legally compliant proposals for concerned ethics committees.

    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.
    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirement of an ethical human pentesting framework, we compiled a list of ethical principles from the research literature, which we used to filter out techniques deemed unethical.
    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.
    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Honey Sheets: What Happens to Leaked Google Spreadsheets?

    Cloud-based documents are inherently valuable, due to the volume and nature of sensitive personal and business content stored in them. Despite the importance of such documents to Internet users, there are still large gaps in the understanding of what cybercriminals do when they illicitly gain access to them, for example by compromising the account credentials they are associated with. In this paper, we present a system able to monitor user activity on Google spreadsheets. We populated 5 Google spreadsheets with fake bank account details and fake funds transfer links. Each spreadsheet was configured to report details of accesses and clicks on links back to us. To study how people interact with these spreadsheets in case they are leaked, we posted unique links pointing to the spreadsheets on a popular paste site. We then monitored activity in the accounts for 72 days, and observed 165 accesses in total. We were able to observe interesting modifications to these spreadsheets performed by illicit accesses. For instance, we observed deletion of some fake bank account information, in addition to insults and warnings that some visitors entered in some of the spreadsheets. Our preliminary results show that our system can be used to shed light on cybercriminal behavior with regard to leaked online documents.

    Cyber-crime Science = Crime Science + Information Security

    Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets, but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science to date, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions.

    MARA and public user characteristics in response to phishing emails

    “Social Engineering” refers to attacks that deceive, persuade and influence an individual to provide information or perform an action that will benefit the attackers. Fraudulent and deceptive individuals use social engineering traps and tactics through Social Networking Sites (SNSs) and electronic communication forms to trick users into obeying them, accepting threats, and falling victim to various silent crimes such as phishing, clickjacking, malware installation, sexual abuse, financial abuse, identity theft and physical crime. Although computers can enhance our work activities, e.g. through greater efficiency in document production and ease of communication, reliance on these benefits has been reduced with the introduction of social engineering threats. Phishing email results in significant losses, estimated at billions of dollars, to organisations and individual users every year. According to the 2019 statistics report from retruster.com, the average financial cost of a data breach is 3.8 million dollars, with 90% of it coming from phishing attacks on user accounts. To reduce users’ vulnerability to phishing emails, we need first to understand users’ detection behaviour. Many research studies focus only on whether participants respond to phishing or not. A widely held view that we endorse is that this continuing challenge of email is not wholly technical in nature and therefore cannot be entirely resolved through technical measures. Instead, we have here a socio-technical problem whose resolution requires attention to both technical issues and end-users’ specific attitudes and behavioural characteristics. Using a sequential exploratory mixed-method approach, qualitative grounded theory is used to explore and generate an in-depth understanding of which phishing characteristics influence email users to judge the attacker as credible, and why. Quantitative experiments are used to relate participants’ characteristics with their behaviour.
    The study was carefully designed to ensure that valid data could be collected without harm to participants, and with University Ethics Committee approval. The research output is a new model to explain the impact of users’ characteristics on their detection behaviour. The model was tested through two study groups, namely Public and MARA. In addition, the final model was tested using structural equation modelling (SEM). This showed that the proposed model explains 17% and 39%, respectively, of the variance in Public and MARA participants’ tendency to respond to phishing emails. The results also explained which, and to what extent, phishing characteristics influence users’ judgement of sender credibility.

    Email Babel: Does Language Affect Criminal Activity in Compromised Webmail Accounts?

    We set out to understand the effects of differing language on the ability of cybercriminals to navigate webmail accounts and locate sensitive information in them. To this end, we configured thirty Gmail honeypot accounts with English, Romanian, and Greek language settings. We populated the accounts with email messages in those languages by subscribing them to selected online newsletters. We hid email messages about fake bank accounts in fifteen of the accounts to mimic real-world webmail users who sometimes store sensitive information in their accounts. We then leaked credentials to the honey accounts via paste sites on the Surface Web and the Dark Web, and collected data for fifteen days. Our statistical analyses of the data show that cybercriminals are more likely to discover sensitive information (bank account information) in the Greek accounts than in the remaining accounts, contrary to the expectation that Greek ought to constitute a barrier to the understanding of non-Greek visitors to the Greek accounts. We also extracted the important words among the emails that cybercriminals accessed (as an approximation of the keywords that they searched for within the honey accounts), and found that financial terms featured among the top words. In summary, we show that language plays a significant role in the ability of cybercriminals to access sensitive information hidden in compromised webmail accounts.

    You are probably not the weakest link: Towards practical prediction of susceptibility to semantic social engineering attacks

    Semantic social engineering attacks are a pervasive threat to computer and communication systems. By employing deception rather than exploiting technical vulnerabilities, spear-phishing, obfuscated URLs, drive-by downloads, spoofed websites, scareware, and other attacks are able to circumvent traditional technical security controls and target the user directly. Our aim is to explore the feasibility of predicting user susceptibility to deception-based attacks through attributes that can be measured, preferably in real time and in an automated manner. Toward this goal, we have conducted two experiments, the first on 4333 users recruited on the Internet, allowing us to identify useful high-level features through association rule mining, and the second on a smaller group of 315 users, allowing us to study these features in more detail. In both experiments, participants were presented with attack and non-attack exhibits and were tested in terms of their ability to distinguish between the two. Using the data collected, we have determined practical predictors of users' susceptibility to semantic attacks to produce and evaluate a logistic regression and a random forest prediction model, with accuracy rates of 0.68 and 0.71, respectively. We have observed that security training makes a noticeable difference in a user's ability to detect deception attempts, with one of the most important features being the time since last self-study, while formal security education through lectures appears to be much less useful as a predictor. Other important features were computer literacy, familiarity, and frequency of access to a specific platform. Depending on an organisation's preferences, the models learned can be configured to minimise false positives or false negatives or maximise accuracy, based on a probability threshold. For both models, a threshold choice of 0.55 would keep both false positives and false negatives below 0.2.

    How to Conduct Email Phishing Experiments

    Phishing attacks are on the rise and more sophisticated than ever before, inflicting major financial damage on businesses. Simulated phishing attacks are of growing interest in academia; however, the studies mainly focus on specific angles of the phenomenon, e.g. ethical considerations, and not on the implementation itself. The author was not able to find consolidated guidelines that would walk through the whole process of conducting email phishing experiments. The aim of this study is to explore how to conduct simulated phishing experiments and to create consolidated guidelines that companies could easily implement, using Company X1 as an example. The research questions postulated for this study are: What should companies consider when conducting phishing experiments? What is the correlation between the phishing email difficulty level and the click-through rate? How do people react to simulated email phishing experiments? Both quantitative and qualitative research methods were applied to find answers to the research questions. Firstly, based on the existing studies, guidelines on how to conduct phishing experiments in companies were created. Secondly, a phishing experiment (Experiment I) was designed and conducted among 53 participants applying a crossover research design. The employees were randomly divided into two groups (Group K and Group L), and in two distinct time periods they were sent two emails corresponding to different difficulty levels (Type X and Type Y). During the first campaign Group K was sent the Type X email and Group L the Type Y email, and during the second campaign it was vice versa. Type X email messages were designed to be targeted, grammatically correct and with relevant content. Type Y email messages were designed to be general and with visible grammar mistakes. Additionally, a spear phishing experiment (Experiment II) was conducted among two participants applying a single-subject quasi-experimental research design. The third type of emails (Type Z), sent out during the spear phishing experiment, were personalized and relevant, based on pre-conducted research about the two targets. Thirdly, qualitative interviews were designed and conducted with the employees who participated in the simulated phishing experiments, to investigate how they react to such experiments and to improve the guidelines based on their feedback. This research confirmed that the proposed guidelines are sufficient for conducting phishing experiments in a company setting.
    The results of this research show that 23% of the employees clicked on the link embedded in the more complex (Type X) phishing email and 11% of the employees clicked on the link embedded in the simpler (Type Y) email. Furthermore, Type Y emails were reported as phishing more frequently (22.6%), whereas Type X emails were reported less (18.9%). The spear phishing experiment was successful, and the participants did not recognize the deceptiveness of the simulated phishing emails. This research shows that the phishing success rate is higher when the content is targeted and relevant. The employee awareness level about reporting phishing was low, and the main stimulus for clicking on phishing links was curiosity. The findings of this study imply that people react positively to phishing experiments if these are conducted in a manner that does not pose psychological damage or distress to the participants.