Preventing SMishing Attack Using Fake User Information Based on Common Behavior of Phishing Websites

학위논문 (석사)-- 서울대학교 대학원 : 전기·컴퓨터공학부, 2014. 2. 조유근.스미싱 공격은 모바일 피싱 공격의 한 유형으로 스마트폰 사용자의 개인정보를 탈취하거나 소액결제 등으로 금전적 피해를 입히는 것을 목적으로 한다. URL이 포함된 메시지로 사용자를 속여 악의적인 웹사이트에 접속을 유도하는 방법으로 최근 피해 사례가 크게 증가하고 있다. 본 논문에서는 스마트폰의 스미싱 공격 방지 기법으로 몇 가지 기법을 합쳐 Phishing URL Detector를 제안한다. 첫 단계에서는 접속할 URL을 분석하여 알려진 피싱 URL 패턴이 포함된 경우 접속을 차단한다. 두 번째 단계로 모바일 웹 브라우저의 북마크와 접속 이력을 기반으로 한 whitelist를 검색해 접속할 URL이 포함돼 있으면 안전한 것으로 간주하고 접속을 허용한다. 세 번째 단계에서는 blacklist를 검색하여 접속할 URL이 포함되어 있으면 위험한 URL로 간주하고 접속을 차단한다. 마지막은 URL의 안전성을 판단할 수 없는 단계이므로 우선 URL에 접속한 뒤 허위 사용자 정보를 입력한 뒤 웹사이트의 동작을 분석하고 피싱 웹사이트인지 판별한다. 이 기법은 입력하는 정보의 유효성을 실시간으로 확인할 수 없고, 모두 입력 되었는지 확인만 가능하다는 피싱 웹사이트의 특징을 이용한다. 따라서, 허위 사용자 정보에도 유효성 검사 후 재입력 요구 없이 다른 동작이 진행된다면 피싱 웹사이트로 판별할 수 있다. URL에 접속해 보기 전에는 피싱 URL 판별이 어렵다는 기존의 문제점을 해결할 수 있는 본 기법은 스미싱 공격을 효과적으로 방지할 수 있는 첫 번째 방어막이 될 수 있다.요약 목차 그림 목차 표 목차 제 1 장 서론 제 2 장 스미싱 공격 2.1 모바일 피싱 공격 2.2 스미싱 공격 2.3 관련 연구 제 3 장 스미싱 공격 방지 기법 3.1 스미싱 공격 특성 분석 3.1.1 스미싱 공격 흐름 분석 3.1.2 스미싱 공격 특징 분석 3.1.3 스미싱 SMS 특징 분석 3.2 Phishing URL Detector 제안 3.2.1 피싱 웹사이트 공통 동작 패턴 분석 3.2.2 Phishing URL Detector 제 4 장 실험 및 구현 4.1 피싱 웹사이트 공통 동작 패턴 확인 실험 4.2 Phishing URL Detector 구현 제 5 장 결론 참고문헌 AbstractMaste

Human-centered Information Security and Privacy: Investigating How and Why Social and Emotional Factors Affect the Protection of Information Assets

Information systems (IS) are becoming increasingly integrated into the fabric of our everyday lives, for example, through cloud-based collaboration platforms, smart wearables, and social media. As a result, nearly every aspect of personal, social, and professional life relies on the constant exchange of information between users and online service providers. However, as users and organizations entrust more and more of their personal and sensitive information to IS, the challenges of ensuring information security and privacy become increasingly pressing, particularly given the rise of cybercrime and microtargeting capabilities. While the protection of information assets is a shared responsibility between technology providers, legislation, organizations, and individuals, previous research has emphasized the pivotal role of the user as the last line of defense. Whereas prior works on human-centered information security and privacy have primarily studied the human aspect from a cognitive perspective, it is important to acknowledge that security and privacy phenomena are deeply embedded within users’ social, emotional, and technological environment. Therefore, individual decision-making and organizational phenomena related to security and privacy need to be examined through a socio-emotional lens. As such, this thesis sets out to investigate how and why socio-emotional factors influence information security and privacy, while simultaneously providing a deeper understanding of how these insights can be utilized to design effective security and privacy-enhancing tools and interventions. This thesis includes five studies that have been published in peer-reviewed IS outlets. The first strand of this thesis investigates individual decision-making related to information security and privacy. Daily information disclosure decisions, such as providing login credentials to a phishing website or giving apps access to one’s address book, crucially affect information security and privacy. In an effort to support users in their decision-making, research and practice have begun to develop tools and interventions that promote secure and privacy-aware behavior. However, our knowledge on the design and effectiveness of such tools and interventions is scattered across a diverse research landscape. Therefore, the first study of this thesis (article A) sets out to systematize this knowledge. Through a literature review, the study presents a taxonomy of user-oriented information security interventions and highlights crucial shortcomings of current approaches, such as a lack of tools and interventions that provide users with long-term guidance and an imbalance regarding cyber attack vectors. Importantly, the study confirms that prior works in this field tend to limit their scope to a cognitive processing perspective, neglecting the influence of social and emotional factors. The second study (article B) examines how users make decisions on disclosing their peers’ personal information, a phenomenon referred to as privacy interdependence. Previous research has shown that users tend to have a limited understanding of the social ramifications of their decisions to share information, that is, the impact of their disclosure decisions on others’ privacy. The study is based on a theoretical framework that suggests that for a user, recognizing and respecting others’ privacy rights is heavily influenced by the perceived salience of others within their own socio-technical environment. The study introduces an intervention aimed at increasing the salience of others’ personal data during the decision-making process, resulting in a significant decrease of interdependent privacy infringements. These findings indicate that current interfaces do not allow users to make informed decisions about their peers’ privacy – a problem that is highly relevant for policymakers and regulators. Shifting the focus towards an organizational context of individual security decision-making, the third study (article C) investigates employees’ underlying motives for reporting cyber threats. With the aim to maximize employees’ adoption of reporting tools, the study examines the effect of two tool design features on users’ utilitarian and hedonic motivation to report information security incidents. The findings suggest that reporting tools that elicit a sense of warm glow, that is, a boost of self-esteem and personal satisfaction after performing an altruistic act, result in higher tool adoption compared to those that address solely users’ utilitarian motivation. This unlocks a new perspective on organizational information security as a whole and showcases new ways in which organizations can engage users in promoting information security. The second strand of this thesis focuses on the context of organizational information security. Beyond individual decision-making, organizations face the challenge of maintaining an information security culture, including, for example, employees’ awareness of security risks, top management commitment, and interdepartmental collaboration with regard to security issues. The fourth study (article D) presents a measurement instrument to assess employees’ security awareness. Complementary to the predominant method of self-reported surveys, the study introduces an index based on employees’ susceptibility to simulated social engineering attacks. As such, it presents a novel way to measure security awareness that closes the intention-behavior gap and enables information security officers to nonintrusively monitor human vulnerabilities in real-time. Furthermore, the findings indicate that security education, training and awareness (SETA) programs not only increase employees’ awareness of information security risks, but also improve their actual security behavior. Finally, the fifth study (article E) investigates the influence of external socio-emotional disruption on information security culture. Against the backdrop of the COVID-19 pandemic, the longitudinal study reveals novel inhibitors and facilitators of information security culture that emerged in the face of global socially and emotionally disruptive change over the course of 2020. Specifically, the study demonstrates that such disruptive events can influence information security culture negatively, or – counterintuitively – positively, depending on prerequisites such as digital maturity and economic stability. Overall, this thesis highlights the importance of considering socio-emotional factors in protecting information assets by providing a more comprehensive understanding of why and how such factors affect human behavior related to information security and privacy. By doing so, this thesis answers calls for research that urge scholars to consider security and privacy issues in a larger social and emotional context. The studies in this thesis contribute to IS research on information security and privacy by (1) uncovering social and emotional motives as hitherto largely neglected drivers of users decision-making, (2) demonstrating how tools and interventions can leverage these motives to improve users’ protection of information assets, and (3) revealing the importance of external socio-emotional factors as a thus far under-investigated influence on organizational information security. In practice, this thesis offers actionable recommendations for designers building tools and interventions to support decision-making with regard to information security and privacy. Likewise, it provides important insights to information security officers on how to build a strong and resilient information security culture, and guides policymakers in accounting for socially embedded privacy phenomena