Why Phishing Works on Smartphones: A Preliminary Study

Phishing is a form of fraud where an attacker attempts to acquire sensitive information from a target by posing as trustworthy. One strategy to fool the target is spoofing of a legitimate website. But why do people fall for phishing, and what security indicators are utilized or not utilized when deciding the legitimacy of a website? Hitherto, two studies have been conducted in 2006 and 2015. As time has passed since then, we like to check if people are meanwhile more certain in identifying spoofed websites. Therefore, 20 participants were observed when they analyzed and classified websites as legitimate or spoofed. On average participants had a success rate of 69 %, like previous studies’ results. The URL was used as an indicator by most of the participants (80 %), indicating user behavior and ease of identifying spoofed and legitimate websites is not very different on a smartphone compared to a desktop. Almost all participants used the content of the website at least once when deciding if a website was spoofed or legitimate. These findings will be used to conduct a bigger study to create more resilient results

Understanding Phishing and Phishing Techniques in Client-Side Web-Based Systems

As auspicious as the technology is, the bane of the internet has always been the constant threats of online identity theft and other forms of fraud prevalent on the information highway. Phishing is a form of internet fraud in which emails and websites that are purportedly from legitimate organisations and agencies are used to deceive users into disclosing personal or financial information. Despite the plethora of anti-spam filters that are readily available today, phishing emails are still able to bypass such measures and find their ways into users’ inboxes. This challenge at the client side of the web-based infrastructure is prevalent as clients are at varying levels of usage and knowledge of internet infrastructure. This paper takes a look at the phishing scenario by examining why it works. We provide extensive insights into extant literature in the subject domain as a basis for the development of tools to mitigate phishing and assisting users understand phishing attacks

Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page

Each month, more attacks are launched with the aim of making web users believe that they are communicating with a trusted entity which compels them to share their personal, financial information. Phishing costs Internet users billions of dollars every year. Researchers at Carnegie Mellon University (CMU) created an anti-phishing landing page supported by Anti-Phishing Working Group (APWG) with the aim to train users on how to prevent themselves from phishing attacks. It is used by financial institutions, phish site take down vendors, government organizations, and online merchants. When a potential victim clicks on a phishing link that has been taken down, he / she is redirected to the landing page. In this paper, we present the comparative analysis on two datasets that we obtained from APWG's landing page log files; one, from September 7, 2008 - November 11, 2009, and other from January 1, 2014 - April 30, 2014. We found that the landing page has been successful in training users against phishing. Forty six percent users clicked lesser number of phishing URLs from January 2014 to April 2014 which shows that training from the landing page helped users not to fall for phishing attacks. Our analysis shows that phishers have started to modify their techniques by creating more legitimate looking URLs and buying large number of domains to increase their activity. We observed that phishers are exploiting ICANN accredited registrars to launch their attacks even after strict surveillance. We saw that phishers are trying to exploit free subdomain registration services to carry out attacks. In this paper, we also compared the phishing e-mails used by phishers to lure victims in 2008 and 2014. We found that the phishing e-mails have changed considerably over time. Phishers have adopted new techniques like sending promotional e-mails and emotionally targeting users in clicking phishing URLs

Scalable Detection and Isolation of Phishing

This paper presents a proposal for scalable detection and isolation of phishing. The main ideas are to move the protection from end users towards the network provider and to employ the novel bad neighborhood concept, in order to detect and isolate both phishing e-mail senders and phishing web servers. In addition, we propose to develop a self-management architecture that enables ISPs to protect their users against phishing attacks, and explain how this architecture could be evaluated. This proposal is the result of half a year of research work at the University of Twente (UT), and it is aimed at a Ph.D. thesis in 2012

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions