Week 7.3 Semantic Attacks - Spear Phishing

Post on 22-Jan-2018


Privacy and Security in Online Social Media

Course on NPTEL NOC-CS07, Week 7.3

Ponnurangam Kumaraguru ("PK"), Associate Professor

ACM Distinguished Speaker, fb/ponnurangam.kumaraguru, @ponguru

Semantic Attacks

⚫ "Target the way we, as humans, assign meaning to content."

⚫ System and mental model

http://groups.csail.mit.edu/uid/projects/phishing/proposal.pdf

Security attacks (slide figure, recoverable labels only)

⚫ Categories: Physical, Semantic, Syntactic

⚫ Examples shown: Phishing, Mules, Nigerian

⚫ Phishing lures: Verification, Security alert, Update info

⚫ Spoofed brands and themes: Paypal, Amazon, eBay, BOA, Mortgage

Semantic attacks

Subject: eBay: Urgent Notification From Billing Department

Features in the email

We regret to inform you that you eBay account could be suspended if you don’t update your account information.

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerid=2&sidteid=0

Features in the email

Website to collect information

http://www.kusi.org/hcr/eBay/ws23/eBayISAPI.htm

Phishing Cost


Types of Phishing Attacks

⚫ Phishing

⚫ Context-aware phishing / spear phishing

⚫ Whaling

⚫ Vishing

⚫ Smishing (SMS phishing)

⚫ Social phishing?

Until now, what work have we seen?

⚫ Using a voters database

⚫ Using a medical health database

⚫ Using pictures from FB

Goal

⚫ To see how phishing attacks can be performed by collecting personal information from social networks

⚫ How easily or effectively can a phisher use this information?

Methodology

⚫ Collected publicly available personal information using simple tools like the Perl LWP library

⚫ Correlated this data with IU's address book database

⚫ Launched in April 2005

⚫ Age between 18 and 24

Control vs. Experiment

⚫ Control: the email came from an IU email ID, but from an unknown person

⚫ Experiment: the email came from a friend at IU

Methodology

⚫ Blogging, social network, and other public data is harvested

⚫ Data is correlated and stored in a relational database

⚫ Heuristics are used to craft a spoofed email message by Eve "as Alice" to Bob (a friend)

⚫ Message is sent to Bob

⚫ Bob follows the link contained within the email message and is sent to an unchecked redirect

⚫ Bob is sent to the attacker's whuffo.com site

⚫ Bob is prompted for his University credentials

⚫ Bob's credentials are verified with the University authenticator

⚫ a. Bob is successfully phished; b. Bob is not phished in this session, but he could try again
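The "unchecked redirect" step above is what lets a link that starts at a trusted university host deliver Bob to whuffo.com. As an added example (not from the slides or from the study), the Python below puts that unchecked forwarder beside an allow-list check; the portal address login.iu.edu and the allowed-host set are assumptions, and the sample link targets are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical campus portal and the hosts it may legitimately send users on to
# (constructed allow-list; login.iu.edu is an assumption, not from the study).
PORTAL = "https://login.iu.edu/"
ALLOWED_HOSTS = {"iu.edu", "login.iu.edu"}


def unchecked_redirect(next_url: str) -> str:
    """The flaw in the attack chain: the portal forwards to whatever ?next= says,
    so a link that starts at the trusted host still lands Bob on the attacker's site."""
    return next_url


def checked_redirect(next_url: str) -> str:
    """Follow the redirect only if it resolves to an allow-listed host over https;
    otherwise send the user to the portal's own landing page."""
    if not next_url or not next_url.strip():
        return PORTAL
    # Resolve relative targets against the portal so "/dashboard" keeps working.
    # Scheme-relative "//whuffo.com/x" resolves to the external host and is rejected below.
    target = urljoin(PORTAL, next_url.strip())
    parts = urlsplit(target)
    if parts.scheme != "https":          # blocks http:, javascript:, data:, ...
        return PORTAL
    # .hostname drops userinfo and port and lowercases, so
    # "https://login.iu.edu@whuffo.com/" is seen as whuffo.com, not as the portal.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:        # exact match: "iu.edu.whuffo.com" is not iu.edu
        return PORTAL
    return target


if __name__ == "__main__":
    # Constructed link targets of the kind the spoofed email could carry.
    samples = [
        "https://whuffo.com/login",
        "//whuffo.com/login",
        "https://login.iu.edu@whuffo.com/",
        "https://iu.edu.whuffo.com/",
        "/dashboard",
        "https://iu.edu/courses?term=1",
    ]
    for s in samples:
        print(f"{s!r:40} unchecked -> {unchecked_redirect(s)}")
        print(f"{'':40} checked   -> {checked_redirect(s)}")
```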

Victims

⚫ Control group success was high: the sender email ID was from IU

⚫ Experimental condition consistent with other studies

Success rate

⚫ 70% of authentications happened in the first 12 hours

⚫ Takedown has to be successful

Repeated authentications

⚫ Subjects tried multiple times

⚫ Tried again because an "overload" message was shown

⚫ A lower bound on the users who fell for it; they continued to be deceived

⚫ Some tried 80 times

Gender

⚫ 18,294 males and 19,527 females

⚫ Overall, more females were victims

⚫ More successful if the message came from the opposite gender

⚫ Female to male (13%) was more effective than male to female (2%)

⚫ Younger targets more vulnerable

⚫ All majors: significant difference between control and experimental

⚫ Max difference in Science

⚫ Technology lowest (#satisfying ☺)

Reactions

⚫ Anger: unethical, inappropriate, illegal, fraudulent; researchers fired; psychological cost

⚫ Denial: nobody accepted that they fell for it; admitting our vulnerability is hard

⚫ Misunderstanding over spoofing emails

⚫ Underestimation of publicly available information

Conclusions

⚫ Extensive educational campaigns

⚫ Browser solutions

⚫ Digitally signed emails

⚫ OSM provides a lot more information for making the attack successful

References

⚫ http://markus-jakobsson.com/papers/jakobsson-commacm07.pdf

⚫ http://www.mpi-sws.org/~farshad/TwitterLinkfarming.pdf

⚫ www.isical.ac.in/~acmsc/TMW2014/N_ganguly.ppt

Thank you. pk@iiitd.ac.in

precog.iiitd.edu.in fb/ponnurangam.kumaraguru