DOCSLIB.ORG

Improving Phishing Countermeasures: an Analysis Ofexpert Interviews

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improving Phishing Countermeasures: an Analysis Ofexpert Interviews Improving Phishing Countermeasures: An Analysis ofExpert Interviews 2 2 Steve Sheng,' Ponnurangam Kumaraguru.i Alessandro Acquisti;' Lorrie Cranor, 1, and Jason Hong 'Department ofEngineering and Public Policy, Carnegie Mellon University, Pittsburgh PA 15213 USA 2School ofComputer Science, Carnegie Mellon University, Pittsburgh PA 15213 USA 3Heinz School ofPublic Policy, Carnegie Mellon University, Pittsburgh PA 15213 USA In this paper, we present data from 31 semi-structured interviews with anti-phishing experts from academia, law enforcement, and industry. Our analysis led to eight key findings and 18 recommendations to improve phishing countermeasures. Our findings describe the evolving phishing threat, stakeholder incentives to devote resources to anti-phishing efforts, what stakeholders should do to most effectively address the problem, and the role of education and law enforcement. Index Terms-anti-phishing, expert interview, electronic crime. more effectively, and incentives that various stakeholders have I. INTRODUCTION in their fight against phishing. PHISHING is a widespread problem that is impacting both The experts we interviewed agreed that phishing is evolving business and consumers. In November 2007, MessageLabs into a more organized effort. It is becoming part of a larger estimated that 0.41% of the 3.3 billion emails going through crime eco-system, where it is increasingly blended with their system each day were phishing emails [1]. Microsoft malware and used as a gateway for other attacks. Some of the Research recently estimated that 0.4% of email recipients are experts suggested that incentives for fighting phishing may be victimized by phishing attacks [2]. The annual cost to misaligned, in the sense that the stakeholders who are in a consumers and businesses due to phishing in the US alone is position to have the largest impact do not have much incentive estimated to be between $350 million and $2 billion [3]. to devote resources to anti-phishing efforts. In terms of To reduce the damage due to phishing, stakeholders have countermeasures, experts identified improving law implemented their own countermeasures: major web browsers enforcement and shutting down money trails as top priorities. have built-in filters (e.g. [5], [6], [7]), Internet service They also identified operating systems vendors, web providers filter suspicious phishing emails, law enforcement application providers, browsers, and Internet service providers officers fmd and prosecute phishers, and US government as stakeholders with key technology influence on phishing. agencies and corporations now educate consumers on Finally, experts agreed that education is an important factor phishing. that is not emphasized enough; however, they did not agree on Phishing scams have also evolved, sometimes at a faster the extent of the impact that education may have. We present pace than countermeasures. Phishers launch attacks on these fmdings and a set of recommendations to improve specific groups (e.g. users of social networking sites) through countermeasures. multiple channels (e.g. phone, instant messaging), and Although previous reports have studied phishing and issued phishing toolkits and compromised credentials are readily recommendations, to the best ofour knowledge this is the first available for sale at low prices on Internet black markets [8]. study that synthesizes the opinions of experts from different Sophisticated phishing schemes such as man-in-the-middle fields, and examines the incentives of various stakeholders to attacks and malware are becoming more frequent [9]. contribute to anti-phishing efforts. As the battle against phishing continues, many questions remain about where stakeholders should place their efforts to II. RELATED WORK achieve effective prevention, speedy detection, and fast action. In response to the growing phishing problem, government Do stakeholders have sufficient incentives to act? What should agencies, industry groups, and consumer groups have be the top priorities for the anti-phishing community? To conducted studies and issued recommendations [10,11,12,13]. provide insights into these questions we conducted 31 in-depth The Financial Services Technology Consortium's report is interviews with anti-phishing experts between May 2008 and the first report that analyzed how phishing works by May 2009. We selected experts from academia, Computer articulating the life cycle of phishing. It also encouraged Emergency Response Team (CERT) centers, the Anti­ fmancial institutions to assess the costs and risks associated Phishing Working Group (APWG) officers, law enforcement, with phishing, develop better intelligence on phishers through and key industry stakeholders. We sought their expertise on improved sharing, and invest and adopt in better mutual the current and future state of phishing attacks, authentication. However, the report did not issue countermeasures that should be implemented to fight phishing recommendations for non-fmancial institutions who also have high stakes in the phishing problem [10]. Manuscript received June 30, 2009. Corresponding author: Steve Sheng (e­ mail: [email protected]). 978-1-4244-4626-1109/$25.00 ©2009 IEEE Authorized licensed use limited to: Carnegie Mellon Libraries. Downloaded on July 09,2020 at 18:11:40 UTC from IEEE Xplore. Restrictions apply. Table 1: Phishing stakeholders. Primary victims suffer direct losses from phishing. Infrastructure providers have technical capabilities to mitigate the problem. For-Profit protectors sell solutions to primary victims and infrastructure providers. Public protectors include law enforcement officials, computer emergency response teams, and academi enuc researchers. Categories Examples ofkey stakeholders Roles Consumers -- Organizations Military, Universities, Corporations Primary victims Financial Institutions Bank ofAmerica, Citibank, Paypal Merchants Online merchants (eBay, Amazon), offline merchants Registrars and Registries GoDaddy, Verisign Internet Service Providers AT&T, Comcast, AOL, Universities Infrastructure providers Email Providers Gmail, Yahoo!Mail, Hotmail Browsers Internet Explorer, Firefox, Safari Software Vendors Symantec, RSA, MarkMonitor, Cyveillence For-profit protectors Law Enforcement Federal Bureau ofInvestigation (FBI), Secret Service state and local enforcement Computer Emergency CERT-CC, CSIRTs Public Protectors Response Teams Academia The Identity Theft Technology Council report also analyzed compromise of credentials that can be used to steal key different phases of phishing and recommended a set of 21 intellectual property or conduct corporate espionage. Financial technical countermeasures [11]. We selected a subset of institutions lose money from fraud conducted with credentials recommendations from this report as a starting point for acquired through phishing, and merchants lose money because discussion in our expert interviews. However, we updated the these fmancial institutions eventually charge them for the set to address non-technical countermeasures as well as new fraudulent transactions. In general, these entities are most and evolving threats that were not discussed in the report. In impacted by phishing, and have the strongest incentive to addition to discussing the set of recommendations, we also protect against phishing. However, as shown later in the result studied the incentives that stakeholders have to implement section, some of them have limited capabilities to counter them as well as how the incentives can be increased. phishing attacks. In addition to these reports, the Anti-Phishing Working Infrastructure providers: Internet service providers, email Group (APWG) has issued a set of best practices and providers, browsers, domain name registrars, and registries are recommendations for hacked website owners [14], registrars infrastructure providers. In most cases, phishers do not go [15], and ISPs and mailbox service providers [16]. Each of after these providers for their money; instead, they seek to these reports focus narrowly on one particular area. In our gain access to the entities' infrastructures so that phishers may analysis, we analyzed the phishing issue holistically and asked launch their attacks. For example, phishers register fake our experts to prioritize their recommendations based on their domain names with registrars. Phishers use compromised importance and effectiveness. machines from Internet Service Providers as part ofa botnet to launch phishing campaigns, sending emails to end user III. STAKEHOLDERS mailboxes or compromising mail provider accounts to send Phishing involves many stakeholders, including consumers, phishing emails.Thesestakeholdersareimportanttostudy.as fmancial institutions, online merchants, Internet Service they are in a better position than most victims to protect Providers (ISPs), mail client and web browser vendors, and against phishing. However some infrastructure providers do law enforcement. In this paper, we have classified not lose money from phishing, so they may not have sufficient stakeholders into the following categories: primary victims, incentives to devote resources to combating phishing. In our infrastructure providers, for-profit protectors, and public interview study, we asked experts what these stakeholders can protectors. Table 1 describes these stakeholders and their do and examined whether or not they have incentives to do so. roles. We used it to select experts and structure our interviews. For-profit protectors: Certain organizations
Load more

Recommended publications
  • Phishing Brochure
    hereʼs a new type of Internet Here’s how phishing works: How to Protect Yourself piracy called “phishing.” Itʼs n a typical case, youʼll receive an e-mail that Never provide your personal pronounced “fishing,” and appears to come from a reputable company information in response to an Tthatʼs exactly what these thieves are that you recognize and do business with, unsolicited request, whether it is over the Isuch as your financial institution. In some 1phone or over the Internet. E-mails and Internet doing: “fishing” for your personal cases, the e-mail may appear to come from a pages created by phishers may look exactly financial information. What government agency, including one of the federal like the real thing. They may even have a fake financial institution regulatory agencies. padlock icon that ordinarily is used to denote they want are account numbers, The e-mail will probably warn you of a serious a secure site. If you did not initiate the passwords, Social Security problem that requires your immediate attention. communication, you should not provide any numbers, and other confidential It may use phrases, such as “Immediate attention information. information that they can use to loot required,” or “Please contact us immediately If you believe the contact may be about your account.” The e-mail will then legitimate, contact the financial your checking account or run up encourage you to click on a button to go to the institution yourself. You can find bills on your credit cards. institutionʼs Web site. 2phone numbers and Web sites on the monthly statements you receive from your financial In a phishing scam, you could be redirected In the worst case, you could find institution, or you can look the company up in to a phony Web site that may look exactly a phone book or on the Internet.
    [Show full text]
  • Copy of OC Awareness Campaign #5
    DDOONN‘‘TT GGEETT CCAAUUGGHHTT IINN AA TTEECCHH SSUUPPPPOORRTT SSCCAAMM!! HOW DO TECH SUPPORT SCAMS WORK? Tech support scammers may call you, enlist pop-up ads on your computer, or place ads for their "tech support company" to look credible and attempt a scam. They often gain control of your computer by asking you to give them remote access to your computer. Once they gain access, the scammer may pretend to run a diagnostic test of your computer. In reality, they are downloading malware, or other viruses, downloading sensitive information that was stored on your computer, or locking you out of your computer by downloading ransomware. WHAT'S IN IT FOR THE SCAMMER? Obtain sensitive information Find credit card information Ask you to pay to fix an issue that doesn't exist with a wire transfer, gift card, or credit card. Though some will ask you for credit card information, the scammer often asks you to pay by wiring money, putting money on a gift card, prepaid card or cash reload card, or using a money transfer app because they know those types of payments can be hard to reverse. SPOTTING AND AVOIDING TECH SUPPORT SCAMS Tech support scammers use many different tactics to trick people. Spotting these tactics will help you avoid falling for the scam. Phone Calls (Vishing) Tech support scammers may call and pretend to be a computer technician from a well-known company. They say they’ve found a problem with your computer. They often ask you to give them remote access to your computer and then pretend to run a diagnostic test.
    [Show full text]
  • Phishing Attacks Or to Give Sensitive Information Away (Such As Bank Details)
    Phishing emails try to convince users to click on links to dodgy websites or attachments, Phishing attacks or to give sensitive information away (such as bank details). This advice includes tips about how to spot the most obvious signs of phishing, and what to do if you think you've Dealing with suspicious emails clicked a bad link. For more information, please visit www.ncsc.gov.uk/phishing . Make yourself a Tell tale signs harder target of phishing ***** Information from your website or Spotting a phishing email is social media accounts leaves a becoming increasingly difficult, and 'digital footprint' that can be even the most careful user can be exploited by criminals. You can make yourself tricked. Here are some tell tale signs less likely to be phished by doing the following: that could indicate a phishing attempt. Criminals use publicly available ? Is the email addressed to you by information about you to make their name, or does it refer to 'valued phishing emails appear convincing. customer', or 'friend' or 'colleague'? Review your privacy settings, and think This can be a sign that the sender about what you post. does not actually know you, and that it What is phishing? Be aware what your friends, family and is part of a phishing scam. colleagues say about you online, as Others will try and create official- Phishing is when criminals attempt to this can also reveal information that can be used to target you. looking emails by including logos and trick people into doing 'the wrong thing', graphics. Is the design (and quality) such as clicking a link to a dodgy website.
    [Show full text]
  • Beware of These Common Scams
    Beware of these common scams Nigerian Scams People claiming to be officials, businessmen or surviving relatives of former government officials in countries around the world send countless offers via e-mail, attempting to convince consumers that they will transfer thousands of dollars into your bank account if you will just pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." Unfortunately, you will get more e-mails asking you to send more money to cover transaction and transfer costs, attorney's fees, blank letterhead and your bank account numbers and other sensitive, personal information. Tech Support Scams A tech support person may call or email you and claim that they are from Windows, Microsoft or another software company. The person says your computer is running slow or has a virus and it’s sending out error messages. Scammers will ask you to visit a website that gives them remote access to your computer. If the caller obtains access they can steal personal information, usernames and passwords to commit identity theft or send spam messages. In some cases, the caller may even be asked for a wired payment or credit card information. Lottery Scams In foreign lottery scams, you receive an email claiming that you are the winner of a foreign lottery. All you need to do to claim your prize is send money to pay the taxes, insurance, or processing or customs fees. Sometimes, you will be asked to provide a bank account number so the funds can be deposited.
    [Show full text]
  • SECURITY GUIDE with Internet Use on the Rise, Cybercrime Is Big Business
    SECURITY GUIDE With internet use on the rise, cybercrime is big business. Computer savvy hackers and opportunistic spammers are constantly trying to steal or scam money from internet users. PayPal works hard to keep your information secure. We have lots of security measures in place that help protect your personal and financial information. PayPal security key Encryption This provides extra security when When you communicate with Here’s you log in to PayPal and eBay. When PayPal online or on your mobile, how to get you opt for a mobile security key, the information you provide is we’ll SMS you a random 6 digit encrypted. This means it can only a security key code to enter with your password be read by you. A padlock symbol when you log in to your accounts. is displayed on the right side of your 1. Log in to your PayPal You can also buy a credit card sized web browser to let you know you account at device that will generate this code. are viewing a secure web page. www.paypal.com.au Visit our website and click Security to learn more. Automatic timeout period 2. Click Profile then If you’re logged into PayPal and My settings. Website identity verification there’s been no activity for 15 3. Click Get started beside If your web browser supports an minutes, we’ll log you out to help “Security key.” Extended Validation Certificate, the stop anyone from accessing your address bar will turn green when information or transferring funds 4. Click Get security key you’re on PayPal’s site.
    [Show full text]
  • Phishing: Crime That Pays
    1 Phishing: Crime That Pays Philip J. Nero, Brad Wardman, Heith Copes, Gary Warner University of Alabama at Birmingham Abstract—Email phishing requires functional The 2010 Javelin Strategy Identity Theft & Fraud countermeasures, as does any crime that results in Survey shows that there were an estimated 11.1 million millions of dollars in yearly losses. Many financial victims of identity theft and/or fraud in 2009 (Javelin, institutions currently combat phishing by contracting 2010). These victims lost over 54 billion dollars. A large takedown companies that remove relevant phishing percentage of these victims were victims of cyber-based websites as soon as possible after they are detected. By criminal activity. According to a recent Gartner Research comparing the median time necessary for professionals to study, 3.6 million American consumers lost money to take a phishing website down to the average time it takes phishing scams in 2007 (Gartner, 2007). Each phishing for a phishing website to turn a profit for its creator, I victim lost an average of $361. Therein, the approximate have demonstrated the overall effectiveness of the financial loss to phishing in the United States in 2008 takedown process. On average, takedown companies fail was nearly $2 billion. These studies also show that to eradicate phishing websites before their creators financial institutions accrue $1 billion in losses from garner valuable information from multiple victims. phishing every year. The above statistics demonstrate Furthermore, forensic evidence that could lead to the serious criminal activity, but the real problem is that the arrest of the cybercriminals responsible for the phishing vast majority of phishers go unpunished.
    [Show full text]
  • An Analysis of the Nature of Groups Engaged in Cyber Crime
    International Journal of Cyber Criminology Vol 8 Issue 1 January - June 2014 Copyright © 2014 International Journal of Cyber Criminology (IJCC) ISSN: 0974 – 2891 January – June 2014, Vol 8 (1): 1–20. This is an Open Access paper distributed under the terms of the Creative Commons Attribution-Non- Commercial-Share Alike License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. This license does not permit commercial exploitation or the creation of derivative works without specific permission. Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime Roderic Broadhurst,1 Peter Grabosky,2 Mamoun Alazab3 & Steve Chon4 ANU Cybercrime Observatory, Australian National University, Australia Abstract This paper explores the nature of groups engaged in cyber crime. It briefly outlines the definition and scope of cyber crime, theoretical and empirical challenges in addressing what is known about cyber offenders, and the likely role of organized crime groups. The paper gives examples of known cases that illustrate individual and group behaviour, and motivations of typical offenders, including state actors. Different types of cyber crime and different forms of criminal organization are described drawing on the typology suggested by McGuire (2012). It is apparent that a wide variety of organizational structures are involved in cyber crime. Enterprise or profit-oriented activities, and especially cyber crime committed by state actors, appear to require leadership, structure, and specialisation. By contrast, protest activity tends to be less organized, with weak (if any) chain of command. Keywords: Cybercrime, Organized Crime, Crime Groups; Internet Crime; Cyber Offenders; Online Offenders, State Crime.
    [Show full text]
  • December 2013 Feature Article: the Year of Surviving Dangerously: Highlights from We Live Security 2013
    December 2013 Feature Article: The Year of Surviving Dangerously: Highlights from We Live Security 2013 Table of Contents The Year of Surviving Dangerously: Highlights from We Live Security 2013 .............................................................3 2013: a Scammer’s Eye View ................................................................................................................................... 11 ESET Corporate News .............................................................................................................................................. 18 The Top Ten Threats ................................................................................................................................................ 18 Top Ten Threats at a Glance (graph) ....................................................................................................................... 21 About ESET .............................................................................................................................................................. 22 Additional Resources ............................................................................................................................................... 22 This month we decided to present a retrospective of all 2013, pertained to Java vulnerability CVE-2013-0422 being added to a so we develop and delve into the most prominent threats that couple of popular exploit packs, thus making it more accessible each month had. Also published an article that specifically
    [Show full text]
  • Technical Report RHUL–MA–2014– 2 01 September 2014
    Leveraging knowledge sharing for preventing and investigating on-line banking frauds: On-line Fraud Centre Salvatore Camillo Zammataro Technical Report RHUL–MA–2014– 2 01 September 2014 Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom www.ma.rhul.ac.uk/tech Salvatore Camillo “Toto” Zammataro Leveraging knowledge sharing for preventing and investigating on-line banking frauds: On-line Fraud Centre MSc Information Security Project Report Supervisor: Dr John Austen Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London. 1 EXECUTIVE SUMMARY For social, technological and political reasons electronic transactions are now the most used payment method in Europe. As such, fraudsters have been focusing on On-Line transactions to gain money through Phishing and Crimeware. These kind of frauds generates losses for EU citizen of an estimated value of 250M€/year. Banks and Law Enforcement Agencies are engaged in the prevention, detection and prosecution of this crime. Some limit of actual legislation (i.e. Data Protection, International Treaties on cyber-crime, Fraud prosecution laws), low speed of communication between Banks and LEAs, and the fraudster’s speed in taking advantage of weaknesses of the system leave the space for improvement. To improve the countermeasures that Banks and LEAs have deployed, this paper suggests the adoption of an InfoSharing Service between national banking system and Law Enforcement Agencies. This service uses a “hub-and-spoke” framework, where LEA is the hub and banks are the spokes. Target of the service is to shorten the time needed to communicate from Banking Fraud Managers to LEAs, and to share the relevant information on fraudster accounts in the whole banking industry.
    [Show full text]
  • The Economics of Online Crime
    Journal of Economic Perspectives—Volume 23, Number 3—Summer 2009—Pages 3–20 The Economics of Online Crime Tyler Moore, Richard Clayton, and Ross Anderson he economics of information security has recently become a thriving and fast-moving discipline. This field was kick-started in 2001 by the observa- T tion that poorly aligned incentives explain the failure of security systems at least as often as technical factors (Anderson, 2001). As distributed computing systems are assembled from machines controlled by principals with divergent interests, microeconomic analysis and game-theoretic analysis become just as im- portant for dependability as protocol analysis or cryptanalysis. The economic approach not only provides a more effective way of analyzing straightforward information-security problems such as privacy, spam, and phishing, but also gives insights to scholars of system dependability, conflict, and crime. An annual Work- shop on the Economics of Information Security (WEIS) was established in 2002. The field now involves over 100 active researchers; the subject has drawn together security engineers, economists, and even lawyers and psychologists. For a survey of security economics in general, see Anderson and Moore (2006). This paper will focus on the subject of online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. In the old days, electronic fraud was largely a cottage y Tyler Moore is a Postdoctoral Fellow, Center for Research on Computation and Society (CRCS), Harvard University, Cambridge, Massachusetts. Richard Clayton is an Industrial Research Fellow and Ross Anderson is Professor of Security Engineering, both at the Computer Laboratory, University of Cambridge, Cambridge, England.
    [Show full text]
  • A Systematic Literature Review on Phishing and Anti-Phishing Techniques
    Pakistan Journal of Engineering and Technology, PakJET Multidisciplinary & Peer Reviewed Volume: 04, Number: 01, Pages: 163- 168, Year: 2021 A Systematic Literature Review on Phishing and Anti-Phishing Techniques Ayesha Arshad1, Attique Ur Rehman1, Sabeen Javaid1, Tahir Muhammad Ali2, Javed Anjum Sheikh1, Muhammad Azeem1 1Department of Software Engineering, University of Sialkot, Sialkot, Pakistan 2Department of Computer Science, Gulf University of Science and Technology, Kuwait Corresponding author: Attique Ur Rehman (e-mail: [email protected]) Abstract- Phishing is the number one threat in the world of internet. Phishing attacks are from decades and with each passing year it is becoming a major problem for internet users as attackers are coming with unique and creative ideas to breach the security. In this paper, different types of phishing and anti-phishing techniques are presented. For this purpose, the Systematic Literature Review(SLR) approach is followed to critically define the proposed research questions. At first 80 articles were extracted from different repositories. These articles were then filtered out using Tollgate Approach to find out different types of phishing and anti-phishing techniques. Research study evaluated that spear phishing, Email Spoofing, Email Manipulation and phone phishing are the most commonly used phishing techniques. On the other hand, according to the SLR, machine learning approaches have the highest accuracy of preventing and detecting phishing attacks among all other anti-phishing approaches. Index Terms— phishing techniques, anti-phishing techniques, SLR, review. I. INTRODUCTION data of user and browser is found. It also reported that, in the The Phishing technique and attack is a method to access 3rd quarter of 2020, the most targeted sector is web email sites sensitive and restricted information of end users by using social and Software-as-a-Service [8].
    [Show full text]
  • Fraud: Everything Old Is New Again Tough Times Bring out Tried & True Tricks from Fraudsters
    Fraud: Everything Old is New Again Tough Times Bring out Tried & True Tricks from Fraudsters I once heard a line on – of all places – sports talk radio, and it’s stuck with me through the years, especially during the past one. “Tough times don’t build character, they reveal it.” Well, there’s no question the past year has brought tough times to all Tom Field of us, and as for some of the fraudulent characters they’ve revealed? Editorial Director Whew! It seems like every tried-and-true fraud scheme is back these days with a vengeance, as criminals renew their efforts to deprive us of our financial and informational assets. The only difference: In- stead of focusing on only one fraud channel, criminals today tend to be attempting multiple entry points simultaneously. Everything old is new again, and it’s coming at you all at once! I trust you’ll enjoy the articles, interviews and opinion pieces we’ve collected here, and I welcome hearing from you after you’ve soaked in some of this information. What are the fraud schemes you’re seeing most this year? How are you educating your customers to avoid them? Where have you had success thwarting the fraudsters? The tough times will get better. Fraud, alas, won’t go away. We just have to make sure that we – like the criminals – get smarter, organized and educated. It’s going to be a long fight, but we can win it. Best, Tom Field Editorial Director, Information Security Media Group [email protected] Volume 1, Issue 5 IN THIS ISSUE..
    [Show full text]