Teaching Johnny Not to Fall for Phish - PowerPoint PPT Presentation

Title: Teaching Johnny Not to Fall for Phish. Author: Jason Hong. Last modified by: mpsotace. Created Date: 6/7/2004 12:23:39 AM. Document presentation format: PowerPoint PPT presentation.


Transcript and Presenter's Notes


1
Teaching Johnny Not to Fall for Phish
Jason Hong, PhD
Carnegie Mellon University
Wombat Security Technologies
2
Everyday Privacy and Security Problem
3
This entire process is known as phishing
4
How Bad Is Phishing? Consumer Perspective
  • Estimated 0.5% of Internet users per year fall
    for phishing attacks
  • Conservative estimate: $1B direct losses a year to
    consumers
    • Bank accounts, credit card fraud
    • Doesn't include time wasted on recovery of funds,
      restoring computers, emotional uncertainty
  • Growth rate of phishing
    • 30k reported unique emails / month
    • 45k reported unique sites / month
    • Social networking sites now major targets

5
How Bad Is Phishing? Perspective of Corporations
  • Direct damage
    • Loss of sensitive customer data

6
How Bad Is Phishing? Perspective of Corporations
  • Direct damage
    • Loss of sensitive customer data
    • Loss of intellectual property

7
How Bad Is Phishing? Perspective of Corporations
  • Direct damage
    • Loss of sensitive customer data
    • Loss of intellectual property
    • Fraud
    • Disruption of network services
  • Indirect damage
    • Damage to reputation, lost sales, etc.
    • Response costs (call centers, recovery)
    • One bank estimated it cost them $1M per phishing
      attack

8
Phishing Increasing in Sophistication: Targeting
Your Organization
  • Spear-phishing targets specific groups or
    individuals
  • Type 1: Uses info about your organization

General Patton is retiring next week, click here
to say whether you can attend his retirement
party
9
Phishing Increasing in Sophistication: Targeting
Your Organization
  • Around 40% of people in our experiments at CMU
    would fall for emails like this (control
    condition)

10
Phishing Increasing in Sophistication: Targeting
You Specifically
  • Type 2: Uses info specifically about you
    • Social phishing
    • Might use information from social networking
      sites, corporate directories, or publicly
      available data
    • Ex. Fake emails from friends or co-workers
    • Ex. Fake videos of you and your friends

11
Phishing Increasing in Sophistication: Targeting
You Specifically
"Here's a video I took of your poster presentation."
12
Phishing Increasing in Sophistication: Targeting
You Specifically
  • Type 2: Uses info specifically about you
    • Whaling: focusing on big targets

"Thousands of high-ranking executives across the
country have been receiving e-mail messages this
week that appear to be official subpoenas from
the United States District Court in San Diego.
Each message includes the executive's name,
company and phone number, and commands the
recipient to appear before a grand jury in a
civil case." -- New York Times, Apr 16, 2008
13
Phishing Increasing in Sophistication: Combination
with Malware
  • Malware and phishing are becoming combined
  • Poisoned attachments (Ex. custom PDF exploits)
  • Links to web sites with malware (web browser
    exploits)
  • Can install keyloggers or remote access software

14
(No Transcript)
15
Protecting People from Phishing
  • Research we have done at Carnegie Mellon
  • http://cups.cs.cmu.edu/trust.php
  • Human side
    • Interviews and surveys to understand
      decision-making
    • PhishGuru embedded training
    • Micro-games for security training
    • Understanding effectiveness of browser warnings
  • Computer side
    • PILFER email anti-phishing filter
    • CANTINA web anti-phishing algorithm
    • Evaluating effectiveness of existing blacklists
    • Machine learning of blacklists

16
Results of Our Research
  • Startup
  • Customers of micro-games featured include
    governments, financials, universities
  • Our email filter is labeling several million
    emails per day
  • Study on browser warnings -> MSIE8
  • Elements of our work adopted by Anti-Phishing
    Working Group (APWG)
  • Popular press article in Scientific American

17
Outline of Rest of Talk
  • Rest of talk will focus on educating end-users
  • PhishGuru embedded training
  • Anti-Phishing Phil micro-game

18
User Education is Challenging
  • Users are not motivated to learn about security
  • Security is a secondary task
  • Difficult to teach people to make the right online
    trust decision without increasing false positives
  • "User education is a complete waste of time. It
    is about as much use as nailing jelly to a wall.
    They are not interested; they just want to do
    their job."
    • Martin Overton, IBM security specialist
      http://news.cnet.com/21007350_361252132.html

19
But Actually, Users Are Trainable
  • Our research demonstrates that users can learn
    techniques to protect themselves from phishing
    if you can get them to pay attention to training
  • P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor,
    and J. Hong. Teaching Johnny Not to Fall for
    Phish. CyLab Technical Report CMU-CyLab-07-003,
    2007.

20
How Do We Get People Trained?
  • Solution
    • Find teachable moments: PhishGuru
    • Make training fun: Anti-Phishing Phil
    • Use learning science principles throughout

21
PhishGuru Embedded Training
  • Send emails that look like a phishing attack
  • If recipient falls for it, show intervention that
    teaches what cues to look for in succinct and
    engaging format
  • Multiple user studies have demonstrated that
    PhishGuru is effective
  • Delivering the same training via direct email is
    not effective!

22
Subject: Revision to Your Amazon.com Information
23
Subject: Revision to Your Amazon.com Information
Please login and enter your information
24
(No Transcript)
25
Evaluation of PhishGuru
  • Is embedded training effective?
    • Study 1: Lab study, 30 participants
    • Study 2: Lab study, 42 participants
    • Study 3: Field trial at company, 300
      participants
    • Study 4: Field trial at CMU, 500 participants
  • Studies showed a significant decrease in falling
    for phish and the ability to retain what they learned
  • P. Kumaraguru et al. Protecting People from
    Phishing: The Design and Evaluation of an
    Embedded Training Email System. CHI 2007.
  • P. Kumaraguru et al. Getting Users to Pay
    Attention to Anti-Phishing Education: Evaluation
    of Retention and Transfer. eCrime 2007.

26
Study 4 at CMU
  • Investigate effectiveness and retention of
    training after 1 week, 2 weeks, and 4 weeks
  • Compare effectiveness of 2 training messages vs
    1 training message
  • Examine demographics and phishing
  • P. Kumaraguru, J. Cranshaw, A. Acquisti, L.
    Cranor, J. Hong, M. A. Blair, and T. Pham.
    School of Phish: A Real-World Evaluation of
    Anti-Phishing Training. SOUPS 2009.

27
Study design
  • Sent email to all CMU students, faculty and
    staff to recruit participants (opt-in)
  • 515 participants in three conditions
    • Control / One training message / Two messages
  • Emails sent over a 28-day period
    • 7 simulated spear-phishing messages
    • 3 legitimate (cyber security scavenger hunt)
  • Campus help desks and IT departments notified
    before messages sent

28
Effect of PhishGuru Training
Condition   N     % who clicked on Day 0   % who clicked on Day 28
Control     172   52.3%                    44.2%
Trained     343   48.4%                    24.5%
29
Discussion of PhishGuru
  • PhishGuru can teach people to identify phish
    better
    • People retain the knowledge
    • People trained on first day less likely to be
      phished
    • Two training messages work better
  • People weren't less likely to click on legitimate
    emails
  • People aren't resentful, many happy to have
    learned
    • 68 out of 85 surveyed said they recommend CMU
      continue doing this sort of training in future
    • "I really liked the idea of sending CMU students
      fake phishing emails and then saying to them,
      essentially, HEY! You could've just gotten
      scammed! You should be more careful -- here's
      how...."
  • Contrast to US DOJ and Guam Air Force Base

30
APWG Landing Page
  • CMU and Wombat helped Anti-Phishing Working Group
    develop landing page for taken down sites
  • Already in use by several takedown companies
  • Seen by 200,000 people in past 27 months

31
Anti-Phishing Phil
  • A micro-game to teach people not to fall for
    phish
  • PhishGuru is about email, this game is about the
    web browser
  • Also based on learning science principles
  • Goals
    • How to parse URLs
    • Where to look for URLs
    • Use search engines for help
  • Try the game!
    • Search for "phishing game"
  • S. Sheng et al. Anti-Phishing Phil: The Design
    and Evaluation of a Game That Teaches People Not
    to Fall for Phish. In SOUPS 2007, Pittsburgh, PA,
    2007.

32
Anti-Phishing Phil
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37

38
Evaluation of Anti-Phishing Phil
  • Is Phil effective? Yes!
    • Study 1: 56 people in lab study
    • Study 2: 4517 people in field trial
  • Brief results of Study 1
    • Phil about as effective in helping people detect
      phishing web sites as paying people to read
      training material
    • But Phil has significantly fewer false positives
      overall
    • Suggests that existing training material makes
      people paranoid about phish rather than
      helping them differentiate

39
Evaluation of Anti-Phishing Phil
  • Study 2: 4517 participants in field trial
    • Randomly selected from 80000 people
  • Conditions
    • Control: Label 12 sites then play game
    • Game: Label 6 sites, play game, then label 6
      more, then after 7 days label 6 more (18 total)
  • Participants
    • 2021 people in game condition, 674 did retention
      portion

40
Anti-Phishing Phil Study 2
  • Novices showed most improvement in false
    negatives (calling phish legitimate)

41
Anti-Phishing Phil Study 2
  • Improvement all around for false positives

42
Anti-Phishing Phyllis
  • New micro-game just released by Wombat Security
  • Focuses on teaching people about what cues to
    look for in emails
  • Some emails are legitimate, some fake
  • Have to identify cues as dangerous or harmless

43
Summary
  • Phishing is already a plague on the Internet
  • Seriously affects consumers, businesses,
    governments
  • Criminals getting more sophisticated
  • End-users can be trained, but only if done right
  • Use a combination of fun and learning science
  • PhishGuru embedded training uses simulated
    phishing
  • Anti-Phishing Phil and Anti-Phishing Phyllis
    micro-games
  • Can try PhishGuru, Phil, and Phyllis
    at www.wombatsecurity.com

44
Acknowledgments
  • Ponnurangam Kumaraguru
  • Steve Sheng
  • Lorrie Cranor
  • Norman Sadeh

45
(No Transcript)
46
Screenshots
Internet Explorer Passive Warning
47
Screenshots
Internet Explorer Active Block
48
Screenshots
Mozilla Firefox Active Block
49
How Effective are these Warnings?
  • Tested four conditions
    • Firefox Active Block
    • IE Active Block
    • IE Passive Warning
    • Control (no warnings or blocks)
  • Shopping Study
    • Set up some fake phishing pages and added them to
      blacklists
    • We phished users after purchases (2 phish/user)
    • Real email accounts and personal information
  • S. Egelman, L. Cranor, and J. Hong. You've Been
    Warned: An Empirical Study of the Effectiveness
    of Web Browser Phishing Warnings. CHI 2008.

50
How Effective are these Warnings?
Almost everyone clicked, even those with
technical backgrounds
51
How Effective are these Warnings?
52
Discussion of Phish Warnings
  • Nearly everyone will fall for highly contextual
    phish
  • Passive IE warning failed for many reasons
    • Didn't interrupt the main task
    • Slow to appear (up to 5 seconds)
    • Not clear what the right action was
    • Looked too much like other ignorable warnings
      (habituation)
    • Bug in implementation: any keystroke dismisses it

53
Screenshots
Internet Explorer Passive Warning
54
Discussion of Phish Warnings
  • Active IE warnings
    • Most saw but did not believe it
    • "Since it gave me the option of still proceeding
      to the website, I figured it couldn't be that
      bad"
    • Some element of habituation (looks like other
      warnings)
    • Saw two pathological cases

55
Screenshots
Internet Explorer Active Block
56
Internet Explorer 8 Re-design
57
A Science of Warnings
  • See the warning?
  • Understand?
  • Believe it?
  • Motivated?
  • Can and will act?
  • Refining this model for computer warnings

58
Outline
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm
  • Machine learning of blacklists

Can we improve phish detection of web sites?
59
Detecting Phishing Web Sites
  • Industry uses blacklists to label phishing sites
    • But blacklists are slow to catch new attacks
  • Idea: Use search engines
    • Scammers often directly copy web pages
    • But fake pages should have low PageRank on search
      engines
    • Generate text-based fingerprint of web page
      keywords and send to a search engine
  • Y. Zhang, S. Egelman, L. Cranor, and J. Hong.
    Phinding Phish: Evaluating Anti-Phishing Tools.
    In NDSS 2007.
  • Y. Zhang, J. Hong, and L. Cranor. CANTINA: A
    content-based approach to detecting phishing web
    sites. In WWW 2007.
  • G. Xiang and J. Hong. A Hybrid Phish Detection
    Approach by Identity Discovery and Keywords
    Retrieval. In WWW 2009.

60
Robust Hyperlinks
  • Developed by Phelps and Wilensky to solve the 404
    not found problem
  • Key idea was to add a lexical signature to URLs
    that could be fed to a search engine if the URL
    failed
    • Ex. http://abc.com/page.html?sig=word1+word2+...+word5
  • How to generate signature?
    • Found that TF-IDF was fairly effective
    • Informal evaluation found five words was
      sufficient for most web pages
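An added example (not code from the talk or from the CANTINA project) of the lexical-signature idea from the Detecting Phishing Web Sites and Robust Hyperlinks slides: it picks the top five TF-IDF words of a page, carries them in a URL, and applies CANTINA's check that the page's own domain should appear among the search results for that signature. The background corpus, the page text, the query-parameter name `sig`, and the search results are all constructed for the example, so it runs offline.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed background corpus that supplies the IDF statistics; the real systems
# use a large English corpus, so this is an assumption made for the example.
CORPUS = [
    "welcome to my photo blog about hiking and mountains",
    "latest news on the stock market and interest rates",
    "recipes for dinner pasta salad and dessert",
    "online store for shoes jackets and accessories",
]
STOPWORDS = {"in", "to", "and", "your", "the", "of", "a", "for", "on", "my", "about"}

# Constructed text of a sign-in page; a phish that copies it verbatim yields the
# same signature, which is what lets the search engine point back at the real site.
PAGE = ("eBay sign in. Enter your user ID and password. Forgot your user ID? "
        "Forgot your password? Need help? Sign in to eBay to continue.")

def tokenize(text):
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]

def make_idf(corpus):
    # Smoothed IDF so terms absent from the corpus (e.g. "ebay") get a finite weight.
    n, df = len(corpus), Counter()
    for doc in corpus:
        df.update(set(tokenize(doc)))
    return lambda term: math.log((n + 1) / (df[term] + 1)) + 1.0

def lexical_signature(page_text, corpus=CORPUS, k=5):
    """Top-k TF-IDF words of a page: the lexical signature of a robust hyperlink."""
    tokens = tokenize(page_text)
    tf, idf = Counter(tokens), make_idf(corpus)
    scored = {t: (tf[t] / len(tokens)) * idf(t) for t in tf}
    # Highest score first; ties broken alphabetically so the result is deterministic.
    return [t for t, _ in sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]

def robust_url(url, signature):
    # Phelps/Wilensky: carry the signature in the URL itself ("sig" is a placeholder name).
    return url + "?sig=" + "+".join(signature)

def cantina_verdict(page_url, search_results):
    """CANTINA's core check: legitimate only if the page's own domain appears among the
    search results for its signature. Results are passed in so the example runs offline."""
    domain = urlparse(page_url).netloc.lower()
    return "legitimate" if any(urlparse(r).netloc.lower() == domain for r in search_results) else "phish"

# Constructed search results for the signature of PAGE.
RESULTS = ["https://signin.ebay.com/", "https://pages.ebay.com/help/"]
```

A phishing copy hosted elsewhere produces the same five words, so the same results come back, and the copy's domain is not among them.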

61
Fake
eBay, user, sign, help, forgot
62
Real
eBay, user, sign, help, forgot
63
(No Transcript)
64
(No Transcript)
65
Evaluating CANTINA
PhishTank
66
Machine Learning of Blacklists
  • Human-verified blacklists maintained by
    Microsoft, Google, PhishTank
    • Pros: Reliable, extremely low false positives
    • Cons: Slow to respond, can be flooded with URLs
      (fast flux)
  • Observation 1: many phishing sites similar
    • Constructed through toolkits
  • Observation 2: many phishing sites similar
    • Fast flux (URL actually points to same site)
  • Idea: Rather than just examining URL, compare
    content of a site to known phishing sites

67
Machine Learning of Blacklists
  • Approach 1: Use hashcodes of web page
    • Simple, good against fast flux
    • Easy to defeat (though can allow some
      flexibility)
  • Approach 2: Use shingling
    • Shingling is an approach used by search engines
      to find duplicate pages
    • "connect with the eBay community" -> "connect
      with the", "with the eBay", "the eBay community"
    • Count the number of common shingles out of total
      shingles, set threshold

68
Machine Learning of Blacklists
  • Use Shingling
  • Protect against false positives
    • Phishing sites look a lot like real sites
    • Have a small whitelist (ebay, paypal, etc)
    • Use CANTINA too
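An added example, not the talk's own code, of the two approaches on the preceding slide and the whitelist from this one: a whole-page hash that a single changed word defeats, three-word shingles with the common-over-total similarity from the slide, and a domain whitelist consulted before the content comparison. The page texts and URLs are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed page texts: a blacklisted phishing page, a near-copy produced by the
# same toolkit, and an unrelated page (assumed data for this example).
KNOWN_PHISH = ("Sign in to connect with the eBay community. Enter your user ID "
               "and password to continue.")
VARIANT = ("Sign in to connect with the eBay community! Enter your user id "
           "and password to proceed.")
UNRELATED = "Welcome to the hiking club. Browse our trail photos and join the next weekend walk."
WHITELIST = {"ebay.com", "paypal.com"}  # the slide's small whitelist of real sites

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def page_hash(text):
    # Approach 1: one hash over the whole page. Any changed byte defeats the match.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def shingles(text, w=3):
    """Approach 2: the set of w-word shingles, e.g. 'connect with the eBay community'
    -> {'connect with the', 'with the ebay', 'the ebay community'}."""
    tokens = tokenize(text)
    return {" ".join(tokens[i:i + w]) for i in range(len(tokens) - w + 1)}

def shingle_similarity(a, b, w=3):
    """Common shingles out of total distinct shingles (the Jaccard index)."""
    sa, sb = shingles(a, w), shingles(b, w)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0

def matches_known_phish(text, known_pages, threshold=0.5):
    """Content-based blacklist hit: within the threshold of any known phishing page."""
    return any(shingle_similarity(text, k) >= threshold for k in known_pages)

def classify(url, text, known_pages, threshold=0.5):
    """Whitelist first, since phishing pages look a lot like the real ones;
    then the shingling comparison against the blacklist's page contents."""
    host = urlparse(url).netloc.lower()
    if host in WHITELIST or any(host.endswith("." + d) for d in WHITELIST):
        return "whitelisted"
    return "phish" if matches_known_phish(text, known_pages, threshold) else "unknown"
```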

69
Tells people why they are seeing this message,
uses engaging character
70
Tells a story about what happened and what the
risks are
71
Gives concrete examples of how to protect oneself
72
Explains how criminals conduct phishing attacks
73
(No Transcript)