A Policy Analysis of Phishing Countermeasures

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Engineering and Public Policy

Xinguang (Steve) Sheng
B.S., Computer Engineering, University of Pennsylvania
M.S., Computer and Information Science, University of Pennsylvania

Carnegie Mellon University
Pittsburgh, PA
December 2009

© Copyright by Xinguang (Steve) Sheng, December 2009. All Rights Reserved.

To my wife Phoebe Chao, for her loving support every step along the way.

ACKNOWLEDGMENTS

I would like to thank all the people who have helped and inspired me during my doctoral study. I especially want to thank my advisor, Prof. Lorrie Cranor, for her guidance during my research and study at Carnegie Mellon. Her warm and encouraging spirit, enthusiasm in research, and invaluable research insights have motivated all her advisees, including me. I am grateful to the rest of my thesis committee: Profs. Alessandro Acquisti, Jason Hong and Adrian Perrig. All of them have offered innumerable comments, suggestions, and feedback about the research presented in my thesis.

I had the privilege of working with many bright and fun collaborators. I would like to thank Bryant Magnien, Patrick Kelly, Elizebeth Nunge and Ponnurangam Kumaraguru for Anti-Phishing Phil; Yue Zhang, Brad Wardman, Gary Warner and Chengshan Zhang for the phishing blacklist study; Mandy Holbook and Julie Downs for the Mechanical Turk study; and Ponnurangam Kumaraguru for the expert interview study. All my lab mates at the CyLab Usable Privacy and Security Laboratory (CUPS) made it a convivial place to study. In particular, I would like to thank Ponnurangam Kumaraguru, Serge Egelman, Justin Crenshaw, Kami Vaniea, Patrick Kelley, Janice Tsai, Rob Reeder and Robert McGuire for their friendship and help in the past five years. Thanks.
I owe my deepest gratitude to my family for their unflagging love and support throughout; this dissertation would simply have been impossible without them. I am indebted to my father, Xiangchen Sheng, for his care and love, and I cannot ask for more from my mother, Fengzhi Wang, as she is the most loving mother that I have met. My wife Phoebe has been an encourager, motivator, and counselor along every step of this thesis; in fact this thesis could not have been completed without her, and therefore I dedicate it to her.

I would regret my doctoral years at Carnegie Mellon if I had not joined the Antioch cell group at Pittsburgh Chinese Church Oakland (PCCO). I cherished the fellowship and support between me and them, and the friendships with my Christian brothers and sisters at PCCO. I treasured all the precious moments we shared and would really like to thank them.

I would also like to acknowledge the support of the National Science Foundation under grant CCF0524189 and the Army Research Office under grant number DAAD19-02-1-0389.

Last but not least, thanks be to God for my life through all the tests of the past five years. You have enlarged my tent and made my life more bountiful. May your name be exalted, honored, and glorified.

ABSTRACT

Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. This thesis looks at the phishing problem holistically by examining various stakeholders and their countermeasures, and by surveying experts' opinions about the current and future threats and the kinds of countermeasures that should be put in place. It is composed of four studies.

In the first study, we conducted semi-structured interviews with 31 anti-phishing experts from academia, law enforcement, and industry. We surveyed experts' opinions about the current and future phishing threats and the kind of countermeasures that should be put in place.
Our analysis led to eight key findings and 18 recommendations to improve phishing countermeasures.

In the second study, we studied the effectiveness of popular anti-phishing tools used by major web browsers. We used fresh phish that were less than 30 minutes old to conduct two tests on eight anti-phishing toolbars. We found that blacklists were ineffective at protecting users initially. The tools that use heuristics to complement blacklists caught significantly more phish than blacklist-only tools, with very low false positives.

In the third study, we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated Anti-Phishing Phil through laboratory and real-world experiments. These experiments showed that people trained with Anti-Phishing Phil were much better at detecting phishing websites, and that they retained the knowledge after one week.

In the fourth and final study we present the results of a role-play survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility, and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and that participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing web pages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.

TABLE OF CONTENTS

ABSTRACT
1 Introduction
  1.1 Thesis statement
  1.2 Thesis contribution
  1.3 Outline of the thesis
2 Background
  2.1 Anatomy of Phishing
    2.1.1 Planning
    2.1.2 Setup
    2.1.3 Attack
    2.1.4 Collection
    2.1.5 Fraud
  2.2 Why people fall for phishing
  2.3 Cost of phishing
  2.4 Recent developments in phishing
  2.5 Phishing countermeasures
    2.5.1 Legal solutions
    2.5.2 Technology countermeasures
    2.5.3 Social response: awareness and education
  2.6 Economics of Information Security
    2.6.1 Security investment
    2.6.2 Security as externality
    2.6.3 Misaligned incentives
3 Improving Phishing Countermeasures: An Analysis of Expert Interviews
  3.1 Introduction
  3.2 Related Work
  3.3 Stakeholders
    3.3.1 Primary victims
    3.3.2 Infrastructure providers
    3.3.3 For-profit protectors
    3.3.4 Public protectors
  3.4 Methodology
    3.4.1 Recruitment and Participants
    3.4.2 Interview Protocol
    3.4.3 Analysis
    3.4.4 Limitations
  3.5 Results
    3.5.1 Evolving threat
    3.5.2 Stakeholder incentives
    3.5.3 What stakeholders should do
    3.5.4 Law enforcement and education
  3.6 Discussion
    3.6.1 Applicability of the Recommendations against Spear-phishing
    3.6.2 Summary of findings
4 Case Study of Browser-based Anti-phishing Solutions
  4.1 Background and Related Work
    4.1.1 Anti-Phishing Heuristics
    4.1.2 Phishing blacklists
    4.1.3 Related Work
  4.2 Methodology
    4.2.1 Anti-phishing Testbed
    4.2.2 Phishing Feed
    4.2.3 Evaluation Procedure
  4.3 Results
    4.3.1 Length of Phishing Campaign
    4.3.2 Blacklist Coverage
    4.3.3 False Positives
    4.3.4 Accuracy of Heuristics
    4.3.5 Total Protection
  4.4 Discussion
    4.4.1 Limitations
    4.4.2 Opportunities for Defenders
    4.4.3 Improving blacklists
    4.4.4 Use of heuristics
5 Anti-Phishing Phil: A Case Study in User Education
  5.1 Introduction
  5.2 Background and Related Work
    5.2.1 Why people fall for phishing
    5.2.2 Tools to protect people from phishing
    5.2.3 Anti-phishing education
  5.3 Design of Anti-Phishing Phil
    5.3.1 Game Design Principles
    5.3.2 Game Description
    5.3.3 Training Messages
    5.3.4 Pilot Test
    5.3.5 Modified Game
  5.4 Evaluation 1: Lab Study
    5.4.1 Study design
    5.4.2 Participant Recruitment and Demographics
    5.4.3 Results
  5.5 Evaluation 2: Anti-Phishing Phil Field Study
    5.5.1 Study design
    5.5.2 Participants
    5.5.3 Results
6 Phishing Susceptibility Study
  6.1 Background and related work
    6.1.1 Demographics and Phishing Susceptibility
    6.1.2 Susceptibility vs. Risk Behavior
    6.1.3 Security User Education
  6.2 Study Design
    6.2.1 Recruitment
    6.2.2 Roleplay
    6.2.3 Education Materials
    6.2.4 Previous Experiences and Demographics
    6.2.5 Knowledge and Technical Background
    6.2.6 Risk Perceptions
  6.3 Results
    6.3.1 Measuring User Performance
    6.3.2 Regression Analysis
    6.3.3 Gender and Falling for Phish
    6.3.4 Age and Falling for Phish
    6.3.5 Effects of Education
  6.4 Discussion
    6.4.1 Limitations
    6.4.2 Summary of findings
    6.4.3 Role of education
7 Conclusions
LIST OF REFERENCES
APPENDIX
  Appendix I: List of Recommendations

Chapter 1 Introduction

Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information.
Victims perceive these emails as associated with a trusted brand, while in reality they are the work of con artists interested in identity theft [57]. Phishing is a widespread problem that is impacting both businesses and consumers. In May 2009, MessageLabs estimated that 0.41% of the 3.3 billion emails going through their system each day were phishing emails [87]. Microsoft Research recently estimated that 0.4% of email recipients are victimized by phishing attacks [36]. The annual cost to consumers and businesses due to phishing in the US alone is estimated to be between $350 million and $2 billion [43, 92].

To reduce the damage due to phishing, stakeholders have implemented their own countermeasures: major web browsers have built-in filters (e.g. [10], [46], [90]), Internet service providers filter suspicious phishing emails, law enforcement officers find and prosecute phishers, and US government agencies and corporations now educate consumers about phishing.

Phishing scams have also evolved, sometimes at a faster pace than countermeasures. Phishers launch attacks on specific groups (e.g. users of social networking sites) through multiple channels (e.g. phone, instant messaging), and phishing toolkits and compromised credentials are readily available for sale at low prices on Internet black markets [38]. Sophisticated phishing schemes such as man-in-the-middle attacks and malware are becoming more frequent [62].

As the battle against phishing continues, many questions remain about where stakeholders should place their efforts to achieve effective prevention, speedy detection, and fast action. Do stakeholders have sufficient incentives to act? What should be the top priorities for the anti-phishing community?

1.1 Thesis statement

This dissertation aims to provide insights into the questions raised above through four studies.
This thesis presents recommendations about how to better fight phishing; these recommendations are informed by empirical data on the effectiveness of current approaches as well as systematic analyses of stakeholder interests and the phishing life cycle. Semi-structured expert interviews were used to rank and prioritize the recommendations. In addition, we used case studies on the effectiveness of web browser anti-phishing toolbars and anti-phishing education to provide empirical data for our analysis.

The centerpiece of the thesis is an expert analysis of phishing countermeasures. We conducted semi-structured interviews with 31 anti-phishing experts from academia, law enforcement, and industry. We surveyed experts' opinions about the current and future phishing threats and the kind of countermeasures that should be put in place. Experts discussed technical countermeasures, education, and law enforcement, which led to eight key findings and 18 recommendations to improve phishing countermeasures.

One of the findings from the expert analysis is that experts think education and awareness are important. However, not all experts agree on the effectiveness of end-user security education. To investigate this issue further, we conducted two in-depth studies. First, we studied phishing susceptibility with a role-play survey administered to 1000 users of Mechanical Turk. This study showed the impact of different demographic factors on phishing susceptibility. In the second study, we designed and evaluated Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks.

Another key area on which experts commented is the strategic position of browsers. Several experts noted that organizations are conservative about filtering and warning about phish because they are worried about false positives. To investigate this further, we studied the effectiveness of popular anti-phishing tools used by major web browsers.
1.2 Thesis contribution

This thesis is both timely and needed to reduce the negative consequences of semantic attacks on society. The education component of this research can potentially help reduce the increasing number of people who fall for phishing and other semantic attacks, and the policy recommendations from this research could help government and various stakeholders to better prioritize their resources and manage their risks in fighting phishing and other semantic attacks. This thesis work builds on existing knowledge in the fields of computer security and privacy, human computer interaction, and economics, and adds to the literature with the following contributions.

1. We designed and evaluated Anti-Phishing Phil, an online game that teaches users good habits to help them avoid semantic attacks. People trained with Anti-Phishing Phil were much better at distinguishing phishing websites from legitimate websites, and retained their knowledge after one week. The Anti-Phishing Phil game has been played over 110,000 times world-wide and is being commercialized by Wombat Security Technologies. This research showed that computer users can be trained to make better online trust decisions if the training materials are presented in a fun and interactive manner and grounded in learning science principles.

2. We conducted semi-structured interviews with 31 anti-phishing experts from academia, law enforcement, and industry on phishing countermeasures. Our analysis led to eight key findings and 18 recommendations to improve phishing countermeasures.

3. We studied the effectiveness of popular anti-phishing tools used by major web browsers. We found that blacklists were ineffective at protecting users initially; the tools that use heuristics to complement blacklists caught significantly more phish than blacklist-only tools, with very low false positives. We recommend that toolbar vendors use heuristics to complement blacklists to speed up phishing detection.

4.
We studied demographics and phishing susceptibility with a role-play survey administered to 1001 users of Mechanical Turk. This research is the first study of the demographic factors contributing to susceptibility to semantic attacks. We also demonstrated the successful use of Mechanical Turk to conduct online experiments.

1.3 Outline of the thesis

The next chapter introduces the fundamentals of phishing attacks and some of the related work that builds the foundation for the thesis. Chapter 3 discusses the expert interview study in depth, and presents the key findings and recommendations. Chapter 4 discusses our study on the effectiveness of popular anti-phishing tools used by major web browsers. Chapter 5 describes the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. Chapter 6 discusses the role-play survey conducted with Mechanical Turk users to study demographics and phishing susceptibility. Finally, Chapter 7 presents conclusions from this thesis work and offers recommendations for public policy makers.

Chapter 2 Background

In this chapter, I discuss the literature on phishing, relevant countermeasures, and the literature on the economics of information security.

2.1 Anatomy of Phishing

Phishing attacks usually take the following steps: planning, setup, attack, collection, fraud and abuse, and post-attack [35]. To fight phishing better, we need to understand the nuts and bolts of the attack better. In this section, I describe in detail how phishing attacks work. I model in detail both the attackers and the defenders in each of the phishing steps.

Previous work has also modeled phishing attacks. The DHS report on phishing [105] separates phishing into seven steps and discusses countermeasures based on the model. That model does not consider IM phishing or voice over IP phishing, nor does it include stakeholders other than banks.
My model includes different stakeholders and provides specific recommendations to counter those two attacks. The FSTC report [35] discusses the phishing life cycle, but does not provide details of attacks or stakeholders. My analysis addresses these problems.

2.1.1 Planning

Phishers first need to decide whom to target, and what information to steal. A recent study [38] shows that a large and thriving underground e-crime economy of highly specialized criminals exists. Based on this insight, I model phishers as rational agents. They pick and choose their targets to maximize their gain and minimize their cost and risks.

[Figure 2.1: A model of a phisher's decision process. Factors feeding the phisher's decision: net worth of the clients, security measures of the institution, user base of the institution, difficulty of launching attacks, and cost of launching attacks.]

Figure 2.1 lists the likely factors they consider when they plan the attack.

• User base of the institution. The larger the institution's user base, the higher the percentage of targets receiving phishing emails that will actually have an account relationship with the institution. Today, each US household carries an average of 6.3 credit cards, and the issuance of these credit cards is concentrated among five banks [footnote 1]. Based on my estimate, there is a 15%-45% chance that a household receiving a phishing email from one of these top banks is an actual customer of the bank [footnote 2]. This rule does not apply to targeted attacks in which phishers have specific information about customers' account relationships.

• Net worth of clients. The higher the worth of the client, the higher the returns of an attack. As countermeasures become more widely available, phishers will launch more attacks against high net worth clients such as executives and small business merchant accounts, putting them at special risk.
Footnote 1: For more information about credit card usage, see FDIC's review at http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

Footnote 2: The number of households in the US is 110 million in 2010; the top credit card issuing bank (Citibank) has 48 million active cards, and the lowest of the five (Bank of America) has 20 million accounts.

• Security measures or processes implemented by the institution. The stronger an institution's security measures and processes are, the harder it is for phishers to penetrate, commit fraud, and launder money. Phishers can learn about an institution's preparedness through previous attack experience and publicly available information (news and press releases).

• The value of credentials. The more valuable the credentials are, the more frequent the attacks will be. Currently small business accounts and checking and money market accounts are for sale at a high price in the Internet black market, whereas credit card numbers are cheap. This means that attacks to steal these accounts will continue to grow. As time goes by, credentials such as social networking data may become more valuable as phishers team up with malware writers to deliver malware and launch phishing.

This analysis of phishers' motives and their operating environments yields a few important insights:

• As the underground black market continues to develop, phishing will become an operation that involves multiple parties with different specialties. We can further predict that economies of scope and scale will come into effect, with phishing operations consolidating into a few phishing gangs to increase profit and reduce cost. This is both good and bad news for law enforcement. The good news is that there are fewer phishers to catch. The bad news is that these gangs will be more technically capable and advanced enough to hide their trails.

• If a bank is robbed once, we blame the robbers. However, if the same bank is repeatedly robbed, there must be some problem with its security.
Simply put, if a particular institution is the repeat target of phishers, its institutional risk controls and methods for handling incidents need to be scrutinized.

• Different categories of targets face different risks and therefore require different countermeasures.

[Figure 2.2: Details of phishing attack planning and setup, including stakeholders. Parties: phishing gang, toolkit provider, domain registrar, legitimate websites, botnet herders (or host providers), spammers. Steps: 1) decide on target; 2) buy toolkit and websites; 3a) register malicious or random domain; 3b) hack into legitimate sites and plant phishing; 4) buy hosts to set up attack machinery; 5) ask spammers to send phishing emails.]

2.1.2 Setup

After deciding on the target, phishers will set up the attack infrastructure. Figure 2.2 models how phishers do this and how various stakeholders are involved. The key insight here is that phishers rely on hackers, spammers, botnet herders, and pay loaders to launch a large-scale phishing attack. A few other insights:

• Phishers will go to great lengths to reduce the probability of being caught. To that end, they will systematically exploit registrars that have weak security or process loopholes (for example, the recent Rock Phish gang's exploitation of the .hk domain, which has a weak verification process), operate from countries that have inadequate law enforcement resources and laws, and deploy proxies to hide their true destinations.

• As shown in Figure 2.2, domain registrars are the first line of contact for phishers.
If the registrars improve their security processes for registration and fraud detection (for example, a simple check against Rock Phish-type registrations), it would sever phishers' ability to get domain names.

• Botnets are the crucial machinery for launching and covering up phishing attacks. Bots configured as proxies hide the trails of phishing attacks and make it very difficult for law enforcement to investigate.

• All of the criminals meet and trade at the Internet black market. This means that efforts and research to disrupt the Internet black market will not only reduce phishing, but other types of attacks as well.

2.1.3 Attack

Once the machinery is set up, attacks are launched through various vectors. Email and website phishing are the two most common attack vectors. Attacks using instant messenger and voice over IP are also increasing. In this section, I analyze these attacks separately.

Vector: email

[Figure 2.3: Phishing attack via email. Parties: phisher, spam relays and botnets, recipient mail gateways, mail storage, Internet service provider, user's mail client. Steps: 1) send phishing emails; 2) deliver phishing emails; 3) spam filtering; 4) MTA moves email to storage; 5) user checks email; 6) establish connection to provider; 7) email transferred; 8) email transferred.]

Figure 2.3 details the steps of attack through the email and web vectors. First, spammers send phishing emails through spam relays, botnets, anonymous mailers, and other common spam techniques (for a detailed treatment of these techniques, see [142]). The packets arrive at the ISP's mail gateway, where the emails are reassembled. The gateway then performs filtering. After that, mail transfer agents move emails to storage. When users check their email, mail clients on user machines connect to the mail storage through user ISPs, and download emails to their personal machines. If the end user's mail client is a web client, it connects directly to the mail storage through a web interface and retrieves the email.
Figures 2.4 and 2.5 show an example of a phishing email and website targeting eBay.

Mail providers are in a unique position to combat phishing. They are the first point of contact for phishing emails. Their filtering effort will reduce the magnitude of the problem later on. Their reporting effort will reduce the time for blocking phishing websites. However, we need to consider that mail providers' primary worry is spam. It consumes their bandwidth, takes up server space, and annoys customers. The amount of phishing they receive is only about 1% of the overall spam, so it is likely that they will consider phishing as part of the spam problem. To this end, they would be happy to process phishing if the spam filters also catch it, but they may not be willing to add additional phishing filters that consume their resources. Similarly, they also lack incentive to report phishing emails when it would take manual work to do so.

There are over one thousand commercial free mail providers [footnote 3] around the world and many, many more corporate or educational institution email providers. Not all of them are equally resourceful. Major mail providers, such as Yahoo and Microsoft, have resources to invest heavily in anti-phishing and anti-spam technology. Smaller providers with limited IT budgets may have to rely on open source filters such as SpamAssassin, which is not very effective when it comes to phishing [footnote 4].

Footnote 3: Statistics compiled from the free email providers' guide [39].

Footnote 4: Research has shown that the standard configuration of SpamAssassin currently only catches about 70% of phishing emails [34].

[Figure 2.4: An example phishing email targeting eBay, asking users to log in to update an account. It warns users that failure to comply will lead to account suspension. The email address is spoofed, and the URL link is spoofed as well.]

[Figure 2.5: An example phishing website targeting eBay that people see once they click on the link in the email example above.]
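The two spoofing cues named in the Figure 2.4 caption (a spoofed sender address and a link whose visible text does not match its real destination) are exactly the kind of check a mail gateway filter can run mechanically at step 3 of Figure 2.3. The following Python script is an added illustration of such a check; it is not code from the thesis, from SpamAssassin, or from any mail provider. Both sample messages are constructed for this example, and BRAND_DOMAINS is an assumed allow-list of the domains a brand sends from, not a real sender policy. The registered_domain helper is a deliberately crude "last two labels" approximation; a production filter would consult the public suffix list.

```python
"""Phishing-email cue checks (added illustration, not the thesis's own code).

Checks two cues called out in the Figure 2.4 caption:
  1. the visible link text shows one domain while the href points to another;
  2. the From: display name claims a brand whose domain the address does not use.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling Figure 2.4: link text names ebay.com but the
# href points at an unrelated address, and the sender domain is not ebay.com.
PHISH_EMAIL = """\
From: "eBay Billing" <billing@ebay-account-update.example>
To: user@example.com
Subject: Account suspension notice
Content-Type: text/html

<html><body>
<p>Please visit <a href="http://203.0.113.7/ebay/login">http://signin.ebay.com/update</a>
to update your account, or it will be suspended.</p>
<p>Help: <a href="http://pages.ebay.com/help">http://pages.ebay.com/help</a></p>
</body></html>
"""

# Constructed benign counterpart: sender and links all stay on ebay.com.
LEGIT_EMAIL = """\
From: "eBay" <noreply@ebay.com>
To: user@example.com
Subject: Your monthly statement
Content-Type: text/html

<html><body>
<p>Your statement is ready: <a href="http://my.ebay.com/statement">http://my.ebay.com/statement</a></p>
</body></html>
"""

# Assumed mapping from a brand word in the display name to its legitimate sending domains.
BRAND_DOMAINS = {"ebay": {"ebay.com"}}


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return (href, text) pairs whose visible text is a URL on a different domain than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain words as link text give the reader nothing to compare against
        shown = urlparse(text).hostname or ""
        actual = urlparse(href).hostname or ""
        if registered_domain(shown) != registered_domain(actual):
            found.append((href, text))
    return found


def sender_brand_mismatch(msg: Message) -> bool:
    """True if the From: display name mentions a known brand but the address domain is not that brand's."""
    from_hdr = msg.get("From", "")
    display_name = from_hdr.split("<")[0].lower()
    addr = from_hdr[from_hdr.find("<") + 1:from_hdr.rfind(">")] if "<" in from_hdr else from_hdr
    domain = registered_domain(addr.split("@")[-1])
    return any(brand in display_name and domain not in domains
               for brand, domains in BRAND_DOMAINS.items())


def score_message(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message and summarise the result."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    links = mismatched_links(payload.decode("utf-8", "replace"))
    from_bad = sender_brand_mismatch(msg)
    return {"link_mismatches": links, "sender_mismatch": from_bad,
            "suspicious": bool(links) or from_bad}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, score_message(raw))
```

On the constructed phishing sample, score_message flags both the sender and the first link, while the help link (text and href both on ebay.com) passes, and the benign sample is not flagged at all. Link-text comparison only fires when the anchor text itself looks like a URL, which is the case the Figure 2.4 caption describes; a message whose link text is a plain phrase gives the user no visible URL to be misled by, so that check deliberately stays silent there.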
Figure 2.6 Phishing attack via instant messenger (figure; actors: spammer bots, Internet chatroom, IM servers, IM clients, user, people on the buddy list; steps: 1) look for IM usernames / get IM usernames; 2) persuade user to add to buddy list / added to buddies; 3) send IM message with software exploit; 4) message relayed; 5) receive message; 6) decision: run malware; 7) phishing messages sent).

Instant messaging phishing

In the instant messaging phishing case, the attack method is very similar to SPIM (spam over IM) and malware. Figure 2.6 documents one particular way to launch the attack. This attack method assumes that not all instant messaging users have configured their clients to receive messages only from their buddy lists. In this example, phishers first get IM names from various chat networks or trick users into adding them to their buddy lists. Phishers then send a software exploit to hijack the account holders' instant messenger lists. If the users run the exploit, phishing messages are sent out as if coming from the users. Alternatively, phishers can also send exploits through email, like a regular malware or virus attack.

Instant messaging phishing and regular email phishing have some similarities and differences:

• In email phishing, users control when they will read messages, whereas in instant messaging, users will generally read messages when they are sent. This difference means that IM countermeasures have a shorter window of opportunity to detect and stop messages.

• IM is more contextualized than email. This means that an IM phishing attack targeting a bank will probably not be very effective because users would regard it as out of context. However, a message purporting to come from the messaging software vendor (AOL, Yahoo, Microsoft) asking users to update account information would be much more appealing. A message pretending to be sent from a friend asking to view a picture (while installing malware that alters the local DNS settings) could also be highly effective in IM.
I expect IM attacks to become more sophisticated and to deploy malware-based phishing rather than just regular phishing.

• IM networks are more connected than email networks. If IM networks are attacked, the potential infection can have a greater ripple effect than in email. Some research has shown that theoretically it would take only 30 seconds to infect 500,000 machines that have IM clients [80].

• IM is easier to control than email. In IM, a few companies own the infrastructure and the delivery channel of the IM network. This means that it is easy to implement control measures at the IM gateway level if messages are routed in peer-to-server mode [49]. Clients can also connect in peer-to-peer mode, however, bypassing the server altogether.

Vector: phishing over VoIP

There are two ways to launch phishing attacks with voice over IP. In the first method, phishers create an exact replica of the target company's voice system, obtain an 800 number from a VoIP service provider, and write and send email messages instructing recipients to call the 800 number and verify their credentials. Figure 2.7 illustrates this attack. In the second method, phishers directly dial victims' phone numbers. Phishers use a random digit dialer or other means to acquire lists of phone numbers to dial (similar to spam over VoIP). Once they have a list, they dial the numbers and play prerecorded messages, usually alerting consumers of fraud and asking them to verify personal information such as social security numbers and bank PINs. Consumers may be tricked into giving credentials on the spot or by calling back. In my expert interviews, I will ask experts what can be done about VoIP phishing.

Figure 2.7 Phishing attack via VoIP combined with traditional email scam methods [132].

2.1.4 Collection

The next step is the collection process. Figure 2.8 shows the process of a user falling for an email-based phishing attack.
Other attacks that do not involve the email vector but do involve the web vector can also be described with this process. Users, email client vendors, browser vendors, and ISPs all have a stake in developing and deploying countermeasures. Below is a list of possible measures.

• Email clients are the first intervention points that can present visible warnings to users. Effective warnings presented here will alert users who were previously unaware of the issue. So far little research exists on the effectiveness of these warnings.

• When users visit phishing websites, most of them have already committed time to reading the emails, and it is likely that most will follow the steps on the website and submit information if no warnings are given to them. Studies have suggested that this is indeed the case [68]. This means that warnings should be focused earlier in the process, at the email client level. Browser warnings must make it very difficult by design for users to bypass them.

• Browsers are well suited to implement solutions, as there are only a few browser products available, compared with tens of thousands of registrars and ISPs. Currently, major browsers like Internet Explorer and Firefox have phishing filters built in. However, these filters are not very good. For example, in a recent study, Internet Explorer caught only about 50-80% of phishing URLs during the first 6 hours (see Figure ??). Research should be conducted to benchmark and improve their performance.

Figure 2.8 Attack and data collection process (figure; actors: end user, email client, browser on user's local machine, Internet service provider, phishing web site; steps: 1) request email; 2) present message; 3) read message; 4) click on the link in email; 5) open browser; 6) connect to phishing site; 7) connect to phishing site; 8) phishing site loaded; 9) phishing site loaded into browser; 10) user reads phishing site; 11) user thinks about it; 12) enter information into browser; 13) send to phishing site; 14) send to phishing site).
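The first bullet above says the email client is the earliest point at which a visible warning can be raised, and Figure 2.4 notes that the link in the example email is spoofed. The following added example (mine, not code from the thesis) shows the kind of link check a mail client can run on an HTML message before the user clicks: it flags an anchor whose visible text is a URL on a different host than its real target, a target that is a bare IP address, and the userinfo trick in which everything before an "@" is ignored by the browser. The sample message, the 203.0.113.45 address and the .example domain are constructed for illustration; the eTLD+1 comparison is a deliberate simplification (a real client would use the public suffix list).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, modelled on the eBay-style email of Figure 2.4.
# The IP address and the .example domain are illustrative, not real sites.
SAMPLE_EMAIL = """
<p>Dear valued member, your account will be suspended unless you confirm
your details within 24 hours.</p>
<p><a href="http://203.0.113.45/ebay/signin.php">https://signin.ebay.com/ws/eBayISAPI.dll</a></p>
<p><a href="http://www.ebay.com@update-account.example/login">Update now</a></p>
<p><a href="https://www.ebay.com/help">Help</a></p>
"""

# Visible link text that looks like a URL or a bare hostname.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?::\d+)?(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    """urlsplit with 'http://' assumed when the scheme is missing."""
    return urlsplit(url if "://" in url else "http://" + url)


def _registrable(host):
    """Crude eTLD+1 (last two labels). Assumption for the example: a real
    client would consult the public suffix list so that e.g. co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body):
    """Return (href, reason) pairs for anchors that should trigger a warning."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        parts = _split(href)
        host = parts.hostname or ""
        # Cue 1: userinfo trick. http://www.bank.example@evil.example/ shows a
        # trusted-looking prefix, but the browser ignores everything before
        # the '@' and connects to evil.example.
        if "@" in parts.netloc:
            findings.append((href, "userinfo '@' in URL; real host is " + host))
        # Cue 2: a raw IP address where a brand's hostname would be expected.
        if _is_ip_literal(host):
            findings.append((href, "link target is an IP literal"))
        # Cue 3: the visible text is itself a URL whose host differs from the
        # real target (the spoofed link of Figure 2.4).
        if _URLISH.match(text):
            shown = _split(text).hostname or ""
            if _registrable(shown) != _registrable(host):
                findings.append((href, "link text shows %s but target is %s" % (shown, host)))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print("WARN %-50s %s" % (href, reason))
```

Run stand-alone, the script prints three warnings for the constructed message (two for the first link, one for the second) and none for the genuine help link. The check is deliberately cheap and local: it needs no blacklist lookup, so it fires even in the first hours of a campaign, which is exactly the window in which the browser-side filters discussed above perform worst.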
2.1.5 Fraud

The final process is fraud. Once the information is stolen, it is usually sold on the Internet black market. It is also possible that phishers themselves use the information to defraud customers. The fraud takes place in three steps:

• Phishers use the credentials to open new credit cards or to penetrate user accounts. They either do this themselves or employ a cashier.

• Phishers recruit money mules with accounts at the same institution and transfer the money to the mule's account. If they are able to obtain credit cards, they buy expensive items and have them shipped to the mule.

• Mules withdraw the money and transfer it to the phishers in other countries using Western Union and MoneyGram. Phishers may also repackage the expensive goods and ship them to a third location.

2.2 Why people fall for phishing

Phishing is part of a larger class of attacks known as semantic attacks. Rather than taking advantage of system vulnerabilities, semantic attacks take advantage of the way humans interact with computers or interpret messages [123]. In the phishing case, attacks exploit the fact that users tend to trust email messages and web sites based on superficial cues that actually provide little or no meaningful trust information [23, 26]. Research on phishing has shown that people are vulnerable for several reasons. First, people tend to judge a website's legitimacy by its "look and feel", which attackers can easily replicate [23]. Second, many users do not understand or trust the security indicators in web browsers [140]. Third, although some consumers are aware of phishing, they do not link that awareness to their own vulnerability or to strategies for identifying phishing attacks [26]. Fourth, the perceived severity of the consequences of phishing does not predict their behavior [27]. Below I summarize some of the seminal research in understanding why people fall for phishing.
Dhamija et al. showed twenty-two participants twenty web sites and asked them to determine which were fraudulent. Participants made mistakes on the test set 40% of the time. Many of the participants relied on the content of the web page (logos, layout, graphic design) to determine its legitimacy. The authors noted that 23% of their participants ignored all cues in the browser address bar and status bar as well as all security indicators [23]. Two related studies, by Wu et al. and by Jakobsson, showed similar results [54, 140].

Downs et al. described the results of an interview and role-playing study aimed at understanding why people fall for phishing emails and what cues they look for to avoid such attacks. There were two key findings in their work. First, while some people are aware of phishing, they do not link that awareness to their own vulnerability or to strategies for identifying phishing attacks. Second, while people can protect themselves from familiar risks, they tend to have difficulty generalizing what they know to unfamiliar risks [26]. In a follow-up study, Downs et al. surveyed 232 computer users to reveal predictors of falling for phishing emails, as well as of trusting legitimate emails. Their data suggested that a deeper understanding of the web environment, such as being able to correctly interpret URLs and understanding what a lock icon signifies, is associated with less vulnerability to phishing attacks. However, they also found that the perceived severity of the consequences of phishing does not predict behavior, suggesting that educational efforts should aim to increase users' intuitive understanding rather than merely warning them about risks [27].

2.3 Cost of phishing

Phishing exerts both direct and indirect costs on society. Examples of direct loss include consumers losing money and banking fraud.
Examples of indirect cost include erosion of consumer trust in the Internet, negative impact on businesses' brands, and an increase in service call center complaint volume. Estimating either cost is hard, as there are many stages of the attack and it is difficult to collect good data.

Three reports have attempted to estimate direct costs. Gartner Research conducted a survey of 5000 Internet users in August 2006, asking whether consumers had received, clicked on, or given information in response to phishing emails. Based on this survey, they estimated that 24.4 million Americans clicked on a phishing email in 2006, while 3.5 million gave up sensitive information. They calculated the economic loss to be 2.8 billion dollars in 2006 [42]. A follow-up survey in 2007 with similar methodology estimated that 3.2 billion dollars was lost in 2007 [43]. These studies rely on people's survey responses, and the psychology literature has shown that there is often a wide discrepancy between people's stated choices and their actual behavior.

Moore and Clayton empirically studied phishing websites using PhishTank data. They found that a phishing site lives for 61 hours on average. Using the web log data of some of these phishing sites, they estimated that on average 18 users fall for a phishing site on the first day it is up, and 8 users per day afterwards. The total cost to consumers per year was estimated at around 320 million dollars [92].

Florencio and Herley [36] instrumented Microsoft's anti-phishing toolbar to send a notification back to Microsoft every time a password was reused on more than one site. They cross-checked the sites where passwords were reused against Microsoft's blacklist and estimated that 0.4% of users fall for phishing (the data set covered about 500,000 people over a few months). Using this rate and an average loss of $572 per victim, the estimated yearly cost of phishing to consumers is around 350 million dollars.
The above empirical studies use separate methodologies to estimate phishing costs. Their research designs are reasonable, and their estimates agree remarkably well. We can thus treat 350 million dollars as a lower bound on the direct economic loss of phishing to consumers. The actual cost of phishing exceeds this amount once we consider the cost to businesses and other indirect costs.

It is worth noting that there is disagreement about the magnitude of phishing losses. For example, Florencio and Herley recently used stylized economic models to argue that phishing is a classic example of the tragedy of the commons, in which there is open access to a resource that has a limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of. The situation stabilizes only when the average phisher is making only as much as he gives up in opportunity cost. They estimate the annual loss to phishing at around 60 million dollars [50]. Other security experts have criticized both their research assumptions and their results [21]. Such disagreement highlights the lack of empirical evidence for phishing losses.

Last but not least, the cost of phishing is disproportionately borne by consumers. The fraud is relatively small in most phishing scams (median loss per victim around 200 dollars [43]), but the psychological fear and anxiety it causes the victims, and the time it takes to restore their identity, can be substantial. However, many organizations consider only the direct monetary loss to themselves in their calculations.

2.4 Recent developments in phishing

Traditional phishing is delivered through email, where phishers send mass email to consumers asking them to visit a website to enter information. However, recently attacks have become more sophisticated. In this section, I discuss three recent developments: voice over IP phishing, spear phishing, and new phishing techniques such as rock phish and fast flux.
VoIP Phishing

In April 2006, phishers started to use voice over IP to scam consumers (a.k.a. vishing). The attacks work as follows. First, phishers set up a voice-mail system using voice over IP and private branch exchange software (such as the open-source PBX software Asterisk). They then use an automatic dialer to call a long list of people and play a recorded message, or simply send emails asking them to call a number to update their account [112]. When consumers respond, they hear an automated message asking them to enter their account information [138]. Using VoIP, phishers can achieve economies of scale by dialing through a long list of numbers, and it also makes them harder to track down than regular phones would. Vishing is growing: MessageLabs observed an increasing frequency of such attacks toward the end of 2007 [86]. Vishing is more damaging than other phishing methods because research has shown that customers generally trust the phone channel more than the email channel [54], and they are well accustomed to entering credit card numbers through automated systems. In my proposed work, I will elicit experts' opinions on how to better counter vishing attacks.

Spear Phishing

Spear phishing is a highly targeted phishing scam. Instead of sending mass phishing emails to everyone, phishers exploit social context to send spoofed emails to consumers that appear to come from someone they know. For example, phishers can send emails impersonating an organization's system administrator asking people to update their passwords, or impersonate one of your friends on a social networking site. Attacks like these are possible because a myriad of information about consumers exists on the Internet and in many cases is readily available through basic mining of the web.
For example, attackers can obtain information about consumers' bidding history or shopping preferences from eBay, what banks they use (discoverable through web browser history [56]), or even social security numbers [53]. A recent incident of spear phishing targeted Wall Street executives. Phishers sent emails to middle and upper senior management of some Wall Street firms. These emails appeared to be complaints from the Better Business Bureau and contained a .doc attachment in which a spying trojan was embedded [86]; many opened the attachment and later found that they had become victims of fraud.

Research studies have shown that spear phishing can be highly effective. In a recent study by Jagatic et al. at Indiana University, the researchers sent email to students impersonating their friends on a social networking site. The email asked them to enter their secure university credentials. They found that 72% of the time, users would enter their correct credentials, four times more effective than traditional phishing methods [53]. Studies at the West Point Military Academy showed similar results [33]. In my proposed work, I will also elicit experts' opinions on how to counter spear phishing attacks.

Rock phish and fast-flux

Rock phish refers to phishing committed by the rock phish gang. They were so named because early versions of their attacks contained the word "rock". The rock phish gang has employed several techniques that make them more difficult to defeat than other phishers. First, they use stolen credentials to register multiple short and random domain names at multiple registrars. They then host their own DNS servers and provide name-to-IP resolution for each of the fraudulently registered domains. The names resolve to a farm of compromised computers, which do not host the phishing site but merely act as proxies to a handful of servers that host the phishing sites [81]. Techniques like these pose challenges.
Random domain registrations make automatic detection hard. Layers of redundancy make it hard to shut them down quickly, especially when the components sit in different jurisdictions. A recent study by Moore and Clayton showed that rock phish domains last almost three times longer than regular phishing domains [92].

Another technique the rock phish gang uses is fast flux. It is a DNS technique to evade blacklists. It works the following way: multiple nodes within a network register and deregister their addresses against a single DNS record, and some of these registrations last only a few hours. Techniques like these pose challenges to blacklists because phishers cycle through hundreds of addresses in a day, so a blacklist entry keyed on an IP address goes stale almost immediately.

In summary, phishers continue to improve their methods using new techniques such as rock phish and fast flux, targeting specific groups, and using alternative channels to attack. In my proposed work, I will elicit the experts' recommendations and stakeholders' countermeasures addressing specifically these three new threats and other evolving threats.

2.5 Phishing countermeasures

Phishing countermeasures can be categorized as legal solutions, technology countermeasures, and social responses. In this section, I survey each of these types of solutions briefly.

2.5.1 Legal solutions

In the wake of increasing publicity about phishing scams, both federal and state legislatures acted. In January 2005, Virginia added phishing to its computer crimes act, categorizing the use of a computer to obtain personal information "through the use of material artifice, trickery or deception" as a Class 6 felony punishable by prison sentences of up to five years and fines of up to $2,500 [137]. Similar statutes have been enacted in New Mexico [103] and New York [130]. By February 2007, half of the 50 U.S. states had enacted laws addressing phishing [98].
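The fast-flux description above gives a blacklist maintainer three observable signals: one name maps to many addresses, each mapping has a very short TTL, and the addresses are compromised machines scattered across unrelated networks. The added example below (mine, not code from the thesis) scores names from a passive DNS log on those three signals. The log lines are constructed for illustration, the thresholds are assumptions chosen for the example, and the /16 prefix stands in for "different network" because no routing data is available offline (an AS lookup would be the better key). The second name in the data is there as the caveat a practitioner wants: a content-delivery hostname also has a low TTL and many addresses, and only the network-spread signal separates it from a flux domain.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations: (seconds since start, name, A record, TTL).
# Names and addresses are illustrative; the first name mimics the short random
# labels the rock phish gang registered.
OBSERVATIONS = [
    (0,    "r3z9kq.example", "198.51.100.7", 300),
    (600,  "r3z9kq.example", "203.0.113.91", 300),
    (1200, "r3z9kq.example", "192.0.2.18",   300),
    (1800, "r3z9kq.example", "198.18.4.200", 300),
    (2400, "r3z9kq.example", "100.64.9.33",  300),
    (3000, "r3z9kq.example", "172.16.77.5",  300),
    (3600, "r3z9kq.example", "10.200.1.1",   300),
    # A content-delivery hostname: low TTL and several addresses, but all
    # inside one provider network.
    (0,    "cdn-assets.example", "192.0.2.10", 60),
    (300,  "cdn-assets.example", "192.0.2.11", 60),
    (600,  "cdn-assets.example", "192.0.2.12", 60),
    (900,  "cdn-assets.example", "192.0.2.13", 60),
    (1200, "cdn-assets.example", "192.0.2.14", 60),
    (1500, "cdn-assets.example", "192.0.2.15", 60),
    # An ordinary static host.
    (0,     "www.static.example", "198.51.100.200", 86400),
    (86400, "www.static.example", "198.51.100.200", 86400),
]


def summarize(observations):
    """Per name: distinct addresses, distinct /16 networks, lowest TTL seen,
    and the first/last observation time."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(),
                                    "min_ttl": None, "first": None, "last": None})
    for ts, name, ip, ttl in observations:
        rec = per_name[name]
        rec["ips"].add(ip)
        # /16 is the stand-in for 'different network' (assumption: no AS data).
        rec["nets"].add(str(ipaddress.ip_network(ip + "/16", strict=False)))
        rec["min_ttl"] = ttl if rec["min_ttl"] is None else min(rec["min_ttl"], ttl)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return per_name


def flux_score(rec, ttl_limit=900, ip_limit=5, net_limit=3):
    """One point per fast-flux signal: short TTL, many addresses, many networks.
    Thresholds are assumptions for the example, not values from the thesis."""
    score = 0
    if rec["min_ttl"] <= ttl_limit:
        score += 1
    if len(rec["ips"]) >= ip_limit:
        score += 1
    if len(rec["nets"]) >= net_limit:
        score += 1
    return score


def new_addresses_per_hour(rec):
    """How fast the name cycles through addresses (the 'hundreds of
    addresses in a day' signal). Windows shorter than an hour count as one."""
    hours = max((rec["last"] - rec["first"]) / 3600.0, 1.0)
    return len(rec["ips"]) / hours


def classify(observations):
    """Map each name to its score; 3 means every signal tripped (likely fast flux)."""
    return {name: flux_score(rec) for name, rec in summarize(observations).items()}


if __name__ == "__main__":
    for name, rec in summarize(OBSERVATIONS).items():
        print("%-22s score=%d ips=%d nets=%d min_ttl=%d new_ips/h=%.2f" % (
            name, flux_score(rec), len(rec["ips"]), len(rec["nets"]),
            rec["min_ttl"], new_addresses_per_hour(rec)))
```

On the constructed data the random-label domain scores 3, the CDN name scores 2, and the static host scores 0. The practical consequence for a blacklist is the one the text draws: blocking the seven addresses of the flux domain buys nothing, because the next resolution returns a different compromised host, so the entry has to be keyed on the domain name (or the name server) rather than on the addresses.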
At the federal level, anti-phishing bills were passed in the House of Representatives in 2004 [133], 2005 [134], and 2007 [135], but the Senate failed to act upon them. Some prosecutions have been made. In 2006, a Florida man was indicted in Pennsylvania for a phishing scam that mimicked a Hurricane Katrina relief website [73]. In 2004, Zachary Keith Hill pleaded guilty in a Texas federal court to crimes related to phishing activity and was sentenced to 46 months' imprisonment [45]. The U.S. Department of Justice has successfully prosecuted several other defendants in U.S. courts [118].

However, criminal law does a poor job of deterring phishing because phishers are so hard to find [14]. Law enforcement authorities have little time to track down the criminal through the fraudulent site because on average such sites live only a few days. Once the site is shut down, the email is the only remaining evidence, and phishers often cover their tracks using tools such as anonymous remailers [14]. In light of this, some legal experts argue that Internet service providers should be made liable for part of the Internet's "insecurity". Their argument is that "Internet service providers control the gateway through which Internet pests enter and reenter the public computer system. They should therefore bear some responsibility for stopping these pests before they spread and for helping to identify individuals who originate malicious code in the first place" [74]. Service providers, however, have largely been immune to such liability. Because they are distributors of the content rather than publishers of it, and as long as they exercise due diligence to remove such materials, they are not held liable. How can law enforcement be more effective in the fight against phishing?

Figure 2.9 Taxonomy of phishing technical countermeasures (figure).
In my proposed work, I plan to address this issue with further analysis of laws and cases, and by interviewing several law enforcement experts from the Department of Justice and the Federal Bureau of Investigation.

2.5.2 Technology countermeasures

Anti-phishing services are now provided by Internet service providers (ISPs), built into mail servers and clients, and available as web browser toolbars. In this section, I review some commercial offerings as well as academic research. Drawing from the life cycle of phishing attacks, we can categorize countermeasures into the following stages: prevention, detection/analysis, shutdown, blocking emails/websites, warning users, and authentication/fraud detection (see Figure 2.9). I discuss each of these stages briefly below.

• Prevention: As shown in Figure 2.9, the first step in fighting phishing is to prevent attacks before they materialize. Law enforcement officers can catch and prosecute phishers before they launch the attack. Registrars can monitor domain registrations and analyze suspicious registrations.
Mail providers can use email verification solutions such as SPF to drop unverified traffic. The more effective the prevention is, the smaller the phishing problem will be.

• Detection: Once phishing attacks are launched, the best defense is to detect and analyze them as early as possible. Internet service providers can add detection systems to their email processing and storage systems to detect suspicious emails. Anti-phishing tool providers can set up spam traps or honeynets to receive early notice of new waves of attacks. Once suspicious emails and websites are identified, analysis follows, usually combining automatic analysis with human expertise. Table 2.2 lists some of the current state-of-the-art techniques used in automated detection.

• Shutdown: Once attacks are verified, service providers can be contacted to shut down the websites.

• Block emails / websites: Shutting down websites may take a few days, especially if they are on foreign domains. In the meantime, mail providers can delete phishing emails from storage (or move them to a separate spam or phishing folder), and Internet service providers can block their customers' access to these websites and replace them with generic education messages.

• Warning users: Browsers and email clients are in a unique position to warn users because their warnings are the most visible and direct.

• Authentication and fraud detection: This is the last line of defense. Correctly implemented two-factor authentication can stop phishers from using stolen credentials to defraud financial institutions (the qualifier matters: a one-time code that the user types into the phishing page can still be relayed by the phisher), and fraud detection systems can also discover the scam and stop it.

In summary, the objective is to prevent phishing attacks as much as possible; to detect attacks as early as possible; to shut down operations as quickly as possible; and to warn users as effectively as possible. Table 2.1 summarizes some of the commercial offerings by stage, and Table 2.2 summarizes major academic contributions to detection. In my proposed work, I plan to gain more understanding of the effectiveness of these solutions. Specifically, I will test ten anti-phishing toolbars empirically.

Table 2.1 Summary of commercial phishing countermeasures (columns: Stage; Techniques used; Examples of companies offering the service; Metrics for effectiveness)

Prevention. Techniques: 1) monitor domain registrars for suspicious registrations; 2) register domain names defensively to protect a brand; 3) Sender Policy Framework or similar technologies to validate email senders; 4) email encryption using S/MIME or PGP. Companies: MarkMonitor, Brandimensions, Cyveillance, InternetIdentity.com, GoDaddy.com, Verisign, TimerWeed Communications, RSA. Metrics: number of criminals caught and prosecuted; number of phishing attacks stopped.

Detection / analysis. Techniques: 1) set up honeynets or spam traps to collect phishing emails; 2) scan the mail provider's incoming mail; 3) scan company web logs for suspicious activity; 4) user reports of phishing scams; 5) scan the web to find malicious websites. Companies: MarkMonitor, RSA, Cyveillance. Metrics: detection time; true positives vs. false positives.

Block emails / websites. Techniques: 1) blacklists; 2) heuristics. Companies: Internet service providers. Metrics: true positives and false positives.

Warn user. Techniques: 1) email client warnings; 2) browser anti-phishing toolbars. Companies: Microsoft, Google, CloudMark, Earthlink. Metrics: reach (market share); time to warn; true positives and false positives.

Shutdown. Techniques: contact ISPs, CERTs or the necessary authorities to shut down the malicious website. Companies: RSA. Metrics: time to shutdown; cost of shutdown.

Authentication and fraud detection. Techniques: 1) Extended Validation certificates (EV certs); 2) two-factor authentication (smart cards, tokens); 3) fraud detection systems. Companies: Verisign, GlobalSign, RSA, Tricipher. Metrics: to be determined.
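The Prevention stage above lists the Sender Policy Framework as a way for a mail gateway to drop unverified traffic. The added example below (mine, not code from the thesis or any SPF library) shows what that decision actually looks like: the gateway takes the connecting IP and the MAIL FROM domain, fetches the domain's v=spf1 TXT record, and walks its mechanisms left to right until one matches. The zone data is constructed, the domains are illustrative, and only ip4, ip6, a (without CIDR), include and all are implemented, with the four qualifiers and the RFC 4408 limit of ten DNS-querying mechanisms; mx, ptr, exists, macros and redirect= are left out. The loop.example record is included to show why that limit matters. One caveat a gateway operator should keep in mind: SPF authorizes the envelope sender domain, not the From: header the user sees, so a phisher sending from a domain they control passes SPF cleanly.

```python
import ipaddress

# Constructed zone data, domain -> {"TXT": [...], "A": [...]}. All names are
# illustrative; nothing here is looked up on the network.
ZONES = {
    "bank.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
        "A": ["192.0.2.10"],
    },
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 ~all"],
    },
    "shop.example": {
        "TXT": ["v=spf1 a ?all"],
        "A": ["203.0.113.5"],
    },
    "loop.example": {  # misconfigured: includes itself
        "TXT": ["v=spf1 include:loop.example -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 4408 limit on a/mx/ptr/exists/include terms


def _spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [t for t in ZONES.get(domain, {}).get("TXT", [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, _budget=None):
    """Evaluate the sending IP against the domain's SPF policy.
    Returns pass, fail, softfail, neutral, none or permerror."""
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    record = _spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return "permerror"  # redirect= not implemented in this example
            continue  # unknown modifiers are ignored per RFC 4408
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name in ("a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms (or a loop)
            if name == "a":
                target = arg or domain
                matched = any(addr == ipaddress.ip_address(a)
                              for a in ZONES.get(target, {}).get("A", []))
            else:
                sub = check_host(ip, arg, budget)
                if sub in ("permerror", "none"):
                    return "permerror"  # including a broken or absent record is fatal
                matched = sub == "pass"
        else:
            return "permerror"  # mx, ptr, exists, macros, a/cidr: out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end with no 'all' term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "bank.example"), ("198.51.100.200", "bank.example"),
                    ("2001:db8:1::5", "bank.example"), ("203.0.113.6", "shop.example"),
                    ("192.0.2.1", "loop.example")]:
        print("%-16s %-20s %s" % (ip, dom, check_host(ip, dom)))
```

A gateway acting on the result rejects on fail, typically quarantines or scores on softfail, and must treat permerror as "no usable policy" rather than as a pass. The mailer's ~all is why 198.51.100.200 ends as fail and not softfail: the include only contributes a match when the included policy returns pass, after which bank.example's own -all applies.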
Table 2.2 Meta-analysis of proposed detection methods by academics (columns: Authors; Vectors addressed; Approach; Test data; Results)

Fette et al. [34]. Vector: emails. Approach: machine learning (random forests) with 6 features. Test data: 860 phishing emails and 6950 non-phishing emails. Results: true positive rate 96.1%, false positive rate 0.1%.

AbuNimeh et al. [1]. Vector: emails. Approach: compared multiple machine learning techniques with a large feature set. Test data: 1171 phishing emails and 1718 legitimate emails. Results: logistic regression had the lowest false positive rate (4.89%); random forest had the lowest false negative rate (11.12%).

Yue et al. [148]. Vector: websites. Approach: content-based approach using TF-IDF, combined with five heuristics. Test data: 100 phishing and 100 legitimate URLs. Results: true positive rate 97%, false positive rate 10%.

Anthony et al. [40]. Vector: websites. Approach: a linear programming model to assess the similarity of visual features. Test data: 1000 real web pages and 9 phishing pages. Results: precision 99.87%, recall 88.88%.

Figure 2.10 Active warning toolbar in Mozilla Firefox blocking a known phishing site (figure).

2.5.3 Social response: awareness and education

Despite claims by some security and usability experts that user education about security does not work [31], there is evidence that well-designed user security education can be effective [68]. Web-based training materials, contextual training, and embedded training have all been shown to improve users' ability to avoid phishing attacks.

A number of organizations have developed online training materials to educate users about phishing [28, 32]. In a previous study, we tested the effectiveness of some of these online materials and found that, while these materials could be improved, they are surprisingly effective when users actually read them [70].

Several studies have adopted a contextual training approach in which users are sent simulated phishing emails by the experimenters to test their vulnerability to phishing attacks. At the end of the study, users are given materials that inform them about phishing attacks.
This approach has been used in studies involving Indiana University students [53], West Point cadets [33], and New York State employees [104]. In the New York State study, employees who were sent the simulated phishing emails and follow-up notification were better able to avoid subsequent phishing attacks than those who were given a pamphlet containing information on how to combat phishing.

A related approach, called embedded training, teaches users about phishing during their regular use of email. In a previous laboratory experiment to evaluate our prototype embedded training system, we asked our participants to role-play and respond to the messages in an email inbox that included two training emails designed to look like phishing emails. If a participant clicked on a link in a training email, we immediately presented an intervention designed to train them not to fall for phishing attacks. We created several intervention designs based on the learning sciences, and found that our interventions were more effective than the standard security notices that companies email to their customers [68]. A follow-up study showed that people were able to retain what they learned in the training as well [69].

2.6 Economics of Information Security

To fight phishing, companies have to allocate resources. As companies decide how best to allocate those resources, it is important to understand the incentives and tradeoffs behind these decisions. There is a growing body of literature on the economics of information security that broadly addresses some of these questions.

2.6.1 Security investment

In general, security investment studies seek to answer the question: what is the optimal amount of investment in information security for a given company? What are the incentives and disincentives that affect the security investment? There are two approaches to answering this question. The first is through quantitative models, and the second is qualitative studies.
Seminal work in quantitative economic modeling includes the work of Gordon and Loeb [47] and of Cavusoglu and Raghunathan [15]. For qualitative studies, Row and Gallaher [117] conducted a series of interviews with large organizations in a variety of sectors. Based on the interviews, they derived a conceptual approach to security investment in organizations (see Figure 2.11). The paper made three key observations. First, various internal and external incentives (drivers) affect whether organizations adopt countermeasures. Second, some organizations tend to adopt more proactive countermeasures, while others are more reactive. In my proposed work, I extend their model and study the incentives for different stakeholders in phishing countermeasures.

2.6.2 Security as externality

Externalities arise when we analyze security investment, as protection often depends on the efforts of many principals. Anderson and Moore used the following analogy to explain this externality. Consider a medieval city. If the main threat is a siege, and each family is responsible for maintaining and guarding one stretch of the wall, then the city's security will depend on the efforts of the laziest and most cowardly family. If, however, disputes are settled by single combat between champions, then its security depends on the strength and courage of its most valiant knight. But if wars are a matter of attrition, then it is the sum of all the citizens' efforts that matters [4]. Does successfully combating phishing depend on the efforts of the laziest and most cowardly family (the weakest link)? Does it depend on the most valiant knight? Or on the sum of efforts?

Kunreuther and Heal note that security investments can be strategic complements: an individual taking proactive measures creates positive externalities for others that in turn may discourage their own investment [72].
An example is airline security, where airlines may decide not to screen luggage transferred from other carriers that are believed to be careful with security. For phishing countermeasures, externality is clearly an issue. Banks and online merchants suffer losses because the Internet is not secure. On the other hand, the efforts of Internet service and mail providers may reduce the incentive for banks to invest more in fighting phishing; in other words, the banks may free ride.

2.6.3 Misaligned incentives

Anderson and Moore indicate that incentive misalignment significantly undermines information security [4]. For example, in the United Kingdom, banks are liable for financial fraud only when it is proven that they are at fault; the burden of proof is on consumers. Therefore customer complaints are not taken seriously, and this leads to a great deal of fraud [4]. Are there misaligned incentives among the stakeholders of phishing countermeasures? Do those in the best position to fight phishing lack incentives to do so?

Figure 2.11 Diagram of cybersecurity investment by Row and Gallaher [117] (figure).

Chapter 3 Improving Phishing Countermeasures: An Analysis of Expert Interviews

This chapter is joint work with Alessandro Acquisti, Lorrie Cranor, Jason Hong, and Ponnurangam Kumaraguru. An earlier version of the content in this chapter was published at the 2009 eCrime Researchers Summit [126].

3.1 Introduction

As the battle against phishing continues, many questions remain about where stakeholders should place their efforts to achieve effective prevention, speedy detection, and fast action. Do stakeholders have sufficient incentives to act? What should be the top priorities for the anti-phishing community? To provide insights into these questions, we conducted 31 in-depth interviews with anti-phishing experts between May 2008 and May 2009.
We selected experts from academia, Computer Emergency Response Team (CERT) centers, Anti-Phishing Working Group (APWG) officers, law enforcement, and key industry stakeholders. We sought their expertise on the current and future state of phishing attacks, the countermeasures that should be implemented to fight phishing more effectively, and the incentives that various stakeholders have in their fight against phishing.

The experts we interviewed agreed that phishing is evolving into a more organized effort. It is becoming part of a larger crime eco-system, where it is increasingly blended with malware and used as a gateway for other attacks. Some of the experts suggested that incentives for fighting phishing may be misaligned, in the sense that the stakeholders who are in a position to have the largest impact do not have much incentive to devote resources to anti-phishing efforts. In terms of countermeasures, experts identified improving law enforcement and shutting down money trails as top priorities. They also identified operating system vendors, web application providers, browsers, and Internet service providers as stakeholders with key technology influence on phishing. Finally, experts agreed that education is an important factor that is not emphasized enough; however, they did not agree on the extent of the impact that education may have.

We present these findings and a set of recommendations to improve countermeasures. Although previous reports have studied phishing and issued recommendations, to the best of our knowledge this is the first study that synthesizes the opinions of experts from different fields and examines the incentives of various stakeholders to contribute to anti-phishing efforts.

3.2 Related Work

In response to the growing phishing problem, government agencies, industry groups, and consumer groups have conducted studies and issued recommendations [35, 52, 100, 105].
The Financial Services Technology Consortium's report was the first report that analyzed how phishing works by articulating the life cycle of phishing. It also encouraged financial institutions to assess the costs and risks associated with phishing, develop better intelligence on phishers through improved sharing, and invest in and adopt better mutual authentication. However, the report did not issue recommendations for non-financial institutions, who also have high stakes in the phishing problem [35].

The Identity Theft Technology Council report also analyzed the different phases of phishing and recommended a set of 21 technical countermeasures [iitc:phishing-report]. We selected a subset of recommendations from this report as a starting point for discussion in our expert interviews. However, we updated the set to address non-technical countermeasures as well as new and evolving threats that were not discussed in the report. In addition to discussing the set of recommendations, we also studied the incentives that stakeholders have to implement them, as well as how the incentives can be increased.

Table 3.1 Phishing stakeholders. Primary victims suffer direct losses from phishing. Infrastructure providers have technical capabilities to mitigate the problem. For-profit protectors sell solutions to primary victims and infrastructure providers. Public protectors include law enforcement officials, computer emergency response teams, and academic researchers.

Categories | Examples of key stakeholders | Roles
Consumers | – | Primary victims
Organizations | Military, universities, corporations | Primary victims
Financial institutions | Bank of America, Citibank, PayPal | Primary victims
Merchants | Online merchants (eBay, Amazon), offline merchants | Primary victims
Registrars and registries | GoDaddy, Verisign | Infrastructure providers
Internet service providers | AT&T, Comcast, AOL, universities | Infrastructure providers
Email providers | Gmail, Yahoo! Mail, Hotmail | Infrastructure providers
Browsers | Internet Explorer, Firefox, Safari | Infrastructure providers
Software vendors | Symantec, RSA, MarkMonitor, Cyveillance | For-profit protectors
Law enforcement | Federal Bureau of Investigation (FBI), Secret Service, state and local enforcement | Public protectors
Computer emergency response teams | CERT-CC, CSIRTs | Public protectors
Academia | – | Public protectors

In addition to these reports, the Anti-Phishing Working Group (APWG) has issued a set of best practices and recommendations for hacked website owners [8], registrars [6], and ISPs and mailbox service providers [85]. Each of these reports focuses narrowly on one particular area. In our analysis, we analyzed the phishing issue holistically and asked our experts to prioritize their recommendations based on their importance and effectiveness.

3.3 Stakeholders

Phishing involves many stakeholders, including consumers, financial institutions, online merchants, Internet Service Providers (ISPs), mail client and web browser vendors, and law enforcement. In this paper, we have classified stakeholders into the following categories: primary victims, infrastructure providers, for-profit protectors, and public protectors. Table 3.1 describes these stakeholders and their roles. We used it to select experts and structure our interviews.

3.3.1 Primary victims

In most cases, consumers, organizations, financial institutions, and merchants are the direct targets of phishing attacks. Each of them is negatively affected by phishing in a different way.
Consumers who fall for phishing can potentially become victims of identity theft: they not only suffer monetary loss, but also psychological costs (e.g. fear, anxiety). Generally speaking, consumers fall for phishing because they have incorrect mental models about what constitutes trustworthy emails and websites [23] and they are susceptible to manipulation and social engineering. Organizations such as the military and corporations worry that phishing may lead to further compromise of credentials that can be used to steal key intellectual property or conduct corporate espionage. Financial institutions lose money from fraud conducted with credentials acquired through phishing. They may also suffer indirect losses such as increased customer service costs, damage to reputation, etc. Some argued that indirect losses are much greater than the direct losses, although this claim has not been independently verified. Merchants lose money because the financial institutions eventually charge them for the fraudulent transactions. In general, these entities are the most impacted by phishing, and have the strongest incentive to protect against phishing. However, as shown later in the results section, some of them have limited capabilities to counter phishing attacks.

3.3.2 Infrastructure providers

Internet service providers, email providers, browsers, domain name registrars, and registries are infrastructure providers. In most cases, phishers do not go after these providers for their money; instead, they seek to gain access to the entities' infrastructure so that they may launch their attacks. For example, phishers register fake domain names with registrars. Phishers use compromised machines on Internet Service Providers' networks as part of a botnet to launch phishing campaigns, sending emails to end user mailboxes or compromising mail provider accounts to send phishing emails.
These stakeholders are important to study, as they are in a better position than most victims to protect against phishing. However, some infrastructure providers do not lose money from phishing, so they may not have sufficient incentives to devote resources to combating phishing. In our interview study, we asked experts what these stakeholders can do and examined whether or not they have incentives to do so.

3.3.3 For-profit protectors

Certain organizations actually benefit from phishing because it is an opportunity to develop and sell products to other stakeholders. These include companies that sell spam filters and antivirus software, as well as companies that take down phishing websites. As they are the frontline defenders against phishing, we selected a few of our experts from these companies. However, as they make money from combating phishing, this could somewhat bias their recommendations. We discuss these potential biases in detail in the methodology section.

3.3.4 Public protectors

In contrast to anti-virus vendors and spam filter companies, who are for-profit protectors, law enforcement, computer emergency response teams (CERTs), and academics are public protectors. There are some para-organizations such as the Anti-Phishing Working Group (APWG) and the Message Anti-Abuse Working Group (MAAWG) that aim to bring different stakeholders together to fight more effectively against phishing. Some of the experts we interviewed hold positions in these organizations. However, we did not consider these organizations as separate stakeholders in our analysis.

3.4 Methodology

Between May 2008 and May 2009, we conducted in-depth interviews with 31 experts involved in phishing countermeasures. In this section, we discuss how we selected the experts, the interview process, and the steps taken to analyze the data.

Table 3.2 Anti-phishing experts interviewed. For confidentiality purposes, all participants are anonymized.

Affiliation | No. of experts
CERT | 4
Academic researchers | 5
APWG officers | 3
Law enforcement | 5
Registrars, registries | 3
Financial institutions | 4
Internet service providers | 3
Browser vendors | 1
Other experts | 3
Total | 31

3.4.1 Recruitment and Participants

We recruited experts in several ways. First, we compiled a list of frequent speakers from the 2004 through 2007 APWG member conferences and generated a list of well-known experts in academia and industry. To recruit law enforcement officers, we attended the 2008 Digital PhishNet conference. To recruit experts from Internet service providers, registrars, and technology vendors, we solicited recommendations from APWG's Internet Policy Committee (IPC), which is composed of 90 members from various stakeholders. Finally, we recruited additional interviewees through our own network of contacts. In order to obtain a variety of views, we tried to select candidates from different organizations who worked at different levels of the company hierarchy.

We recruited a total of 31 experts responsible for, or knowledgeable of, operational or policy decisions with regard to phishing and malware prevention in their organizations. Most of the interviewees chose to remain anonymous. Table 3.2 shows the organizational profiles of these experts. 67% of the experts interviewed had a technical background, 20% had a policy or business background, and the remainder had a background in law or law enforcement. In addition to the 31 experts interviewed, we also had a short interview with a legal expert on the question of liability for false positives.

The sample size of 31 balances the resource-intensive demands of in-depth interviews and analysis against the marginal return of new insights from additional participants. We had multiple participants who shared similar views on most of the topics we discussed in our interviews, suggesting that theoretical saturation was likely achieved, even with our small sample.
3.4.2 Interview Protocol

We used a semi-structured interview protocol. The protocol allowed us to ask structured questions that enabled comparable responses across participants, while providing the interviewer flexibility in drilling down on areas of particular relevance to each participant [115]. Each interview typically lasted 60 minutes (min = 25, max = 90) and was recorded for transcription. Some interviews were conducted in person, while others were conducted over the phone.

We began each interview by asking each expert to describe his or her background and responsibilities. We then asked a set of open-ended questions about how phishing impacts their organizations, the amount of losses, the current and future state of phishing, and the effectiveness of current countermeasures. We then asked them specifically to comment on a set of 31 recommendations, broken into six categories, that we compiled through our research. Experts prioritized the recommendations in each category and provided feedback on them. Finally, at the end of each interview, we asked experts to provide additional recommendations, and if they did, we summarized and added them to our list of recommendations and asked experts about them in subsequent interviews.

3.4.3 Analysis

After completing each interview, we transcribed the audio recordings and recorded the answers to each question in a spreadsheet. We then analyzed the interview results and synthesized a series of findings and accompanying recommendations. In our analysis, we synthesized experts' opinions by selecting themes that recurred most frequently across all interviews. We also report some of the comments that were discussed by only one or two experts, but that we found particularly useful in thinking about phishing countermeasures.

3.4.4 Limitations

Before turning to the empirical findings, it is important to note the scope and limitations of this study.
Most of the experts interviewed were from the US, but we also had some from Japan, Hong Kong, Italy and Britain. Thus, while there is some international representation, for the most part these interviews represent a US-centric view.

It is also reasonable to assume that this set of interviewees was influenced by some degree of self-selection. Registries, for example, are more likely to respond favorably to an interview request about their phishing countermeasures if they have policies in place that are at least on par with other registries, if not better. With that said, some of the organizations we interviewed are not known for having outstanding records with regard to phishing.

Our findings reflect how stakeholders themselves describe what they are doing and why. In other words, we report on the perceptions of the interviewees, not an independent assessment of their actions and the factors driving them. Whenever possible, we cross-checked information provided to us against the information from other interviews and against publicly available data, such as reports, surveys and research publications.

In addition, the interviewees are not experts in all areas, and they have biases of their own. For example, take-down vendors are more likely than others to recommend that more effort should be focused on take-downs. We address this in a few ways. During our interviews, we let interviewees select the two to three areas in which they are most experienced to comment on. Whenever possible, we asked them to provide evidence to support their positions and recommendations, and in some instances, we tried to probe experts further by presenting a counter-argument for the experts to respond to.

Despite these limitations, our approach is an important complement to purely technical analyses of phishing (e.g. [52]). First, our interview approach synthesizes the opinions of experts from many different fields. It would be difficult to obtain this information through other methods.
Second, our interviews examine the incentives of various stakeholders to contribute to anti-phishing efforts, an important consideration in producing workable solutions. Past qualitative research in information security investments has proven to be a valuable complement to the knowledge generated through quantitative modeling or analysis (e.g. [119], [117]).

In the next sections we present the findings from our interviews. We classified our findings into four topical categories: the evolving threat, stakeholder incentives, what stakeholders should do, and law enforcement and education. We also provide a set of recommendations based on these findings. Table 3.3 presents the high-level findings from the interviews. Finally, this paper does not discuss some relevant technologies such as email authentication (SPF, DKIM) and extended validation certificates. These technologies were rarely mentioned by the experts we interviewed, and we found no consensus on the effectiveness of these technologies.

3.5 Results

Table 3.3 High-level findings.

Categories | Findings
Evolving threat
  A. Phishing is evolving to be more organized and targeted. It is becoming part of a large crime eco-system.
  B. Phishing and malware are increasingly blended together.
Stakeholder incentives
  A. Stakeholders have varying incentives to fight phishing.
  B. Sometimes stakeholder incentives are misaligned.
What stakeholders should do
  A. Operating system vendors, web application providers, browser vendors, and Internet service providers are stakeholders with key technology influence over phishing.
  B. Organizations are conservative about filtering and warning about phish because they are worried about false positives.
  C. Registries and registrars can play an important role in fighting against phishing.
Law enforcement and education
  A. Law enforcement should be emphasized; but law enforcement lacks the necessary tools, personnel, and resources to catch phishers.
  B. Shutting down money trails is very important to defeat phishers.
  C. Education and awareness are important factors that are not emphasized enough. However, not all experts agree on the effects of education.

3.5.1 Evolving threat

Phishing is evolving to be more organized and targeted. It is increasingly used as a gateway to other attacks.

We asked experts to describe the phishing attack trends they have observed and to predict how phishing attacks will continue to evolve. Experts observed that phishing attacks are becoming more organized. One technical expert in law enforcement explained:

  These are criminal organizations that exist that perpetrate these types of fraud. It is not likely your teenage hacker like in the old days. They are criminal organizations with business plans and contingency plans. They are typically involved in other crimes besides phishing. It could be malware, it could be hosting other content, possibly child pornography, and it could be the old 419 scams and mule schemes. What we see is that these types of folks don't just do one thing. They either do other things or work with groups that do other things.

One example of an organized group mentioned frequently by experts is the rock phish group, which is believed by many experts to originate from a group of phishers in Eastern Europe. One academic researcher said 88% of the one million URLs his research group processed in October 2008 had rock phish characteristics. Published studies have also analyzed the frequency of fast flux phishing attacks. For example, Moore et al. found that 68% of the phishing emails in their study sample were sent using fast flux techniques [95].

Another trend that experts observed is that phishing is increasingly used as a gateway to other attacks. One expert from a major browser vendor said:

  We are seeing a lot of blended attacks, where a piece of the infrastructure is a phishing attack, but that's not necessarily the end goal. . . .
  It is malware, it's affiliate advertising, it's spam as form of advertising, scams, and ring tones, there is a number of ways to monetize. But the goal is to look for not only the traditional stuff but ways to monetize groups of users. And you know, stealing a password is a pretty good way to tag into real people, real networks, so we see the social network site is being targeted very heavily, and it's the result of that.

One of the experts from a major US bank agreed, and added that his institution had been seeing an increasing amount of cross-channel fraud, where credentials harvested through traditional phishing attacks were being used to commit fraud in other channels such as telephone banking.

Finally, experts agreed that phishing attacks are evolving into more targeted attacks, which are very effective and harder for spam filters to detect. Recent phishing attempts to defraud top executives are examples of these targeted attacks. Past research has demonstrated the effectiveness of spear phishing attacks. For example, in a study at Indiana University, 16% of participants fell for regular phishing emails, but 72% fell for spear-phishing emails [53]. Phishers keep moving to new targets as traditional targets of phishing attacks have devised response plans. Some experts thought that small and medium brands would become the next victims. Others speculated that credit unions, social network sites, and Xbox Live accounts would be increasingly targeted.

Phishing and malware are increasingly blended together.

Experts mentioned that malware attacks that use phishing emails are on the rise and pose a serious threat. One academic researcher framed phishing and malware as different expressions of the same problem. He said:

  You will see social engineering aspects of malware and high automation aspects of phishing. At some point, it might be hard to tell them apart . . . To the attackers, it doesn't matter what they use.
  They know social engineering has an effect on the end user, they know script and code and have some effect on the user's machine. It is just a matter of putting what they know and what they have.

Some of the experts we interviewed believe that malware now poses a bigger threat than phishing. Their reasoning is that, due to vulnerabilities in operating systems and web applications, it is easy for computers to get infected with malware, and that even security-conscious users may have difficulty avoiding infection.

3.5.2 Stakeholder incentives

Stakeholders have varying incentives to fight phishing.

We asked experts how phishing impacts their organizations. Their responses provided insights into their organizations' incentives to fight phishing. In general, we found that the primary victims have incentives to invest resources to protect against phishing, as they suffer direct losses from phishing. Nonetheless, there is evidence that not all potential primary victims have made this investment. One expert from academia said that many midsize and smaller banks he talked to did not have a strategy for phishing, as they had never been targets: "There is low chance that those banks are targeted, but if they are targeted, they could lose a lot of money."

The stakeholders who do invest in anti-phishing protection sometimes feel that they are carrying a disproportionate share of the burden. One expert said:

  After speaking to many service providers such as financial institutions, there is one thing that stands out very clearly, a sense of "injustice," that they are often carrying the cost for something they have no ability to control or even measure. For example, financial service providers, they are not able to determine if their clients, the end users, have appropriate anti-virus software or not. So one way to align the incentives is for service providers to be able to audit the security posture of user clients.
Our interviews revealed information on the incentives of several types of stakeholders, described below.

Financial institutions. Financial institutions are among the primary victims of phishing, as they lose money from fraud committed with compromised accounts. Currently, over 79% of phishing attacks target financial institutions [131]. A major US bank told us that over the past 12 months, their loss due to phishing and malware was $4.5 million, accounting for 25% of their fraud loss through online channels.

Financial loss and regulatory oversight are both drivers for adopting anti-phishing technologies. One electronic fraud risk manager from a major bank in Asia mentioned that their loss to phishing and electronic crime is less than 1% of their overall fraud loss. However, they still invest a lot of money in anti-phishing efforts because regional regulators demand two-factor authentication and require comprehensive analysis of electronic crime incidents. Thus, stakeholder incentives may vary depending on local regulations. Finally, reputation was also mentioned by some as a factor. This same risk manager mentioned that another major reason his bank was spending a lot of money in this area was that bank management wanted to position their electronic banking service as the safest in the region.

It is worth noting the inherent difficulty of obtaining accurate phishing loss figures for financial institutions. It is difficult to separate phishing from other electronic fraud, such as malware. Furthermore, such losses impact a variety of different parts of a company, such as customer service, and thus may not be fully accounted for by the fraud department. Finally, it is difficult to quantify indirect losses such as damage to one's reputation. Even if financial institutions have accurate phishing loss estimates, they often do not have incentives or regulatory requirements to disclose them.
They may prefer not to disclose these losses for fear of brand erosion due to negative publicity. This leads to a wide range of loss estimates that differ by an order of magnitude (e.g. [92] vs. [43]).

Merchants. Merchants lose money because financial institutions eventually charge them back for fraudulent transactions. When a phisher makes a purchase using a stolen credit card, the credit card company usually charges the merchant for the loss. With online and telephone transactions, known as "card-not-present" transactions, merchants assume this liability directly if cardholders dispute a charge. The Merchant Risk Council estimates that merchants who manage their risk well still lose about 1% of their revenue to credit card fraud [84].

Internet Service Providers. The ISPs we interviewed all considered phishing as part of the spam problem, which is their number one concern. Since phishing usually represents less than 1% of the spam they receive, their typical response is to filter out phish along with spam. For example, one University ISP expert said, "We filter as much as we could and we would like [our users] not be sending their credit card and social security numbers online, but we don't see that as our responsibilities to protect those numbers, it is their personal data to protect." Other experts from academia echoed this sentiment as well.

ISPs do have an incentive when phishing targets their own mail systems. These phishing attacks typically seek to compromise users' webmail accounts hosted by these ISPs and use them to send out more spam. ISPs have the incentive to ensure mail flows properly and to avoid having their mail servers blocked by blacklists.

When it comes to fixing compromised machines that are often used as part of a botnet to send out phishing emails, ISPs currently do little. These compromised machines sometimes form a fast flux network, in which a domain name that phishers use has multiple IP (Internet Protocol) addresses assigned to it.
The phishers switch those domains quickly between the addresses (often compromised machines) so that it is not as easy to find or shut down the phishing sites. One expert from a major US ISP recognized that compromised PCs cause major problems, and told us that close to 10% of their customers' machines were infected with malware. However, when asked why his company does not remove these computers from the network he said, "Well, they are paying [a monthly fee] . . . for Internet access." Experts from other ISPs made similar comments and noted that fixing infected computers can be costly. Infected computers may need to have their operating systems reinstalled. One expert from an ISP mentioned that customer service is the largest cost for the ISP. However, most experts who did not work for ISPs identified infected machines on ISP networks as a major problem that needs to be fixed.

Domain Registrars. Registrars have generally been regarded as lagging in terms of phishing countermeasures. One expert claimed that registrars actually have a disincentive to fight phishing, as criminals still pay them for registering phishing domains. However, another expert familiar with the registrars disagreed, saying, "Registrars would get charge back eventually because phishers are usually using fake credit cards to register these domains." Some other experts suggested that registrars lacked the capability to detect and shut down phishing fraud, as they work on small profit margins.

Stakeholder Capabilities and Incentives are Often Misaligned.

Economists have suggested that liability should be assigned to the party that can do the best job of managing risk [136]. However, throughout the interviews, we found that the party that can do the best job is not always managing the risk. For example, in Asia, if banks can prove that a customer acted with negligence, the bank is not liable for a phishing loss. The difficulty is to prove that customers acted with negligence.
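The fast flux behaviour described in the ISP discussion above (one lure hostname answering with many short-lived addresses that point at compromised machines) leaves a measurable trace in ordinary recursive-resolver logs, which is where a defender can spot it. The Python below is an added example, not code from the thesis or from any of the organizations it discusses: the thresholds, the use of a /16 (IPv4) or /64 (IPv6) prefix as a cheap stand-in for an "is this a different network" lookup, and the sample observations are all constructed assumptions. It also shows why a single signal is not enough: a CDN host rotates short-TTL answers too, but within a small address pool in one network.

```python
"""Fast flux heuristic over DNS answers (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class DnsObservation:
    """One answer for a hostname, as a recursive resolver would log it."""
    name: str
    ttl: int                    # seconds the answer may be cached
    addresses: Tuple[str, ...]  # A/AAAA records returned in this answer


def network_prefix(addr: str) -> int:
    """Coarse network key: /16 for IPv4, /64 for IPv6 (assumption: stand-in for an ASN lookup)."""
    ip = ip_address(addr)
    return int(ip) >> (16 if ip.version == 4 else 64)


def summarize(observations: Iterable[DnsObservation]) -> Dict[str, dict]:
    """Per hostname: number of lookups, distinct addresses, distinct network prefixes, lowest TTL."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    lookups = defaultdict(int)
    min_ttl: Dict[str, int] = {}
    for obs in observations:
        lookups[obs.name] += 1
        min_ttl[obs.name] = min(min_ttl.get(obs.name, obs.ttl), obs.ttl)
        for addr in obs.addresses:
            ips[obs.name].add(ip_address(addr))
            prefixes[obs.name].add(network_prefix(addr))
    return {
        name: {
            "lookups": lookups[name],
            "distinct_ips": len(ips[name]),
            "distinct_prefixes": len(prefixes[name]),
            "min_ttl": min_ttl[name],
        }
        for name in lookups
    }


def is_fast_flux(stats: dict, min_ips: int = 8, min_prefixes: int = 4, max_ttl: int = 300) -> bool:
    """Require all three signals together: many addresses, spread over networks, short TTL.
    A CDN also rotates short-TTL answers, but within few networks and a small address pool,
    so demanding all three keeps it out. Thresholds are assumptions to tune per environment."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes
            and stats["min_ttl"] <= max_ttl)


def classify(observations: Iterable[DnsObservation]) -> Dict[str, bool]:
    """Map each observed hostname to True if its answers look like fast flux."""
    return {name: is_fast_flux(stats) for name, stats in summarize(observations).items()}


# Constructed sample: a bank with a stable pair of addresses, a CDN host with a short TTL but a
# small pool, and a lure hostname whose every answer is a fresh set of addresses in different
# networks (10.x.y.z used purely as constructed sample addresses).
SAMPLE = [
    DnsObservation("bank.example", 3600, ("192.0.2.10", "192.0.2.11")),
    DnsObservation("bank.example", 3600, ("192.0.2.11", "192.0.2.10")),
    DnsObservation("cdn.example", 60, ("198.51.100.5",)),
    DnsObservation("cdn.example", 60, ("198.51.100.6",)),
    DnsObservation("cdn.example", 60, ("198.51.100.5",)),
    DnsObservation("login-update.example", 120, ("10.1.1.8", "10.21.3.9", "10.41.5.2")),
    DnsObservation("login-update.example", 120, ("10.2.2.9", "10.22.3.9", "10.42.5.2")),
    DnsObservation("login-update.example", 120, ("10.3.3.10", "10.23.3.9", "10.43.5.2")),
    DnsObservation("login-update.example", 120, ("10.4.4.11", "10.24.3.9", "10.44.5.2")),
]

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE).items():
        print(name, stats, "FAST FLUX" if is_fast_flux(stats) else "ok")
```

Run against a day of resolver logs, the same summary makes the incentive problem in the text concrete for an ISP: the flagged addresses are its own customers' machines, so the list doubles as a clean-up queue.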
One participant from a major bank in Asia said that when his bank was first attacked by phishers, the bank reimbursed victims. However, he said, "We've then since done a lot of education and we have joined the association of banks for a series of community bank education programs. After that, if customers do not pay attention to the education, we consider that to be negligent, so we try not to reimburse them. Of course, if the customer starts to yell and complain to the regulators, then it is entered into a fueled debate."

As another example, experts mentioned that merchants are held liable when phishers use fake credit card credentials to buy goods from them. When banks find out about the fraudulent charges, they will charge the merchant for it and sometimes also charge fines. This liability can be shifted if merchants implement the "Verified by Visa" program, but many merchants do not because of usability concerns. Furthermore, one expert argued that it is very difficult for merchants to notice that a credit card is stolen, noting that banks are in a much better position to make that judgment because they possess more information about the given credit card and a history of the transactions that makes it easier for them to spot fraudulent charges.

As a third example, some experts claimed that ISPs are in the best position to protect their networks and clean up compromised machines, but are not willing to take proactive measures because they would incur high costs while generating little benefit. One expert said:

  The ISP is in a good position to inspect and identify some machines that are sending out spam and launching denial of service attacks. . . . There are quarantine devices that exist. . . . ISPs have it, but even for the ISPs using them, it is not used much. It is expensive for ISPs. If you put the user on quarantine, you end up having high customer cost, the person will call the help desk, and you have to walk them through everything.
  The benefit to the ISP is very low compared to the cost. This is because the ISP did not bear the cost of compromised machines, putting externalities, hosting spam, it is not infecting the ISPs bottom line, but it is impacting everyone else's bottom line.

We asked experts to comment on and prioritize a set of recommendations on the issue of incentives. We discussed the first recommendation with our experts and introduced the second recommendation based on our findings.

Recommendation (R1): Financial institutions should produce more accurate estimates of phishing losses and report these statistics.

As we mentioned earlier, accurate estimates of the phishing threat are difficult to come by, but very important. For example, it is difficult for law enforcement to open cases if they do not have a good idea of the amount of loss or the type of damages. Similarly, without quantifying damages, it is hard for corporations to manage the risks. For a corporation to obtain these figures, experts suggest two possible steps: first, law enforcement should collect and preserve forensic data when phishing servers or drop accounts (email accounts used to gather stolen credentials) are seized, provide detailed information about the accounts stolen, and collaborate with banks to double check these fraud cases. Second, fraud managers within the organization should look at the organization as a whole when estimating damages, not just the online fraud itself. For example, they could examine how phishing increases customer service costs.

The cost to financial institutions of implementing these policies includes researching the damage to the institution holistically and implementing measures to record the losses if no measure is in place. The immediate benefit to the financial institutions is that they will have a clear picture of how phishing impacts their organization.
The larger benefit, however, goes to other stakeholders, who can make better decisions with more accurate data. The obstacle to implementing this recommendation is that many financial institutions currently have no incentive to report estimates of phishing losses, and fear of negative publicity serves as a disincentive. One way to address this is mandatory anonymous reporting, as in the case of the UK payment association (APACS), which requires its members to report their losses and aggregates them together.

Recommendation (R2): Regulators and academic researchers need to investigate the issue of incentives further.

As mentioned in our findings, some stakeholders (such as consumers or merchants) are not really equipped to protect themselves against fraud, so placing the liability or burden of proof on them would do little to help fight phishing. On the other hand, ISPs, who are in a better position to clean compromised machines, do not have incentives to do so. Further research is needed to develop incentive models, determine where incentives are misaligned, and find ways to realign them.

3.5.3 What stakeholders should do

Experts identified operating system vendors, web application providers, browser vendors and Internet service providers as stakeholders with key technology influence over phishing.

Experts identified operating system vendors, web application providers, browser vendors, and Internet service providers as being best positioned to fight phishing. Operating systems are crucial because their security or insecurity has far-reaching effects. Experts generally praised Microsoft for its efforts in hardening its operating systems, but pointed out that more remains to be done in this area. They gave a few recommendations that we cover later in this section. Experts pointed out the insecurity of web applications as a significant hurdle.
One technical expert blamed web application vendors for the current state of the problem:

[Phishers] are losing on the email; the majority of the places are running filtering now, spam and antivirus filtering. But if I want to compromise the end-user, I am going to send them a URL and redirect them to some website that hosts malware. The stuff that can become most widespread is SQL injection of some legitimate server, and users will see an iframe that loads a malware onto it.

Experts also commented on the strategic position of browsers in the fight to protect consumers. First, web browsers can warn users directly and effectively. A recent laboratory study showed that when Firefox 2 presented phishing warnings, none of the users entered sensitive information into phishing websites [29]. This study also recommended changes to Internet Explorer’s phishing warnings, and Microsoft has already acted on some of them to improve IE 8’s warning mechanism. Second, the browser market is fairly concentrated, with two browsers (Internet Explorer and Firefox) accounting for 95% of the total market [101]. Solutions implemented by these two browsers would provide the majority of users with a defense against phishing. Finally, experts pointed out that ISPs are in the best position to clean up compromised machines, as described earlier.

We asked experts to comment on and prioritize a set of recommendations for securing the computing environment. Experts ranked the following as top priorities.

Recommendation (R3): OS vendors should continue to secure operating systems by implementing secure coding practices, investing in secure vulnerability patching, and building anti-malware capability directly into the operating systems to enhance default security.

To secure the operating system, experts suggested that Microsoft protect the hosts file in Windows XP and earlier versions, as some antivirus software already does [149], to prevent pharming attacks.
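The hosts-file protection just mentioned can be approximated on the defender's side with a small integrity check. The following is an added example written for this chapter, not code from the thesis or from any antivirus product; the hosts file content, the `examplebank.com` domain and the staff of watched domains are constructed placeholders. It parses the file, flags any entry that pins a watched domain (a pharming trojan rewrites the bank's name to an attacker-controlled address, so a clean hosts file should carry no such entry at all), and keeps a digest so that any change from a known-good baseline can be reported.

```python
"""Hosts-file integrity check: spot entries that pin sensitive domains to other addresses."""
import hashlib
import ipaddress

# Constructed sample of a tampered hosts file (sample data, not taken from any real machine).
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
# the next two lines are what a pharming trojan would add (constructed)
198.51.100.23   www.examplebank.com examplebank.com
198.51.100.23   login.examplebank.com
192.168.1.50    printer.lan
"""

# Domains the organisation cares about; examplebank.com is a placeholder.
WATCHED_DOMAINS = {"examplebank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:               # one address may carry several names
            yield fields[0], name.lower()


def hosts_fingerprint(text):
    """SHA-256 over the parsed entries (comments and spacing ignored) for baseline comparison."""
    canonical = "\n".join(f"{ip} {name}" for ip, name in sorted(parse_hosts(text)))
    return hashlib.sha256(canonical.encode()).hexdigest()


def suspicious_entries(text, watched_domains=WATCHED_DOMAINS):
    """Return (ip, name, reason) for entries that should never appear in a clean hosts file."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        # A hosts entry for a bank domain bypasses DNS entirely; a legitimate hosts
        # file has no reason to carry one, whatever address it points at.
        if any(name == d or name.endswith("." + d) for d in watched_domains):
            findings.append((ip, name, "watched domain pinned in hosts file"))
    return findings


def changed_since_baseline(text, baseline_digest):
    """True if the hosts file no longer matches the digest recorded when it was known-good."""
    return hosts_fingerprint(text) != baseline_digest


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```

On a real machine the text would be read from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`, and the baseline digest stored somewhere the trojan cannot rewrite; the check itself is cheap enough to run at every boot.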
Another way to secure the operating system is to keep it patched with the latest updates, as a fully patched computer with the firewall enabled provides a strong defense against exploit-based malware. However, one of the problems with patching is that distributing a patch gives criminals information about the security vulnerability that is being patched. Even if the description is vague, a patch can be disassembled and compared to the code that it replaces. Once a new vulnerability is known, a malware exploit can be quickly crafted using pre-built components. It currently takes less than three days – sometimes only a matter of hours – between the time a patch is released and the time a malicious exploit appears. After this short period of time, most computers are still vulnerable to infection. Research and application development into securely delivering patches to computers, possibly using public-key cryptography, would help alleviate the problem [52].

Finally, some experts suggested building anti-virus and anti-malware capability directly into the OS. Experts pointed out that XP Service Pack 2 has a security center with the firewall enabled and suffers fewer attacks than Service Pack 1 [12]. These experts also praised Microsoft’s effort to distribute malware removal tools and updated malware signatures monthly, and argued that Microsoft should provide some default protection to computer users who do not buy anti-virus software.

Recommendation (R4): Stakeholders should focus on improving the security of web applications, providing support and incentives for fixing applications.

Currently, over 70% of phishing websites are hosted on hacked websites or free hosting sites. Many vulnerabilities exist for web applications (e.g. SQL injection, cross-site scripting, remote code execution), making them a tempting target for criminals. Experts suggested a few ways to improve the security of web applications.
One expert felt that technical authorities such as CERT or APWG should produce a list of the most frequently hacked websites and notify the website operators of their vulnerability. However, not all website operators have the technical capability or the incentive to fix the problem. A recent paper by Moore and Clayton showed that 25% of the hosts used for phishing end up being compromised again within a couple of months [94]. If the compromise is due to a lack of technical capability, then there needs to be a way to provide tools and educational resources to help operators secure their web applications. On the other hand, if repeated compromises are due to a lack of incentives to fix, then there needs to be a way of punishing transgressors, with escalating consequences. Another approach is to involve the hosting provider: for example, hosting providers could be encouraged to run intrusion detection on the applications they host and to scan newly created pages for phishing and malware.

Recommendation (R5): Web browser vendors should continue to improve the performance of integrated browser anti-phishing warning systems, with a goal to catch 90% of phishing URLs within an hour after they go online.

As mentioned previously in this section, web browsers are in a strategic position, as they can warn users effectively and faster than other methods. Currently, browser-integrated phishing warning systems catch only 40-60% of the URLs 3 hours after the attacks are launched [128]. To provide the majority of Internet users with adequate protection, these warning systems should be improved. To accomplish this, the key is heuristics. Currently major browsers only use human-verified blacklists. To raise detection rates significantly, heuristics need to be used to supplement existing blacklists and block attacks more quickly [128]. Another way to improve the coverage of the blacklists is to gather phishing feeds from multiple sources to maximize their coverage [93].
However, as discussed in the next section, browser vendors are extremely cautious in using heuristics because of false positives (incorrectly labeling a legitimate site as phishing), which could potentially expose them to costly lawsuits. We present recommendations to address this issue in the next section.

Recommendation (R6): Academics and for-profit protectors should develop better techniques to quickly identify botnets and proxies, shut down botnet command and control, and clean compromised machines.

To shut down botnets, experts recommended that we either go after their command and control centers or clean the bot machines themselves. In November 2008, a hosting company named McColo that hosted a bot command and control center was disconnected by its upstream providers, causing a nearly 70% drop in spam volume [65]. More efforts to identify and shut down command and control centers would diminish the usefulness of the remaining bots. However, we have to be mindful that criminals will continue to regroup and attack again. A good illustration is that two months after the McColo case, the spam volume was back to its previous level [20]. Spammers find other bot command and control centers, and they are getting more sophisticated in using P2P tools to control bots instead of traditional IRC commands. Defenders need to learn from successes and failures to ensure faster reaction in the future.

The McColo case offers several lessons. First, there will invariably be some rogue hosting companies (also known as bullet-proof hosting), so persuading them to clean up their networks would be difficult and likely have limited effect. Therefore it is important to involve upstream connectivity providers. However, these providers face some challenges in proactive monitoring. For example, the infrastructure for monitoring is expensive, the legal justification is unclear, and because of contractual agreements, they are likely to be very cautious.
So other stakeholders such as public protectors or for-profit companies need to help by providing as much evidence as possible. Second, the media can play an important role. In the case of McColo, a Washington Post report played a critical role in persuading the upstream providers. Similarly, the media played an important role in having the Russian authorities shut down the Russian Business Network, a known hosting provider for Internet miscreants [30]. Finally, the higher the level of coordination between stakeholders, the better they are at identifying and shutting down these rogue providers.

Another approach focuses on cleaning up individual machines. This is a much more challenging task, as there are millions of compromised machines to fix. ISPs need to be involved. Recognizing the disincentives mentioned in section VI, one expert suggested a notice and take-down approach: certain third parties can notify an ISP that a certain computer on its network is in a botnet or doing something malicious. Once the ISP receives the notification, it becomes obligated to clean up the machine. The cost to the ISP in this instance is the cost of cleaning up the compromised machine, elevated customer service costs, and potential costs due to customers leaving. The benefit to the ISP in this case is small; however, the benefit to other stakeholders is more pronounced. Therefore, it is still necessary to implement a notice and take-down approach. Another challenge for the notice and take-down approach is who provides the notice, and whether the ISP will trust the notice served. With some kind of safe harbor regulation similar to the DMCA’s notice and takedown provision, this problem can be solved. Finally, efforts are needed to automate the clean-up process. Experts suggested that we won’t see much of an impact on the crime rate until we clean up a large fraction of compromised machines. Hence, better automatic solutions are needed to complement the notice and take-down approach.
Although no actions have been taken so far, the ISPs we interviewed acknowledged that compromised machines are a big problem. During the interviews, they asked about academic research on automated tools to quarantine these compromised machines. We suggest conducting more research and development focusing on automated mitigation of malware-infected computers.

Organizations are conservative about filtering and warning about phish because they are worried about false positives. However, this often leads to repeated efforts and slow reaction.

The issue of false positives came up frequently during our interviews. Generally speaking, phishing detection falls into two categories: blacklist-based methods, in which humans verify suspicious phishing URLs, and heuristic approaches that utilize HTML or content signatures to identify phish automatically. In our interviews, we found that providers favor blacklists over heuristics, and even those who do use heuristics are using them conservatively. For example, an expert at an ISP told us that they had a system that warns users if a certain email appears to be phish (based on blacklists and heuristics), but they did not delete these emails because they consider their false-positive rate to be too high. Browser vendors are also extremely concerned about false positives. The expert from a major browser vendor said that they take false positives very seriously and manually verify each URL on their blacklist to avoid false positives. All of the major browsers appear to favor human-verified blacklists with extremely low false positives over heuristics that may potentially have higher false positives. Registries consider false positives their biggest concern in implementing anti-abuse policies. One registry told us that they do not act on phishing URLs submitted by third parties (such as takedown vendors) until the URLs have undergone a review process to determine whether they are really phishing URLs.
In other words, a phishing site is verified multiple times by different parties before action is taken, wasting precious time.

Infrastructure providers are concerned about potential liability from mislabeling or taking down legitimate websites. There have been cases where companies have attempted to hold service providers responsible for false positives, but as of yet no company has been held responsible. For example, in a 2005 court case, Associated Bank-Corp sued Earthlink after the Earthlink anti-phishing software ScamBlocker blocked the bank’s legitimate page [11]. Earthlink was able to fend off the suit on the basis that it was using a blacklist of phish provided by a third party; thus, under a provision in the Communications Decency Act (CDA), it could not be held liable as a publisher when that information is erroneous. Although the bank apparently did not sue the provider of the blacklist, the court opened the door for them to do that. False positives based on heuristics raise more subtle concerns. If heuristic-based software blocks a site that turns out to be a false positive, the vendor may be regarded as a publisher under the CDA, and thus not immunized. Because of these fears, heuristics are not favored in integrated browser phishing protection. It is unclear, however, how future cases, if any, will be handled. One legal expert thought there was no case to be made. He said:

I think everything will depend on what statements are made about the blocked site by the anti-phishing software. For example, when it says, ‘we think this site might be a phishing site,’ unless they were grossly negligent (in which case the thinking would not be reasonable), there would probably be no liability. If it said ‘This site is absolutely a phishing site’ it would be a whole different story.

It is worth noting that vendors have developed blacklist processes and heuristics with extremely low false positive rates.
One software vendor told us that their current false positive rate is so low that a user would encounter a false positive only once in a few years. Another takedown provider told us that they only had one or two false positives in the past four or five years, and even those false positives were arguably true positives. Recent academic work has shown that heuristics seem to detect websites with near zero false positives ([75], [128]). It is therefore unclear why vendors remain so reluctant to use heuristics more aggressively. To address this issue, we introduce three recommendations based on our findings.

Recommendation (R7): Clarify the legal issues surrounding false positives of blacklists and heuristics.

Companies are adopting conservative strategies to avoid false positives for fear of liability, even when false positives occur rarely. This is hurting phishing protection, especially when heuristics offer real-time protection against phishing and have considerable benefits over blacklists. We encourage more discussion on liability surrounding the use of phishing blacklists and heuristics. So far, there has been no test case on this matter. The question at hand is at what level of accuracy heuristics can be applied to block phish without incurring liability. Some experts argued that zero false positives is the only acceptable level, but most of the experts interviewed felt that it would be reasonable to block with less-than-perfect accuracy if a procedure were in place to correct errors. Safe harbor legislation, which immunizes providers from liability if they meet certain standards, may be necessary to make companies comfortable that they will not be held liable. Clarifying liability is important because a lack of clarity on these matters could further reduce vendors’ incentives to use heuristics to detect phishing and get protections in place rapidly.
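The trade-off behind R5 and R7 (a human-verified blacklist has almost no false positives but limited coverage; heuristics widen coverage and introduce some) is easiest to see on a labeled sample. The following is an added example written for this chapter, not code from the thesis or from any browser vendor's toolbar. The blacklist, the brand list, the feature weights and the twelve sample URLs are all constructed (hosts use reserved example names); the heuristic is a deliberately simple point-scoring scheme of the kind the cited papers describe, not any vendor's production logic. It reports detection rate and false-positive rate for blacklist-only and for blacklist-plus-heuristics over the same sample.

```python
"""Human-verified blacklist plus URL heuristics, evaluated for coverage and false positives."""
import re
from urllib.parse import urlparse

# Constructed blacklist of verified phishing hosts (sample data, not a real feed).
BLACKLIST = {"paypa1-secure-login.example", "update-account.example.net"}

# Brand names whose appearance in a host outside the brand's own domain is a cue.
BRAND_KEYWORDS = ("paypal", "bankofamerica", "ebay")
BRAND_DOMAINS = {"paypal.com", "bankofamerica.com", "ebay.com"}
IPV4_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOGIN_WORDS = re.compile(r"login|signin|verify|update|secure")


def registered_domain(host):
    """Last two labels of a host ('a.b.example.com' -> 'example.com'); enough for this sample."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def heuristic_score(url):
    """Sum of per-feature points; higher means more phishing-like."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.lower()
    off_brand = registered_domain(host) not in BRAND_DOMAINS
    score = 0
    if IPV4_HOST.fullmatch(host):
        score += 2                      # raw IP instead of a name
    if host.count(".") >= 4:
        score += 1                      # deep subdomain chain
    if "@" in p.netloc:
        score += 2                      # user@host trick hides the real host
    if off_brand and any(b in host for b in BRAND_KEYWORDS):
        score += 2                      # brand name inside someone else's host
    if off_brand and any(b in path for b in BRAND_KEYWORDS):
        score += 1                      # brand name in the path
    if off_brand and LOGIN_WORDS.search(host + path):
        score += 1                      # login/verify wording off-brand
    if len(url) > 75:
        score += 1
    return score


def classify(url, threshold=3, use_heuristics=True):
    """A blacklist hit always wins; heuristics add verdicts only above a conservative threshold."""
    host = (urlparse(url).hostname or "").lower()
    if host in BLACKLIST:
        return "phish"
    if use_heuristics and heuristic_score(url) >= threshold:
        return "phish"
    return "ok"


def evaluate(samples, **kwargs):
    """Return (detection_rate, false_positive_rate) over labeled (url, is_phish) pairs."""
    tp = fn = fp = tn = 0
    for url, is_phish in samples:
        flagged = classify(url, **kwargs) == "phish"
        if is_phish:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return tp / (tp + fn), fp / (fp + tn)


# Constructed, labeled sample; every host is a reserved example/documentation name.
SAMPLES = [
    ("http://paypa1-secure-login.example/signin", True),               # on the blacklist
    ("http://update-account.example.net/bank", True),                   # on the blacklist
    ("http://192.0.2.10/paypal/login.php", True),                       # heuristics only
    ("http://secure.paypal.com.verify-account.example.org/login", True),
    ("http://www.ebay-item-verify.example.com/signin?id=1", True),
    ("http://198.51.100.7/", True),                                     # missed by both
    ("https://www.paypal.com/signin", False),
    ("https://www.bankofamerica.com/login/", False),
    ("https://news.example.com/2009/phishing-update", False),
    ("https://docs.example.org/secure/verify/login", False),
    ("https://community.paypal-help-forum.example.net/login", False),   # heuristic false positive
    ("https://www.ebay.com/itm/12345", False),
]

if __name__ == "__main__":
    print("blacklist only:  detection %.2f, false positives %.2f" % evaluate(SAMPLES, use_heuristics=False))
    print("with heuristics: detection %.2f, false positives %.2f" % evaluate(SAMPLES))
```

On this sample the blacklist alone catches a third of the phish with no false positives; adding heuristics at threshold 3 raises detection to five of six and produces exactly one false positive, the third-party forum that carries a brand name in its host. Raising the threshold removes that false positive at the cost of coverage, which is the dial vendors are turning when they say they use heuristics "conservatively".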
Major browser vendors and ISPs potentially take on liability for false positives, but do not lose money directly from phishing. Therefore, an uncertain legal situation may reduce their willingness to be proactive.

Recommendation (R8): Create a central clearinghouse to quickly verify phishing reports coming into APWG and on vendor blacklists.

Currently there is a great deal of duplicated effort, as phishing reports end up getting verified by multiple sources. For example, many vendors and service providers will not trust phishing reports until they have verified them themselves. A verification organization could serve as a clearinghouse for phishing reports and allow these reports to be verified rapidly using a standard process in which the evidence supporting each report is fully documented. In addition, it is important to report whether each phishing site is a domain set up for phishing or a legitimate domain that has been hacked. This distinction is important for registrars and registries, as these cases require different actions to be taken.

Recommendation (R9): Researchers should focus on heuristics that minimize false positives.

A sampling of published research has found that current anti-phishing heuristics have a false positive rate of 0.43% - 12% [128]. However, to make sure these heuristics are used, the false positive rate needs to be extremely low. Since billions of websites are visited each day, even a heuristic with a 1% false positive rate would falsely label millions of webpages. For heuristics to be used widely, their false positive rate needs to be at near-zero levels. Recent efforts such as [143] and [109] are a good start.

Registrars and registries can play an important role in fighting phishing.

As mentioned earlier, registrars and registries have generally been regarded as lagging in terms of phishing countermeasures, but many experts interviewed agreed that they could play a more active role.
For example, in the case of fast flux attacks, registrars need to be prepared to suspend phishing domains. The Anti-Phishing Working Group produced a set of recommendations for registrars and registries [6]. One key player is the Internet Corporation for Assigned Names and Numbers (ICANN). It is responsible for managing the DNS root zone and for setting and negotiating contractual standards for registrars and registries. ICANN is not a regulatory body like the Federal Communications Commission (FCC), and it has limited capabilities to regulate. Going forward, many experts think that ICANN can and should play a more active role in combating phishing and other crimes. Experts suggested that ICANN establish a minimum set of standards for registrars and registries, coupled with self-regulation and better enforcement. However, experts acknowledged that ICANN needs to play a delicate role and achieve consensus with the parties involved to avoid backlash.

We asked experts to comment on and prioritize a set of recommendations for registrars and registries. Experts ranked the following recommendations as top priorities.

Recommendation (R10): ICANN should improve enforcement of domain abuse.

Experts agree that one thing ICANN can do better is to enforce compliance. One expert familiar with ICANN said:

Some registrars . . . are very good at enforcing compliance. Other registrars are very good at looking as if they can’t do it. KnujOn lists top 10 registrars with domain abuses. Most of my anecdotal research, we see those same names that come up again and again. But they are just confident enough to keep their accreditation.

ICANN has been improving its efforts. In October 2008, it de-accredited one of the ill-behaving registrars. Experts think more of these efforts would be good, because de-accreditation produces a credible penalty for non-compliance, as it essentially terminates the registrar’s business.
Recommendation (R11): ICANN should encourage registries to adopt anti-abuse policies.

Several registries have implemented anti-abuse policies, and anecdotal evidence [7] suggests that registries that have implemented anti-abuse policies have much less fraud than those that have not. An expert who works for a registry that recently adopted anti-abuse policies told us his company adopted these policies after observing how similar policies helped other registries. However, some registries may not have enough incentive to adopt anti-abuse policies, because adding policies creates overhead. ICANN can provide some incentives. One way to encourage adoption is for registries that have adopted anti-abuse policies to share their stories and explain how the policies led to cost savings and how they handle the issue of false positives. To some extent this is already being done, but ICANN can encourage it further. Another inducement to adopt anti-abuse policies is for ICANN or APWG to publish phishing data on different registries’ performance on phishing takedowns, and to share this information regularly with registrars and registries. Finally, as a stronger incentive, ICANN could use anti-abuse metrics as part of its evaluation criteria for future registry applications, for example when approving new gTLDs.

3.5.4 Law enforcement and education

Experts agreed that law enforcement should be emphasized, but law enforcement lacks the necessary tools, personnel, and resources to catch phishers.

Experts agreed that law enforcement is essential to deter phishers, and that the top priority for law enforcement anti-phishing efforts is to catch organized phishing operations such as rock phish, which are responsible for more than 50% of phishing attacks. One expert commented:

If we can take out the major hubs, it is not going to solve the problem, but it can show that law enforcement can catch them . . . On top of that, these criminals have complex network, and it is not easy to set up.
If we can get these gangs, then we may still have the coding kiddies, but those are a lot easier to catch.

However, experts acknowledged that law enforcement faces significant challenges:

International nature of the problem: Experts acknowledged that the underground economy is very specialized. One gang may use compromised web servers in many countries to launch attacks against victims in multiple countries. Currently the Mutual Legal Assistance Treaty (MLAT) forms the basis for cooperation between nations. However, the law enforcement experts that we interviewed complained that this process is very slow.

Proxies: Phishers use proxies so that it is difficult to catch them when they check balances on compromised accounts. This problem is hard to overcome, as there are estimated to be over 10,000 active proxies, and it is necessary for law enforcement agents to perform network monitoring of the proxy machine to catch phishers. However, a warrant is required for law enforcement to legally monitor proxy machines, and by the time a warrant has been issued, the phisher has moved on to a different proxy.

Lack of accuracy in Whois data: Phishers are aware that law enforcement uses Whois data to trace illegal activity, so phishers fabricate contact information when they register domain names using stolen credit cards.

Lack of analytical capabilities: Law enforcement often lacks the ability to analyze the data they have. One law enforcement officer that we interviewed said:

It takes a lot to identify a criminal. There is a lot of data submitted to us from members of APWG or DPN (Digital PhishNet). We don’t have time to look at it all. We have to pick out a few variables we know historically told us that is a good target. But the question is that what are we missing? Is there something on that phishing kit we are missing?

Lack of case development tools to process subpoena requests: Multiple law enforcement agents commented on the lack of case development tools.
One local law enforcement agent commented:

When we issue subpoenas, some will give searchable PDFs, others give us Microsoft Access database, and some even give us paper. We need tools to conform to the same form of dataset. This is usually done case by case. If law enforcement has a centralized place to do that so that agents all over the country can use it.

We asked experts to comment on and prioritize a set of recommendations for more effective law enforcement. Experts ranked the following recommendations as top priorities.

Recommendation (R12): Improve and invest more in law enforcement, specifically for international cooperation.

Experts commented that it is currently fairly difficult to cooperate with law enforcement in different jurisdictions because there is often not much money set aside for cooperation. At this time, cooperation goes through the MLAT process, which is very slow. One way to improve on this is to have a joint task force between two police jurisdictions.

Recommendation (R13): The US Government should invest in technologies to provide law enforcement with better analytical capabilities to prioritize and manage cases.

There are over 40,000 classic phishing attempts every month, and prioritizing which cases to pursue is critical. One expert said:

Just speaking on [our organization’s] behalf, we get a lot of information in, but we are overloaded. People can share data now, that’s occurring, but what’s not happening is the analysis piece. We have limited resources . . . We do it manually. We need resources, software and hardware to enable that, also more bodies looking at it. There is no magic about the data, but the magic is in the analysis. . . taking institutional knowledge and applying some data mining algorithms.

Recommendation (R14): Get more corporations to aggregate and submit fraud data to law enforcement to identify proxies.
Currently, most phishing attacks come from botnets and proxies, and almost all criminal organizations use proxies to check the account balances of phished accounts. Aggregating these data from various sources will help law enforcement determine where to request subpoenas for wiretaps. One way to do this is for corporations to work together and give law enforcement fraud data in the form of a single list of IP addresses that have checked balances on compromised accounts. Another way is for Internet service providers who have such information to share it with law enforcement.

Recommendation (R15): Continue to strengthen collaboration between public protectors, private protectors, and law enforcement in different countries.

Collaboration is key to catching phishers because of the international nature of phishing. It is vitally important for law enforcement to develop good relationships with their peers in other countries. One notable effort is the Digital PhishNet conference that NCFTA and Microsoft organize each year. More efforts like these are needed.

Experts agree that shutting down money trails is very important to defeat phishers.

Experts said that shutting down the money trail can make phishing less attractive. For example, phishers often use “money mules,” persons recruited to receive stolen funds (or goods bought using stolen funds) and then transfer the money out of the country. Mules are recruited by a variety of methods, including spam emails, advertisements on genuine recruitment web sites and in newspapers, approaching people who have their CVs available online, and instant messaging. To shut down money trails, one expert recommended that we find out where the mules typically are and how mules are recruited. Another expert suggested that banks and take-down organizations put more effort into shutting down mule recruitment websites. He mentioned recent research showing that mule recruitment sites take much longer to shut down than normal phishing websites.
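The aggregation that R14 asks for is a straightforward join, but the reason it matters only shows when several institutions' data are pooled: a proxy that checks balances at three banks looks like a single customer to each of them. The following is an added example written for this chapter, not code from the thesis, from any bank or from law enforcement; the institution names, addresses (documentation ranges) and account identifiers are constructed. It counts, per source IP, how many distinct institutions and compromised accounts it touched, and returns the list an organisation could hand over, ranked by breadth.

```python
"""Cross-institution aggregation of fraud data to surface shared proxy IPs (R14)."""
from collections import defaultdict

# Constructed fraud reports: (institution, source_ip, compromised_account).
# Sample data only; addresses come from documentation ranges.
REPORTS = [
    ("bank_a", "203.0.113.5", "a-1001"),
    ("bank_a", "203.0.113.5", "a-1002"),
    ("bank_a", "198.51.100.9", "a-1003"),
    ("bank_b", "203.0.113.5", "b-2001"),
    ("bank_b", "203.0.113.77", "b-2002"),
    ("bank_b", "192.0.2.44", "b-2003"),
    ("merchant_c", "203.0.113.5", "c-3001"),
    ("merchant_c", "198.51.100.9", "c-3002"),
]


def aggregate_by_ip(reports):
    """Map each IP to (distinct institutions, distinct accounts) it was seen touching."""
    institutions = defaultdict(set)
    accounts = defaultdict(set)
    for institution, ip, account in reports:
        institutions[ip].add(institution)
        accounts[ip].add((institution, account))
    return {ip: (len(institutions[ip]), len(accounts[ip])) for ip in institutions}


def candidate_proxies(reports, min_institutions=2, min_accounts=3):
    """IPs worth further legal process: seen checking balances at several institutions,
    or on many accounts. A victim's own home address meets neither bar; a shared proxy
    does. Returns (ip, institutions, accounts) rows sorted by breadth."""
    ranked = [
        (ip, n_inst, n_acct)
        for ip, (n_inst, n_acct) in aggregate_by_ip(reports).items()
        if n_inst >= min_institutions or n_acct >= min_accounts
    ]
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


if __name__ == "__main__":
    only_bank_b = [r for r in REPORTS if r[0] == "bank_b"]
    print("bank_b alone sees:", candidate_proxies(only_bank_b))
    print("pooled view sees: ", candidate_proxies(REPORTS))
```

With only its own reports, bank_b sees three addresses that each touched one account and has nothing to escalate; the pooled view ranks 203.0.113.5 first (three institutions, four accounts) and surfaces a second shared address. The thresholds are the tunable part: they trade missed proxies against sending law enforcement addresses that turn out to be shared home connections.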
Another expert proposed a clearinghouse of accounts to which each participating bank submits accounts that have been used as mules. Currently, bank fraud systems can detect some suspicious transactions to mule accounts, but there is no system in place to share this information with other banks. If this list of suspicious accounts were shared, a lot of money laundering could be stopped.

Education and awareness are important factors that are not emphasized enough. However, not all experts agree on the effects of education.

Most experts agreed that anti-phishing education for end users needs to be implemented better. However, some experts strongly endorse it, while others say education should not be a focus. Both sides have strong words to say. For example, one expert in favor of more education said:

There needs to be some accountability on Internet users . . . . People still click on URLs they shouldn’t. So we need to stress user education, and a little bit of common sense. We are a society that becomes desensitized to our responsibility. You really end up paying for this over time. You are going to end up paying high interest rates. So you really do need to pay more attention.

Another expert who has worked on anti-phishing campaigns at a large US institution doubted the efficacy of such efforts:

My experience of education is that it won’t make that much difference. You have to do it, because if you don’t, consumers will get mad at you. There is trust and there is safety. You have to balance both of them. . . . However, education doesn’t impact phishing losses, or make it less. It doesn’t do any of that, what it does is making people feel safer. If your goal is to improve security, then education shouldn’t be of top priority.

Based on these comments, we introduced a set of recommendations.

Recommendation (R16): Academic researchers and industry should continue to make education fun, engaging and up to date.
Current academic research shows that popular online user education materials are effective if users actually read them. For example, Kumaraguru et al. asked users to read four popular training materials online and tested their ability to recognize phishing websites. They found that users were able to distinguish phishing websites from legitimate ones much better after reading these training materials [70]. However, the problem is that users normally don’t read security training materials [69]. To make education more effective, we recommend developing more innovative ways to make education fun, engaging, and up to date (e.g. [127], [67]).

Recommendation (R17): Launch an education campaign to educate the public about mules, and encourage social networking sites to take the initiative to educate their customers about phishing.

Experts mentioned the need to educate money mules, some of whom unknowingly become accomplices to crimes. To educate mules, experts recommend that we find out where the mules typically are and how mules are recruited. Finding out where they are recruited can help determine whether national or targeted campaigns are needed. Experts also thought social networking sites should take the initiative to educate their customers about phishing, as they are increasingly becoming targets of phishing campaigns.

Recommendation (R18): Complement education with other countermeasures such as filtering and better user interfaces.

Where possible, efforts should focus on automatic filtering that does not require user knowledge, and on designing better user interfaces that make it more obvious to users what the right trust decision is. However, education remains an important part of combating phishing, because it is unlikely that any automated system will ever be completely accurate in detecting phishing attacks, especially when detection requires knowledge of contextual information.
There will still remain many kinds of trust decisions that users must make on their own, usually with limited or no assistance.

3.6 Discussion

3.6.1 Applicability of the Recommendations against Spear-phishing

In this chapter, we reported on 18 recommendations from 31 qualitative interviews with anti-phishing experts. These recommendations are effective for combating generic phishing. However, as spear-phishing increases, what unique challenges does it pose? Can we combat it by applying our anti-phishing recommendations? In the concluding section of this chapter, we address these questions.

Compared with traditional phishing, spear-phishing poses two unique challenges. First, unlike traditional phishing scams that send mass phishing emails to everyone, spear-phishers send fewer, more targeted emails. This poses challenges to current signature-based email filtering systems, which rely on a large number of emails for fingerprinting. Second, spear-phishing is a highly targeted phishing scam. Phishers exploit social context to send spoofed emails to consumers that appear to come from someone they know. These attacks pose a severe threat to end users, who normally use social context as a cue in determining email legitimacy [50]. As a result, users fall for more spear-phishing attacks than regular phishing attacks [53].

Although spear-phishing poses these problems, the majority of our recommendations are likely not affected. Our recommendations attack the root problem of phishing by improving law enforcement (R12 - R15), improving incentives for stakeholders with better statistics and more research (R1, R2), and hardening the underlying infrastructure to make phishing harder to conduct (R3, R4, R6, R10, R11). All of these efforts can lead to the reduction of both generic phishing and spear-phishing. A few of our recommendations would be particularly useful in combating spear-phishing.
Heuristics would be very important in identifying spear-phishing emails, as they do not use signature-based fingerprinting, which relies on a large number of emails to be accurate. Therefore the two recommendations on improving heuristics would be particularly helpful in combating spear-phishing (R7, R9). The majority of our recommendations on education will be effective against spear-phishing as well, although for recommendation R16, educators need to additionally incorporate elements of spear-phishing into their curriculum. Finally, spear-phishing poses challenges to two of our recommendations: R5, for web browser phishing protection, and R8, for a central clearinghouse to quickly verify phishing reports. The challenge is that spear-phishes are harder to detect, and therefore may take longer to verify and warn about. However, by deploying heuristics more aggressively, the deficiencies of these two recommendations can be overcome.

3.6.2 Summary of findings

In this chapter, we reported on seven findings (summarized in Table 3) and 18 recommendations (summarized in Appendix A) from 31 qualitative interviews with anti-phishing experts. Our findings suggest that phishing is evolving into a more organized effort. It is part of a larger crime ecosystem, where it is increasingly blended with malware and used as a gateway for other attacks. Experts identified several places where incentives for fighting phishing may be misaligned, in the sense that the stakeholders who are in a position to have the largest impact do not have much incentive to devote resources to anti-phishing. To resolve this, we recommend further study of these misalignments and development of policy alternatives to correct them. In terms of countermeasures, experts identified improving law enforcement and shutting down money trails as top priorities.
We identified key difficulties that law enforcement organizations face, and recommend investment in specific types of technologies to equip law enforcement to better prioritize cases. Collaboration is key in these investigations, so we recommend ways to foster it. Experts agreed that education is an important factor that is not emphasized enough; however, they did not agree on the effects of education. We recommend developing more innovative ways to make education fun, engaging and up to date, and propose content areas that education needs to focus on. Finally, we qualitatively analyzed the challenges and obstacles to implementing these recommendations, their associated costs and benefits, and actionable items for stakeholders (see Table 3.4).

Table 3.4: Obstacles and challenges, benefits, costs, and actionable items for the recommendations

Recommendation 1: Financial institutions should produce more accurate estimates of phishing losses and report these statistics.
  Obstacles and challenges: (1) Financial institutions do not have incentives to report estimates of phishing losses, and fear of negative publicity serves as a disincentive. (2) It is hard to separate phishing from other kinds of losses such as malware. (3) Phishing losses appear in different units of the company and could be difficult to compile.
  Costs: Cost to FIs: (1) researching the phishing damage holistically; (2) implementing measures to record the losses if no measures are in place.
  Benefits: Benefit to FIs: they will have a clearer picture of how phishing impacts their organization. Benefit to others: they can make more informed decisions about the investment and management of the risk.
  Actionable items: Federal regulators draft rules to require mandatory anonymous reporting, as in the case of the UK payment association (APACS).

Recommendation 2: Regulators and academic researchers need to investigate the issue of incentives further (a study comparing different phishing liability regimes around the world).
  Obstacles and challenges: (1) Data are hard to get from financial institutions. (2) Regulatory environments are different around the world.
  Costs: Time and resources of academics and regulators for the research.
  Benefits: Solid research can help regulators assign liability to the party who is most capable of fixing the problem.
  Actionable items: Regulators in different regions compel financial institutions to provide the data.

Recommendation 2a: Regulators develop a notice-takedown approach for botnet C&C removal.
  Obstacles and challenges: Privacy and contractual considerations for ISPs and hosting providers; potential for abuse.
  Costs: Time to address concerns of opponents and negotiate compromises; cost of enforcement.
  Benefits: Faster notice-takedown of botnet command and control would reduce the effectiveness of botnets dramatically in the short term.
  Actionable items: Regulators develop a process for takedown and appeal.

Recommendation 3: OS vendors should continue to secure operating systems by implementing secure coding practices, investing in secure vulnerability patching, and building anti-malware capability directly into the operating systems to enhance default security.
  Obstacles and challenges: (1) Secure coding takes time to mature. (2) OS vendors may lack expertise and experience in antivirus and anti-malware tools.
  Costs: Costs to OS vendors: investment of resources (time, personnel).
  Benefits: Benefits to OS vendors: improved security and visibility of the operating system. Benefits to others: a cleaner network environment with default security enabled.

Recommendation 4: Stakeholders should focus on improving the security of web applications.
  Obstacles and challenges: (1) The total number of web applications that need to be fixed is large, and owners may not know about them. (2) Attacks are continuous, so this requires constant vigilance. (3) Web application owners lack expertise or may not care. (4) Hosting providers lack incentive to proactively scan their networks.
  Costs: Costs to technical authorities: gathering knowledge and tools for reporting them. Cost to web application operators: time, resources and expertise to fix the vulnerabilities.
  Benefits: Benefit to web applications: reduced risk of being blacklisted, improved security. Benefit to others: overall improvement in general security.
  Actionable items: (1) Technical authorities such as CERT or APWG produce a list of the most frequently hacked websites and notify the website operators of their vulnerabilities. (2) Provide educational resources for those who lack technical capability. (3) Punish continuing transgressors with escalating consequences, such as reputation-based systems.

Recommendation 5: Web browser vendors should continue to improve the performance of integrated browser anti-phishing warning systems, with a goal to catch 85-95% of phishing URLs within an hour after they go online.
  Obstacles and challenges: Browsers are conservative in using heuristics because of false positives.
  Costs: Cost to browsers: continual investment in improving anti-phishing capacity with better feeds.
  Benefits: Significant default protection offered to the end user.
  Actionable items: (1) Browsers use heuristics as a way to label websites for blacklist review. (2) Legal authorities clarify the liabilities surrounding the use of heuristics.

Recommendation 6: Academics and for-profit protectors should develop better techniques to quickly identify botnets and proxies, shut down botnet command and control, and clean compromised machines.
  Obstacles and challenges: (1) Botnet C&C is very adaptable and tends to regroup after being shut down. (2) Hosting providers are cautious because infrastructure for monitoring is expensive, the legal justification is unclear, and contractual agreements could pose problems. (3) A significant number of machines need to be fixed to significantly impact the ecrime infrastructure. (4) There are privacy concerns about sharing fraud data between institutions.
  Costs: Costs to ISPs: the cost of cleaning up compromised machines, elevated customer service costs, and potential costs due to customers leaving.
  Benefits: Benefits to ISPs: little. Benefit to others: significant reduction in the key ecrime infrastructure.
  Actionable items: (1) Other stakeholders such as public protectors or for-profit companies need to help provide as much evidence as possible. (2) The higher the level of coordination between stakeholders, the better they are at identifying and shutting down these rogue providers.

Recommendation 7: Clarify the legal issues of the false positives of blacklists and heuristics.
  Obstacles and challenges: Determining the right level of false positives; legal risks for companies who are the test case.
  Costs: Legal research and proceedings.
  Benefits: Extremely high for stakeholders such as browsers and ISPs.
  Actionable items: APWG sets the standard for the acceptable level of false positives.

Recommendation 8: Create a central clearinghouse to quickly verify phishing reports coming into APWG and on vendor blacklists.
  Obstacles and challenges: Providing phishing feeds is a legitimate business, and a central clearinghouse would likely drive these providers out of business; it is also likely to be reinventing the wheel.
  Costs: Building the system, and the ongoing administration of the system and verification of phishing feeds.
  Benefits: A single source reduces duplicated effort by various organizations and provides uniform protection for its users.
  Actionable items: Note: these obstacles mean that there would be little incentive for APWG or other parties to take the initiative on this; a more likely scenario is for APWG to define certain performance metrics and certify the existing feed providers.

Recommendation 9: Academics should focus heuristic research on reducing false positives.
  Obstacles and challenges: Transforming research into production is nontrivial.
  Costs: Time and resources for the research.
  Benefits: Low false positive heuristics would benefit browsers and email providers greatly.
  Actionable items: NSF or industry provide more research funding.

Recommendation 10: ICANN should improve enforcement on domain abuse.
  Obstacles and challenges: (1) ICANN has limited capability to regulate registrars and registries. (2) The ICANN consensus process could be time-consuming.
  Costs: Costs to ICANN: developing technical capabilities for spotting domain abuse.
  Benefits: Deterrence effect for criminals and for registrars who opt to play along with them.
  Actionable items: ICANN should define metrics for domain abuse, and devise incentives to reward registrars with low abuse rates.

Recommendation 11: ICANN should encourage registries to adopt anti-abuse policies.
  Obstacles and challenges: (1) Registries’ concern about false positives would slow their action time. (2) Registries may push the responsibility to registrars.
  Costs: Cost to registries: building the system, receiving and verifying the phishing feed, and dealing with false positives.
  Benefits: Benefits to registries: improved security, competitive advantage. Benefits to others: fewer entities for takedown companies to interface with, and faster takedown times.
  Actionable items: (1) Registries that have adopted anti-abuse policies share their stories and explain how the policies led to cost savings and how they handle the issue of false positives. (2) ICANN or APWG publish phishing data on different registries’ performance on phishing takedowns. (3) ICANN provides incentives to registries that have implemented abuse policies, for example by giving them priority for new gTLD applications.

Recommendation 12: Improve and invest more in law enforcement, specifically for international cooperation.
  Obstacles and challenges: Phishers hide their traces in many countries; ecrime cases in other countries may have a low priority.
  Actionable items: FBI to establish a joint task force between two police jurisdictions.

Recommendation 13: The US Government should invest in technologies to provide law enforcement with better analytical capability to prioritize and manage cases.
  Obstacles and challenges: Which law enforcement agencies to invest in?
  Costs: Costs to law enforcement: costs to set up the system and cost of analysis.
  Benefits: Law enforcement would be able to determine which proxies to place wiretaps on, significantly improving the opportunity to identify the criminals’ originating machine.
  Actionable items: US government invests in tools for better case management and better digital evidence processing; expand scholarship programs to recruit graduates in computer science.

Recommendation 14: More corporations aggregate fraud data and submit it to law enforcement to identify proxies.
  Obstacles and challenges: (1) Corporations may not be willing to share because of privacy and consumer trust concerns (reminiscent of the telecom wiretapping scandal after 9/11). (2) Corporations may not share for competitive reasons.
  Actionable items: FBI to produce a list of fraud data variables that it wants financial institutions to share.

Recommendation 15: Continue to strengthen collaboration between law enforcement in different countries, and between public and private protectors.
  Obstacles and challenges: Law enforcement in different countries may not know each other, so it is hard to find the right people to handle the case; phishing and ecrime cases in other countries may be of low priority.
  Costs: Organizing and subsidizing conferences, supporting mutual exchanges.
  Benefits: Getting the good people better organized is crucial in fighting cybercrime.

Recommendation 16: Academic researchers and industry continue to make education fun, engaging and up to date.
  Obstacles and challenges: Lack of resources; the quickly evolving nature of the phishing threat means continual education is needed.
  Costs: Resources to design and disseminate these materials.
  Benefits: Education that is engaging and fun is important, as otherwise users will not proactively read it.
  Actionable items: Industry and government fund licensing and deployment of some of the training materials that have proven to be effective.

Recommendation 17: Launch an education campaign to educate the public about mules, and encourage social networking sites to take the initiative to educate their customers.
  Obstacles and challenges: Some of the mules knowingly participate in the crime; educating people about mules may make some more likely to become mules.
  Costs: Developing materials and disseminating them.
  Benefits: Mule education will help those who are unaware to be more cautious; education on social network phishing can reduce the number of people falling for it.
  Actionable items: FTC, APWG, US Postal Service and other industry groups take the lead in designing the materials, and fund licensing and deployment of existing materials that have proven to be effective.

Recommendation 18: Complement education with other countermeasures such as filtering and better user interface design.
  Obstacles and challenges: N/A. Costs: N/A. Benefits: N/A. Actionable items: N/A.

Chapter 4 Case Study of Browser-based Anti-phishing Solutions

This chapter is largely a reproduction of a paper co-authored with Lorrie Cranor, Brad Wardman (University of Alabama), Gary Warner, and Chengshan Zhang, and published at CEAS 2009 [128].

As discussed in Chapter 2, to reduce phishing damage, stakeholders have enacted their own countermeasures. Internet service providers, mail providers, browser vendors, registrars and law enforcement all play important roles. Due to the strategic position of the browser and the concentration of the browser market, web browser vendors play a key role. Web browsers are in a position from which they can warn users directly and effectively. In addition, the browser market is fairly concentrated, with two browsers (Internet Explorer and Firefox) accounting for 95% of the total market [101]. Solutions that these two browsers implement provide the majority of users with a defense against phishing. A recent laboratory study showed that when Firefox 2 presented phishing warnings, none of the users entered sensitive information into phishing websites [29]. This study also recommended changes to Internet Explorer’s phishing warnings, and Microsoft has already acted on some of them to improve IE 8’s warning mechanism. For browsers to truly realize their potential to protect users, their warnings need to be accurate (low false positives) and timely. Currently, most browsers with integrated phishing protection or anti-phishing browser toolbars rely on blacklists of phish and, sometimes, heuristics to detect phishing websites.
Perhaps because toolbar vendors are striving to avoid potential lawsuits from mislabeling websites, blacklists are favored over heuristics due to their low false positives.

In this chapter, we study the effectiveness of phishing blacklists. We used 191 fresh phish that were less than 30 minutes old to conduct two tests on eight phishing toolbars. We found that 63% of the phishing campaigns in our dataset lasted less than two hours. Blacklists were ineffective when protecting users initially, as most of them caught less than 20% of phish at hour zero. We also found that blacklists were updated at different speeds and varied in coverage, as 47% - 83% of phish appeared on blacklists 12 hours from the initial test. We found that two tools using heuristics to complement blacklists caught significantly more phish initially than those using only blacklists. However, it took a long time for phish detected by heuristics to appear on blacklists. Finally, we tested the toolbars on a set of 13,458 legitimate URLs for false positives, and did not find any instance of mislabeling for either blacklists or heuristics. To the best of our knowledge, this work is the first attempt to quantitatively measure the length of phishing campaigns and the update speed and coverage of phishing blacklists. Based on these measurements, we discuss opportunities for defenders, and propose ways that phishing blacklists can be improved.

The remainder of this chapter is organized as follows: Section 4.1 introduces the background and related work, Section 4.2 describes the test setup, the section after it presents our results, and the final section discusses ways in which phishing blacklists and toolbars can be improved.

4.1 Background and Related Work

Efforts to detect and filter phish can be implemented at the phishing e-mail level and at the phishing website level.
To prevent phishing emails from reaching potential victims, traditional spam-filter techniques such as Bayesian filters, blacklists, and rule-based rankings can be applied. Recently, some phishing-specific filters have been developed as well [1, 34]. In addition to these efforts, some protocols have been proposed to verify the identities of email senders [24, 124]. Although these efforts are promising, many users remain unprotected. Filtering techniques are imperfect, and many phishing emails still arrive in users’ inboxes. Thus, we need to make an effort to detect phishing websites as well.

Generally speaking, research to detect phish at the website level falls into two categories: heuristic approaches, which use HTML or content signatures to identify phish, and blacklist-based methods, which leverage human-verified phishing URLs to reduce false positives. Our research on blacklist measurement contributes to understanding the effectiveness of blacklists in filtering phish at the website level.

4.1.1 Anti-Phishing Heuristics

Most heuristics for detecting phishing websites use HTML, website content, or URL signatures to identify phish. Machine learning algorithms are usually applied to build classification models over the heuristics to classify new webpages. For example, Garera et al. identified a set of fine-grained heuristics from phishing URLs alone [41]. Ludl et al. discovered a total of 18 properties based on the page structure of phishing webpages [75]. Zhang et al. proposed a content-based method using TF-IDF and six other heuristics to detect phish [148]. Pan et al. proposed a method to compile a list of phishing webpage features by extracting selected DOM properties of the webpage, such as the page title, meta description field, etc. [107]. Finally, Xiang and Hong described a hybrid phish detection method with an identity-based detection component and a keyword-retrieval detection component [144].
These methods achieve true positive rates between 85% and 95%, and false positive rates between 0.43% and 12%. The heuristics approach has pros and cons. Heuristics can detect attacks as soon as they are launched, without the need to wait for blacklists to be updated. However, attackers may be able to design their attacks to avoid heuristic detection. In addition, heuristic approaches may produce false positives, incorrectly labeling a legitimate site as phishing. Several tools such as Internet Explorer 7 and Symantec’s Norton 360 include heuristics in their phishing filters. Our research examines the accuracy of these heuristics in terms of their ability to detect phish and avoid false positives. In addition, we examine how anti-phishing tools use heuristics to complement their blacklists.

4.1.2 Phishing blacklists

Another method web browsers use to identify phish is to check URLs against a blacklist of known phish. Blacklist approaches have long been used in other areas. Blacklists of known spammers have been one of the predominant spam filtering techniques; more than 20 widely used spam blacklists are in use today. These blacklists may contain IP addresses or domains used by known spammers, IP addresses of open proxies and relays, country and ISP netblocks that send spam, RFC violators, and virus and exploit attackers [61]. Although a spam blacklist of known IP addresses or domain names can be used to block the delivery of phishing emails, it is generally inadequate for blocking a phishing website. One reason is that some phishing websites are hosted on hacked domains, so it is not possible to block the whole domain because of a single phish on it. A blacklist of specific URLs is therefore a better solution in the phishing scenario.

Compiling and distributing a blacklist is a multi-step process. First, a blacklist vendor enters into contracts with various data sources for suspicious phishing emails and URLs to be reviewed.
These data sources may include emails that are gathered from spam traps or detected by spam filters, user reports (e.g., Phishtank or APWG), or verified phish compiled by other parties such as takedown vendors or financial institutions. Depending on the quality of these sources, additional verification steps may be needed. Verification often relies on human reviewers. The reviewers can be a dedicated team of experts or volunteers, as in the case of Phishtank. To further reduce false positives, multiple reviewers may need to agree on a phish before it is added to the blacklist. For example, Phishtank requires votes from four users in order to classify a URL in question as a phish. Once the phish is confirmed, it is added to the central blacklist. In some instances, the blacklist is downloaded to local computers. For example, in Firefox 3, blacklists of phish are downloaded to browsers every 30 minutes [122]. Doing so provides the advantage of reducing network queries, but performance may suffer between blacklist updates. A number of these blacklists are used in integrated browser phishing protection [10, 46, 90] and in web browser toolbars [16, 17, 102]. Although blacklists have low false positive rates, they generally require human intervention and verification, which may be slow and prone to human error. Yet this is the most commonly used method to block phish. Our research investigates the speed of blacklist updates and the accuracy of blacklists.

4.1.3 Related Work

Several authors have studied the effectiveness of phishing toolbars. In November 2006, Ludl et al. used 10,000 phishing URLs from Phishtank to test the effectiveness of the blacklists maintained by Google and Microsoft [75]. They found that the Google blacklist contained more than 90% of the live phishing URLs, while Internet Explorer’s contained only 67% of them.
The authors concluded that blacklist-based solutions were “quite effective in protecting users against phishing attempts.” One limitation of this study is that the freshness of the data feed was not reported. We overcome this weakness by using a fresh phish feed less than 30 minutes old and by using an automated testbed to visit phishing websites nine times in 48 hours to study the coverage and update speed of blacklists. We arrive at a different conclusion in this chapter.

In a related study, Zhang et al. [147] tested the effectiveness of 10 popular anti-phishing tools in November 2006 using data from Phishtank and APWG. Using 100 URLs from each source and 516 legitimate URLs to test for false positives, they found that only one tool was able to consistently identify more than 90% of phishing URLs correctly, but with a false positive rate of 42%. Of the remaining tools, only one correctly identified over 60% of phishing URLs from both sources. This study had a similar weakness to the first study, and it also had a small sample of false positive URLs. We based our study on this setup, but made the following improvements. First, we used a source of fresh phish less than 30 minutes old. Second, we extended the methodology by separately analyzing phish caught by heuristics versus blacklists. Third, we tested phish nine times over 48 hours to study the coverage and update speed of blacklists. Finally, we used a much larger sample to test for false positives.

Other researchers have studied the effectiveness of spam blacklists [58, 61, 111]. For example, Ramachandran et al. measured the effectiveness of eight spam blacklists in real time by analyzing a 17-month trace of spam messages collected at a “spam trap” domain [111]. In their study, whenever a host spammed their domain, they examined in real time whether that host IP was listed in a set of DNSBLs. They found that about 80% of the received spam was listed in at least one of eight blacklists, but even the most aggressive blacklist had a false negative rate of about 50%. In addition to the research work introduced above, a number of industry efforts have measured the effectiveness of phishing toolbars as well [59, 82, 88].

Figure 4.1: High-level system architecture for our anti-phishing evaluation test bed. The Task Manager (1) gets an updated list of URLs from a phishing feed, and then (2) sends each URL to a set of Workers. Each Worker (3) retrieves a web page and checks whether the web page was labeled as a phishing scam or not, and (4) sends the result back to the Task Manager, which aggregates all of the results. The Task Manager and Workers are grouped together because they can be run on the same machine or on separate machines.

4.2 Methodology

In this section we describe our anti-phishing testbed, explain how we collected phishing URLs for testing, and describe our evaluation methodology.

4.2.1 Anti-phishing Testbed

We used the anti-phishing testbed developed by Yue et al. [148]. The testbed has a client-and-server architecture. It includes a task manager and a set of workers, each of which is responsible for evaluating a single tool. During the test, the task manager first retrieved a list of potential phishing sites to test against. The task manager then sent each URL to a set of workers, each of which was running a separate tool. To reduce the number of machines needed, we ran each worker on a virtual machine. Each worker downloaded the specified web page, examined whether its tool had labeled the web page as phishing or not using a simple image-based comparison algorithm, and returned that value to the task manager. The image-based comparison algorithm works as follows: each tool has several known states (e.g., a red icon if it has detected a phishing site and a green icon if it has not), and each tool can be set up to be in a known location in the web browser.
We capture screenshots of the tools and compare relevant portions of those images to screenshots of the tools in each of their known states. The task manager aggregated all of the results from the workers and tallied overall statistics, including true positives, true negatives, false positives, false negatives, and sites that no longer exist.

4.2.2 Phishing Feed

We obtained the phishing URLs for this study from the University of Alabama (UAB) Phishing Team’s data repository. UAB has relationships with several sources who share their spam as part of the UAB Spam Data Mine. One of the largest sources is a spam-filtering company that provides services ranging from small businesses to Fortune 500 companies located in more than 80 countries. This company reviews well over one billion emails each day and uses a combination of keyword searching and proprietary heuristics to identify potential phish. They then extract the URLs from these emails and send them to UAB in batches every four minutes. UAB manually tested the URLs they received from the spam-filtering company to determine if they were phishing URLs. If a URL was a phish and had not been reported to UAB before, it was put on a list to be tested by the testbed. UAB sent this list to the testbed every 20 minutes.[1] The testbed began testing each batch of URLs within 10 minutes of receipt. Because UAB received phish URLs every four minutes, they were able to label each URL with the four-minute time segments in which it was seen. Thus they could identify the first segment in which a URL was seen and identify subsequent time segments in which the same URL was reported. This approach to recording phishing URLs allows us to determine the length of each spam campaign, that is, the time period over which phishers send out emails with the same phishing URL. If the spam campaign lasts for only one day, the effectiveness of anti-phishing tools on subsequent days is not as important as effectiveness on day one. While some users will read phishing emails days after the initial email send time, most users will read phishing emails within a few hours. Thus the most critical time to protect is when emails are still being actively sent by the spammer. We collected and tested a total of 191 verified phishing URLs during this study. Table 4.1 lists the top 10 brands that appear in our data set.

[1] Sometimes randomization was introduced to URLs to attempt to defeat exact matching. We do not consider two URLs as unique if their difference is only in the attribute portion of the URLs.

Table 4.1: The top 10 brands that appear in our data set (total phish: 191)

Institution victimized   # of phish   Percentage
Abbey                    47           24.9%
Paypal                   21           11.1%
Lloyds TSB               17            9.0%
Bank of America          14            7.4%
Halifax                  13            6.9%
Capital One              11            5.8%
New Egg Bank             11            5.8%
HSBC                      7            3.7%
eBay                      6            3.2%
Wachovia                  6            3.2%
Wellsfargo                6            3.2%

4.2.3 Evaluation Procedure

Tools tested: We tested eight anti-phishing toolbars that use various blacklists and heuristics. They are Microsoft Internet Explorer version 7 (7.0.5730.11), version 8 (8.0.6001.18241), Firefox 2 (2.1.0.16), Mozilla Firefox 3 (3.0.1), Google Chrome (0.2.149.30), Netcraft toolbar (1.8.0), McAfee Siteadvisor (2.8.255 free version), and Symantec Norton 360 (13.3.5). Except for Internet Explorer 7 and Symantec, all of these tools use blacklists only. Those two toolbars that use heuristics to complement their blacklists trigger different warnings when a phish is detected by heuristics versus by blacklist. We configured all tools with their default settings, except for Firefox 2, in which case we used the “Ask Google” option to query the central blacklist server every time instead of downloading phishing blacklists every 30 minutes.

Testbed setup: We configured 4 PCs running Intel Core 2 CPU 4300 @ 1.80 GHz.
Each PC ran two instances of VMware, each configured with 720 MB of RAM and an 8 GB hard drive. For each toolbar, we ran the task manager and workers on the same machine to avoid network latency. Since some of the toolbars use local blacklists, we left every browser open for six to eight hours before each test to download blacklists, and we left the browser open for 10 minutes between every run during the test. We chose the eight-hour period because the necessary blacklists would download reliably within this time. Thus we are investigating the best-case scenario for blacklist effectiveness.

Test period: We ran the test for two to three hours on October 2, 8, and 9, 2008 and on December 3, 4, 5, and 15, 2008. During this time, batches of new unique phish were sent to the testbed every 20 minutes. The testbed began testing them 10 minutes after receiving the phish, leaving a total lapse time of approximately 30 minutes. Each worker opened the desired browser with toolbars for 30 seconds before taking the screenshot. For each URL, we tested the toolbars’ performance at hours 0, 1, 2, 3, 4, 5, 12, 24 and 48. We cleared the browser cache every hour. We collected and tested 90 URLs in October and 101 URLs in December.

Post verification: After the data was compiled, we manually reviewed every website that toolbars labeled as legitimate. This step was necessary because some hosting companies did not issue 404 errors when taking down a phish. Instead, they replaced it with their front page. In this case, the toolbar would mark the website as legitimate, when in fact it was the phishing website being taken down.

Figure 4.2 Length of phishing campaign, measured as the time between the first and last appearance of the phish in our source report. The graph on the left shows the length of phishing campaigns in days. The graph on the right shows the length of phishing campaigns in hours for those campaigns that last one day or less.
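As an added example (not code from the thesis or from the Yue et al. testbed), the following Python tallies constructed feed sightings and worker verdicts the way the task manager is described to: it collapses URLs that differ only in their query string (footnote 1), derives each phish's campaign length from the feed's four-minute segments, and computes per-hour blacklist coverage and protection rate using the definitions given later in Sections 4.3.2 and 4.3.5. All URLs, timestamps and verdicts are constructed sample data.

```python
"""Added example, not code from the thesis: a minimal tally of the feed and
worker results described in Sections 4.2.2-4.2.3, using the coverage and
protection-rate definitions given in Sections 4.3.2 and 4.3.5.
Every URL, timestamp and verdict below is constructed sample data."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

SEGMENT = timedelta(minutes=4)  # the feed delivered URL batches every four minutes


def canonical(url: str) -> str:
    """Drop the query string so two URLs that differ only in their attribute
    portion (footnote 1 in Section 4.2.2) are counted as the same phish."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def segment(ts: datetime) -> int:
    """Index of the four-minute reporting segment a sighting falls into."""
    return int(ts.timestamp() // SEGMENT.total_seconds())


def campaign_lengths(sightings):
    """sightings: iterable of (timestamp, url) as received from the feed.
    Returns {canonical_url: LPC} where LPC is the time between the first and
    last four-minute segment in which that URL was reported (Section 4.3.1)."""
    first, last = {}, {}
    for ts, url in sightings:
        key, seg = canonical(url), segment(ts)
        first[key] = min(seg, first.get(key, seg))
        last[key] = max(seg, last.get(key, seg))
    return {key: (last[key] - first[key]) * SEGMENT for key in first}


# Verdict a worker returns for one (hour, URL) after its screenshot comparison.
BLACKLIST, HEURISTIC, LEGIT, DOWN = "blacklist", "heuristic", "legit", "down"


def tally(verdicts_by_hour):
    """verdicts_by_hour: {hour: {canonical_url: verdict}} for one tool.
    Returns {hour: (coverage, protection)} where
      coverage   = on blacklist / (total phish - phish taken down)
      protection = (on blacklist + caught by heuristics + taken down) / total
    Coverage is None when every phish at that hour was already taken down."""
    result = {}
    for hour, verdicts in sorted(verdicts_by_hour.items()):
        total = len(verdicts)
        counts = {v: 0 for v in (BLACKLIST, HEURISTIC, LEGIT, DOWN)}
        for verdict in verdicts.values():
            counts[verdict] += 1
        alive = total - counts[DOWN]
        coverage = counts[BLACKLIST] / alive if alive else None
        protection = (counts[BLACKLIST] + counts[HEURISTIC] + counts[DOWN]) / total
        result[hour] = (coverage, protection)
    return result


# --- constructed sample data (not from the thesis' data set) ---
T0 = datetime(2008, 10, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_SIGHTINGS = [
    (T0, "http://example-bank.invalid/login.php?id=1"),
    (T0 + timedelta(minutes=4), "http://example-bank.invalid/login.php?id=2"),  # same phish
    (T0 + timedelta(hours=1), "http://example-bank.invalid/login.php?id=3"),
    (T0, "http://pay.example.invalid/update/"),
    (T0 + timedelta(days=2), "http://pay.example.invalid/update/"),
    (T0 + timedelta(minutes=8), "http://auction.example.invalid/signin"),
]

SAMPLE_VERDICTS = {
    0: {"http://example-bank.invalid/login.php": LEGIT,
        "http://pay.example.invalid/update/": HEURISTIC,
        "http://auction.example.invalid/signin": LEGIT},
    1: {"http://example-bank.invalid/login.php": BLACKLIST,
        "http://pay.example.invalid/update/": BLACKLIST,
        "http://auction.example.invalid/signin": DOWN},
}

if __name__ == "__main__":
    for url, lpc in campaign_lengths(SAMPLE_SIGHTINGS).items():
        print(f"{url}: LPC {lpc}")
    for hour, (cov, prot) in tally(SAMPLE_VERDICTS).items():
        cov_txt = "n/a (all taken down)" if cov is None else f"{cov:.0%}"
        print(f"hour {hour}: coverage {cov_txt}, protection {prot:.0%}")
```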
4.3 Results

4.3.1 Length of Phishing Campaign

We define the length of a phishing campaign (LPC) as the time lapse between the first time a phish appeared in our source report and the last time that phish appeared in our source report. As mentioned in Section 3.2, we received reports from our source every 4 minutes. Of the 191 phish we used to test phishing blacklists, 127 of them (66%) had an LPC of less than 24 hours, indicating that their corresponding phishing campaign lasted less than 24 hours. A total of 25 URLs had an LPC between 24 and 48 hours, and the remaining URLs had an LPC between 3 and 23 days. Examining the first day’s data more closely, we found that 109 URLs were spammed only in a two-hour period, accounting for 63% of the URLs in this dataset. To validate our finding, we calculated the LPC for 5491 phish provided by the same source and verified by UAB from February 17 through April 13, 2009. Similar to our testbed dataset result, we found that 66% of these phish had an LPC of less than 24 hours, 14.5% had an LPC between 24 and 48 hours, and the remaining 19% of URLs had an LPC between 3 and 47 days. We found that 44% of the URLs had an LPC of less than two hours. Figure 5.4 shows the combined LPC results for our two datasets.

[2] This feature is no longer available for versions after Firefox 2 update 19.

Table 4.2 Website takedown rate vs. length of phishing campaign (LPC). LPC is measured as the time between the first and last appearance of the phish in our source report. Website takedown rate at each hour is measured by the number of phish taken down at that hour divided by total phish.

Hours   % of websites taken down   % of phishing campaigns finished
0        2.1%                       0%
2        7.9%                      63%
4       17.8%                      67%
5       19.9%                      70%
12      33.0%                      72%
24      57.6%                      75%
48      72.3%                      90%

It is important to note that the LPC does not necessarily correspond to the time a phishing site is live.
In fact, we found that compared to the length of a phishing campaign, website takedown is generally much slower. By hour 2, 63% of phishing campaigns in our dataset were finished, but only 7.9% of those phish were taken down. As shown in Table 4.2, on average, 33% of the websites were taken down within 12 hours, around half were taken down after 24 hours, and 27.7% were still alive after 48 hours. Our LPC findings demonstrate the freshness of our data and show that current takedown efforts lag behind phishing campaigns. In the test conducted by Ludl et al., 64% of the phish were already down when they conducted their test [75], whereas in our sample, only 2.1% of phish were already down in our initial test.

4.3.2 Blacklist Coverage

In this section, we present the results of two tests performed in October and December of 2008 (Figures 4.3 and 4.4). We found that blacklists were ineffective at protecting users initially, as most of them caught less than 20% of phish at hour zero. We also found that blacklists were updated at different speeds and varied in coverage, as 47% to 83% of phish appeared on blacklists 12 hours from the initial test in October.

Figure 4.3 Percentage of phish caught by various blacklists in October 2008 data. This percentage is defined as the total number of phish on the blacklist divided by the total phish that were alive. URLs that were taken down at each hour were excluded from the calculation. Total phish at hour 0 was 90.

At any given hour, we define the coverage of the blacklist as:

$$\text{coverage} = \frac{\text{No. of phish appearing on blacklist}}{\text{Total phish} - \text{phish that were taken down}}$$

We found that the coverage rates of some of the blacklists were highly correlated. Firefox 2, Firefox 3 and Google Chrome appear to use the same blacklist. Internet Explorer 7 and 8 also share a blacklist. In our analysis, we combined the results for those tools that use the same blacklists.
In our October test, all of the blacklists contained less than 20% of the phish initially. New phish appeared on the blacklists every hour, suggesting that the blacklists were updated at least once every hour. One notable improvement is the Symantec blacklist. In hour 0, their blacklist caught as many phish as the others, but in hour 1 it caught 73% of the phish, 2 to 3 times more than the rest of the toolbars. This difference is also statistically significant until 12 hours from the initial test.[3] One possible explanation is that Symantec uses results from their heuristics to facilitate rapid blacklist updates [5].

[3] ANOVA, p < 0.05

We observed that the coverage of the Firefox and Netcraft blacklists is consistently highly correlated. Five hours after our initial test in October, 91% of the URLs that appeared in the Netcraft blacklist also appeared in the Firefox blacklist, and 95% of the URLs that appeared in the Firefox blacklist also appeared in Netcraft. The two blacklists are consistently highly correlated every hour except for our initial test in December. This suggests that the two blacklists overlap in some of their data sources or have data sources with similar characteristics. Other blacklists were less correlated: phish on the Internet Explorer blacklist appeared on the Firefox blacklist only 45% of the time, and 73% vice versa, suggesting that they use different feeds with little overlap. We found that the Firefox blacklist was more comprehensive than the IE blacklist up to the first 5 hours, and the Symantec blacklist performed significantly better than the rest of the toolbars from hour 2 to 12. After 12 hours, the differences were no longer statistically significant. Figure 4.3 shows this result in detail.

In our December dataset, we observed similar trends in terms of coverage for some toolbars. However, Firefox and Netcraft performed much better here than in October.
The Firefox blacklist contained 40% of phish initially, and by hour 2, 97% of phish were already on the blacklist. One reason for this difference could be that during this period, the two tools acquired new sources that were similar to our feed. We did not observe statistically significant improvement in the other toolbars.

Finally, we examined phish that the IE 8 blacklist and Firefox blacklist missed five hours after our initial test in October. We observed that at hour 5 the IE 8 blacklist missed 74 phish, of which 73% targeted foreign financial institutions. The Firefox blacklist missed 28 phish, of which 64% targeted foreign financial institutions. However, given our limited sample size, we did not observe a statistically significant difference in the speed at which phish targeting US institutions and foreign institutions were added to the blacklists. There were some notable differences between the phish missed by the IE8 blacklist and Firefox. For example, IE8 missed 21 Abbey Bank phish while Firefox missed only 4 Abbey Bank phish.

Figure 4.4 Percentage of phish caught by various blacklists in December 2008 data. This percentage is defined as the total number of phish on the blacklist divided by the total phish that were alive. URLs that were taken down at each hour were excluded from the calculation. Total phish at hour 0 was 101.

4.3.3 False Positives

We compiled a list of 13,458 legitimate URLs to test for false positives. The URLs were compiled from three sources, detailed below. A total of 2,464 URLs were compiled by selecting the login pages of sites using Google’s inurl search function. Specifically, we used Google to search for pages where one of the following login-related strings appears in the URL: login, logon, signin, signon, login.asp. A script was used to visit each URL to determine if it was running and also whether it included a submission form.
These pages were selected to see whether tools can distinguish phishing sites from the legitimate sites they commonly spoof. Ludl et al. also used this technique to gather their samples [147]. A total of 994 URLs were compiled by extracting the URLs from 1000 emails reported to APWG on August 20, 2008. Out of the 1000 emails we scanned, we removed URLs that were down at the time of testing, and URLs used in spam campaigns as identified by the spam URL blacklist service uribl.com. This left us with 1076 URLs, which comprised a mix of phish, malware, some spam and legitimate sites. We manually checked each of these URLs and removed phishing URLs, leaving 994 verified non-phishing URLs. We ran the test for false positives within 24 hours after retrieval. The list was selected because it represented a source of phishing feeds that many blacklist vendors use, and thus we would expect it to have more false positives than other sources. While spam messages may be unwanted by users, the URLs in these messages should not be classified as phishing URLs. Similarly, we compiled 10,000 URLs by extracting non-phishing URLs from the list of spam, phish, and malware URLs sent to UAB’s spam data mine on December 1-15, 2008. We tested these URLs within one week of retrieval. Again, this represents a source of phishing feeds that blacklist vendors would likely receive, and thus we would expect this source to have more false positives than other sources.

We did not find a single instance of a legitimate login site being mislabeled as phish. Among the 1,012 URLs from APWG, there was one instance where a malware website was labeled as a phish by the Firefox blacklist. Finally, we did not find any false positives in the 10,000 URLs from the UAB spam data mine. Compared with previous studies [147], our study tested an order of magnitude more legitimate URLs for false positives, yet our findings on false positives are the same: phishing blacklists have close to zero false positives.
Our results differ from a 2007 HP research study [88] in which the author obtained the Google blacklist and checked each entry to see if it was a false positive. That study reports that the Google blacklist contains 2.62% false positives. However, its methodology for verifying false positives is not fully explained and the list of false positives is not included in the report. In our test of false positives, we manually verified each URL labelled as phish and double-checked it with one of the known repositories of phish on the Internet. It is also possible that Google changed their techniques or sources for phishing URLs since 2007. For future work, we would like to verify the Google blacklist using the same method used in the HP study [88]. However, Google’s blacklist is no longer publicly available.

Table 4.3 Accuracy and false positives of heuristics

Tool and run        Detected by blacklist   Detected by heuristics   False positives at hour 0
IE7 - Oct 08        23%                     41%                      0.00%
Symantec - Oct 08   21%                     73%                      0.00%
IE7 - Dec 08        15%                     25%                      0.00%
Symantec - Dec 08   14%                     80%                      0.00%

4.3.4 Accuracy of Heuristics

Heuristics are used in Symantec’s Norton 360 toolbar and Internet Explorer 7. In this section, we report on their performance. We found that tools that use heuristics were able to detect significantly more phish than those that use only blacklists. At hour 0, Symantec’s heuristics detected 70% of phish, while Internet Explorer 7’s heuristics caught 41% of phish. This is two to three times the number of phish caught by the blacklists in that period. Furthermore, the heuristics triggered no false positives for the 13,458 URLs we tested. Table 4.3 summarizes these results.

We also found that IE 7 and Symantec use heuristics somewhat differently. Both tools display a transient and less severe warning for possible phish detected by heuristics. However, Symantec’s toolbar introduced a feedback loop.
When a user visits a possible phish that is detected by heuristics and is not on the blacklist, the URL is sent to Symantec for human review [5]. In our test, 95% of the phish detected by Symantec heuristics appeared on the Symantec blacklist at hour 1, while none of the phish detected by IE7 heuristics appeared on the IE blacklist at hour 1. This feedback loop is important at the user interface level. If a phish is detected by heuristics, toolbars display less severe, passive warnings to avoid potential liability. However, once the phish is verified as a phishing site by a human, toolbars can block the content of the web page completely (active warnings). A recent laboratory study [29] showed that users only heed active phishing warnings and ignore passive warnings.

Figure 4.5 Protection rate for the October run of 91 phishing URLs. Protection rate is defined as the total number of phish caught by blacklist or heuristic plus phish taken down, divided by the total number of phish.

4.3.5 Total Protection

Finally, we consider the protection offered to users by phishing toolbars. We define the protection rate as:

$$\text{protection rate} = \frac{\text{phish on blacklist} + \text{detected by heuristics} + \text{taken down}}{\text{Total phish}}$$

Figures 4.5 and 4.6 present our findings. We found that at hour 0, tools that use heuristics to complement blacklists offered much better protection than tools that use only blacklists. By hour 48 a large fraction of phishing sites were taken down, and the tools we tested detected most of the live phishing sites. In the December test we found that by hour 48 most tools offered near-perfect protection.

Figure 4.6 Protection rate for the December run of 101 phishing URLs. Protection rate is defined as the total number of phish caught by blacklist or heuristic plus phish taken down, divided by the total number of phish.

4.4 Discussion

4.4.1 Limitations

There are a few limitations to our study.
First, all of our URLs came from a single anti-spam vendor, so the URLs received may not be representative of all phish. Second, all the URLs were detected by a spam vendor and presumably never reached users protected by that vendor. However, as not all users are protected by commercial spam filters, it is important that browsers also detect these phishing URLs. Third, these URLs were extracted only from email and did not include other attack vectors such as instant messenger phishing.

4.4.2 Opportunities for Defenders

The window of opportunity for defenders can be defined as the length of the phishing campaign plus the time lapse between the time a user receives a phishing email and the time the user opens the email. Users are protected if they either do not receive any phish or if, by the time they click on a phish, the website is blocked by their browser or taken down. As shown in Section 4.1, 44% of phishing campaigns lasted less than 2 hours. Recent research shows that, for a non-negligible portion of the Internet population, the time between when a user receives and opens a phishing email is less than two hours. For example, Kumaraguru et al. sent simulated phishing emails to students and staff at a U.S. university and educated them once they clicked on the link in the email. They found that 2 hours after the phishing emails were sent, at least half the people who would eventually click on the phishing link had already done so; after 8 hours, nearly everyone (90%) who would click had already done so [66]. Their study also found that people with technical skills were as likely to fall for phish as their non-technical counterparts. In a recent national survey, AOL asked 4,000 email users aged 13 and older about their email usage. The survey found that 20% of respondents check their email more than 10 times a day, and 51% check their email four or more times a day (up from 45% in 2007) [9].
Assuming that those who check their emails do so at a uniform rate, 20% of people check their emails once every hour and a half, and 51% check their email once every four hours.[4] These findings suggest that the critical window of opportunity for defense is between the start of a phishing campaign and 2 to 4 hours later. Our findings have several implications for phishing countermeasures. First, anti-phishing efforts should be more focused on upstream protections such as blocking phish at the email gateway level. At the browser level, this effort should be focused on updating the blacklist more quickly or making better use of heuristic detection. Secondly, more research and industry development efforts to effectively educate users (e.g. [68, 127]) and to design trusted user interfaces (e.g. [22, 116, 145, 146]) are needed to overcome the initial limited blacklist coverage problem.

[4] Assuming eight hours of sleep time.

Figure 4.7 High-level view of sources of URLs for phishing blacklists. Potential phishing URLs can be collected from (1) URLs extracted from spam and phishing filters at mail exchange gateways, (2) URLs extracted from user reports of phishing email, (3) phishing websites identified by heuristics, and finally (4) user reports of phishing websites.

4.4.3 Improving blacklists

The first step to improving blacklists is earlier detection of more phishing URLs. As shown in Figure 4.7, potential phishing URLs can be gathered from URLs extracted from spam and phishing filters at e-mail gateways, URLs extracted from users’ reports of phishing emails or websites, and phishing websites identified by toolbar heuristics. Each of these sources has different coverage. We first discuss ways to improve each source. E-mail gateway filters are the first point of contact with phishing emails. Given the limited window of opportunity for defenders, as discussed in Section 4.1, vendors should focus their gathering efforts here.
However, regular spam filters are not sufficient on their own, as their output contains a lot of spam that would require much human effort to filter. To improve detection of phish at this level, we recommend using spam filters as the first line of defense, and then applying heuristics developed to detect phishing websites as a second layer. Once a suspicious URL is marked by both sources, it should be submitted for human review. As residential email accounts and business email accounts receive a different distribution of emails, to get the widest coverage vendors should collect URLs from a variety of sources.

User reports of phishing emails and websites are likely to contain phish that spam filters missed. Therefore user reports should be used to complement email gateway spam filter data. However, users may lack incentives to report and verify phish. User incentives (e.g. points, prizes) may help overcome this problem.

Finally, we recommend that browser anti-phishing tools use heuristics to improve their blacklists. This method is analogous to early warning systems for disease outbreaks. When a user visits a possible phish that is detected by heuristics and is not on the blacklist, the tool can send the URL for human review and add the URL to the blacklist once verified. This system would be likely to succeed because some users check their email much more frequently than others [9].

4.4.4 Use of heuristics

As shown in Sections 4.4 and 4.5, the two tools using heuristics to complement blacklists caught significantly more phish initially than those using only blacklists. Given the short length of phishing campaigns, there is great value in using heuristics. However, vendors may be concerned about the greater possibility of false positives when using heuristics and the potential liability for mislabeling websites. In a court case in 2005, Associated Bank-Corp sued Earthlink after the Earthlink anti-phishing software ScamBlocker blocked the bank’s legitimate page [11].
Earthlink was able to fend off the suit on the basis that it was using a blacklist of phish provided by a third party, and thus could not be held liable as a publisher when that information was erroneous, under a provision of the Communications Decency Act. However, if a toolbar uses heuristics to detect and block a phish that turns out to be a false positive, the toolbar vendor may be regarded as “a publisher” under the CDA, and thus not immunized. In our testing, we did not detect any false positives triggered by either the blacklists or the heuristics. However, it is the potential for false positives that worries vendors. To overcome this liability issue, we recommend vendors first use heuristics to detect phish and then have experts verify them. We also encourage more discussion about the liability associated with providing phishing blacklists and heuristics. So far, there has been no test case on this matter. Lack of clarity on these matters could further reduce vendors’ incentives to apply heuristics. Major vendors such as Microsoft or Firefox, which offer protection to the majority of users, do not lose money directly from phishing. However, if they implement heuristics and get sued, they could potentially lose millions of dollars in restitution and legal fees.

Chapter 5 Anti-Phishing Phil: A Case Study in User Education

This chapter is joint work with Alessandro Acquisti, Lorrie Cranor, Jason Hong, and Ponnurangam Kumaraguru. An earlier version of the content in this chapter was published at SOUPS 2007 [127].

5.1 Introduction

Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. Victims perceive these emails as associated with a trusted brand, while in reality they are the work of con artists interested in identity theft [57]. These increasingly sophisticated attacks not only spoof email and web sites, but they can also spoof parts of a user’s web browser [55].
Phishing is part of a larger class of attacks known as semantic attacks. Rather than taking advantage of system vulnerabilities, semantic attacks take advantage of the way humans interact with computers or interpret messages [123], exploiting differences between the system model and the user model [139]. In the phishing case, attacks exploit the fact that users tend to trust email messages and web sites based on superficial cues that actually provide little or no meaningful trust information [26, 55].

Automated systems can be used to identify some fraudulent email and web sites. However, these systems are not completely accurate in detecting phishing attacks. In a recent study, only one of the ten anti-phishing tools tested was able to correctly identify over 90% of phishing web sites, and that tool also incorrectly identified 42% of legitimate web sites as fraudulent [147]. It is also unlikely that any system will ever be completely accurate in detecting phishing attacks, especially when detection requires knowledge of contextual information. While it makes sense to use automated detection systems as one line of defense against semantic attacks, our philosophy is that there will still remain many kinds of trust decisions that users must make on their own, usually with limited or no assistance. The goal of our research is not to make trust decisions for users, but rather to develop a complementary approach to support users so that they can make better trust decisions. More specifically, one goal of our research is to find effective ways to train people to identify and avoid phishing web sites.

Figure 5.1 Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil’s father (lower right corner) offers some advice. The game is available at: http://cups.cs.cmu.edu/antiphishing_phil/
In this paper we present the design, implementation, and evaluation of Anti-Phishing Phil, a game we developed to teach people how to protect themselves from phishing attacks. Anti-Phishing Phil teaches people how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites. In Section 2, we present background information and related work on why people fall for phishing, and approaches to protecting them. In Section 3, we describe the design of Anti-Phishing Phil, and present the ways in which we applied learning principles in designing the game. In Section 4, we present the methodology we used to evaluate the game. In Section 5, we present the results of our evaluation, which show that the game is more effective than a tutorial we created or existing online training materials at teaching people to identify phishing web sites accurately. We discuss the effect of anti-phishing training in Section 6. Finally, we present our conclusions in Section 7.

5.2 Background and Related Work

In this section, we present background on anti-phishing research, why people fall for phishing, and approaches to protecting people from falling for phishing attacks. Previous work on phishing falls into three categories: studies to understand why people fall for phishing attacks, tools to protect people from such attacks, and methods for training people not to fall for phishing attacks.

5.2.1 Why people fall for phishing

Downs et al. have described the results of an interview and role-playing study aimed at understanding why people fall for phishing emails and what cues they look for to avoid such attacks. There were two key findings in their work. First, while some people are aware of phishing, they do not link that awareness to their own vulnerability or to strategies for identifying phishing attacks.
Second, while people can protect themselves from familiar risks, people tend to have difficulties generalizing what they know to unfamiliar risks [26].

Dhamija et al. showed twenty-two participants twenty web sites and asked them to determine which were fraudulent. Participants made mistakes on the test set 40% of the time. The authors noted that 23% of their participants ignored all cues in the browser address bar and status bar as well as all security indicators [23]. This study did not present users with the email messages that might lead users to visit the web sites presented, so it provides no data on whether users pay attention to, or how they interpret, email cues.

Wu et al. studied three simulated anti-phishing toolbars to determine how effective they were at preventing users from visiting web sites the toolbars had determined to be fraudulent. They found that many study participants ignored the passive toolbar security indicators and instead used the site’s content to decide whether or not it was a scam. In some cases participants did not notice warning signals, and in other cases they noticed them but assumed the warnings were invalid. In a follow-up study, the authors tested anti-phishing toolbars that produced pop-up warnings that blocked access to fraudulent web sites until overridden by the user. These pop-up warnings reduced the rate at which users fell for fraudulent sites, but did not completely prevent all users from falling for these sites. The authors concluded that Internet users are not very good at interpreting security warnings and are unfamiliar with common phishing attacks, and recommended educating users about online safety practices [140].

Our work builds on these previous studies. We incorporated many of the lessons learned from this past work into our game. For example, we teach people not to trust the content of the web page but to examine the URL instead. Our evaluation methodology is also closely based on Dhamija et al.’s work [23].
5.2.2 Tools to protect people from phishing

Anti-phishing services are now provided by Internet service providers, built into mail servers and clients, and available as web browser toolbars. However, these services and tools do not effectively protect against all phishing attacks, as attackers and tool developers are engaged in a continuous arms race [147]. Furthermore, Internet users who are unaware of the phishing threat will be unlikely to install and use an anti-phishing tool, and may ignore warnings from anti-phishing tools provided by their ISPs or built into their web browsers. Even users who understand anti-phishing warnings may ignore them [140]. Where possible, anti-phishing tools should be applied, but—as noted in the introduction—there will always be cases where people have to make trust decisions on their own.

Other research has focused on the development of tools to help users determine when they are interacting with a trusted site. Ye et al. [145] and Dhamija and Tygar [22] have developed prototype “trusted paths” for the Mozilla web browser that are designed to assist users in verifying that their browser has made a secure connection to a trusted site. Herzberg and Gbara have developed TrustBar, a browser add-on that uses logos and warnings to help users distinguish trusted and untrusted web sites [51]. Other tools, such as PassPet and WebWallet, try to engage users by requiring them to interact actively with the tool before giving out sensitive information [139, 141, 140]. However, even these solutions ultimately rely on the user’s ability to make the right decision. In addition, these approaches require either end-users, web servers, or both to install special software. In contrast, our training method relies only on teaching people what cues to look for in existing web browsers.
5.2.3 Anti-phishing education
Despite claims by security and usability experts that user education about security does not work [31], there is evidence that well designed user security education can be effective [68]. Web-based training materials, contextual training, and embedded training have all been shown to improve users' ability to avoid phishing attacks. A number of organizations have developed online training materials to educate users about phishing [28], [32]. In a previous study, we tested the effectiveness of some of these online materials and found that, while these materials could be improved, they are surprisingly effective when users actually read them [70]. Several studies have adopted a contextual training approach in which users are sent simulated phishing emails by the experimenters to test their vulnerability to phishing attacks. At the end of the study, users are given materials that inform them about phishing attacks. This approach has been used in studies involving Indiana University students [53], West Point cadets [33], and New York State employees [104]. In the New York State study, employees who were sent the simulated phishing emails and follow-up notification were better able to avoid subsequent phishing attacks than those who were given a pamphlet containing information on how to combat phishing. A related approach, called embedded training, teaches users about phishing during their regular use of email. In a previous laboratory experiment to evaluate our prototype embedded training system, we asked our participants to role play and respond to the messages in an email inbox that included two training emails designed to look like phishing emails. If a participant clicked on a link in a training email, we immediately presented an intervention designed to train them not to fall for phishing attacks.
We created several intervention designs based on learning sciences, and found that our interventions were more effective than standard security notices that companies email to their customers [68]. We designed our anti-phishing game to complement the embedded training approach, which trains people while they are performing their primary task (checking email). If users are interested in devoting some additional time to learning more about phishing, they can play the Anti-Phishing Phil game. The embedded training approach trains users to identify phishing emails, while the game teaches users to identify phishing web sites. The game emphasizes that phishing web sites often can be identified by looking at their URLs, and teaches users about the various parts of a URL. This training may also help users analyze URLs in suspicious email messages.

5.3 Design of Anti-phishing Phil
In this section we present: the objectives of the game; learning science principles that we applied in designing the game; the story, mechanics, and technology of the game; and results from some of the pilot studies that we conducted as we iterated on the game design. We used an iterative design process to develop the game. Our early iterations made use of paper and Flash prototypes to explore various design alternatives. After a great deal of play-testing and feedback from our research group, both on the content of the game (what to teach) and the game design itself (presentation), we developed a working prototype that we tested with actual users. We then iterated on the design several more times based on user feedback and behavior, focusing on improving the game mechanics and messages. Finally, we created a more polished look and feel using attractive images and enticing sounds.

5.3.1 Game Design Principles
In this section, we present the objectives for the game and the learning science principles that we applied in implementing these objectives.
Our objective in developing the anti-phishing game was to teach users three things: (1) how to identify phishing URLs, (2) where to look for cues for trustworthy or untrustworthy sites in web browsers, and (3) how to use search engines to find legitimate sites. We believe that search engines can be an effective tool in identifying phishing web sites. For example, users can search for a brand name in a search engine and see whether the link that appears in the top search results is the same as a potentially suspicious link received in an email. The top search engine results are overwhelmingly legitimate web sites [148]. To achieve the above objectives, we applied several learning science principles to the game design. Learning sciences theory suggests that training will be effective if the training methodology is goal-oriented, challenging, contextual, and interactive [110]. In goal-oriented training, learners have a specific goal to achieve, and in the process of achieving the goal they are challenged and trained. Training is most effective if the materials are presented in a context users can relate to, and if the materials are presented in an interactive form. There also exists a large body of literature on the effectiveness of games for interactively teaching conceptual and procedural knowledge [44]. Conceptual knowledge (also referred to as declarative knowledge) is knowledge about concepts or relationships that can be expressed as propositions (e.g., URLs have a protocol part and a domain name part). In contrast, procedural knowledge is the step-by-step knowledge that one uses to solve a given problem (e.g., check the URL in the address bar, and if it contains an IP address, you are likely visiting a phishing site) [3]. The Anti-Phishing Phil game conveys both conceptual and procedural knowledge.
Research in learning science has established that interactive environments, in particular games, are one of the most effective training methods and are highly motivational for users, especially when they adhere to design principles for educational games [44], [110], [113]. We applied three learning science principles to the design of the Anti-Phishing Phil game: reflection, story-based agent environment, and conceptual–procedural.

Reflection principle. Reflection is the process by which learners are made to stop and think about what they are learning. Studies have shown that learning increases if educational games include opportunities for learners to reflect on the new knowledge they have learned [18]. This principle is employed in our anti-phishing game by displaying, at the end of each round, a list of the web sites that appeared in that round and whether the user correctly or incorrectly identified each one (as shown in Figure 5.3). This helps users reflect on the knowledge gained from the round they just completed.

Story-based agent environment principle. Agents are characters that help guide learners through the learning process. These characters can be represented visually or verbally and can be cartoon-like or real-life characters. The story-based agent environment principle states that using agents as part of story-based content enhances learning. We applied this principle in the game by having the user control a young fish named Phil, who has to learn anti-phishing skills to survive. People learn from stories because stories organize events in a meaningful framework and tend to stimulate the cognitive processes of the reader [64], [83]. Studies have demonstrated that students in story-based agent conditions learn better than those in non-story-based agent conditions [79], [96].
Conceptual–procedural principle. This principle states that conceptual knowledge and procedural knowledge influence one another in mutually supportive ways and build up in an iterative process [60]. In the first version of our game, we taught users specific procedural tips such as "URLs with numbers in the front are generally scams," or "a company name followed by a hyphen is generally a scam." We did not teach any conceptual knowledge in the game. Users were able to remember the procedural tips, but without a full conceptual understanding of URLs. Hence, some users applied the lessons learned from the game incorrectly. For example, some users misapplied the rule about IP addresses and thought www4.usbank.com was a phishing site because the URL contained the number 4. Other users misapplied the rule "company name followed by hyphen usually means it is a scam" to web-da.us.citibank.com (a legitimate site). In the most recent version of our game, we added conceptual knowledge of URLs, explaining the different parts of a URL and which parts are the most important. We also applied this principle by providing information about how to search for a brand or domain and how to decide which of the search results are legitimate (procedural knowledge) after mentioning that search engines are a good method to identify phishing web sites (conceptual knowledge). In this way, we present conceptual and procedural knowledge iteratively.

5.3.2 Game Description
Here, we describe our game in three parts: story, mechanics, and technology.

Story
The main character of the game is Phil, a young fish living in the Interweb Bay. Phil wants to eat worms so he can grow up to be a big fish, but he has to be careful of phishers that try to trick him with fake worms (representing phishing attacks). Each worm is associated with a URL, and Phil's job is to eat all the real worms (which have URLs of legitimate web sites) and reject all the bait (which have phishing URLs) before running out of time.
The other character is Phil's father, an experienced fish in the sea. He occasionally helps Phil out by giving him tips on how to identify bad worms (and hence, phishing web sites).

Mechanics
The game is split into four rounds, each of which is two minutes long. In each round, Phil is presented with eight worms, each of which carries a URL that is shown when Phil moves near it (see Figure 1). The player uses a mouse to move Phil around the screen and designated keys to "eat" the real worms and "reject" the bait. Phil is rewarded with 100 points if he correctly eats a good worm or correctly rejects a bad one. He is slightly penalized for rejecting a good worm (false positive) by losing 10 seconds off the clock for that round. He is severely penalized if he eats a bad worm and is caught by phishers (false negative), losing one of his three lives. We developed this scoring scheme to match the real-world consequences of falling for phishing attacks: correctly identifying real and fake web sites is the best outcome, a false positive the second best, and a false negative the worst. The consequences of Phil's actions are summarized in Table 5.1. Each of the four rounds is harder than the previous one and focuses on a different type of deceptive URL; Table 5.2 shows the focus of each round. Our implementation selects eight URLs for each round from a pool of twenty; twelve of the URLs in the pool are consistent with the round's focus, and the remaining eight illustrate concepts from other rounds to maintain continuity between rounds. To make the game more engaging and challenging, Phil has to avoid enemy fish while moving around the screen. If Phil comes in contact with an enemy, it eats him and he loses a life.
Early versions of the game included several fast-moving enemies in each round. However, we found that players became distracted by the enemies and had trouble learning. In later versions of the game we reduced the number of enemies to one and made it slower, so that it did not interfere with learning. Players have to correctly recognize at least six out of eight URLs within two minutes to move on to the next round. As long as they still have lives, they can repeat a round until they are able to recognize at least six URLs correctly. If a player loses all three lives the game is over. The game includes brief tutorials before each round and an end-of-round summary, as shown in Figure 3.

Table 5.1 Scoring scheme and consequences of the user's actions (through Phil)
             | Good worm                          | Phishing worm
Phil eats    | Correct, gains 100 points          | False negative: gets phished and loses a life
Phil rejects | False positive: loses 10 seconds   | Correct, gains 100 points

Table 5.2 Focus of each round of the game, with examples
Round | Focus | Examples | Bumper sticker message
1 | IP address URLs | http://147.46.236.55/PayPal/ | "Don't trust URLs with all numbers in the front"
2 | Sub-domain URLs | http://signin.ebay.com.ttps.us | "Don't be fooled by the word ebay.com in there, this site belongs to ttps.us."
3 | Similar and deceptive domains | http://www.msn-verify.com/ and http://www.ebay-accept.com/ | "A company name followed by a hyphen usually means it is a scam site"; "Companies don't use security related keywords in their domains"
4 | All previous methods together | eBay sites combining all of the above | (none)

Technology
The game is implemented in Flash 8. The content for the game, including URLs and training messages, is loaded from a separate data file at the start of the game. This gives us a great deal of flexibility and makes it easy to update the content quickly.
In each round of the game, four good worms and four phishing worms are randomly selected from the twenty URLs in the data file for that round. We also use sound and graphics to engage the user better: sound effects that provide feedback on actions, background music, and underwater background scenes.

5.3.3 Training Messages
In this section, we discuss the training messages that were shown to users and how they were presented.

What to teach
Our main focus is to teach users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites. To teach users to distinguish phishing URLs from legitimate ones, we first sampled a representative list of phishing URLs from the millersmiles.co.uk phishing archive [91] and organized them into three categories: IP-based phishing URLs, long URLs (with sub-domains), and similar and deceptive domains. Next we designed training messages for each type of URL. We iterated on these messages using the philosophy that they should be messages one could place on a bumper sticker on a car. For example, for IP-based phishing URLs, we teach "Don't trust URLs with all numbers in the front." Table 5.2 lists the bumper sticker messages in the game. To teach users where to look for cues in the browser, we created a tip that highlights the browser's address bar. To teach users how to use search engines to find legitimate sites, we originally used help messages from Phil's father during game play. However, as discussed in the next section, we found that this was not very effective, so we used a tutorial between rounds instead.

Table 5.3 Training messages shown between rounds. These messages helped users perform better and connect what they read with the information presented while they were playing the game.
Tip (between rounds) | # of printed pages | Concepts | How to do it?
Tip 1: Don't forget about the URL. | 1 | Highlight and point to the address bar in the browser. | 
Tip 2: The middle part of the URL is the name of the site. | 5 | Highlight the different parts of the URL (prefix, address and file name). | Look at the text between the http:// and the first /. The text before the first / (this might end with a .com or .org) is the main domain name.
Tip 3: When in doubt, use a search engine! | 6 | A search engine is a useful tool to check the legitimacy of a web site. | Type the domain name or the organization name into the Google search engine. The top result is usually the legitimate web site.
Tip 4: Know the enemies' tricks! | 1 | Scammers register domains similar to real sites. They copy logos and contents from real sites to draw your attention. They request sensitive information. They point all links to real sites to deceive you. | Design and logos can be spoofed. Links in the fraudulent web site might take you to the legitimate web site.

Figure 5.2 An example training message between rounds. In this message, Phil's father (left) teaches Phil (right) how to identify the different parts of a URL and which parts are important.

Where to teach them
Training messages are embedded in four places in the game: (1) feedback during the game, (2) help messages from Phil's father during the game, (3) end-of-round score sheets, and (4) anti-phishing tips between rounds.

Feedback during the game: When Phil eats a good URL or rejects a phishing one, we provide visual feedback such as "yummy" and "got ya" to tell Phil that he got it right. When he eats a phishing URL, he gets phished and is drawn upward by a fishing line and hook. At this point, Phil's father provides a short tip explaining why the URL is a phishing URL.

Figure 5.3 "Round over" screen. This screen reviews the URLs shown in the round with an indication of which ones the player identified correctly. The screen also shows a tip for figuring out whether each URL is legitimate, which provides an opportunity for self-reflection.

Messages from Phil's father: Phil can also ask his father for help at any time (by pressing T in the game). His father provides hints about what to look for to differentiate good worms from bad ones. Phil's father will also occasionally use a "search engine" and tell Phil the results of the search based on the URL. This shows Phil how to use a search engine properly to determine the legitimate domain name for a company. It also gives players the information they need to decide whether to eat or reject a worm, even if they do not know the legitimate domain name for a particular company. In pilot tests of the game, we found that few users used this option, suggesting that this may not be the most effective way to deliver training.

End-of-round score sheets: We provide players with an opportunity to reflect on what they learned at the end of each round with a score sheet, as shown in Figure 5.3. This screen reviews the URLs used in that round, indicates whether or not the player identified each URL correctly, and displays a tip that explains how to figure out whether the URL is legitimate. In our pilot and user study, we found that people often spent a great deal of time on this screen looking over the things they missed. This applies the reflection principle described in Section 5.3.1.

In previous iterations of the game, we focused solely on teaching people how to discriminate between legitimate and phishing URLs. However, we observed that people needed more scaffolding to help them understand issues such as what to look for in the web browser and how specifically they could use search engines to find real sites. In our current iteration, we added several short tutorials between rounds to teach these topics. This applies the conceptual–procedural principle described in Section 5.3.1.
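Tips 2 and 4 above, together with the misapplied rules discussed under the conceptual–procedural principle in Section 5.3.1 (www4.usbank.com and web-da.us.citibank.com wrongly rejected, wellsfargo.com.wfcnet.net wrongly accepted), amount to a procedure that can be written down and checked. The Python below is an added example for this edition; it is not code from the Anti-Phishing Phil game, whose URL logic the thesis does not describe. The short public-suffix set, the table of domains each brand owns (standing in for the Tip 3 search-engine lookup) and the example.org URL are assumptions constructed for the example; real code would load the full Public Suffix List. It runs the game's own URLs through the three lessons in the order the game teaches them.

```python
"""Heuristic URL checks that state the game's three URL lessons precisely.

Added example, not code from Anti-Phishing Phil. It checks, in order:
 1. is the whole host a bare IP address (round 1 lesson, not "a digit in front"),
 2. which registrable domain the host really belongs to (round 2 lesson),
 3. whether a brand appears in a domain the brand does not own (round 3 lesson).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example. Real code must load the full Public Suffix
# List (publicsuffix.org); these entries only cover the URLs in the thesis.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "uk", "co.uk", "ca"}

# Constructed for this example: the registrable domains each brand really owns.
# In the game this knowledge comes from Tip 3, searching for the brand name.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "usbank": {"usbank.com"},
    "citibank": {"citibank.com"},
    "wellsfargo": {"wellsfargo.com"},
    "bankofamerica": {"bankofamerica.com"},
    "msn": {"msn.com"},
    "halifax": {"halifax.co.uk"},
    "chase": {"chase.com"},
}


def hostname_of(url):
    """Tip 2: the host is the text between the scheme's // and the first /."""
    if "://" not in url:
        url = "http://" + url  # accept bare hosts such as www4.usbank.com
    return (urlsplit(url).hostname or "").rstrip(".")


def is_ip_host(host):
    """True only if the entire host is an IPv4/IPv6 literal.
    www4.usbank.com contains a digit but is not an IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """The label immediately left of the longest matching public suffix:
    signin.ebay.com.ttps.us -> ttps.us, web-da.us.citibank.com -> citibank.com."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])


def brand_in_host(host):
    """Name of the first known brand whose name appears anywhere in the host.
    Substring matching is deliberately loose: it is what a reader's eye does."""
    for brand in BRAND_DOMAINS:
        if brand in host:
            return brand
    return None


def classify(url):
    """Return (verdict, reason); verdict is 'phish', 'legit' or 'unknown'."""
    host = hostname_of(url).lower()
    if is_ip_host(host):
        return "phish", "the host is a bare IP address"
    domain = registrable_domain(host)
    brand = brand_in_host(host)
    if brand is None:
        return "unknown", f"no known brand in the host; look up {domain} (Tip 3)"
    if domain in BRAND_DOMAINS[brand]:
        return "legit", f"{domain} is owned by {brand}"
    if brand in domain:
        kind = "similar or deceptive domain"      # msn-verify.com, ebay-accept.com
    else:
        kind = "brand name used as a sub-domain"  # signin.ebay.com.ttps.us
    return "phish", f"{kind}: the site belongs to {domain}, not to {brand}"


# URLs taken from the thesis text; example.org is constructed for this example.
SAMPLE_URLS = [
    "http://147.46.236.55/PayPal/",
    "http://signin.ebay.com.ttps.us",
    "http://www.msn-verify.com/",
    "http://www.ebay-accept.com/",
    "wellsfargo.com.wfcnet.net",
    "www4.usbank.com",
    "web-da.us.citibank.com",
    "scgi.ebay.com",
    "onlineast1.bankofamerica.com",
    "halifax-cnline.co.uk",
    "http://www.example.org/login",
]


def run_samples():
    """Classify every sample URL; returns {url: verdict}."""
    return {url: classify(url)[0] for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reason = classify(url)
        print(f"{verdict:8} {url:35} {reason}")
```

The order of the checks is the point. The bare-IP test asks whether the whole host parses as an address, which is what "all numbers in the front" means, so www4.usbank.com passes. The ownership test is applied to the registrable domain, so a hyphen in a sub-domain label (web-da) is harmless while a hyphen in the registrable domain (msn-verify.com) is not. The loose substring brand match mirrors what a user's eye does and would need tightening before production use.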
5.3.4 Pilot Test
We pilot tested our game with eight users recruited by posting flyers around the Carnegie Mellon University campus. We tested our participants' ability to identify phishing web sites from a set of real and phishing web sites before and after playing the game. The study was a think-aloud study in which participants described the strategies they were using. The results were encouraging, but highlighted some areas where the game needed improvement. We found that the game was somewhat effective at teaching users to look at the URL in their browser's address bar when evaluating a web site: users looked at the address bar for 14% of the web sites before playing the game and for 41% after. The false negative rate decreased from 31% to 17% after users played the game. However, the false positive rate increased from 37% to 48%, in part because users misinterpreted the URLs they examined. We observed that users learned some of the URL-related concepts we tried to teach, but not all of them. For example, most users seemed to understand that URLs with all numbers in the front are usually a sign of a scam. However, many users could not properly parse a long URL and did not seem to understand that the most important part of the URL is the right-hand side of the domain name. This led them to misidentify wellsfargo.com.wfcnet.net as a legitimate site and scgi.ebay.com and onlineast1.bankofamerica.com as phishing sites. We also observed that some users applied the lessons learned from the game incorrectly. For example, some users misapplied the rule about IP addresses (in Table 5.2) and thought www4.usbank.com was a phishing site because the URL contained the number 4. Other users misapplied the rule "company name followed by hyphen usually means it is a scam" to web-da.us.citibank.com. Finally, many participants used wrong strategies to determine web site legitimacy.
For example, one common strategy consisted of checking whether the web site was designed professionally. However, this is not a useful strategy, as many phishing sites are exact replicas of professionally designed legitimate sites. Although participants adopted this technique less frequently after the game, some of them still employed a variant of it while using a search engine: they compared the two sites' design (logos, colors) and looked for an exact match of the URL to determine legitimacy. We believe this is because users did not know exactly what to look for to determine web site legitimacy when using search engines. To summarize, the pilot test showed that it is insufficient to teach users only what to look for in the URL. We modified our game according to the lessons learned from the pilot testing.

5.3.5 Modified Game
We realized that the initial version of the game focused almost entirely on procedural knowledge. However, some conceptual knowledge about the parts of a URL might have helped users avoid some of the mistakes they made. We added animated messages between each round of the game to address some of the problems we observed in the pilot study. These messages teach users about the parts of URLs, how to use a search engine to check a suspicious URL, and common tricks used by scam web sites. We designed these messages in a story-like format, in which Phil's father teaches him about URLs at home before he can explore Interweb Bay on his own. Table 5.3 summarizes the training messages provided to the user between rounds, and Figure 5.2 gives a screenshot of one of them.

5.4 Evaluation 1: Lab Study
In this section, we describe the methodology we used to test the game's effectiveness in training users in a laboratory study.
5.4.1 Study design
We based the design of our user study on Dhamija et al.'s study, trying to recreate their experiment as closely as possible (however, the original materials for Dhamija's study have been lost) [23]. Participants were given the following scenario: "You have received an email message that asks you to click on one of its links. Imagine that you have clicked on the link to see if it is a legitimate web site or a spoofed web site." We then presented participants with ten web sites and asked them to state whether each web site was legitimate or phishing, and to tell us how confident they were in their judgments (on a scale of 1 to 5, where 1 means not confident at all and 5 means very confident). After evaluating the ten URLs, participants were given fifteen minutes to complete an anti-phishing training task. Finally, participants were shown ten more web sites to evaluate. After finishing this evaluation, participants were asked to complete an exit survey. We selected twenty web sites (shown in Table 5.5) to test our participants' ability to identify phishing web sites before and after training. Ten of the sites we selected were phishing sites targeting popular brands. The other ten were legitimate web sites from popular financial institutions and online merchants, as well as random web sites. We divided the twenty web sites into two groups (A and B), with five phishing sites and five legitimate sites in each group. We randomized the order in which the two groups of URLs were presented so that half the participants saw group A first, and half saw group B first. We hosted the phishing web sites on the local computer by editing its hosts file so that the phishing hostnames resolved to the local machine. Thus, our participants were not actually at risk, and we were able to show them phishing sites even after they had been taken down. We told participants that they could use any means to determine a web site's legitimacy other than calling the company.
We also let participants use a separate web browser if they wanted, without prompting them about how or why this might be useful. Some participants used this other web browser to access a search engine to help determine whether a web site was legitimate. We used Camtasia Studio to record our participants' computer screens and spoken comments. We used a between-subjects experimental design to test three training conditions:
1. Existing training material condition: In this condition, participants were asked to spend fifteen minutes reading eBay's tutorial on spoofed emails [28], Microsoft's security tutorial on phishing [89], the phishing e-card from the U.S. Federal Trade Commission [32], and a URL tutorial from the MySecureCyberspace portal [97]. We reused the training material condition from our previous study as a control group [70].
2. Tutorial condition: In this condition, participants were asked to spend up to fifteen minutes reading an anti-phishing tutorial we created based on the Anti-Phishing Phil game. We included this condition to test the effectiveness of the training messages separately from the game. The tutorial included printouts of all of the between-round training messages. It also included lists of the URLs used in the game with explanations of which were legitimate and which were phishing, similar to the game's end-of-round screens. The 17-page tutorial was printed in color. We designed the tutorial to resemble the game as closely as possible.
3. Game condition: In this condition, participants played the Anti-Phishing Phil game for fifteen minutes.
This study was conducted in two phases, separated by five months. For the existing training materials condition, we used data collected during a previous study in September 2006 that measured participants' improvement after reading existing training materials, as compared with a control group that spent fifteen minutes playing solitaire [70].
For the tutorial and game conditions, participants were recruited in February 2007 and randomly assigned to these groups. The same procedures were used in September and February for recruiting, screening, and conducting the experiments, although it is possible that the five-month delay between the two phases of the experiment introduced some selection bias.

Table 5.4 Participant demographics in each condition (Existing training material / Tutorial group / Game group)
Gender: Male 29% / 36% / 50%; Female 71% / 64% / 50%
Age: 18-34 93% / 100% / 100%; >34 7% / 0% / 0%
Education (High School, College undergraduate, College graduate, Post-graduate school): 14% 50% 7% 78% 7% 50% 14% 21% 7% 7% 21% 21% (values as printed; the row-by-column layout did not survive extraction)
Years on the Internet: 3-5 years 23% / 23% / 14%; 6-10 years 69% / 70% / 78%; >11 years 8% / 7% / 7%

5.4.2 Participant Recruitment and Demographics
In this section, we present the process we used to recruit participants for the study and describe their demographics. We recruited fourteen people for each condition via flyers posted around campus, recruitment email on university bulletin boards, and craigslist.com. We screened participants with respect to their knowledge of computers in general, aiming to recruit only participants who could be considered "non-experts." We recruited users who answered "no" to two or more of the following screening questions: 1) whether they had ever changed preferences or settings in their web browser, 2) whether they had ever created a web page, and 3) whether they had ever helped someone fix a computer problem. These questions have served as good filters for recruiting non-experts in other phishing-related studies [26], [68]. A summary of demographics is shown in Table 5.4.

5.4.3 Results
In this section, we present the results from the user study. We found that participants in the game condition performed better than those in the other two conditions in correctly identifying the web sites.
We also found that there was no significant difference in false negatives among the three groups. However, the participants in the game group performed better overall than the other two groups.

5.4.3.1 Correlation between Demographics and Susceptibility to Phishing
In this section we present results regarding the correlation between demographics and susceptibility to phishing, user performance, user confidence ratings, user feedback, and places where the game can be improved. We found no significant correlation between the participants' performance (measured by total correctness) and gender (Spearman rho = -0.2, n = 42, p = 0.19), age (Spearman rho = 0.008, n = 42, p = 0.96), education (Spearman rho = 0.06, n = 42, p = 0.708), race (Spearman rho = 0.13, n = 42, p = 0.406), or number of hours spent online per week (Spearman rho = -0.10, n = 42, p = 0.588). Other studies have also found no correlation between these demographics and susceptibility to phishing [23], [140]. The score is positively correlated with years on the Internet (Spearman rho = 0.341, n = 42, p = 0.031).

5.4.3.2 User Performance
We measured the effectiveness of user training by examining false positives and false negatives as well as the total percentage of sites correctly identified before and after training. A false positive is when a legitimate site is mistakenly judged to be a phishing site. A false negative is when a phishing site is incorrectly judged to be a legitimate site. Our game condition performed best overall. It performed roughly as well as the existing training material condition in terms of false negatives, and better on false positives. The tutorial condition also performed better than the existing training material condition in terms of false positives and total correctness. However, these latter results were not statistically significant.
Table 5.5 Percentage of correct answers for the training group before and after the game (average confidence rating in parentheses)
Web site | Real or spoof | Description | Pre-game % correct (avg. confidence) | Post-game % correct (avg. confidence)
Paypal | Real | Paypal login page | 83 (4.6) | 100 (4.7)
Bank of America | Real | Bank of America home page; URL: onlineast.bankofamerica.com | 66 (3.5) | 100 (4.3)
Wellsfargo bank | Spoof | Faked Wellsfargo home page; layered information request; sub-domain deception with URL online.wellsfargo.wfosec.net | 83 (3.6) | 87 (4.5)
Citibank | Real | Citibank login page; URL: web-da.us.citibank.com | 83 (3.6) | 75 (4.5)
Barclays | Spoof | Faked Barclays login page; layered information request; IP address URL | 83 (4.2) | 100 (4.7)
AOL | Spoof | AOL account update; deceptive domain myaol.com | 100 (3.3) | 75 (3.4)
Etrade | Real | Etrade home page | 100 (4.0) | 100 (4.3)
PNC Bank | Spoof | Bank account update; pop-up window over the real PNC Bank web site; security lock; requesting credit card number | 66 (4.0) | 50 (5.0)
eBay | Real | eBay registration page; requesting lots of information | 66 (4.2) | 62 (4.0)
Halifax Bank | Spoof | Halifax bank login page; deceptive domain halifax-cnline.co.uk | 83 (2.8) | 100 (4.5)
Card Financials Online | Real | Card Financial Online (part of MBNA); domain name has nothing to do with MBNA | 50 (3.5) | 66 (4.5)
Citicards | Spoof | Citicard account update; lock on the page; requesting a lot of information | 50 (4.0) | 100 (4.6)
Chase online | Real | Online banking login page; URL: chaseonline.chase.com | 100 (4.2) | 100 (4.1)
Desjardins | Real | Account login page; unfamiliar foreign bank | 50 (3.0) | 83 (3.8)
Royal Bank of Canada | Spoof | Online banking sign-in page; layered information request; URL has no resemblance to the bank | 37 (4.0) | 100 (4.1)
Chase Student | Real | Primitive-looking page with few graphics and links | 37 (3.0) | 66 (3.7)
HSBC | Spoof | Internet banking login page; layered information request; IP address URL | 50 (4.0) | 100 (5.0)
US Bank | Real | Online banking login page; URL: www4.usbank.com | 75 (3.5) | 100 (4.6)
eBay | Spoof | Faked eBay login page; IP address URL | 75 (3.8) | 100 (5.0)
PayPal | Spoof | Fake URL bar displaying the real Paypal URL; not requesting much information | 50 (3.2) | 0 (4.0)

Figure 5.4 User performance in the experimental conditions: existing training materials, tutorial only, game, and control condition. N = 14 in all conditions. The graph on the left shows false negative rates; the existing training material performed best on false negatives, but the difference is not statistically significant. The graph on the right shows false positive rates; false positives increased in the existing materials condition and decreased in both the tutorial and game conditions, with the game condition showing the largest reduction.

Post test false negative rates in all three groups decreased significantly from the pre test values. For the existing training materials condition, the false negative rate fell from 0.38 to 0.12 (paired t-test: μ1 = 0.38, μ2 = 0.12, p = 0.01); for the tutorial condition, it fell from 0.43 to 0.19 (paired t-test: μ1 = 0.43, μ2 = 0.19, p < 0.03); for the game condition, it fell from 0.34 to 0.17 (paired t-test: μ1 = 0.34, μ2 = 0.17, p < 0.02). There is no statistical difference between the three groups in either the pre test (one-way ANOVA, F(2,41) = 0.52, p = 0.60) or the post test (one-way ANOVA, F(2,41) = 0.81, p = 0.45). These results are shown in Figure 5.4. Post test false positive rates decreased significantly in the game condition (paired t-test: μ1 = 0.30, μ2 = 0.14, p < 0.03). A one-way ANOVA revealed that false positive rates differed significantly in the post test (F(2, 41) = 4.64, p < .02).
The Tukey post-hoc test revealed that the game condition had significantly lower false positives than the existing training materials condition. No other post-hoc contrasts were significant. The results are shown in Figure 6. Combining false positives and false negatives, we derived a measure of total correctness. We found in the post test that the game condition performed better than the existing training material condition (two-sample t-test, p < 0.02). We did not find the tutorial condition’s improvement over the existing training material condition to be significant; however, this is likely due to our small sample size. These results are shown in Figure 7.

[Figure panels: (a) False negative rates; (b) False positive rates; (c) Total correctness for the test groups. N = 14 in all conditions. The existing training material performed best on false negatives, but the difference is not statistically significant; false positives increased in the existing materials condition and decreased in both the tutorial and game conditions, with the game condition showing the highest reduction; the game condition shows the greatest improvement in total correctness.]

5.4.3.3 User Confidence Rating

Users became more confident about their judgments after the game or the tutorial conditions. We did not observe the existing training material improving user confidence in a statistically significant way. The average user confidence rating in the game condition increased from 3.72 (variance = 0.09) to 4.42 (variance = 0.10). This change is statistically significant (paired t-test, p < 0.001). In contrast, user confidence in the existing training material condition did not improve in a statistically significant way: the average confidence rating was 4.18 in the pre test (variance = 0.18) and 4.32 in the post test (variance = 0.15).
5.4.3.4 User Feedback

In the post test, we asked participants to rate on a 5-point Likert scale how much they felt they had learned and how important the information they had learned was. Ninety-three percent of the users either agreed or strongly agreed that they had learned a lot (μ = 4.21, std = 0.58), and 100% of them agreed or strongly agreed that they had learned a lot of important information (μ = 4.36, std = 0.50). On a five-point scale, we also asked them to rate the educational and fun levels of the game. Ninety-three percent of the users felt the educational value of the game was very good or excellent (μ = 4.28, var = 0.61). Fifty percent of the users considered the fun level of the game very good or excellent (μ = 3.7, var = 0.78). We asked similar questions about educational value and fun level in the existing training material condition. Ninety-three percent of the users also felt the educational value of the existing training material was very good or excellent (μ = 4.28, var = 0.59), whereas only twenty-nine percent of the users considered the fun level of the existing training materials very good or excellent (μ = 2.8, var = 1.36).

5.4.3.5 Where the Game is Failing

We found that users in the game group and the tutorial group performed worse on two websites. The first is a fake address bar attack, in which we showed users a Paypal website with the address bar spoofed. Six of the users in the game condition were unable to identify this attack in the post test, whereas only three users in the existing training material condition fell for it. We hypothesize that users are more prone to this kind of attack because, after the training, they look specifically for clues in the URL, and if the clues confirm their belief, they do not look further. (Luckily, current browsers now address this kind of vulnerability.)
Two users also fell for the “similar domain attack” after the game condition, in which we showed them myaol.com for account updates. This is an easy attack to identify if users notice the large amount of information requested; for this reason, none of the users fell for it in the pre test. This problem highlights two lessons: first, some users still have problems with phishing domains that are similar to the real ones; second, they tend to look less for clues other than the URL, and if the URL does not raise suspicion, they do not look further.

5.4.3.6 Effect of Training

Security education plays an important role in increasing users’ alertness towards security threats. Alert users are cautious, and less likely to make mistakes that will leave them vulnerable to attack (false negatives). However, cautious users tend to misjudge non-threats as threats (false positives) unless they have learned how to distinguish between the two. Thus, good user security education should not only increase users’ alertness, but also teach them how to distinguish threats from non-threats. In this section we use signal detection theory (SDT) [78, 120] to quantify the ability to discern between signal (phishing websites) and non-signal or noise (legitimate websites). We use two measures: sensitivity (d’) and criterion (C). In our user studies, we define sensitivity as the ability to distinguish phishing websites from legitimate websites, measured by the distance between the means of the signal and non-signal distributions. The larger the value of d’, the better the user is at separating signal from noise. Criterion is defined as the tendency of users towards caution when making a decision. More cautious users are likely to have few false negatives and many false positives, while less cautious users are likely to have many false negatives and few false positives. Figure 5.5 shows example distributions of user decisions about legitimate and phishing websites.
The criterion line divides the graph into four sections representing true positives, true negatives, false positives, and false negatives. Training may cause users to become more cautious, increasing C and moving the criterion line to the right. Alternatively, training may cause users to become more sensitive, separating the two means. In some cases training may result in both increased caution and increased sensitivity, or in decreased caution but increased sensitivity. We calculated C and d’ for the participants in our user study; Table 5.6 presents the results. We found that in the existing training material condition, the sensitivity increased from 0.81 in the pre test to 1.43 in the post test. This increase is significant (p < 0.05). We also found that users became more cautious after the training, as the criterion C changed from 0.03 in the pre test to -0.51 in the post test (p < 0.025). This result (users becoming more cautious) was also shown by Jackson et al. [2]. In contrast to the existing training material condition, in the game condition the sensitivity increased from d’ pre = 0.93 to d’ post = 2.02 (p < 0.025), while the decision criterion did not change significantly (C pre = 0.06, C post = 0.06). This shows that the improvement in performance is due to a learned ability to better distinguish phishing websites from real websites.

Figure 5.5 Applying signal detection theory (SDT) to anti-phishing education. We treat legitimate websites as “non-signal” and phishing websites as “signal.” Sensitivity (d’) measures users’ ability to distinguish signal from non-signal. Criterion (C) measures users’ decision tendency (C < 0 indicates cautious users, C = 0 indicates neutral users, C > 0 indicates liberal users). As a result of training, users may a) become more cautious, increasing C; b) become more sensitive, increasing d’; or c) a combination of both.

Table 5.6 Results from the Signal Detection Theory analysis.
This shows that users had greater sensitivity with Anti-Phishing Phil, meaning that they were better able to distinguish between phishing and legitimate sites. Consequently, users were able to make better decisions in the game condition, compared to users becoming more conservative in the other condition.

Condition | Sensitivity (d’) pre test | Sensitivity (d’) post test | Sensitivity (d’) delta | Criterion (C) pre test | Criterion (C) post test | Criterion (C) delta
Existing training materials | 0.81 | 1.43* | 0.62 | 0.03 | -0.51 | 0.54**
Anti-phishing Phil | 0.93 | 2.02** | 1.09 | 0.06 | 0.06 | 0
* p < 0.05, ** p < 0.025

5.5 Evaluation 2: Anti-Phishing Phil Field Study

In this section, we discuss new results from data we collected in a real-world deployment of Anti-Phishing Phil. Our results provide more evidence that Anti-Phishing Phil is effective for knowledge acquisition and knowledge retention.

5.5.1 Study design

We recruited participants for an online study through postings on online mailing lists offering participants a chance to win a raffle for a $100 Amazon gift certificate. We used a between-subjects design to test two conditions. In the control condition, participants saw 12 websites and were asked to identify whether each website seen was phishing or not. After doing this, the participants were taken to the game. In the game condition, participants were shown six websites before playing the game (pre-test) and another six websites after they finished playing the game (immediate post-test). To measure retention, we emailed participants seven days later and asked them to take a similar test (delayed post-test). In total, we tested each participant in the game condition on 18 websites divided into three groups of three phishing websites and three legitimate websites. We randomized the order of websites within each group, and the order in which the groups were shown to each participant.

5.5.2 Participants

Over the course of two weeks (Sep 25, 2007 to Oct 10, 2007), 4,517 people participated in the study.
In the game condition, 2,021 users completed both the pre-test and the immediate post-test, 674 of whom also came back one week later for the delayed post-test. In our analysis we focus on people who completed the pre-test, immediate post-test, and delayed post-test. We had 2,496 participants in the control condition. Among the total participants, 78% were male, 15.6% female, and 6.4% did not give their gender; 4.8% were 13 - 17 years old, 43.7% were 18 - 34 years old, 44.3% were 35 - 64 years old, 0.5% were more than 65 years old, and 6.8% did not provide their age.

Figure 5.6 False negative and false positive rates for Anti-Phishing Phil in the real world. Novice users show the greatest improvement in both false negatives and false positives.

5.5.3 Results

Our results demonstrate that users are able to more accurately and quickly distinguish phishing websites from legitimate websites after playing the game, and that they retain knowledge learned from the game for at least one week. We classified the game condition participants into three categories based on their pre-test scores: novice (0 - 2 correct), intermediate (3 - 4 correct) and expert (5 - 6 correct). As illustrated in Figure 5.6, novice users showed the greatest improvement, with the false positive rate decreasing from 42% to 11.2% (paired t-test, p < 0.0001), and the false negative rate decreasing from 28.3% to 11.2% (paired t-test, p < 0.0001). The intermediate group also showed statistically significant improvements, although not as large as the novice group. Finally, we did not observe any statistically significant improvements for the expert group. Delayed post-test scores did not decrease from immediate post-test scores, demonstrating that participants retained their knowledge after one week. Participants were able to determine website legitimacy more quickly after playing the game. The mean time users in the game group took to determine a website’s legitimacy before the game was 21.2 seconds.
After the game, it decreased to 11.2 seconds (paired t-test, p < 0.0001). The mean time for the control group did not change in a statistically significant way (pre: 18.5 seconds, post: 18.6 seconds). Those who did not come back for the delayed post-test performed slightly worse than those who did come back. The immediate post-test score was 83.8% for those who did not come back and 89.1% for those who did come back one week later (two-sample t-test, p < 0.001). One possible explanation is that those who were more confident in their performance were more likely to come back. To validate this hypothesis, we conducted a Chi-square test of the percentages of novice, intermediate and expert users who completed the immediate post-test or the delayed post-test. We found that there were more experts and fewer intermediate and novice users in the delayed post-test group (p < 0.001). Before playing the game, mean accuracy scores for males were significantly higher than for females (males = 75.5%, females = 64.4%, two-sample t-test, t = 8.48, p < 0.0001). However, the two groups improved similarly after playing the game (two-proportion test, 14.2% versus 12.4%, p = 0.192). There was also a significant difference in pre-test performance between age groups (one-way ANOVA, F = 7.29, p < 0.01). A Tukey simultaneous 95% confidence interval test reveals that participants younger than 18 performed worse than those between 18 and 64. There is no statistical difference in performance between the age groups 18-35 and 36-64. We observed similar trends in immediate post-test performance (one-way ANOVA, F = 23.05, p < 0.01). These results suggest that teenagers may be particularly susceptible to phishing attacks. The mean score for the 13-17 age group was 3.9, while the mean score was 4.6 for both the 18-34 and 35-64 age groups. We used the data from the game to determine which types of URLs are most difficult for people to identify correctly.
Especially challenging ones are URLs longer than the address bar and deceptive URLs that look similar to legitimate URLs with some added text (e.g. http://www.msnverify.com/). The more challenging the URL, the more likely game players are to use the game’s help feature (r = -0.645, p < 0.001). From the game data, we found that users are most confused by long URLs. This confusion makes them susceptible to sub-domain attacks such as https://citibusinessonline.da-us.citibahnk.com/cbusol/signon.do. Users are also confused by very similar URLs, for example www.citicards.net (as opposed to www.citicards.com) and www.eztrade.com (as opposed to www.etrade.com). This suggests further investigation into ways of teaching that remove these confusions.

5.5.3.1 Effect of Training

Using the signal detection method introduced in Section 5.4.3.6, we calculated C and d’ for our evaluation of existing online training materials, the PhishGuru retention and transfer study, the Anti-Phishing Phil laboratory study, and the Anti-Phishing Phil field study, as summarized in Table 5.7. We found that after reading existing training materials, users became significantly more cautious without becoming significantly more sensitive. Thus these materials serve to increase alertness, but do not teach users how to distinguish legitimate websites from fraudulent ones. After playing Anti-Phishing Phil, users became both significantly more sensitive and more liberal, indicating that performance improvements from playing the game are due to learning. (Note that in the laboratory study we did not observe the criterion change that we observed in the field study.) PhishGuru embedded training increased both sensitivity and caution, but these results are not statistically significant due to the small number of user decisions considered in the analysis.
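Sections 5.4.3.6 and 5.5.3.1 report d’ and C but not how they are computed. The following added example (not part of the thesis) applies the standard equal-variance SDT formulas to the game condition’s false negative and false positive rates from Section 5.4.3.2 and reproduces the Table 5.6 values within rounding; the 1/(2n) clamp for rates of exactly 0 or 1, the per-class site counts, and the `describe` threshold are assumptions.

```python
from statistics import NormalDist

# Probit (inverse normal CDF): turns a proportion into a z-score.
z = NormalDist().inv_cdf


def bounded(rate: float, n: int) -> float:
    """Keep a rate strictly inside (0, 1) so z() stays finite. Assumption: the thesis
    does not state its correction, so the common 1/(2n) adjustment is used here."""
    return min(max(rate, 0.5 / n), 1.0 - 0.5 / n)


def sdt_measures(false_negative_rate: float, false_positive_rate: float,
                 n_phish: int = 10, n_legit: int = 10) -> tuple:
    """Return (d', C) with phishing sites as the signal and legitimate sites as noise.

    hit rate         H  = 1 - false negative rate   (phishing sites correctly flagged)
    false alarm rate FA = false positive rate       (legitimate sites wrongly flagged)
    d' = z(H) - z(FA)          larger = better separation of phishing from legitimate
    C  = -(z(H) + z(FA)) / 2   C < 0 cautious (flags readily), C > 0 liberal, matching
                               the sign convention of Figure 5.5
    n_phish / n_legit only matter when a rate is exactly 0 or 1 (assumption: 10 real
    and 10 spoofed sites, the counts listed in Table 5.5)."""
    h = bounded(1.0 - false_negative_rate, n_phish)
    fa = bounded(false_positive_rate, n_legit)
    return z(h) - z(fa), -(z(h) + z(fa)) / 2


def training_effect(pre_fn: float, pre_fp: float,
                    post_fn: float, post_fp: float) -> dict:
    """Split a training's effect into the two components of Section 5.4.3.6: a gain in
    sensitivity (learning to tell the two apart) and a shift in criterion (becoming
    more cautious or more liberal)."""
    d_pre, c_pre = sdt_measures(pre_fn, pre_fp)
    d_post, c_post = sdt_measures(post_fn, post_fp)
    return {"d_pre": d_pre, "d_post": d_post, "delta_d": d_post - d_pre,
            "c_pre": c_pre, "c_post": c_post, "delta_c": c_post - c_pre}


def describe(effect: dict, tol: float = 0.1) -> str:
    """One-line reading of an effect: which component moved by more than tol
    (tol is an assumed threshold, not a significance test)."""
    parts = []
    if effect["delta_d"] > tol:
        parts.append("more sensitive")
    if effect["delta_c"] < -tol:
        parts.append("more cautious")
    elif effect["delta_c"] > tol:
        parts.append("more liberal")
    return ", ".join(parts) or "no clear change"


# Game condition of the laboratory study, from the false negative and false positive
# rates reported in Section 5.4.3.2: pre 0.34 / 0.30, post 0.17 / 0.14.
GAME = training_effect(0.34, 0.30, 0.17, 0.14)

if __name__ == "__main__":
    for key, value in GAME.items():
        print(f"{key:8s} {value:6.2f}")
    print(describe(GAME))
```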
The pre-test criterion for the existing training and Anti-Phishing Phil studies indicates that these users started off more cautious than those in the PhishGuru study. This is likely because users were primed to think about security in the former studies and not in the latter.

Table 5.7 Signal Detection Theory analysis. PhishGuru and Anti-Phishing Phil increased users’ sensitivity, while existing training materials made users more cautious. * indicates statistically significant differences (p < 0.05).

Study | Sensitivity (d’) pre-test | Sensitivity (d’) post-test | Sensitivity (d’) delay test | Criterion (C) pre-test | Criterion (C) post-test | Criterion (C) delay test
Existing training materials | 0.81 | 1.43 | – | 0.03 | -0.51* | –
Anti-Phishing Phil laboratory study | 0.93 | 2.02* | – | 0.06 | 0.06 | –
Anti-Phishing Phil field study | 1.49 | 2.46* | 2.47 | -0.35 | 0.02* | 0.0

Conclusions and Future Work

In this paper, we presented the design and evaluation of Anti-Phishing Phil, a game that teaches users not to fall for phishing attacks. Our objective in developing the anti-phishing game was to teach users three things: (1) how to identify phishing URLs, (2) where to look for cues in web browsers, and (3) how to use search engines to find legitimate sites. In particular, the game teaches users about identifying three types of phishing URLs: IP-based URLs, sub-domain URLs, and deceptive URLs. We conducted two user studies. In the first study, we compared the effectiveness of the game with existing online training materials and a tutorial we created based on the game. We found that participants who played the game performed better at identifying phishing websites than participants who completed the two other types of training. Using signal detection theory, we also showed that while existing online training materials increase awareness about phishing (which can help people avoid attacks), our game also makes users more knowledgeable about techniques they can use to identify phishing web sites.
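The three URL types the game teaches (IP-based, sub-domain and deceptive) can be checked mechanically, which is useful for screening training examples and as a teaching aid. The following is an added example, not code from the thesis or from the Anti-Phishing Phil game; `KNOWN_SITES` and `MULTI_LABEL_SUFFIXES` are constructed stand-ins for a user’s memory of real sites and for a public-suffix list, and a flagged URL is a cue to look further, not a verdict.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed (assumed) list of registered domains a trained user is expected to know.
KNOWN_SITES = {"paypal.com", "wellsfargo.com", "citibank.com", "citicards.com",
               "etrade.com", "ebay.com", "aol.com", "msn.com", "bankofamerica.com",
               "chase.com", "usbank.com", "halifax.co.uk"}
BRANDS = sorted(site.split(".")[0] for site in KNOWN_SITES)

# Simplification (assumption): only these multi-label public suffixes are recognised.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """'online.wellsfargo.wfosec.net' -> 'wfosec.net'; 'halifax-cnline.co.uk' stays whole."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes such as citibahnk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_inside(label: str) -> Optional[str]:
    """First known brand name embedded in a host label ('myaol' -> 'aol'), or None."""
    return next((b for b in BRANDS if b in label), None)


def lookalike_brand(label: str) -> Optional[str]:
    """Known brand within one edit of the label ('eztrade' -> 'etrade'), or None."""
    return next((b for b in BRANDS if edit_distance(label, b) == 1), None)


def classify_url(url: str) -> Tuple[str, str]:
    """Return (category, reason). Categories are the three URL types the game teaches:
    'ip' (an IP address instead of a name), 'subdomain' (a brand name left of someone
    else's registered domain) and 'deceptive' (a brand name altered or padded inside
    the registered domain); 'unflagged' means no cue was found, not that it is safe."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unflagged", "no hostname in URL"
    try:                                   # 1. IP-based URL
        ipaddress.ip_address(host)
        return "ip", f"host is an IP address ({host})"
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in KNOWN_SITES:                 # hostname ends in a domain the user knows
        return "unflagged", f"registered domain {reg} is a known site"
    reg_label = reg.split(".")[0]          # 'wfosec' from 'wfosec.net'
    sub = host[: len(host) - len(reg)].rstrip(".")
    brand = brand_inside(sub)              # 2. sub-domain deception
    if brand and brand not in reg_label:
        return "subdomain", f"'{brand}' is only a sub-domain of {reg}"
    if reg_label in BRANDS:                # 3. deceptive domain, three variants
        return "deceptive", f"'{reg_label}' under a different top-level domain ({reg})"
    brand = brand_inside(reg_label)
    if brand:
        return "deceptive", f"'{brand}' embedded in unrelated domain {reg}"
    brand = lookalike_brand(reg_label)
    if brand:
        return "deceptive", f"{reg} is one character away from {brand}"
    return "unflagged", f"registered domain {reg} is not a known site"


if __name__ == "__main__":
    # Constructed test set drawn from the URLs discussed in this chapter.
    for u in ["http://128.3.72.234/Partypics.jpg.exe",
              "https://online.wellsfargo.wfosec.net/",
              "http://www.msnverify.com/",
              "https://citibusinessonline.da-us.citibahnk.com/cbusol/signon.do",
              "http://www.citicards.net/", "http://www.eztrade.com/",
              "https://onlineeast.bankofamerica.com/", "https://chaseonline.chase.com/"]:
        category, reason = classify_url(u)
        print(f"{category:10s} {u}  ({reason})")
```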
In the second study, we tested Phil using data we collected in a real-world deployment of Anti-Phishing Phil. Our results provide more evidence that Anti-Phishing Phil is effective for knowledge acquisition and knowledge retention. Our results show that interactive games can be a promising way of teaching people strategies to avoid falling for phishing attacks. Our results suggest that applying learning science principles to training materials can stimulate effective learning. Finally, our results strongly suggest that educating users about security can be a reality rather than just a myth [48].

Chapter 6 Phishing Susceptibility Study

This chapter is joint work with Mandy Holbrook, Julie Downs, Lorrie Cranor, and Ponnurangam Kumaraguru. An earlier version of the content in this chapter was submitted to CHI 2010 [125].

Phishing attacks, in which scammers send emails and other messages to con victims into providing their login credentials and personal information, snare millions of victims each year [43]. A variety of efforts aim to combat phishing through law enforcement, automated detection, and end-user education. Researchers have studied why people fall for phishing attacks; however, little research has been done on demographic factors in susceptibility to phishing. By determining which groups are most susceptible to phishing, we can determine how best to focus anti-phishing education. In this paper, we present the results of our roleplay phishing study, administered to 1001 online survey respondents, in order to study demographics and phishing susceptibility. The rest of the paper is organized as follows. In the next section, we present background and related work on why people fall for phishing. Then we describe the design of our experiment and present the results of our study, identifying several important demographic factors that affect phishing susceptibility and describing the effects of education in bridging these gaps.
Finally, we discuss the implications of our study for designing anti-phishing tools and improving public policy.

6.1 Background and related work

Research has shown that people are vulnerable to phishing for several reasons. First, people tend to judge a website’s legitimacy by its “look and feel,” which attackers can easily replicate [23]. Second, many users do not understand or trust the security indicators in web browsers [140]. Third, although some consumers are aware of phishing, this awareness does not reduce their vulnerability or provide useful strategies for identifying phishing attacks [26]. Fourth, the perceived severity of the consequences of phishing does not predict users’ behavior [27].

6.1.1 Demographics and Phishing Susceptibility

To the best of our knowledge, there has been no study dedicated to understanding what demographic factors correlate with falling for phishing, and the effectiveness of educational interventions in bridging the demographic divide. We highlight here a few studies that have measured susceptibility to specific types of phishing attacks or have studied the effectiveness of anti-phishing education while reporting at least some data on gender and other demographic factors. Jagatic et al. performed a spear phishing experiment at Indiana University to quantify how reliably social context would increase the success of a phishing attack. They launched an actual (but harmless) phishing attack targeting college students aged 18–24 years old by using information harvested from social networking sites. In their study of 487 participants, female students fell for 77% of the spear phishing attacks, while male students fell for 65% [53]. In a related study, Kumaraguru et al. conducted a real-world phishing study with 515 participants to study the long-term retention of PhishGuru anti-phishing training [69].
They did not find significant differences based on gender, but did find that participants in the 18-25 age group were consistently more vulnerable to phishing attacks. They also did not explain the reason behind this finding. Finally, Kumaraguru et al. [71] conducted a study of 5182 Internet users measuring the effectiveness of Anti-Phishing Phil, an interactive game that teaches people not to fall for phish. They found that men were more likely to correctly distinguish phishing and legitimate websites than women (75.5% correct vs. 64.4% correct). They collected only very coarse-grained information on the age of participants, but found that people under the age of 18 performed worse than those above 18. Although past studies have found differences in phishing susceptibility based on gender and age, they generally did not collect enough information about study participants to isolate these variables from other potentially confounding factors. In addition, previous studies did not address why these demographic factors correlate with falling for phishing. In our paper, we address these research questions.

6.1.2 Susceptibility vs. Risk Behavior

The risk literature has shown reliable demographic differences in risk perceptions on various topics, with relatively oppressed groups (e.g., women, racial and ethnic minorities, and less wealthy people) perceiving more risk in the world around them [37, 129]. Such perceptions may be linked to these groups’ experiences of a riskier world, perhaps due to lower degrees of control over risky processes. Age has also been linked to risky behavior, with adolescents tending to engage in riskier behaviors on average, perhaps as a function of their ongoing learning about the world around them [25, 114].
Because real-world risk behaviors are complex and subject to such varied predictors as knowledge, goals, and benefits associated with what is perceived to be risky behavior, there have been relatively few studies with the power to assess multiple mediators of demographic effects on risky behavior. The current paper takes a specific, well-defined behavior as a context in which to identify content-specific factors that may explain effects of age, gender, and ethnic background.

6.1.3 Security User Education

Despite claims by some security and usability experts that user education about security does not work [48], there is evidence that well-designed user security education can be effective in the real world [67, 127]. Web-based training materials, contextual training, embedded training, and interactive games have all been shown to improve users’ ability to avoid phishing attacks. A number of organizations have developed online training materials to educate users about phishing [28, 32]. In a previous study, Kumaraguru et al. tested the effectiveness of some of these online materials and found that, while these materials could be improved, they are surprisingly effective when users actually read them [70]. Several studies have adopted a contextual training approach in which users are sent simulated phishing emails by the experimenters to test users’ vulnerability to phishing attacks. At the end of the study, users are given materials that inform them about phishing attacks. This approach has been used in studies involving Indiana University students [53], West Point cadets [33], and New York State employees [104]. A related approach, called embedded training, teaches users about phishing during their regular use of email. This trainer sends phishing email to users and, if users click on phishing links, immediately presents an intervention designed to train them not to fall for phishing attacks. Kumaraguru et al.
created several intervention designs based on learning sciences, and found that these interventions were more effective than standard security notices that companies email to their customers [68]. The researchers continued to refine the most successful intervention, a comic strip featuring a character named PhishGuru. A follow-up study showed that people were able to retain what they learned from this training [69]. Finally, Sheng et al. designed Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. The researchers used learning science principles to design and iteratively refine the game. Their evaluation showed that participants who played the game were better able to identify fraudulent web sites compared to participants in other conditions [127]. We studied the effectiveness of several of these educational approaches in bridging the demographic divide. The materials we tested included a set of popular web-based training materials, Anti-Phishing Phil, a PhishGuru cartoon, and the combination of Anti-Phishing Phil and a PhishGuru cartoon.

6.2 Study Design

In this online study, participants provided demographic information, answered survey questions to assess their knowledge about phishing, and completed a roleplay task to assess their behavioral susceptibility to phishing, prior to receiving one of several possible forms of training. Participants then completed a second roleplay task to assess reductions in phishing susceptibility as well as any changes in participants’ tendencies to be suspicious of legitimate emails. Participants were assigned randomly to a control condition or one of four experimental conditions. The conditions varied based on the type of training participants were exposed to (or no training). The ordering of the survey questions relative to the initial roleplay was also counterbalanced.
6.2.1 Recruitment

Participants were recruited through Amazon.com’s Mechanical Turk (mTurk), a marketplace for work requiring human intelligence. In this online environment, requesters post tasks known as HITs (Human Intelligence Tasks), and workers are paid for completing these HITs. We offered to pay four dollars to participants who qualified and twenty cents to those who did not. In total, 1001 participants qualified and completed the entire study, as detailed in Table ??. To disqualify people who were hoping to earn money for completing the study without actually paying attention to the study tasks, we asked all participants a series of questions about an email message that discussed an upcoming meeting. We used two of these questions, both of which could be answered correctly by a careful reading of the email, to screen out those participants who were not paying attention to the email content. We also asked basic demographic questions (such as occupation and age) so that participants would not be able to easily identify the qualifying questions.

Table 6.1 Participant demographics by condition. There are no statistically significant differences in demographics between conditions.

Characteristic | Control | Popular training materials | Anti-Phishing Phil | PhishGuru cartoon | Anti-Phishing Phil with PhishGuru
Sample size | 218 | 217 | 166 | 201 | 199
Gender: male | 50% | 48% | 54% | 45% | 45%
Gender: female | 50% | 52% | 46% | 55% | 55%
Average age in years | 30 | 30 | 29 | 30 | 31
Education: high school or less | 10% | 8% | 7% | 7% | 8%
Education: some college | 33% | 32% | 37% | 39% | 36%
Education: completed 4-year college degree | 29% | 29% | 30% | 30% | 27%
Education: some post-graduate education | 11% | 12% | 10% | 6% | 10%
Education: master’s or Ph.D. degree | 17% | 19% | 16% | 18% | 17%
Percentage from US | 74% | 71% | 73% | 78% | 80%
Percentage students | 25% | 26% | 31% | 20% | 25%
Average years on the Internet | 13 | 12 | 12 | 13 | 13
Average emails per day | 44 | 44 | 32 | 57 | 43

6.2.2 Roleplay

Behavior was measured by performance in a roleplay task, with two equivalent exercises administered before and after training (the order of which was counterbalanced). This task is based on an established roleplay exercise that has been shown to have good internal and external validity [27]. Participants were told to assume the role of Pat Jones, who works at Baton Rouge University and uses the email address [email protected] for both work and personal emails. Each roleplay showed participants fourteen images of emails along with context about Pat Jones that may help to interpret the emails. Images matched the participant’s operating system and browser (e.g. Firefox on a Mac or Internet Explorer on a PC) so that all images and cues would be familiar to the participant. Participants were asked to indicate how they would handle the emails if they received them in their own email inbox, whether that would be forwarding the email to someone else, replying by email, or any other action from a list of responses generated through earlier qualitative work [26]. Table 6.2 details the list of possible responses. The first email was created to familiarize the participant with the procedure. It was a short message from the same domain as Pat’s email address. This message from the BRU Information Security Office announced a scavenger hunt for National Cyber Security month. The participants continued through the roleplay task by viewing a combination of real, phishing, malware and spam email images. Table 6.3 lists a representative sample of the emails that Pat encounters in one of the roleplays. Each email contained a link to a web page (e.g. Figure 6.1), shown with the mouse pointer positioned on the link and the actual URL destination displayed in the status bar, as it would be if users prepared to actually click on the link on their own computer. For individuals who indicated that they would click on the link or otherwise end up at the web page, an image of that web page was displayed.

Figure 6.1 One of the emails that Pat encounters in her email box
Each web page requested information to be entered, and participants were asked to indicate whether they would click on a link on the page, enter the requested information, bookmark the page, visit another related web page, close the website, or take another action. No matter what other actions the user indicated, those who said that they would enter the requested information were coded as having fallen for phishing or as having complied with a legitimate email, depending on the legitimacy of the email in question.

Figure 6.2 The corresponding website is shown when Pat chooses the "click on the link" option in the email.

Table 6.2 List of possible responses for emails in the roleplay survey

- reply by email
- contact the sender by phone or in person
- forward the email to someone else
- delete the email
- keep, save or archive the email
- click on the selected link in the email (the one that the browser hand is pointing to)
- copy and paste the selected URL (the www address) from the email into a web browser, if a URL is selected in this email
- type the selected URL into a web browser, if a URL is selected in this email
- click on a different link in the email (please specify which link(s) you would click on)
- Other (please specify)

6.2.3 Education Materials

Participants were randomly assigned to the control condition or to view one of four types of educational materials on ways to avoid falling for phishing attacks: a PhishGuru cartoon, Anti-Phishing Phil, several popular web-based training materials, or a combination of Anti-Phishing Phil plus a PhishGuru cartoon. For popular web-based training, we selected three consumer-oriented education materials from the first page of Google search results for the keyword "phishing." They are Microsoft Online Safety [89], OnGuardOnline phishing tips [106], and National Consumer League fraud tips [99]. In total, these materials have 3107 words and would take roughly 15 minutes to read at a scanning speed of 250 words per minute.
In the Anti-Phishing Phil conditions, participants were taken through three levels of the game and allowed to exit at any point. For the educational web page conditions, participants were asked at the end of each of three pages whether they would like to read more information or move to the next part of the study. The PhishGuru conditions provided participants with one page of materials, after which participants moved on to the next part of the study. All participants who viewed any of the educational materials were asked how likely they would be to visit that specific educational tool again and how likely they would be to recommend it to someone else, on a scale ranging from 1 (not at all likely) to 7 (extremely likely).

Table 6.3 A representative sample of emails in Pat's inbox from one of the roleplays

Email subject | Legitimacy | Relevant features of email and websites
Earn Bonus Points #1 | real | win a prize in an online scavenger hunt from BRU Information Security Office; link: https://www.bru.edu/iso/aware/ncsam/hunt/bonus
Picture from last weekend's party | possible malware | impersonal greeting; link: http://picasaweb.google.com/stevewulitzer/Partypics/; actual url: http://128.3.72.234/Partypics.jpg.exe
No obligation bankruptcy consultation | spam | text of link: "Apply online now"; actual url: https://www.bankruptcylawyerfinder.com/...
Bandwidth Quota Offer | phishing | misspelling in url and .org domain; link: http://wwwbrubandwithamnesty.org/bandwidth/agree.htm; actual url: same
eBay Accounts Security | phishing | threatens account suspension; link: https://signin.eBay.com/ws/...; actual url: http://www.security-validation-your-account.com/
Your Amazon.com Order (#103-06075556895008) | real | problem with shipping; link: www.amazon.com/help/confirmation; actual url: same
Your eBay item sold! | real | text of link: "Send Invoice Now"; actual url: http://payments.ebay.com/eBayISAPI...
6.2.4 Previous Experiences and Demographics

Along with extensive demographic questions, all participants were asked to complete a series of questions about their online experiences, including their choice of websites for recent purchases, their use of online banking and their prior exposure to anti-phishing educational materials. Participants also indicated any negative consequences, such as having information stolen or compromised in some way after entering it into a web site. Table 6.1 presents basic demographics of the sample.

6.2.5 Knowledge and Technical Background

Knowledge questions asked participants to choose the best definition for four terms related to computer security: 'cookie,' 'phishing,' 'spyware,' and 'virus.' Participants were given the same list of eight possible definitions to choose from for each term, as well as choices to indicate lack of familiarity with the word. Each term had one correct answer on the list. The options were:

1. Something that protects your computer from unauthorized communication outside the network
2. Something that watches your computer and sends that information over the Internet (spyware)
3. Something websites put on your computer so you don't have to type in the same information the next time you visit (cookie)
4. Something put on your computer without your permission, that changes the way your computer works (virus)
5. Email trying to trick you into giving your sensitive information to thieves (phishing)
6. Email trying to sell you something
7. Other software that can protect your computer
8. Other software that can hurt your computer
9. I have seen this word before but I don't know what it means for computers
10. I have never seen this word before
11. Decline to answer
12. Other (please specify)

To assess their technology background, participants were asked whether they had an Information Technology-related degree and any experience with programming languages, and they self-rated how technologically savvy they were on a scale ranging from 1 (not at all savvy) to 7 (extremely savvy).

6.2.6 Risk Perceptions

To evaluate participants' risk perceptions, we presented them with a series of statements taken from the Domain-Specific Risk-Taking scale for adult populations (DOSPERT) [13], drawing on the categories of financial risk and health & safety risk. These questions asked participants to rate the risk associated with statements such as betting a day's income at the horse races and riding a motorcycle without a helmet, on a scale ranging from 1 (not at all risky) to 7 (extremely risky).

6.3 Results

6.3.1 Measuring User Performance

We measured participants' susceptibility to phishing by examining two kinds of errors before and after the education interventions: falling for phish and false positives. A false positive occurs when a legitimate email or website is mistakenly judged to be a phish and the user refuses to take the desired action. Falling for phish occurs when a phishing email or website is incorrectly judged to be legitimate and the user clicks on the link in the email and submits information to the website. In our analysis, we count falling for phishing as giving information to a phishing website, unlike previous studies that have used the close correlate of clicking on links in phishing emails. In previous studies and in this one, around 90% of the participants who clicked on the phishing link went on to give information to the phishing website [68, 69]. We used giving information to phishing sites as the stricter measure of falling for phishing.

6.3.2 Regression Analysis

To explore factors that predict phishing susceptibility, we performed a multivariate linear regression.
This section explains the steps we took to build the model and discusses the results of the linear regression. We used factor analysis to reduce the dimensionality of our variables on participants' online experience (eight variables), participants' technical knowledge and experience (five variables), and participants' risk perception (12 variables). The factor analysis, using principal components with varimax rotation, reduced our list of variables from 40 to 22. We then ran the regression predicting falling for phish from the 22 variables. In Table 6.4, we report the variables that are statistically significant at p <= 0.01.

Table 6.4 Regression analysis with parameters that are significant at p < 0.01

Model parameter | Standardized coefficient
Ever seeing information on avoiding phish before this test | .19
Gender | .14
Age | -.12
Participants' technical knowledge | -.10
Risk perception of financial investment | -.08

Participants' degree of prior experience with phishing education significantly predicts how much phishing they will fall for (B = 0.189, p < 0.01). Participants who had seen training material before (56.6% of all participants) fell for 2.4 phishing websites (40%), whereas those who had not seen training before fell for 3.6 phishing websites (60%), t = -9.02, p < 0.001. This factor had the largest impact on phishing susceptibility, suggesting that exposure to education may play a larger role than other important factors. Women fall for more phish than men (B = 0.140, t = 3.98, p < 0.01), an average of 53.1% of phishing emails compared to just 41% for men, t(981) = -5.48, p < 0.001. We explore reasons for women's greater susceptibility in the next section. Participants' age linearly predicts their susceptibility to phishing (B = -0.116, p < 0.01).
An analysis of variance (ANOVA) comparing age groups found a significant overall effect, F(4, 996) = 9.65, p < 0.001, driven by participants aged 18 to 25 falling for phishing more than other age groups (all post-hoc tests comparing this group to the other groups were significant at p < .01; no other groups differed significantly from one another).

Participants' self-rated knowledge about technology also significantly predicts whether they will fall for phishing. For each standard deviation increase in the tech knowledge score, participants fell for [how many: raw number] fewer phish (3.6%). Finally, participants' risk aversion, as measured by reactions to the risks of financial investments, also predicts whether they will fall for phishing. The more risk-averse a participant is, the less likely he or she is to fall for phish. For each standard deviation increase in their risk perception score, participants fell for [how many: raw number] fewer phish (2.8%).

6.3.3 Gender and Falling for Phish

To better understand why women appear to be more susceptible to phishing, we examined clicking on phish, giving information to phish, clicking on legitimate URLs, and giving information to legitimate websites with respect to gender. We found that, before training, women were more likely than men to click on phishing links and to enter information on phishing websites. On average, women clicked on 54.7% of phishing emails, compared to just 49% for men, t(981) = 2.69, p < 0.01. After clicking on a phishing link, women continued on to give information to the corresponding phishing website 97% of the time, compared to 84% for men, t = 5.42, p < 0.001. This further exacerbates the gender difference in clicking on links. These results are consistent with previous real-world phishing studies [67], in which 52.3% of participants clicked on the simulated spear phishing emails the researchers sent and 40.1% subsequently gave information to phishing sites.
The similarity of our results suggests the validity of the roleplay survey instrument.

In an attempt to explain these gender effects, we did a mediation analysis using all the key predictors as potential mediators. Mediation analysis explains "how" an effect occurred by hypothesizing a causal sequence. The basic mediation model is a causal sequence in which the independent variable (X) causes the mediator(s) (M), which in turn cause the dependent variable (Y), thereby explaining how X had its effect on Y [76, 77]. Mediational processes are common in basic and applied psychology.

Figure 6.3 Mediation of the effect of gender on falling for phishing through participants' tech knowledge and tech training. [Path diagram: sex -> tech training 0.49**, tech training -> falling for phish 0.23**; sex -> tech knowledge -0.71**, tech knowledge -> falling for phish -0.25**; total effect 0.72**, direct effect 0.43**.]

Table 6.5 Mediation analysis for gender. Each path is quantified with unstandardized regression coefficients. The direct effect of gender on phishing susceptibility (measured by the number of phishing websites participants gave information to) is calculated as the total effect minus the effect through each of the mediators, where each indirect effect is the product of the coefficients along its path.

Effect | Point estimate | 95% percentile CI lower | 95% percentile CI upper
Total effect of gender on falling for phishing | 0.72 | |
Total effect of all mediators | 0.29 | 0.18 | 0.42
tech knowledge | 0.17 | 0.10 | 0.27
tech training | 0.12 | 0.02 | 0.21

We used the multiple mediator model developed by Preacher and Hayes [63] for our mediation analysis. For gender, we used tech knowledge and tech training as mediators; our hypothesis is that women have less technical experience than men and therefore fall for phishing more. We report the mediation statistics in Table 6.5, and Figure 6.3 shows the results of the analysis, which are consistent with the hypothesis.
As shown in Figure 6.3, the effect of being female on falling for phishing drops from a total effect of 0.72, p < 0.01, to a direct effect of just 0.43, p < 0.01. The difference between these effects represents the total indirect effect through the two mediators, with a point estimate of 0.29 and a 95% CI of 0.18 to 0.42 (see Table 6.5). Thus, women in our study have less technical training and less technical knowledge than men, which appears to partially account for their greater susceptibility to phishing. The mediation is only partial, as the direct effect is still statistically significant. This partiality suggests that there are other factors not captured by our survey instruments; these factors might be explored in future work.

We included several other predictors that did not mediate this relationship. For example, women may fall for phishing more because they have fewer opportunities or are less motivated to learn about phishing. However, prior exposure to phishing education did not turn out to be a significant mediator. In fact, in our sample, more women than men claimed to have seen phishing education before the study. Neither income nor education was a significant mediator of the effect of gender on phishing susceptibility. Other factors that we did not measure might explain the remaining tendency for women in our study to be more susceptible to phishing than men. Factors that may be worth further exploration include differences in the way men and women use the Internet, differences in the way men and women make trust decisions, and differences in the tendency of men and women to be cooperative or to comply with instructions.

6.3.4 Age and Falling for Phish

As described above, people in the 18 - 25 age group were more likely to fall for phish than people of other ages. We used the multiple mediator model to determine why younger people fall for phishing more frequently.
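The decomposition behind Figure 6.3 and Table 6.5 (direct effect = total effect minus the sum of the a × b path products), which the age analysis in Table 6.6 reuses, as an added Python example that is not code from the dissertation: it reproduces the table arithmetic from the printed coefficients, then estimates the same quantities by OLS on a constructed sample and bootstraps a percentile interval for the indirect effect. The sample, its noise levels and the seed are assumptions.

```python
"""Decomposing a mediated effect the way Figure 6.3 and Table 6.5 do.

Added example, not code from the dissertation: decompose() reproduces the
table arithmetic from the printed path coefficients, mediation() estimates
the same quantities from raw data with OLS, and bootstrap_ci() gives the
percentile interval for the indirect effect (Preacher and Hayes style).
"""
import random


def solve(a, b):
    """Solve the square linear system a x = b by Gauss-Jordan elimination."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(predictors, y):
    """OLS via the normal equations; returns [intercept, b1, b2, ...]."""
    cols = [[1.0] * len(y)] + list(predictors)
    xtx = [[sum(p * q for p, q in zip(ci, cj)) for cj in cols] for ci in cols]
    xty = [sum(p * q for p, q in zip(ci, y)) for ci in cols]
    return solve(xtx, xty)


def decompose(total_effect, paths):
    """Table 6.5 arithmetic: direct = total - sum of a_i * b_i over mediators.

    paths: (a, b) pairs, a = X -> mediator coefficient, b = mediator -> Y.
    """
    indirect = [a * b for a, b in paths]
    return {"indirect": indirect, "total_indirect": sum(indirect),
            "direct": total_effect - sum(indirect)}


def mediation(x, mediators, y):
    """Effects of x on y from raw data; total = direct + sum(a_i*b_i) exactly."""
    total = ols([x], y)[1]
    a_paths = [ols([x], m)[1] for m in mediators]
    full = ols([x] + list(mediators), y)
    indirect = [a * b for a, b in zip(a_paths, full[2:])]
    return {"total": total, "direct": full[1], "indirect": indirect,
            "total_indirect": sum(indirect)}


def bootstrap_ci(x, mediators, y, resamples=200, alpha=0.05, seed=1):
    """Percentile bootstrap interval for the total indirect effect."""
    rng = random.Random(seed)
    n = len(y)
    stats = []
    for _ in range(resamples):
        idx = [rng.randrange(n) for _ in range(n)]
        est = mediation([x[i] for i in idx],
                        [[m[i] for i in idx] for m in mediators],
                        [y[i] for i in idx])
        stats.append(est["total_indirect"])
    stats.sort()
    return (stats[int(alpha / 2 * resamples)],
            stats[int((1 - alpha / 2) * resamples) - 1])


def simulate(n=2000, seed=7):
    """Constructed sample (not the study's data) wired with Figure 6.3's paths.

    female = 1; the tech-training score keeps the page's coding (higher means
    less training), so its path from female is positive.  Noise is assumed.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        f = float(rng.random() < 0.5)
        tr = 0.49 * f + rng.gauss(0.0, 0.5)            # a1 = 0.49
        kn = -0.71 * f + rng.gauss(0.0, 1.0)           # a2 = -0.71
        ph = (3.0 + 0.43 * f + 0.23 * tr - 0.25 * kn   # direct 0.43, b1, b2
              + rng.gauss(0.0, 1.5))
        rows.append((f, tr, kn, ph))
    female, training, knowledge, phish = (list(c) for c in zip(*rows))
    return female, [training, knowledge], phish


if __name__ == "__main__":
    page = decompose(0.72, [(0.49, 0.23), (-0.71, -0.25)])
    print("Figure 6.3: indirect %.2f, direct %.2f"
          % (page["total_indirect"], page["direct"]))
    x, meds, y = simulate()
    est = mediation(x, meds, y)
    lo, hi = bootstrap_ci(x, meds, y)
    print("Constructed: total %.2f, direct %.2f, indirect %.2f (95%% CI %.2f to %.2f)"
          % (est["total"], est["direct"], est["total_indirect"], lo, hi))
```

Because the fitted sample is wired with the page's own path values, the recovered total, direct and indirect effects land near 0.72, 0.43 and 0.29 up to sampling noise, and the bootstrap interval brackets the indirect estimate as the percentile intervals in Table 6.5 do.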
We report the mediation statistics in Table 6.6 and Figure 6.4. Taken as a set, participants' prior exposure to phishing education, number of years on the Internet, financial risk perception, and education mediate the effect of age on falling for phishing.

Figure 6.4 Mediating the effect of age with prior exposure to training, education, years on the Internet and risk perception for financial investment. Each of the paths is quantified with unstandardized regression coefficients. [Path diagram: age bracket -> falling for phish through the mediators "Exposed to training before", "Education", "Years on Internet" and "financial_risk_investing"; total effect 0.34**, direct effect 0.12 (not significant).]

Table 6.6 Total effect of age on falling for phishing and the effects of the various mediators that are statistically significant at p < 0.01.

Effect | Point estimate | 95% percentile CI lower | 95% percentile CI upper
Total effect of age on falling for phishing | 0.34 | |
Total effect of all mediators | 0.23 | 0.16 | 0.29
Prior exposure | 0.08 | 0.04 | 0.12
years on Internet | 0.08 | 0.03 | 0.13
education | 0.05 | 0.02 | 0.08
risk financial investing | 0.02 | 0.00 | 0.04

As can be seen in Figure 6.4, the total effect of age on falling for phishing fell from 0.34, p < 0.01, to a direct effect of 0.12 (not significant). The difference between the total and direct effects is the total indirect effect through the four mediators, with a point estimate of 0.23 and a 95% CI of 0.16 to 0.29 (see Table 6.6). Because younger people have a lower level of education, fewer years of experience with the Internet, less exposure to training material, and less aversion to financial risk, they tend to be more susceptible to phishing.

6.3.5 Effects of Education

All of the training materials we tested reduced participants' tendency to click on phishing links in emails by 13-17 percentage points. There is no statistical difference between the education materials, F(3,779) = 1.28, p = 0.28.
The control group, which received no training during the study, showed no statistically significant improvement between the first and second roleplay. We also did not find that the ordering of the knowledge survey affected users' performance, so in our analysis we collapsed across orders. All training materials reduced participants' tendency to enter information into phishing webpages by about 16-21 percentage points, and there is no statistically significant improvement for the control group. Anti-Phishing Phil, the PhishGuru cartoon and Anti-Phishing Phil with the PhishGuru cartoon did not decrease participants' tendency to click on legitimate links and go to legitimate websites. However, in the popular training condition, participants' tendency to click on legitimate links was slightly reduced, t(216) = 2.01, p < 0.05, suggesting that improvements in avoiding phish may merely reflect an avoidant strategy and not better detection.

Since the various education materials performed similarly in reducing falling for phishing, we combined all the training conditions to study the effect of education in bridging the demographic gaps. Before the training, participants on average fell for 2.8 phishing websites out of 6, or 47%. After the training, this number was reduced to 1.6 out of 6, or 26%, a 21 percentage point improvement or a 42% relative improvement. In terms of demographics, we found that women learned more than men during the training about avoiding phishing links (t(767) = 5.63, p < 0.01); after training, women and men performed equally well in not clicking on phishing links in emails (t(767) = -0.05, p = 0.96). In entering information into phishing sites, women and men learned similarly (t(767) = -1.51, p = 0.13). Women's higher rate of entering this information before the training carried over, and they still fell for more phish after the training than men (t(767) = -4.22, p < 0.001).
Finally, people of different age groups learned similarly in training, leaving no statistical difference between age groups' performance increase, F(4,778) = 1.66, p = 0.16. Participants between ages 18 and 25 were the most susceptible group in the pretest, and they remained more susceptible to phishing in the posttest. People in different education groups also learned similarly, F(5,763) = 1.4, p = 0.20. We also found no significant effect for education or race.

We also analyzed the amount of time users spent on the education materials. We found that users in the game conditions (Anti-Phishing Phil alone and Anti-Phishing Phil with the PhishGuru cartoon) spent the longest time, averaging 8.6 minutes. Although the popular education materials were designed to take as long as the game condition, users spent only 1.8 minutes on them on average (Table 6.7).

Table 6.7 Time users spent on education materials

Education material | Estimated time a user would spend | Average time users spent
Popular training materials | 12 min | 1.80 min (SD = 2.09)
Anti-Phishing Phil | 10 min | 8.68 min (SD = 5.70)
PhishGuru Cartoon | 2 min | .50 min (SD = 1.05)
Anti-Phishing Phil with PhishGuru Cartoon | 12 min | 8.55 min (SD = 5.50)

6.4 DISCUSSION

6.4.1 Limitations

There are several limitations to the current study. First, the sample was drawn from mTurk users and is not expected to be representative of the larger population of email users. Our sample of mTurk users tends to be younger, more educated and more tech savvy than the general public. A second limitation of this study is the lack of direct consequences for user behavior. Participants might be more willing to engage in risky behavior in this roleplay if they feel immune to any negative outcomes that may ensue. Similarly, participants are not risking opportunity costs from being too conservative in their behavior.
However, performance on this roleplay has been validated against real-world behavior, showing that, if anything, people are more conservative in their roleplay responses than they are with their actual email inboxes [121]. Furthermore, there is no reason to believe that the predictors described here should differ in their relationship to roleplay behavior compared to real-world behavior.

6.4.2 Summary of findings

Prior exposure to phishing education is associated with less susceptibility to phishing, suggesting that phishing education may be an effective tool. Also, more risk-averse participants tended to fall for fewer phish. Gender and age are two key demographics that predict phishing susceptibility. Specifically, women click on links in phishing emails more often than men do, and are also much more likely than men to go on to give information to phishing websites. In part, this appears to be because women have less technical training and less technical knowledge than men. There is also a significant effect for age, in which participants aged between 18 and 25 are much more likely than others to fall for phishing. This group appears to be more susceptible because participants in this age group have a lower level of education, fewer years on the Internet, less exposure to training materials, and less aversion to risk. Educators can bridge this gap by providing anti-phishing education to high school and college students.

All the education materials in our study reduce users' tendency to enter information into phishing webpages by about 16-21 percentage points. However, some education material decreased participants' tendency to click on legitimate links; this suggests that educators need to do a better job of teaching people how to distinguish phish from non-phish so that they avoid false positives.
Demographics such as age, gender, race, and education do not affect the amount of learning, suggesting that training can provide some benefit for all groups if they are provided with the right materials. Although the 46% reduction in phishing susceptibility after training is substantial, even after training participants fell for 26% of the phishing messages in our roleplay. This finding shows that education is effective and needed but is not a cure-all. In our study, 61% of the U.S. participants had seen phishing education before; the task for the various stakeholders is to reach out to the 39% of the population who have not been exposed to training. However, even with the best educational materials, participants in our study still fell for around 28% of phish after training. Women and younger populations such as college students are especially vulnerable. These findings show that education should be complemented with other countermeasures such as filtering and law enforcement.

6.4.3 Role of education

As phishing continues to evolve, what is the role of education in combating it? Specifically, what problems can education solve, and how does education fit into a layered approach to combating phishing? We discuss these questions in the concluding section of this chapter. Generally speaking, strategies for protecting people from phishing fall into three major categories: silently eliminating the threat, warning users about the threat, and training users not to fall for attacks. These categories of anti-phishing strategy mirror the three high-level approaches to usable security: build systems that "just work" without requiring intervention on the part of users, make security intuitive and easy to use, and teach people how to perform security-critical functions [19]. Our view is that these three approaches should complement each other.
Today, the majority of phishing emails are filtered at email gateways, and going forward more effort is needed to filter as many phishing emails as possible, as quickly as possible, and with as few false positives as possible. Without this first layer of defense, even the best-educated users would be inundated with phishing messages that could paralyze their decision-making. It is also important to strengthen browser, OS, and application security. Since it would be very difficult even for experts to notice a compromised browser URL bar, user education would do little to alleviate that problem. In the same vein, users' computers can be infected with malware without any user action. As a result, where possible, the first layer of defense should always be automated solutions that filter phishing and raise the default security offered to users' computers and web applications.

However, we also need to acknowledge that these systems are not completely accurate in detecting phishing attacks. It is unlikely that any system will ever be completely accurate in detecting phishing attacks, especially when detection requires knowledge of contextual information. While it makes sense to use automated detection systems as one line of defense against semantic attacks, there will still remain many kinds of trust decisions that users must make on their own, usually with limited or no assistance. Thus, the second line of defense is to develop a complementary approach to support users so that they can make better trust decisions. There are two options for this approach: teach people not to fall for phish, or build easy-to-use software and interfaces that prevent users from falling for phishing. User education is low-hanging fruit. In our study, 61% of the U.S. participants had seen phishing education before, and those who had seen education on average fell for 40-50% less phishing.
Therefore, efforts to reach out to the 39% of the population who have not been exposed to training would be likely to quickly reduce phishing susceptibility. Finally, user education has its limits as well. Even with the best educational materials, participants in our study still fell for around 28% of phish after training. Women and younger populations such as college students are especially vulnerable. Therefore, the last layer of defense is to build easy-to-use software and interfaces. Examples such as integrated web browser warnings [29] and foolproof phishing solutions [108] are promising.

Appendix

Table 6.8 Emails in Pat Jones' inbox: Roleplay A

Email | Legitimacy | Relevant features of email and sites
contest | real | Win a prize in an online scavenger hunt from BRU Information Security Office; link: https://www.bru.edu/iso/aware/ncsam/hunt/bonus
National City | real | Pat has an account; text of link: "view your statement"; actual url: http://www.nationalcity.com/statements
party | possible malware | impersonal greeting; link: http://picasaweb.google.com/stevewulitzer/Partypics/; actual url: http://128.3.72.234/Partypics.jpg.exe
verify email account | phishing | threatens account deactivation; asks for password in text of email; no link in email
bankruptcy | spam | text of link: "Apply online now"; actual url: https://www.bankruptcylawyerfinder.com/
bandwidth | phishing | misspelling in url; link: http://wwwbrubandwithamnesty.org/bandwidth/agree.htm; actual url: same
eBay | phishing | threatens account suspension; link: https://signin.eBay.com/ws/eBayISAPI.dll...; actual url: http://www.security-validation-your-account.com/...
Amazon | real | problem with shipping; link: www.amazon.com/help/confirmation; actual url: same
National City | phishing | system upgrade; link: http://service-nationcity.org; actual url: http://210.7.78.331/SITE/natcity/
summary report | real | sender from bru.edu and in Pat's address book; summaryreport.doc attached
help desk | phishing | threatens account termination; link: http://bruwebmail.org/password/change.htm; actual url: same
eBay | real | text of link: "Send Invoice Now"; actual url: http://payments.ebay.com/eBayISAPI...
networking | phishing | .org domain; link: http://batonrougenetworking.org/summer09/register.html; actual url: same
As seen on Television | spam | dot com written out in email text

Table 6.9 Factor analysis for various Internet experience variables. Rotation method: Varimax with Kaiser normalization. Rotation converged in 5 iterations.

Rotated component matrix

Variable | Component 1 | Component 2 | Component 3 | Component 4
purchased anything on the web | .804 | .024 | -.057 | -.039
online banking: ever used online banking | .258 | .842 | -.136 | -.027
bills online: ever paid bills online | -.177 | .885 | .070 | .113
credit card stolen: ever happen | .339 | .115 | .168 | .670
ssn stolen: ever happen | .240 | .086 | .810 | .081
info stolen: ever happen | .284 | .162 | -.705 | .120
lose money: did you permanently lose money | -.113 | -.009 | -.147 | .832
paypal account: ever had a paypal account | .754 | .020 | .049 | .140

The resulting factors are (1) "web purchase experience" (averaging purchasing on the web and whether the participant had a PayPal account); (2) "online banking", averaging ever used online banking and ever paid bills online; (3) "ssn stolen", that is, whether they had their SSN stolen; and (4) "creditcard stolen", which averages credit card stolen and ever lost money.

Table 6.10 Factor analysis for the technical background variables. Rotation method: Varimax with Kaiser normalization. Rotation converged into two factors in five iterations.

Rotated component matrix

Variable | Component 1 | Component 2
programming languages | -.254 | .733
technology spectrum | .850 | -.170
tech savvy | .820 | -.288
security preference adjusted | -.569 | .032
computers daily | -.153 | .376
IT degree | .047 | .861

The resulting factors are (1) "tech knowledge", averaging technology spectrum and tech savvy, and (2) "tech training", averaging programming languages and IT degree (for tech training, lower numbers mean more training).

Table 6.11 Principal component analysis for the risk perception variables. Rotation method: Varimax with Kaiser normalization. Rotation converged in 5 iterations.

Rotated component matrix

Risk item | Component 1 | Component 2 | Component 3
Betting a day's income at the horse races | .083 | .901 | .059
Investing 10% of your annual income in a moderate growth mutual fund | -.008 | -.030 | .701
Drinking heavily at a social function | .446 | .415 | -.042
Betting a day's income at a high stake poker game | .132 | .911 | .058
Investing 5% of your annual income in a very speculative stock | .051 | .082 | .829
Betting a day's income on the outcome of a sporting event | .140 | .894 | .129
Engaging in unprotected sex | .628 | .179 | -.045
Driving a car without wearing a seat belt | .800 | .062 | .019
Investing 10% of your annual income in a new business venture | .154 | .142 | .764
Riding a motorcycle without a helmet | .681 | .120 | .218
Sunbathing without sunscreen | .755 | .042 | .068
Walking home alone at night in an unsafe area of town | .740 | .065 | .073

Table 6.12 Regression statistics

Model summary
Model | R | R Square | Adjusted R Square | Std. Error of the Estimate
1 | .440 | .194 | .174 | 1.90464

ANOVA (dependent variable: pre test phish giveinfo)
Model 1 | Sum of Squares | df | Mean Square | F | Sig.
Regression | 799.840 | 22 | 36.356 | 10.022 | .000
Residual | 3330.196 | 918 | 3.628 | |
Total | 4130.036 | 940 | | |

Table 6.13 Complete list of variables for regression. Statistics are M and SD for numeric variables; otherwise counts per response level, in the order the levels are listed.

Variable | Description | Statistics
age numeric | What is your age? | M = 30.1, SD = 10.6
sexsurvey | What is your gender? 1 = Male, 0 = Female | 475 / 508
education recode | What is your highest education? 1 = High school or less, 2 = Some college, 3 = Completed 4-year college degree, 4 = Some post-graduate education, 5 = Have masters or Ph.D degree, 6 = Decline to answer | 79 / 349 / 284 / 97 / 169 / 5
OCCU student | Are you currently a student? 1 = YES, 0 = NO | 247 / 736
hispanic | Are you Hispanic? 1 = YES, 2 = NO | 66 / 842
racewhite | What's your race (white or Caucasian)? 1 = YES, 2 = NO | 641 / 342
countryindia | Do you currently reside in India? 1 = YES, 2 = NO | 145 / 838
countryusa | Do you currently reside in the US? 1 = YES, 2 = NO | 739 / 244
income | What is your annual household income? 1 = < $20,000, 2 = $20,000 - $39,000, 3 = $40,000 - $59,000, 4 = $60,000 - $79,000, 5 = $80,000 - $99,000, 6 = > $100,000, 7 = Decline to answer | 203 / 196 / 181 / 99 / 74 / 74 / 156
avoidphish | Have you ever seen information to avoid phish before this study? 1 = YES, 1.5 = NOT SURE, 2 = NO | 556 / 85 / 342
computersdaily | Do you use computers daily? 1 = YES, 2 = NO | 867 / 116
emailperday numeric | On average, how many emails do you receive a day? | M = 44, SD = 81
tech knowledge | Tech knowledge scale from factor analysis (1 - 7) | M = 5.3, SD = 1.2
tech training | Tech training scale from factor analysis (1 - 2) | M = 1.7, SD = 0.36
risk health safty | How do you perceive the following risks (1 - 7)? | M = 5.5, SD = 1.0
risk financial betting | How do you perceive the following risks? | M = 5.8, SD = 1.3
risk financial investing | How do you perceive the following risks? | M = 4.1, SD = 1.1
magcomputer | What magazines do you frequently read (computers and electronics)? 1 = YES, 2 = NO | 335 / 648
internet numeric | In what year did you first use the Internet? | M = 1996, SD = 3.7
online banking | Online banking scale from factor analysis (1 - 2) | M = 1.17, SD = 0.33
creditcard stolen | Have you ever had your credit card stolen online? 1 = YES, 1.5 = NOT SURE, 2 = NO | 34 / 25 / 924
web purchase | Web purchase experience scale from factor analysis (1 - 2) | M = 1.12, SD = 0.27

Table 6.14 Complete output of the regression analysis

Model 1 | B | Std. Error | Beta | t | Sig.
(Constant) | -90.519 | 40.864 | | -2.215 | .027
age numeric | -.023 | .007 | -.116 | -3.142 | .002
sexsurvey | .586 | .148 | .140 | 3.964 | .000
education | -.126 | .053 | -.080 | -2.391 | .017
OCCU student | -.090 | .170 | -.019 | -.533 | .594
hispanic | .068 | .173 | .012 | .390 | .697
racewhite | -.324 | .162 | -.074 | -2.005 | .045
countryindia | .074 | .292 | .012 | .253 | .801
countryus | .018 | .222 | .004 | .080 | .936
income | -.060 | .031 | -.060 | -1.942 | .052
avoidphish | .851 | .147 | .189 | 5.787 | .000
computersdaily | .100 | .201 | .015 | .495 | .621
emailperday numeric | -.002 | .001 | -.073 | -2.324 | .020
tech knowledge | -.173 | .061 | -.103 | -2.840 | .005
tech training | .496 | .208 | .085 | 2.388 | .017
risk health safty | .103 | .067 | .050 | 1.530 | .126
risk financial betting | .110 | .054 | .067 | 2.055 | .040
risk financial investing | -.153 | .061 | -.080 | -2.518 | .012
magcomputer | .213 | .156 | .048 | 1.366 | .172
internet numeric | .046 | .020 | .083 | 2.275 | .023
online banking | -.084 | .222 | -.013 | -.377 | .706
creditcard stolen | -.102 | .324 | -.010 | -.315 | .753
web purchase | -.250 | .287 | -.032 | -.871 | .384

Chapter 7 Conclusions

As phishing and related crimeware continue to evolve, what should the US government's role be? In the concluding chapter of this thesis, we answer this question based on our analysis of the interests of phishing stakeholders, experts' recommendations, and insights from case studies. We discuss several measures that the US government can take to combat phishing.

First, experts in our study agreed that catching criminals would provide a strong deterrent, as it shows the determination and capability of law enforcement.
However, in our interviews with law enforcement, we found that they face three major challenges: a lack of the analytical capabilities needed to determine investigative priorities (including qualified investigators and software tools), the international nature of the crime, and the sophistication with which criminals hide their traces. To address the first challenge, we recommend that the US government invest in tools for better case management and better digital evidence processing. To attract more talent, the US government could provide incentives to recruit from top computer science programs around the country for digital forensics and analysis, possibly through expansion of the DHS scholarship program. To address the second challenge, the international nature of the crime, we recommend that the US government fund international operations and facilitate communication and connections among law enforcement agencies in different countries. To address the third challenge, we recommend that the US government facilitate greater information sharing between law enforcement and industry.

Second, botnets are a major piece of crimeware infrastructure and have greatly enabled spamming and phishing operations. Our analysis shows that Internet service providers, who are in the best position to address this issue, do not have enough incentive to do so. In the short run, we recommend that the US government institute a notice and takedown regime that requires ISPs or upstream providers to disconnect bot command and control servers once they are identified. Such a policy would relieve ISPs of potential liability and would apply to all ISPs equally. It is not wise for the government to set standards requiring ISPs to clean up compromised machines, as current methods are costly and yield little benefit unless a majority of the compromised machines are fixed.
To secure this key piece of infrastructure, the government can also leverage some of the technologies used in national defense and apply them to securing ISP networks. In the long term, research is needed on automatically cleaning compromised machines. Finally, fixing botnets in the US alone is unlikely to solve the problem, as there are compromised machines overseas as well. To address this, the relevant US government agencies need to establish close working relationships with other countries to share intelligence on botnets.

Third, experts in our study agreed that better statistics about phishing and related electronic crime are necessary for law enforcement to set priorities and for corporations to manage their security risks better. However, as of today little accurate statistical information exists, because financial institutions are not required to report losses and have little incentive to do so; as a result, loss estimates differ by orders of magnitude. To correct this misalignment of incentives, we recommend that the US government institute mandatory reporting.

Fourth, our case study showed that the window of opportunity for defenders is limited, as close to half of the phishing campaigns lasted less than 2 hours. Although heuristics are a key part of the solution, experts in our study pointed to major legal issues with false positives that hinder their use. However, in our case study we found that the group of heuristics we tested yielded extremely low false positive rates. We therefore conclude that it is the fear of false positives, not actual false positives, that is hindering the adoption of heuristics. We recommend that legislators step in to clarify the legal issues surrounding false positives, and provide incentives such as safe harbor legislation.

Fifth, experts in our study disagreed on the effectiveness of user education.
In our mTurk study and other studies, we showed that the best current education materials can reduce the number of people falling for phishing by 40-50%. This finding shows that education is effective and needed, but it is not a cure-all. In our study, 61% of the US participants had seen phishing education before; the task for the various stakeholders is to reach the 39% of the population who have not been exposed to training. However, even with the best educational materials, participants in our study still fell for around 28% of phish after training. Women and younger populations such as college students are especially vulnerable. These findings show that education should be complemented with other countermeasures such as filtering and law enforcement.

Last but not least, we detailed the recommendations that various stakeholders should adopt to better fight phishing, as summarized in Table 7.1. By implementing these measures, we can drastically reduce phishing and other related electronic crimes that use the same infrastructure.
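The claims above about who is most susceptible (age, gender, prior exposure to anti-phishing information, technical knowledge) rest on the regression reported in Tables 6.12 and 6.14. The following script is an added check, not part of the thesis: it transcribes the printed numbers, re-derives the model summary and ANOVA statistics from the sums of squares and degrees of freedom, and verifies every row of the coefficient table by testing whether the reported t lies in the range of B / Std. Error that is compatible with three-decimal rounding and whether the reported Sig. matches a two-sided p-value for that t. Two assumptions are built in and labelled in the code: the printed B and Std. Error are rounded to three decimals, and with 918 residual degrees of freedom a standard normal tail is used in place of Student's t (the difference is below the table's precision).

```python
"""Consistency check of the regression in Tables 6.12 and 6.14.

Added example, not part of the thesis. The numbers below are transcribed
from the two tables; everything else is recomputed from them.
"""
import math

# Table 6.12 (ANOVA): sums of squares and degrees of freedom.
SS_REGRESSION = 799.840
SS_RESIDUAL = 3330.196
DF_REGRESSION = 22       # number of predictors
DF_RESIDUAL = 918

# Table 6.14: (predictor, B, Std. Error, reported t, reported Sig.)
COEFFICIENTS = [
    ("(Constant)",              -90.519, 40.864, -2.215, .027),
    ("age numeric",               -.023,   .007, -3.142, .002),
    ("sexsurvey",                  .586,   .148,  3.964, .000),
    ("education",                 -.126,   .053, -2.391, .017),
    ("OCCU student",              -.090,   .170,  -.533, .594),
    ("hispanic",                   .068,   .173,   .390, .697),
    ("racewhite",                 -.324,   .162, -2.005, .045),
    ("countryindia",               .074,   .292,   .253, .801),
    ("countryus",                  .018,   .222,   .080, .936),
    ("income",                    -.060,   .031, -1.942, .052),
    ("avoidphish",                 .851,   .147,  5.787, .000),
    ("computersdaily",             .100,   .201,   .495, .621),
    ("emailperday numeric",       -.002,   .001, -2.324, .020),
    ("tech knowledge",            -.173,   .061, -2.840, .005),
    ("tech training",              .496,   .208,  2.388, .017),
    ("risk health safety",         .103,   .067,  1.530, .126),
    ("risk financial betting",     .110,   .054,  2.055, .040),
    ("risk financial investing",  -.153,   .061, -2.518, .012),
    ("magcomputer",                .213,   .156,  1.366, .172),
    ("internet numeric",           .046,   .020,  2.275, .023),
    ("online banking",            -.084,   .222,  -.377, .706),
    ("creditcard stolen",         -.102,   .324,  -.315, .753),
    ("web purchase",              -.250,   .287,  -.871, .384),
]


def anova_summary(ss_reg=SS_REGRESSION, ss_res=SS_RESIDUAL,
                  df_reg=DF_REGRESSION, df_res=DF_RESIDUAL):
    """Recompute the model summary and ANOVA statistics from SS and df."""
    ss_total = ss_reg + ss_res
    ms_reg, ms_res = ss_reg / df_reg, ss_res / df_res
    n = df_reg + df_res + 1                  # observations = total df + 1
    r2 = ss_reg / ss_total
    return {
        "n": n,
        "ms_regression": ms_reg,
        "ms_residual": ms_res,
        "F": ms_reg / ms_res,
        "R2": r2,
        "adj_R2": 1 - (1 - r2) * (n - 1) / df_res,
        "std_error": math.sqrt(ms_res),      # std. error of the estimate
    }


def two_sided_p(t):
    """Two-sided p-value for t using the standard normal tail.

    Assumption: with 918 residual df, Student's t and the normal agree to
    better than the three decimals printed in the table.
    """
    return math.erfc(abs(t) / math.sqrt(2))


def t_interval(b, se, places=3):
    """Range of B / SE compatible with B and SE rounded to `places` decimals."""
    h = 0.5 * 10 ** -places
    if se - h <= 0:
        raise ValueError("standard error too small for the stated rounding")
    corners = [(b + db) / (se + dse) for db in (-h, h) for dse in (-h, h)]
    return min(corners), max(corners)


def check_coefficients(rows=COEFFICIENTS, places=3, p_tol=0.0015):
    """Return rows whose reported t or Sig. is inconsistent with B / SE."""
    h = 0.5 * 10 ** -places                  # the reported t is itself rounded
    bad = []
    for name, b, se, t_rep, p_rep in rows:
        lo, hi = t_interval(b, se, places)
        t_ok = lo - h <= t_rep <= hi + h
        p_ok = abs(two_sided_p(t_rep) - p_rep) <= p_tol
        if not (t_ok and p_ok):
            bad.append((name, round(lo, 3), round(hi, 3), round(two_sided_p(t_rep), 3)))
    return bad


def significant_predictors(rows=COEFFICIENTS, alpha=0.05):
    """Predictors (constant excluded) whose reported Sig. is below alpha."""
    return [name for name, _, _, _, p in rows if name != "(Constant)" and p < alpha]


if __name__ == "__main__":
    s = anova_summary()
    print("n=%d F=%.3f R2=%.3f adjR2=%.3f SE=%.5f" % (
        s["n"], s["F"], s["R2"], s["adj_R2"], s["std_error"]))
    print("inconsistent rows:", check_coefficients() or "none")
    print("significant at 0.05:", ", ".join(significant_predictors()))
```

Running the script reproduces F = 10.022, R Square = .194, Adjusted R Square = .174 and the standard error of 1.90464 from the ANOVA sums of squares alone, reports no inconsistent rows in Table 6.14, and lists the eleven predictors significant at the 0.05 level, among them age, gender, prior exposure to anti-phishing information (avoidphish) and tech knowledge. The rounding-interval check matters for rows such as emailperday, where a naive -.002 / .001 = -2.0 would wrongly flag the reported t of -2.324.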
Table 7.1 Summary of Recommendations

Stakeholder                          Recommendation
Financial institutions               Produce more accurate estimates of phishing losses and report these statistics
OS vendors                           Continue to secure operating systems by implementing secure coding practices, investing in secure vulnerability patching, and building anti-malware capability directly into the operating system to enhance default security
Web browser vendors                  Continue to improve the performance of integrated browser anti-phishing warning systems in order to catch 85-95% of phishing URLs within an hour after they go online
ISPs                                 Develop or deploy better techniques to quickly identify botnets and proxies, shut down botnet command and control, and clean compromised machines
US Government                        Develop notice and takedown regimes for botnet C&C removal
US Government                        Invest in international cooperation by funding joint operations and facilitating the communication and connection of law enforcement in various countries
US Government                        Invest in tools for better case management and better digital evidence processing; expand the DHS Scholarship program to recruit master's students from top computer science schools
Corporations                         Aggregate fraud data (proxies) and submit it to law enforcement to identify proxies
Various stakeholders                 Focus on improving the security of web applications
Academic researchers and industry    Continue to make education engaging and up to date
Academic researchers and industry    Focus heuristic research on reducing false positives
Legal community                      Clarify the legal issues of the false positives of blacklists and heuristics
Phishing IQ tests measure fear, not ability. Usable Security (USEC’07) (2007). http://usablesecurity.org/papers/anandpara.pdf. [3] A NDERSON , J. R. Rules of the Mind. Lawrence Erlbaum Associates, Inc., 1993. [4] A NDERSON , R., AND M OORE , T. The economics of information security. Science 314, 5799 (2006), 610–613. [5] A NDY PATRIZIO. Symantec readies phishing tion software, august 7, 2006. visited jan 1, http://www.smallbusinesscomputing.com/news/article.php/3624991. protec2009. [6] A NTI -P HISHING WORKING G ROUP. Anti-phishing Practices Recommendations for Registrars. Report, http://www.apwg.org/reports/APWG_RegistrarBestPractices.pdf. Best 2008. [7] A NTI -P HISHING WORKING G ROUP. Global Phishing Survey: Trends and Domain name use in 2H 2008. Report, 2008. http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf. [8] A NTI -P HISHING WORKING G ROUP. What to Website Has Been Hacked by Phishers. http://www.apwg.org/reports/APWG_WTD_HackedWebsite.pdf. Do If Report, Your 2008. [9] AOL P RESS R ELEASE. It’s 3 a.m. – are you checking your email again? july 30, 2008. visited jan 1, 2009. http://corp.aol.com/press-releases/2008/07/it-s-3-am-are-you-checking-your-email-a [10] A PPLE I NC . . New features in safari. http://www.apple.com/safari/features.html#security. 161 [11] ASSOCIATED BANK-CORP V. EARTHLINK, INC. Memorandum and order, 05-c0233-s. http://www.iplawobserver.com/cases/2005-09-14_Associated_Banc_Corp_CDA_Sectio [12] AVANTGARDE. Time to Live on the Network. http://www.avantgarde.com/xxxxttln.pdf. Tech. rep., Avantgarde, 2004. [13] B LAIS , A.-R., AND W EBER , E. U. A domain-specific risk-taking (dospert) scale for adult populations. Judgment and Decision Making 1, 1 (2006), 33–47 KW –. [14] C ALMAN , C. Bigger phish to fry: California’s antiphishing statute and its potential imposition of secondary liability on internet service providers. Richmond Journal of Law and Technology XIII, 1 (2006). [15] C AVUSOGLU , H., AND R AGHUNATHAN , S. 
Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches. Decision Analysis 1, 3 (2004), 131–148. [16] C HOU , N., L EDESMA , R., T ERAGUCHI , Y., AND M ITCHELL , J. C. Client-side defense against web-based identity theft. In Proceedings of The 11th Annual Network and Distributed System Security Symposium (NDSS ’04). (2004). [17] C LOUDMARK I NC . Visited jan 1, 2009. http://www.cloudmark.com/desktop/download/. [18] C OMMITTEE ON D EVELOPMENTS IN THE S CIENCE OF L EARNING AND NATIONAL R E SEARCH C OUNCIL. How People Learn: Bridging Research and Practice. National Academies Press, 2000. [19] C RANOR , L. F. A framework for reasoning about the human in the loop. In UPSEC’08: Proceedings of the 1st Conference on Usability, Psychology, and Security (Berkeley, CA, USA, 2008), USENIX Association, pp. 1–15. [20] DANCHEV, D. Google: Spam volume for q1 back to pre-mccolo levels. CBS Interactive, April 2 2009. [21] DANCHEV, D. Microsoft study debunks phishing profitability. ZDNet, January 8 2009. [22] D HAMIJA , R., AND T YGAR , J. D. The battle against phishing: Dynamic Security Skins. In SOUPS ’05: Proceedings of the 2005 symposium on Usable privacy and security (New York, NY, USA, 2005), ACM Press, pp. 77–88. [23] D HAMIJA , R., T YGAR , J. D., AND H EARST, M. Why phishing works. In CHI ’06: Proceedings of the SIGCHI conference on Human Factors in computing systems (New York, NY, USA, 2006), ACM Press, pp. 581–590. [24] DKIM S IGNATURES , RFC 4871 . http://dkim.org/specs/rfc4871-dkimbase.html. Visited jan 1, 2009. 162 [25] D OWNS , J., AND F ISCHHOFF , B. Adolescent Health: Understanding and Preventing Risk Behaviors. John Wiley and Sons, 2009, ch. 5. [26] D OWNS , J. S., H OLBROOK , M. B., AND C RANOR , L. F. Decision strategies and susceptibility to phishing. In SOUPS ’06: Proceedings of the second symposium on Usable privacy and security (New York, NY, USA, 2006), ACM Press, pp. 79–90. [27] D OWNS , J. S., H OLBROOK , M. 
B., AND C RANOR , L. F. Behavioral Response to Phishing. In eCrime ’07: Proceedings of the 2007 e-Crime Researchers summit (New York, NY, USA, 2007), ACM Press, pp. 79–90. [28] E B AY I NC . Tutorial: Spoof(fake) http://pages.ebay.com/education/spooftutorial/. Emails, 2006. [29] E GELMAN , S., C RANOR , L. F., AND H ONG , J. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In CHI ’08: Proceeding of the twentysixth annual SIGCHI conference on Human factors in computing systems (New York, NY, USA, 2008), ACM, pp. 1065–1074. [30] E VERETT-C HURCH , R. Mccolo and the difficulty of fighting spam. Internet.com, November 20 2008. http://itmanagement.earthweb.com/features/print.php/3786296.. [31] E VERS , J. Security expert: User education is pointless. http://news.com.com/2100-7350_3-6125213.html. CNet News.com, 2006. [32] F EDERAL T RADE C OMMISSION. How Not to Get Hooked by a Phishing Scam, 2006. http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.htm. [33] F ERGUSON , A. J. Fostering E-Mail Security Awareness: The West Point Carronade. EDUCASE Quarterly, 2005. http://www.educause.edu/ir/library/pdf/eqm0517.pdf. [34] F ETTE , I., S ADEH , N., AND TOMASIC , A. Learning to detect phishing emails. In WWW ’07: Proceedings of the 16th international conference on World Wide Web (New York, NY, USA, 2007), ACM Press, pp. 649–656. [35] F INANCIAL S ERVICES T ECHNOLOGY C ONSORTIUM. Understanding and Countering the Phishing Threat. White Paper, 2005. http://www.fstc.org/projects/docs/FSTC_Counter_Phishing_Project_Whitepaper.pdf. [36] F LORENCIO , D., AND H ERLEY, C. EVALUATING A TRIAL DEPLOYMENT OF PASSWORD RE-USE FOR PHISHING PREVENTION. In eCrime ’07: Proceedings of the 2007 e-Crime Researchers summit (New York, NY, USA, 2007), ACM Press, pp. 26–37. [37] F LYNN , J., S LOVIC , P., AND M ERTZ , C. K. Gender, race, and perception of environmental health risks. Risk Analysis 14, 6 (1994), 1101–1108. 
163 [38] F RANKLIN , J., P ERRIG , A., PAXSON , V., AND S AVAGE , S. An inquiry into the nature and causes of the wealth of internet miscreants. In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), ACM, pp. 375–388. [39] F REE E MAIL P ROVIDERS G UIDE. Free email providers list. http://www.fepg.net/providers.html. fepg.net, 2004. [40] FU, A. Y. WEB IDENTITY SECURITY: ADVANCED PHISHING ATTACKS AND COUNTER MEASURES. PhD thesis, CITY UNIVERSITY OF HONG KONG, 2007. [41] G ARERA , S., P ROVOS , N., C HEW, M., AND RUBIN , A. D. A framework for detection and measurement of phishing attacks. In WORM ’07: Proceedings of the 2007 ACM workshop on Recurring malcode (New York, NY, USA, 2007), ACM, pp. 1–8. [42] G ARTNER R ESEARCH. Number of Phishing Adults Nearly Doubles in Just Two Years. http://www.gartner.com/it/page.jsp?id=498245. E-Mails Sent to U.S. Press Release, 2006. [43] G ARTNER R ESEARCH. Gartner survey shows phishing attacks escalated in 2007. Press Release, 2007. http://www.gartner.com/it/page.jsp?id=565125. [44] G EE , J. P. What Video Games Have to Teach Us About Learning and Literacy. Palgrave Macmillan, Hampshire, England, 2003. [45] G OLDMAN , L. Cybercon. http://www.forbes.com/forbes/2004/1004/088.html. Forbes.com, 2004. [46] G OOGLE I NC . Google safe browsing for firefox. visited jan 1, 2009, 2007. http://www.google.com/tools/firefox/safebrowsing/. [47] G ORDON , L. A., AND L OEB , M. P. The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5, 4 (2002), 438–457. [48] G ORLING , S. The myth of user education. In Proceedings of the 16th Virus Bulletin International Conference (2006). [49] G RIMES , R. A. Malicious Mobile Code: Virus Protection for Windows, first ed. O’Reilly & Associates, Inc., Sebastopol CA, USA, 2001. [50] H ERLEY, C., AND F LOR ÊNCIO , D. A profitless endeavor: phishing as tragedy of the commons. 
In NSPW ’08: Proceedings of the 2008 workshop on New security paradigms (New York, NY, USA, 2008), ACM, pp. 59–70. [51] H ERZBERG , A., AND G BARA , A. Protecting (even) naive web users, or: preventing spoofing and establishing credentials of web sites. Cryptology ePrint Archive, Report 2004/155, 2004. http://eprint.iacr.org/2004/155. 164 [52] I DENTITY T HEFT T ECHNOLOGY C OUNCIL. Online Phishing technology, chokepoints and countermeasures. http://www.antiphishing.org/Phishing-dhs-report.pdf. [53] JAGATIC , T. N., J OHNSON , N. A., JAKOBSSON , M., Commun. ACM 50, 10 (2007), 94–100. AND identity Report, theft: 2005. M ENCZER , F. Social Phishing. [54] JAKOBSSON , M. The Human Factor in http://www.informatics.indiana.edu/markus/papers/aci.pdf, 2006. Phishing. [55] JAKOBSSON , M., AND M YERS , S. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience, 2006. [56] JAKOBSSON , M., AND S TAMM , S. Invasive browser sniffing and countermeasures. In WWW ’06: Proceedings of the 15th international conference on World Wide Web (New York, NY, USA, 2006), ACM Press, pp. 523–532. [57] JAMES , L. Phishing Exposed, 1 edition ed. Syngress, 2005. [58] J EFF M AKEY. Blacklists compared, april 11, 2009. retrieved april 14, 2009. http://www.sdsc.edu/~ jeff/spam/cbc.html. [59] J OHN E. D UNN. Ie 7.0 tops study of anti-phishing tools , 29 september 2006, techworld. retrieved april 1, 2009. http://www.techworld.com/security/news/index.cfm?newsID=6995&pagtype=sam. [60] J OHNSON , B. R., AND KOEDINGER , K. R. Comparing instructional strategies for integrating conceptual and procedural knowledge. In Proceedings of the Annual Meeting [of the] North American Chapter of the International Group for the Psychology of Mathematics Education (October 2002), vol. 1–4, pp. 969–978. [61] J UNG , J., AND S IT, E. An empirical study of spam traffic and the use of dns black lists. 
In IMC ’04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement (New York, NY, USA, 2004), ACM, pp. 370–375. [62] K EIZER , G. Phishers Beat Bank’s Two-factor Authentication. Information Week, 2006. http://www.informationweek.com/news/showArticle.jhtml?articleID=190400362. [63] KJ, P., AND AF., H. Asymptotic and resampling strategies for assessing and comparing indirect effects in multiple mediator models. Behavior research methods 40, 3 (Aug 2008), 879–91. [64] K LEIN , G. Sources of power : How people make decisions? The MIT Press Cambridge, Massachusetts The MIT Press, Cambridge, Massachusetts, London, England, February 1999. 165 [65] K REBS , B. Host of Internet Spam Groups Is Cut Off. Washington Post, November 12 2008. [66] K UMARAGURU , P., C RANSHAW, J., ACQUISTI , A., C RANOR , L., H ONG , J., B LAIR , M. A., AND P HAM , T. School of phish: a real-word evaluation of anti-phishing training. In SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security (New York, NY, USA, 2009), ACM, pp. 1–12. [67] K UMARAGURU , P., C RANSHAW, J., ACQUISTI , A., C RANOR , L. F., H ONG , J., B LAIR , M. A., AND P HAM , T. School of phish: A real-word evaluation of anti-phishing training. In SOUPS ’09: Proceedings of the 5rd symposium on Usable privacy and security (New York, NY, USA, 2009), ACM. [68] K UMARAGURU , P., R HEE , Y., ACQUISTI , A., C RANOR , L. F., H ONG , J., AND N UNGE , E. Protecting people from phishing: the design and evaluation of an embedded training email system. In CHI ’07: Proceedings of the SIGCHI conference on Human factors in computing systems (New York, NY, USA, 2007), ACM Press, pp. 905–914. [69] K UMARAGURU , P., R HEE , Y., S HENG , S., H ASAN , S., ACQUISTI , A., C RANOR , L. F., AND H ONG , J. Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. 
In eCrime ’07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit (New York, NY, USA, 2007), ACM, pp. 70–81. [70] K UMARAGURU , P., S HENG , S., ACQUISTI , A., C RANOR , L. F., AND H ONG , J. Teaching Johnny not to Fall for Phish. Tech. rep., Carnegie Mellon University, 2006. [71] K UMARAGURU , P., S HENG , S., ACQUISTI , A., C RANOR , L. F., AND H ONG , J. Teaching Johnny not to Fall for Phish. Transactions on Internet Technology (2009). [72] K UNREUTHER , H., AND H EAL , G. Interdependent http://citeseer.ist.psu.edu/kunreuther02interdependent.html. security. [73] L EYDEN , J. Florida man indicted over Katrina phishing scam. The Register, 2006. http://www.theregister.co.uk/2006/08/18/hurricane_k_phishing_scam/. [74] L ICHTMAN , D., AND P OSNER , E. Holding Internet Service Providers Accountable. CHICAGO JOHN M. OLIN LAW and ECONOMICS WORKING PAPER, 2004. http://www.law.uchicago.edu/Lawecon/index.html. [75] L UDL , C., M CALLISTER , S., K IRDA , E., AND K RUEGEL , C. On the effectiveness of techniques to detect phishing sites. In DIMVA ’07: Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment (Berlin, Heidelberg, 2007), Springer-Verlag, pp. 20–39. [76] M ACKINNON , D. P., AND DWYER , J. H. Estimating Mediated Effects in Prevention Studies. Eval Rev 17, 2 (1993), 144–158. 166 [77] M AC K INNON , D. P., FAIRCHILD , A. J., AND F RITZ , M. S. Mediation analysis. Annual Review of Psychology 58, 1 (12 2006), 593–614. [78] M ACMILLAN , N. A., AND C REELMAN , C. D. Lawrence Erlbaum, 2004. Detection Theory: A User’s Guide. [79] M ALDONADO , H., L EE , J.-E. R., B RAVE , S., NASS , C., NAKAJIMA , H., YAMADA , R., I WAMURA , K., AND M ORISHIMA , Y. We learn better together: enhancing elearning with emotional characters. In CSCL ’05: Proceedings of th 2005 conference on Computer support for collaborative learning (2005), International Society of the Learning Sciences, pp. 408–417. 
[80] M ANNAN , M., AND VAN O ORSCHOT, P. C. On instant messaging worms, analysis and countermeasures. In WORM ’05: Proceedings of the 2005 ACM workshop on Rapid malcode (New York, NY, USA, 2005), ACM, pp. 2–11. [81] M ARK M ONITOR. Rock Phishing: Characterization of the Threat and Recommended Countermeasures. whitepaper, 2007. http://www.markmonitor.com/resources/docs/wp-rockphish-070824.pdf. [82] M ATTHEW B ROERSMA. Firefox 2 tops ie 7 in anti-phishing study, 15 november 2006, techworld. retrieved april 1, 2009. http://www.techworld.com/security/news/index.cfm?newsid=7353. [83] M AYER , R. E. Multimedia Learning. New York Cambridge University Press, 2001. [84] M ERCHANT R ISK C OUNCIL. Annual e-commerce fraud survey results. Press Release, March 2009. https://www.merchantriskcouncil.org/index.cfm?fuseaction=Feature.showFeature&Featur [85] M ESSAGE A NTI -A BUSE WORKING G ROUP , AND A NTI -P HISHING WORKING G ROUP. Anti-Phishing Best Practices for ISPs and Mailbox Providers. Report, 2006. http://www.apwg.org/reports/bestpracticesforisps.pdf. [86] M ESSAGE L ABS. Messagelabs Intelligence: 2007 Annual Security Report. MessageLabs Intelligence, 2007. http://www.messagelabs.com/mlireport/MLI_2007_Annual_Security_Report.pdf. [87] M ESSAGE L ABS. Messagelabs Intelligence May 2009. http://www.messagelabs.com/intelligence.aspx. Report, May 2009. [88] M ICHAEL S UTTON. A tour of the google blacklist, august 7, 2006. visited jan 1, 2009. http://www.communities.hp.com/securitysoftware/blogs/msutton/archive/2007/01/04/A-T [89] M ICROSOFT C ORPORATION. Consumer awareness page on phishing, 2006. Retrieved Sep 10, 2006. http://www.microsoft.com/athome/security/email/phishing.mspx. 167 [90] M ICROSOFT C ORPORATION. Phishing filter: Help protect yourself from online scams, 2008. http://www.microsoft.com/protect/products/yourself/phishingfilter.mspx. [91] M ILLERSMILES . CO . UK. The web’s dedicated anti-phishing service. Retrieved April 15, 2006, http://millersmiles.co.uk/. 
[92] M OORE , T., AND C LAYTON , R. Examining the Impact of Website Take-down on Phishing. In eCrime ’07: Proceedings of the 2007 e-Crime Researchers summit (New York, NY, USA, 2007), ACM Press, pp. 1–13. [93] M OORE , T., AND C LAYTON , R. The Consequence of Non-Cooperation in the Fight Against Phishing. In eCrime ’08: Proceedings of the 2008 e-Crime Researchers summit (New York, NY, USA, 2008), ACM Press. [94] M OORE , T., AND C LAYTON , R. Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing. In 13th International Conference on Financial Cryptography and Data Security (February 23-26, 2009 2009). [95] M OORE , T., C LAYTON , R., AND S TERN , H. Temporal Correlations between Spam and Phishing Websites. In 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET ‘09) (2009). [96] M ORENO , R., M AYER , R. E., S PIRES , H. A., AND L ESTER , J. C. The case for social agency in computer-based teaching: Do students learn more deeply when they interact with animated pedagogical agents? Cognition and Instruction 19, 2 (2001), 177–213. [97] M Y S ECURE C YBERSPACE . Uniform resource locator (URL), 2007. Retrieved Feb 4, 2007, http://www.mysecurecyberspace.com/encyclopedia/index/uniform-resource-locator-url-. [98] N ATIONAL C ONFERENCE OF S TATE L EGISLATURES. 2007 state legislation relating to phishing. Report, 2007. http://www.ncsl.org/programs/lis/phishing07.htm. [99] N ATIONAL C ONSUMERS L EAGUE. Avoid getting ’hooked’ by phishers, 2006. [100] N ATIONAL C ONSUMERS L EAGUE. A Call for Action: Report from National Consumers League Anti-Phishing Retreat. Report, 2006. http://www.nclnet.org/news/2006/Final%20NC%20Phishing%20Report.pdf. [101] N ET A PPLICATIONS . I NC . . Browser market share q4, 2008. visited jan 1, 2009. http://marketshare.hitslink.com/report.aspx?qprid=0&qpmr=15&qpdt=1&qpct=3&qpcal=1&q [102] N ETCRAFT I NC . Netcraft anti-phishing http://toolbar.netcraft.com/. toolbar. visited jan 1, 2009. 
[103] N EW M EXICO L EGISLATURE – 2005 SESSION. Sb 720. Law, 2005. http://legis.state.nm.us/Sessions/05%20Regular/final/SB0720.pdf. 168 [104] N EW YORK S TATE O FFICE OF C YBER S ECURITY & C RITICAL I NFRASTRUCTURE C O ORDINATION . Gone Phishing: A Briefing on the Anti-Phishing Exercise Initiative for New York State Government. Aggregate Exercise Results for public release, 2005. [105] H OMELAND S ECURITY, U. D., C OUNCIL , S. I. I. T. T., AND A NTI - PHISHING WORKING G ROUP. The crimeware landscape:malware, phishing, identity theft and beyond. Report, 2006. http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf. OF THE [106] O N G UARD O NLINE. Phishing quickfacts, 2008. [107] PAN , Y., AND D ING , X. Anomaly based web phishing page detection. Computer Security Applications Conference, Annual 0 (2006), 381–392. [108] PARNO , B., K UO , C., AND P ERRIG , A. Phoolproof phishing prevention. In Proceedings of the 10th International Conference on Financial Cryptography and Data Security (FC’06) (Feb. 2006). [109] P ENDLETON , B., X IANG , G., AND H ONG , J. Augmenting the Crowds: Fighting Phishing on a Budget. Under Submission, 2009. [110] Q UINN , C. N. Engaging Learning: Designing e-Learning Simulation Games. Pfeiffer, 2005. [111] R AMACHANDRAN , A., AND F EAMSTER , N. Understanding the network-level behavior of spammers. In SIGCOMM ’06: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications (New York, NY, USA, 2006), ACM, pp. 291–302. [112] R EBBAPRAGADA , N. New VoIP Phishing Scams. PCWorld, http://blogs.pcworld.com/staffblog/archives/001921.html. 2006. [113] R EPENNING , A., AND L EWIS , C. Playing a game: The ecology of designing, building and testing games as educational activities. In ED-Media, World Conference on Educational Multimedia, Hypermedia & Telecommunications (2005), Association for the Advancement of Computing in Education. [114] R EYNA , V. F., AND FARLEY, F. 
Risk and rationality in adolescent decision making: Implications for theory, practice, and public policy. Psychological Science in the Public Interest 7, 1 (2006), 1–44. [115] ROSENTHAL , R., AND ROSNOW, R. L. Essentials of Behavioral Research, third ed. McGraw Hill, New York, NY, USA, 2008. [116] ROSS , B., JACKSON , C., M IYAKE , N., B ONEH , D., AND M ITCHELL , J. C. Stronger password authentication using browser extensions. In Usenix security (2005). 169 [117] ROWE , B. R., AND G ALLAHER , M. P. Private sector cyber security investment: An empirical analysis. In WEIS 2006 - Fifth Workshop on Economics of Information Security (2006), pp. 18–41. http://weis2006.econinfosec.org/docs/18.pdf. [118] RUSCH , J. J. Phishing and Federal Law Enforcement. Presentation at ABA, 2004. http://www.abanet.org/adminlaw/annual2004/Phishing/PhishingABAAug2004Rusch.ppt. [119] S. DYNES , H. B RECHBUHL AND M. E. J OHNSON. Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm. In Fourth Workshop on the Economics of Information Security (2006), Harvard University. [120] S ALKIND , N. J. Encyclopedia of Measurement and Statistics. Sage Publications, 2006. [121] S CHECHTER , ., D HAMIJA , ., O ZMENT, ., indicators. sp 00 (2007), 51–65. AND F ISCHER , . The emperor’s new security [122] S CHNEIDER , F., P ROVOS , N., M OLL , R., C HEW, M., AND R AKOWSKI , B. Phishing protection: Design documentation. visited jan 1, 2009. https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation. [123] S CHNEIER , B. Inside risks: semantic network attacks. Commun. ACM 43, 12 (2000), 168. [124] S ENDER P OLICY F RAMEWORK S PECIFICATIONS (RFC 4408). http://www.openspf.org/Specifications. Visited jan 1, 2009. [125] S HENG , S., H OLBROOK , M., K UMARAGURU , P., C RANOR , L. F., AND D OWNS , J. Who falls for phish? a demographic analysis of phishing susceptibility and effectiveness of interventions. 
In Submission: CHI ’10: Proceedings of the SIGCHI conference on Human factors in computing systems (2010). [126] S HENG , S., K UMARAGURU , P., ACQUISTI , A., C RANOR , L., AND H ONG , J. Improving phishing countermeasures: An analysis of expert interviews. In eCrime Researchers Summit 2009 (Tacoma, WA, USA, 10 2009). [127] S HENG , S., M AGNIEN , B., K UMARAGURU , P., ACQUISTI , A., C RANOR , L. F., H ONG , J., AND N UNGE , E. Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. In SOUPS ’07: Proceedings of the 3rd symposium on Usable privacy and security (New York, NY, USA, 2007), ACM, pp. 88–99. [128] S HENG , S., WARDMAN , B., WARNER , G., C RANOR , L., H ONG , J., AND Z HANG , C. An empirical analysis of phishing blacklists. In 6th Conference in Email and Anti-Spam (Mountain view, CA, July 16 - 17 2009). [129] S LOVIC , P. The Perception of Risk. The Earthscan Risk in Society Series. Earthscan Publications Ltd, 2000. 170 [130] S TATE OF N EW YORK L EGISLATURE – 2007 SESSION. http://assembly.state.ny.us/leg/?bn=A08025&sh=t. A.b 8025. Law, 2007. [131] S YMANTEC . I NC . . Symantec Global Internet Security Threat Report. Tech. rep., Symantec., 2009. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_sec [132] T HERMOS , P., AND TAKANEN , A. Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures, first ed. Addison Wesley Professional, 2007. [133] US H OUSE OF R EPRESENTATIVES. Internet spyware (ispy) prevention act of 2004. H. R. 4661, 2004. http://thomas.loc.gov/cgi-bin/query/D?c108:5:./temp/~ mdbsui94q6::. [134] US H OUSE OF R EPRESENTATIVES. Internet spyware (ispy) prevention act of 2005. H. R. 744, 2005. http://thomas.loc.gov/cgi-bin/query/D?c109:11:./temp/~ mdbsGYDwP7::. [135] US H OUSE OF R EPRESENTATIVES. Internet spyware (ispy) prevention act of 2007. H. R. 1525, 2007. http://thomas.loc.gov/cgi-bin/query/D?c110:7:./temp/~ mdbs2yQuGo::. [136] VARIAN , H. 
Managing online security risks. New York Times, June 2000. http://people.ischool.berkeley.edu/~hal/people/hal/NYTimes/2000-06-01.html.
[137] Virginia Acts of Assembly, 2005 Session. Chapter 827. Law, 2005. http://leg1.state.va.us/cgi-bin/legp504.exe?051+ful+CHAP0827.
[138] Ward, M. Criminals exploit net phone calls. BBC News, 2006. http://news.bbc.co.uk/2/hi/technology/5187518.stm.
[139] Wu, M. Fighting Phishing at the Interface Level. PhD thesis, Massachusetts Institute of Technology, 2006. http://groups.csail.mit.edu/uid/projects/phishing/minwu-thesis.pdf.
[140] Wu, M., Miller, R. C., and Garfinkel, S. L. Do security toolbars actually prevent phishing attacks? In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (New York, NY, USA, 2006), ACM Press, pp. 601–610.
[141] Wu, M., Miller, R. C., and Little, G. Web Wallet: Preventing phishing attacks by revealing user intentions. In SOUPS '06: Proceedings of the Second Symposium on Usable Privacy and Security (New York, NY, USA, 2006), ACM Press, pp. 102–113.
[142] X, S. Inside the Spam Cartel, first ed. Syngress Publishing, Inc., Rockland, MA, USA, 2004.
[143] Xiang, G., and Hong, J. An adaptive shingling-based approach using search engines for zero false positive phish detection. Under submission, 2009.
[144] Xiang, G., and Hong, J. I. A hybrid phish detection approach by identity discovery and keywords retrieval. In WWW '09: Proceedings of the 18th International Conference on World Wide Web (New York, NY, USA, 2009), ACM, pp. 571–580.
[145] Ye, Z. E., Smith, S., and Anthony, D. Trusted paths for browsers. ACM Trans. Inf. Syst. Secur. 8, 2 (2005), 153–186.
[146] Yee, K.-P., and Sitaker, K. Passpet: Convenient password management and phishing protection. In SOUPS '06: Proceedings of the Second Symposium on Usable Privacy and Security (New York, NY, USA, 2006), ACM Press, pp. 32–43.
[147] Zhang, Y., Egelman, S., Cranor, L., and Hong, J.
Phinding Phish: An evaluation of anti-phishing toolbars. In Proceedings of the ISOC Symposium on Network and Distributed System Security (2007), Internet Society.
[148] Zhang, Y., Hong, J. I., and Cranor, L. F. CANTINA: A content-based approach to detecting phishing web sites. In WWW '07: Proceedings of the 16th International Conference on World Wide Web (New York, NY, USA, 2007), ACM Press, pp. 639–648.
[149] Zone Alarm. Smart Defense System, 2004. http://smartdefense.zonealarm.com/tmpl/Advisory

APPENDIX

Appendix I: List of Recommendations

This appendix lists the full set of recommendations that I discussed with experts during my interviews.

A.1 Recommendations

This section makes a set of recommendations based on the insights from the phishing analysis (Chapter 2) and the preliminary stakeholder analysis (Chapter 3). The recommendations are organized according to the following framework: prevention, detection, block emails/websites, shutdown, and warn user (see Figure 2.9). The overall objectives are:

1. Catch phishers before they launch attacks
2. Detect attacks as early and accurately as possible
3. Block phishing emails at mail gateways
4. Take down phishing websites as soon as possible
5. Improve mutual authentication between financial institutions and consumers
6. Minimize money laundering due to phishing
7. Warn and educate users effectively

Figure A.1: Taxonomy of phishing technical countermeasures

In the sections that follow, I outline recommendations to achieve these objectives.

A.1.1 Prevention

As shown in Figure 2.9, the first step in fighting phishing is to prevent attacks before they materialize. Effective law enforcement will reduce phishers' incentive to commit crimes, and securing personal and corporate computing resources will lower the probability that phishers can launch attacks at all.
Corporations that handle incidents better will be less attractive targets for phishers, and proactive anti-phishing measures by registrars will make setting up phishing attacks much harder. The recommendations are listed below.

A.1.1.1 Recommendations for effective law enforcement

1. Law enforcement: Continue operations to identify and catch phishing gangs such as the Rock Phish gang. As the underground phishing market becomes more efficient, phishing operations will consolidate and a few organizations will be responsible for most phishing. Gangs such as Rock Phish are estimated to be responsible for up to 50% of phishing, so effort spent on catching them is well justified. In my interviews with law enforcement and other experts, I will consolidate their advice on catching Rock Phish.

2. Law enforcement, industry organizations, and academia: Provide a more accurate measure of the losses due to phishing, both in general and for particular incidents. There is a lack of data on the monetary losses caused by phishing attacks, and the data is hard to obtain for several reasons: banks do not know whether a fraudulent charge is due to phishing or to other activities such as dumpster diving or malware, and the number of people who enter information does not translate directly into losses, because the information may be incorrect and because banks' fraud detection systems stop many attempts from converting into actual losses. Confident estimates matter because law enforcement finds it difficult to open a case without a good idea of the loss involved. I suggest three directions for gathering this data: first, collect and preserve forensic data when a phishing server is seized, record detailed information about the accounts stolen, and collaborate with banks to cross-check these fraud cases; second, study the prices of stolen goods on the Internet phishing black market (see footnote 1); and third, conduct empirical measurements rather than surveys.
Recent efforts by Moore and Clayton [92] and by Florencio and Herley [36] provide innovative ways to investigate this issue; their methods can easily be shared with law enforcement on a case-by-case basis to measure the monetary loss both in general and in specific phishing cases.

3. Regulators: Push the adoption of the Convention on Cybercrime around the world. Criminals work through countries that are not party to the convention. To close this loophole, more countries need to ratify the Convention on Cybercrime, the model framework drawn up by the Council of Europe.

4. Law enforcement: Disrupt the underground black-market economy. As mentioned in Section 2.2, phishers, spammers, botnet herders, and pay loaders collaborate to commit crimes and trade with each other on the Internet black market. Efforts to disrupt that market will sever the criminals' ability to connect with each other. The paper by Perrig and Franklin [38] outlines several possible ways to disrupt the market. I recommend further research and action in this area. In my expert interviews, I will ask law enforcement experts to comment on these proposals and to suggest measures that could strengthen phishing law enforcement.

Footnote 1: Economics predicts that at market equilibrium supply equals demand. It is therefore possible to infer the loss due to phishing from the prices these commodities fetch on black markets.

A.1.1.2 Recommendations for securing personal and corporate computing resources against phishing

Today, phishing attacks are launched through compromised personal and corporate computers around the world. Spam emails are sent through vulnerable open mail relays and susceptible web forms, and hacked machines host half of all phishing websites. Securing personal and corporate computing environments will make it harder for phishers to launch attacks. Below is a list of security recommendations.

1. Technology vendors: Protect the hosts file on user computers.
Some phishing attacks poison DNS resolution by altering the local hosts file. Except on Windows Vista, the hosts file is not protected by Windows or by anti-virus software. Protecting this file would help eliminate this form of DNS poisoning and reduce phishing attacks.

2. Website operators: Check and fix web forms for mail-injection vulnerabilities. Mail-injection attacks turn web mail forms into relays that spammers use to send mail. CERT or the APWG could also help by producing a toolkit that discovers this vulnerability.

3. Academic institutions, CERT, vendors, and law enforcement: Continue research and operations to shut down botnets. Botnets are the crucial machinery criminals use to launch phishing attacks and evade detection. Shutting down botnets would help eliminate not only phishing but a variety of other attacks, such as DDoS and spam. Many have argued that shutting down botnets is not worthwhile, for three reasons: vulnerabilities in computers are numerous and it takes only one exploit to take control of a computer; users are careless and are easily fooled into installing malware; and hundreds of millions of potentially vulnerable computers are connected to the Internet. These points are valid and acknowledge the difficulty of the task; however, past takedowns have shown that it can be done.

4. Researchers, vendors: Research secure patching of vulnerabilities. Many computers become infected through exploits that attackers create by reverse engineering a newly released patch and then use against computers that have not yet applied it; it can take as little as six hours for such an exploit to be created from a patch. Although we would like software to be secure by design, patches will still be needed. Research into secure patching (possibly using public-key cryptography) would help shrink this window of exposure.

5. CERT or APWG: Produce a list of the most frequently hacked websites and notify the website operators of their vulnerabilities. Provide toolkits and educational resources to help website operators secure themselves. Because about 50% of phishing today is hosted on hacked websites (according to data we compiled from PhishTank during a two-week period in July), this would give operators an incentive to investigate why their websites were hacked and provide them with the tools to fix the problem.

A.1.1.3 Recommendations for improving risk management and incident handling for phishing

1. Institutions: If frequently targeted, review security procedures and processes and establish phishing countermeasures. If a bank is robbed again and again, its security measures are inadequate. In the same vein, if phishers continually target an institution, the security measures at that institution need to be improved.

2. Institutions: Identify high-risk clients and provide them with education and additional protective measures. Clients such as account executives and business account holders are at special risk from phishing because of their net worth and their inexperience.

3. Banking regulators: Obtain and monitor fraud-loss statistics for targeted institutions, and press the institutions about their security practices where necessary. As mentioned earlier, little data is available about fraud losses at banks. Banks do not want to disclose these numbers because they have no incentive to do so. Without accurate reporting of fraud losses, regulators cannot know how banks are performing and find it hard to provide guidance. Requiring banks to report quarterly fraud losses for regulator review would help banks examine their internal controls and manage the process better. The data need not be made public.

A.1.1.4 Recommendations for proactive measures from registrars

1.
Academic institutions or industry groups: Conduct a study of registrars' preparedness for phishing and other fraud. Produce best practices for registrars and compile case studies of registrars that have prevented phishing.

2. Regulators (ICANN): Provide guidance and help registrars detect phishing registrations. If necessary, issue security standards on phishing for registrars.

A.1.2 Detection

The earlier an attack is detected, the shorter the response time for shutdown and blocking.

1. Email services: Automatically forward suspected phishing emails to anti-phishing services at the mail gateway. Since the email gateway is the first point of contact for phishing emails, phishing emails are freshest there. The difficulty is that mail providers lack incentives to report phishing, because their primary concern is spam. Since most filters do not treat spam and phishing differently, reporting phishing emails at the gateway means manual work to separate phishing from spam first.

2. Academic institutions or the open source community: Provide a good set of open source phishing filters that integrate with SpamAssassin. There are many email providers on the Internet. While large mail providers can deploy sophisticated email filters, small and medium-sized providers usually rely on open source spam filters such as SpamAssassin. The standard configuration of SpamAssassin catches only about 70% of phishing emails [34]. To raise the bar for phishing protection, phishing filters should be released freely to the public.

A.1.3 Filter email / websites

1. Encourage mail providers to scan for phishing at the mail storage level.
In some instances, filtering at the mail storage level is preferable: gathering and updating phishing email signatures takes time, and some phishing detection techniques require network queries (DNS lookups), which would slow the filter dramatically if run at the gateway (it takes roughly four seconds to process a 10 KB email when network lookups are involved). There is usually a 12-hour gap between the time mail arrives in mail storage and the time it is downloaded to the client's computer [100]. Between these stages, filtering can be applied and messages can be tagged or removed before the client ever downloads them. However, there may be legal and privacy concerns about providers examining users' personal inboxes.

2. Mail clients could be the next line of defense. Regular software clients such as Outlook and Thunderbird can run phishing tests and warn users when messages are opened. The benefits of filtering here are that there are no privacy or legal concerns, and mail clients have more information about senders and other context for sophisticated filtering.

3. Web browser vendors: Continue to improve the performance of browser anti-phishing toolbars, with the goal of catching 85-95% of phishing URLs within an hour. As shown in Figure 9, Internet Explorer 7 was able to detect fewer than 50% of phishing websites within 12 hours, and Safari does not have any phishing protection yet. More effort is needed in this area.

4. Email providers: Support the email authentication standards SPF and DKIM. Although email authentication will not solve the problem of email fraud, it does provide accountability in email when used properly. For companies to adopt these methods, email clients must first support them natively.

A.1.4 Shutdown / block phishing websites

1. CERT or APWG: Produce a list of the most frequently hacked websites and continuously monitor those websites' security for improvement. Roughly 50% of phishing is hosted on hacked websites.
By publishing these statistics, website owners will become aware of their vulnerabilities. Whenever phishing pages are hosted on a hacked site, the site owner should be notified directly so that they can take the pages down and fix the underlying vulnerability.

2. Registrars: Examine solutions for quickly shutting down and suspending Rock Phish domains.

A.1.5 Warn and educate users

1. Email clients: Provide effective, integrated warnings to users about phishing messages, and research ways to present warnings better.

2. Government, education, and industry groups: Educate consumers about the risks of instant messaging networks.

A.1.6 Minimize money laundering

The final step is to minimize the money lost to phishing. To do this, we need to make it harder for third parties to use stolen credentials to commit fraud, and harder for phishers to launder money even when they hold stolen credentials. My recommendations are:

1. Financial institutions: Work closely with the anti-money-laundering community to ensure that anti-money-laundering (AML) systems are used to detect phishing-related fraud. AML systems have been used worldwide for many years. To the best of my knowledge, they have not been used to detect phishing fraud. I recommend that phishing-specific rules, focused on the behavior of phishing gangs, be added to AML systems. In my expert interviews, I will ask for the experts' opinions on these issues.

2. Regulators (FTC): Launch an education campaign to inform the public about money mules. Mules are a crucial element of the underground market, as they transfer money or redirect goods to criminals. Many money mules are unaware that the activities they engage in are illegal. Compared with phishing, there is little educational material in the media about money mules. I recommend that regulators such as the FTC organize a campaign against money mules. The campaign could be standalone or combined with another campaign.
The format could be testimonials, actual police cases, and recommendations on how not to become a money mule. (Recently, Phil H. at Verisign also had the idea of a "mule-fool" campaign.)

3. Industry associations: Study the money-wiring practices of Western Union and MoneyGram, especially their security practices for wiring money outside the country. Western Union and MoneyGram are among the key tools mules use to transfer money. The system is designed to make money transfer easy, which also makes it easy for criminals. I propose a simple study: to examine validation and authentication practices, investigators should visit a dozen local Western Union and MoneyGram branches and try to transfer money to Eastern Europe.

A.1.7 Other recommendations

1. Financial institutions: Implement better mutual authentication systems. Better mutual authentication means that banks can be certain the customers they are dealing with are genuine, and vice versa. Well-implemented systems make it difficult for phishers to gain access to accounts even when they hold credentials such as usernames and passwords. However, better authentication cannot eliminate fraud entirely, because in the extreme case we must assume that attackers can obtain every credential a legitimate customer has. This raises the attacker's cost, but it is not impossible.

2. Academia: Continue research on mutual authentication.

3. Internet service providers: Implement egress and ingress filtering.

4. Internet service providers: Monitor outbound network traffic from unpatched computers and ask users to update.
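Recommendation 1 of Section A.1.1.2 above asks vendors to protect the hosts file. As an added illustration by the editor (not code from this thesis), the following Python audits a hosts file for the two kinds of tampering that recommendation is concerned with: brand domains overridden so that the browser is sent to a phishing server, and update or security-vendor domains sinkholed to the loopback address. The sample hosts file, the watched domain examplebank.example and the list of stock local names are constructed for the example; reading a live file is left to the small wrapper at the end.

```python
import ipaddress

# Names that legitimately appear in a stock hosts file; any other name that
# looks like an Internet domain is worth a second look (assumed list).
STOCK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Constructed sample (not taken from any real machine): a stock hosts file
# with two kinds of tampering added.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
10.0.0.5        fileserver                                   # intranet box, single label: fine
198.51.100.7    www.examplebank.example examplebank.example  # brand redirected
127.0.0.1       av-updates.example.net                       # update server sinkholed
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Comments (#) and blank lines are skipped; a line whose address does not
    parse is ignored rather than raising, since the resolver ignores it too.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def audit_hosts(text, watched_domains=()):
    """Return [(line_no, hostname, ip, reason)] for suspicious entries.

    Check 1: any mapping of a watched brand domain or one of its subdomains
    is reported whatever the address, because a hosts entry silently
    overrides DNS for that name.  Check 2: any other dotted name that is not
    a stock local name is reported, classified by where it points.
    """
    watched = tuple(d.lower() for d in watched_domains)
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((line_no, name, str(ip), "watched domain overridden"))
        elif "." in name and name not in STOCK_NAMES:
            if ip.is_loopback or ip.is_unspecified:
                reason = "domain sinkholed to local host (blocks access/updates)"
            else:
                reason = "domain redirected to another host"
            findings.append((line_no, name, str(ip), reason))
    return findings


def audit_hosts_file(path, watched_domains=()):
    """Wrapper for a real file, e.g. /etc/hosts on Unix or
    %SystemRoot%\\System32\\drivers\\etc\\hosts on Windows."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watched_domains)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watched_domains=["examplebank.example"]):
        print(finding)
```

Run against the sample, the intranet entry is ignored, both names on the bank line are reported as overridden, and the update server is reported as sinkholed. The watched-domain list is what turns this from a generic integrity check into a phishing check: a bank or its customers' IT staff would seed it with the institution's own domains.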
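Recommendation 2 of Section A.1.1.2 concerns mail-injection vulnerabilities in web forms. The following Python, added by the editor and not part of the thesis, shows a contact-form handler in the vulnerable shape the recommendation describes (header lines assembled from user input, so a CR/LF in the sender field lets the attacker append a Bcc: header and relay mail to recipients of their choosing) beside a hardened version that rejects the injection. The destination inbox and the attacker's input are constructed for the example.

```python
import re
from email.message import EmailMessage

SITE_INBOX = "webmaster@example.org"  # assumed destination of the contact form

# Constructed attacker input: the sender field carries a CRLF followed by an
# extra header, which a naive handler emits as a real Bcc: header.
INJECTED_FROM = "alice@example.com\r\nBcc: mark1@example.invalid, mark2@example.invalid"

_CRLF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_mail_vulnerable(from_addr, subject, body):
    """The kind of handler that gets turned into a spam relay: headers are
    built by string formatting, so CR/LF in user input starts new headers."""
    return (f"From: {from_addr}\r\n"
            f"To: {SITE_INBOX}\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}")


def build_mail_hardened(from_addr, subject, body):
    """Same handler with the checks that close the hole: reject any CR/LF in
    header-bound input and require the sender to be one well-formed address,
    then let EmailMessage (which itself refuses newlines in header values)
    do the serialisation."""
    for field in (from_addr, subject):
        if _CRLF.search(field):
            raise ValueError("CR/LF in header field: mail injection rejected")
    if not _ADDR.match(from_addr):
        raise ValueError("sender is not a single well-formed address")
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = SITE_INBOX
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def header_values(raw, name):
    """Return every value of header `name` in a raw message (the header block
    ends at the first blank line).  Used to inspect what each builder emitted."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return [line.split(":", 1)[1].strip()
            for line in re.split(r"\r?\n", head)
            if line.lower().startswith(name.lower() + ":")]


if __name__ == "__main__":
    print(header_values(build_mail_vulnerable(INJECTED_FROM, "Question", "Hello"), "Bcc"))
    try:
        build_mail_hardened(INJECTED_FROM, "Question", "Hello")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The CR/LF check is the essential one: any field that ends up in a header must be a single line, and the address-shape check additionally stops a sender field from smuggling several comma-separated recipients. A toolkit of the kind the recommendation asks CERT or the APWG to produce would submit the injected sender value to a form and look for the Bcc: copy arriving at a mailbox the tester controls.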
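Recommendation 2 of Section A.1.2 calls for open-source phishing filters to supplement SpamAssassin's standard rules. As an added example (the editor's code, not part of the thesis or of SpamAssassin), the following Python implements one phishing-specific test such a filter would run over an HTML message body: it flags anchors whose visible text is itself a URL naming one host while the href points at another, and anchors whose target is a bare IP address. The sample message, the example host names and the score weight are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real phish): a lure whose visible link text
# names the bank while the href goes to a raw IP, plus one benign link.
SAMPLE_HTML = """\
<p>Dear customer, your account has been limited. Please verify it at
<a href="http://198.51.100.9/secure/login">https://www.examplebank.example/secure</a>
within 24 hours.</p>
<p>Questions? See our <a href="https://www.examplebank.example/help">help page</a>.</p>
"""

# Visible text that reads as a URL or bare hostname; group 1 is the host.
_URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; tolerates a missing scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def link_findings(html):
    """Return [(href, text, reason)] for anchors that look deceptive."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.pairs:
        href_host = _host(href)
        m = _URL_LIKE.match(text)
        if m and m.group(1).lower() != href_host:
            findings.append((href, text, "visible URL names %s but link goes to %s"
                             % (m.group(1).lower(), href_host)))
        if _IPV4.match(href_host):
            findings.append((href, text, "link target is a bare IP address"))
    return findings


def phish_score(html, weight_per_finding=2.5):
    """Spam-filter-style contribution: a fixed (assumed) weight per finding,
    to be added to the rest of a message's score."""
    return weight_per_finding * len(link_findings(html))


if __name__ == "__main__":
    for finding in link_findings(SAMPLE_HTML):
        print(finding)
    print("score:", phish_score(SAMPLE_HTML))
```

On the sample, the lure's anchor produces both findings and the help link none. In a real deployment the same two tests would be expressed as a SpamAssassin plugin or rawbody rules and combined with the standard ruleset, which is exactly the gap between the 70% catch rate cited above and what a phishing-aware filter can reach.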
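Recommendation 4 of Section A.1.3 asks email providers to support SPF [124] and DKIM. The following Python, added by the editor and not from the thesis, evaluates the DNS-free part of an SPF record (the ip4, ip6 and all mechanisms of RFC 4408) for a connecting sender address and maps the result to a gateway action; mechanisms that require DNS lookups (include, a, mx, ptr, exists, redirect) are deliberately refused rather than approximated. The example record, the sender addresses and the gateway policy are constructed.

```python
import ipaddress

# Constructed record and senders; the documentation prefixes 192.0.2.0/24,
# 198.51.100.0/24 and 2001:db8::/32 are used so nothing refers to a real host.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# RFC 4408 qualifier -> result when the mechanism matches.
_RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record against the connecting IP (RFC 4408 check_host
    semantics for ip4, ip6 and all only).  Mechanisms needing DNS raise
    NotImplementedError here instead of silently producing a result."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+" (pass)
        if term[0] in _RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed network: permanent error
            if (mech == "ip4") != (net.version == 4):
                return "permerror"          # ip4: with an IPv6 network or vice versa
            matched = ip.version == net.version and ip in net
        else:
            raise NotImplementedError("mechanism %r needs DNS; not handled here" % mech)
        if matched:
            return _RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                        # nothing matched: RFC 4408 default


def gateway_action(result):
    """An illustrative (assumed) receiving policy: reject on hard fail, tag
    softfail and permerror for the content filter, otherwise accept."""
    return {"fail": "reject", "softfail": "tag", "permerror": "tag"}.get(result, "accept")


if __name__ == "__main__":
    for sender in ("192.0.2.10", "2001:db8::1", "198.51.100.1"):
        result = evaluate_spf(EXAMPLE_RECORD, sender)
        print(sender, result, gateway_action(result))
```

The point the recommendation makes is visible in the last line of the demo: a message from 198.51.100.1 claiming the example domain gets a hard fail and can be rejected at the gateway before any content filtering, which is the accountability SPF provides when the sending domain publishes a record ending in -all. A softfail (~all) only tags, which is why many deployments still rely on the content checks above.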