Social Phishing

Tom N. Jagatic, Nathaniel A. Johnson, Markus Jakobsson, Filippo Menczer

Presenter: Ieng-Fat Lam
Date: 2007/4/1

Paper presented: Jagatic, T.N., Johnson, N.A., Jakobsson, M. and Menczer, F. “Social Phishing”, Communications of the ACM, Vol. 50, No. 10, pp. 94–100, ACM Press, New York, NY, USA, 2007

Tom N. Jagatic Massachusetts Institute of Technology

Nathaniel A. Johnson Indiana University, Bloomington

Markus Jakobsson Indiana University, Bloomington

Filippo Menczer Indiana University, Bloomington


Outline

Motivation, Method, Experiment, Results, Conclusion


Motivation

Phishing cases are growing: 19% clicked on a link to a phishing site, and 3% admitted to having provided financial information.

Phishers are getting smarter: they notify the victim of a “Security Threat” and then ask for personal information to “solve the problem”.

Spear phishing and context-aware phishing gain the victim's trust by showing bidding history, shopping preferences, inferred browsing history, or the mother's maiden name.


Motivation (cont.)

Growing number of social networking sites (MySpace, Facebook, Orkut, LinkedIn) with identified “circles of friends”, which allow a phisher to harvest large amounts of reliable social network information.


Motivation (cont.)

Phishing attacks take advantage of both technical and social vulnerabilities.

We discuss how phishing attacks can be honed by means of publicly available personal information from social networks.

The question we ask is: how easily and effectively can a phisher exploit social networks found on the Internet to increase the yield of a phishing attack?


Motivation (cont.)

The answer is: very easily and very effectively. Internet users may be over four times as likely to become victims if they are solicited by someone appearing to be a known acquaintance.


Method

Harvested freely available acquaintance data by crawling social networking sites using the Perl LWP library (libwww-perl).

Focused on a subset of targets affiliated with Indiana University (IU), cross-correlating the harvested data with IU's address book database.

Launched an actual (but harmless) phishing attack targeting IU students aged 18 to 24, sampled to represent typical phishing victims, in order to quantify in an ethical manner how reliable social context increases the success of a phishing attack.


Method (cont.)

Figure 1: Illustration of the phishing experiment

Method (cont.)

Phishing experiment

1. Blogging, social network, and other public data is harvested.
2. Data is correlated and stored in a relational database.
3. Heuristics are used to craft a spoofed email message from Eve “as Alice” to Bob (a friend of Alice).
4. The message is sent to Bob.
5. Bob follows the link contained within the email message and is sent to an unchecked redirect.
6. Bob is sent to the attacker's whuffo.com site.
7. Bob is prompted for his University credentials.
8. Bob's credentials are verified with the University authenticator.
9. a. Bob is successfully phished.
   b. Bob is not phished in this session; he could try again.
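Step 5 is the security-relevant hop: the link in the spoofed message pointed at a redirector that passed its target through unchecked, so a URL that looked on-campus delivered Bob to whuffo.com. The Python below is an added example, not code from the paper or the experiment. It shows that unchecked pattern beside a hardened handler that resolves the target against the site root and only follows same-site paths or allowlisted hosts. The host name www.example.edu, the `url` parameter name and the `final_host_of_link` triage helper are assumptions made for illustration.

```python
from urllib.parse import urlparse, urljoin, parse_qs

# Assumed trusted campus host and site root (hypothetical, not from the paper).
TRUSTED_HOSTS = {"www.example.edu"}
SITE_ROOT = "https://www.example.edu/"
PARAM = "url"  # assumed name of the redirect parameter


def vulnerable_redirect_target(query: str) -> str:
    """Unchecked redirect: returns whatever the query parameter says.

    A link that starts at the trusted host therefore lands wherever the
    sender chose, which is what delivered Bob to the attacker's site.
    """
    params = parse_qs(query)
    return params.get(PARAM, ["/"])[0]


def safe_redirect_target(query: str) -> str:
    """Hardened redirect: only same-site paths or allowlisted hosts survive.

    The target is resolved against the site root before checking, so a
    scheme-relative form such as "//whuffo.com/" cannot pass as a path,
    and non-http(s) schemes are rejected outright.
    """
    params = parse_qs(query)
    target = params.get(PARAM, ["/"])[0]
    resolved = urlparse(urljoin(SITE_ROOT, target))
    if resolved.scheme not in ("http", "https"):
        return "/"
    if resolved.hostname not in TRUSTED_HOSTS:
        return "/"
    return resolved.geturl()


def final_host_of_link(link: str) -> str:
    """Where a redirector link in an email actually ends up under the
    unchecked handler; useful when triaging links that look on-site."""
    parsed = urlparse(link)
    target = vulnerable_redirect_target(parsed.query)
    return urlparse(urljoin(link, target)).hostname or ""


if __name__ == "__main__":
    mail_link = "https://www.example.edu/redirect?url=https://whuffo.com/login"
    print("link in mail lands on:", final_host_of_link(mail_link))
    print("hardened handler sends to:",
          safe_redirect_target(urlparse(mail_link).query))
```

The hardened handler returns the resolved absolute URL instead of echoing the input, so browser-side normalisation quirks (scheme-relative `//host`, backslashes, embedded credentials such as `trusted@evil`) cannot turn an apparently relative target back into an off-site one.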

Method (cont.)

Social network group: a spoofed email between two friends, Alice and Bob. Bob was redirected to a phishing site with a domain name distinct from IU's, and the site prompted Bob to enter his university credentials.

Control group: subjects received the same message from an unknown, fictitious person with a university email address.


Result

Relatively high success in the control group (16%), attributed to subtle context: the sender's university email address and the hyperlink shown.

The social network group is much higher (72%), consistent with the “grade report” experiment (Ferguson, 2005), in which 80% of cadets were deceived by a link to a grade report.


Table 1: Results of the social network phishing attack and control experiment. From a t-test, the difference is very significant (p < 10^-25).

Result (cont.)

Phishing site's access log: 70% of successful authentications occurred in the first 12 hours, which supports the importance of rapid takedown. Some users visited the site over 80 times.

The social context of the attack leads people to overlook important rules.
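The numbers above come from reading the phishing site's own access log. The following Python is an added example, not the experiment's code or data, that reproduces that kind of analysis: the share of successful authentications within the first 12 hours, unique visits per clock hour as in Figure 2, and how often a single user came back. The log lines are constructed for illustration; the log format, the event names and the choice of the first logged event as the send time are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of the phishing site's access log (illustrative only,
# not the experiment's data). Fields: ISO timestamp, pseudonymous user id,
# event (visit | auth_ok | auth_fail).
SAMPLE_LOG = """\
2005-04-21T09:02:11 u01 visit
2005-04-21T09:02:40 u01 auth_ok
2005-04-21T09:15:03 u02 visit
2005-04-21T09:15:30 u02 auth_fail
2005-04-21T09:16:02 u02 auth_ok
2005-04-21T11:40:00 u03 visit
2005-04-21T11:40:21 u03 auth_ok
2005-04-21T13:05:00 u03 visit
2005-04-21T13:05:10 u03 visit
2005-04-21T13:05:20 u03 visit
2005-04-21T20:30:00 u04 visit
2005-04-21T20:30:15 u04 auth_ok
2005-04-22T10:00:00 u05 visit
2005-04-22T10:00:30 u05 auth_ok
2005-04-23T16:45:00 u06 visit
2005-04-23T16:45:12 u06 auth_ok
"""


def parse_log(text):
    """Parse the log into (timestamp, user, event) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def auth_fraction_within(events, hours):
    """Share of successful authentications that happened within `hours` of
    the first logged event (assumed to be when the messages went out)."""
    start = min(ts for ts, _, _ in events)
    ok = [ts for ts, _, ev in events if ev == "auth_ok"]
    if not ok:
        return 0.0
    within = sum(1 for ts in ok if (ts - start).total_seconds() <= hours * 3600)
    return within / len(ok)


def hourly_unique_visits(events):
    """Unique visitors per clock hour (keys like '2005-04-21T09'),
    the same view as Figure 2's first panel."""
    buckets = defaultdict(set)
    for ts, user, ev in events:
        if ev == "visit":
            buckets[ts.strftime("%Y-%m-%dT%H")].add(user)
    return {hour: len(users) for hour, users in sorted(buckets.items())}


def visits_per_user(events):
    """How many times each user came back, to spot the heavy repeaters."""
    return Counter(user for _, user, ev in events if ev == "visit")


def takedown_report(text, hours=12):
    """Summary a responder would want when deciding how fast to act."""
    events = parse_log(text)
    return {
        "auth_ok_total": sum(1 for _, _, ev in events if ev == "auth_ok"),
        "fraction_within_window": auth_fraction_within(events, hours),
        "max_visits_by_one_user": max(visits_per_user(events).values()),
    }


if __name__ == "__main__":
    print(takedown_report(SAMPLE_LOG))
    print(hourly_unique_visits(parse_log(SAMPLE_LOG)))
```

On the constructed log, four of the six successful authentications fall inside the 12-hour window; on a real campaign the same script gives the takedown deadline directly, and the per-user counter is what surfaces the users who keep returning to an "overloaded" site.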


Result (cont.)


Figure 2: Unique visits and authentications per hour; distributions of repeat authentications and refreshes by authenticated users. (Victims who successfully authenticated were shown a fake message indicating that the server was overloaded and asking them to try again later.)

Result (cont.)

Gender of the subjects who fell victim: females were more likely to become victims, and the attack was more successful if the spoofed message was sent by someone of the opposite gender.


Table 2: Gender effects. The harvested profiles of potential subjects identified a male/female ratio close to that of the general student population (18,294 males and 19,527 females).

χ² test: the gender of the sender did not have a significant effect on the success rate (p = 0.3); the gender of the receiver was significant (p < 0.005); the combination of sender and receiver genders was also significant (p < 0.004).
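The significance tests behind Table 1 and Table 2 can be reproduced for any 2x2 outcome table (group vs phished/not phished) with a chi-square test of independence, which needs no statistics library when there is one degree of freedom. The Python below is an added example, not from the paper; the counts are constructed to reproduce the slide's 16% and 72% success rates and are not the experiment's published table, and the function names are my own.

```python
import math


def chi_square_2x2(table):
    """Chi-square test of independence for a 2x2 contingency table.

    table = [[a, b], [c, d]] with rows = groups (e.g. control vs social
    network, or male vs female sender) and columns = (phished, not phished).
    Returns (chi2, p). With one degree of freedom the chi-square survival
    function is exactly erfc(sqrt(x / 2)), so no lookup table is needed.
    """
    (a, b), (c, d) = table
    n = a + b + c + d
    row_totals = (a + b, c + d)
    col_totals = (a + c, b + d)
    chi2 = 0.0
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_totals[i] * col_totals[j] / n
            chi2 += (observed - expected) ** 2 / expected
    p = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p


def success_rate(phished, total):
    return phished / total


# Constructed counts chosen to reproduce the slide's 16% and 72% success
# rates; illustrative only, not the experiment's published table.
CONTROL = (15, 94)     # (phished, subjects)
SOCIAL = (349, 487)


def compare_groups(control=CONTROL, social=SOCIAL):
    """Build the 2x2 table from (phished, total) pairs and run the test."""
    table = [[control[0], control[1] - control[0]],
             [social[0], social[1] - social[0]]]
    chi2, p = chi_square_2x2(table)
    return {
        "control_rate": success_rate(*control),
        "social_rate": success_rate(*social),
        "chi2": chi2,
        "p": p,
    }


if __name__ == "__main__":
    r = compare_groups()
    print(f"control {r['control_rate']:.1%}, social {r['social_rate']:.1%}, "
          f"chi2 = {r['chi2']:.1f}, p = {r['p']:.2e}")
```

The same function applied to a sender-gender table with near-identical rows returns a p close to 1, which is the shape of the "not significant (p = 0.3)" sender result; the receiver-gender and control-vs-social comparisons are where the expected counts diverge from the observed ones.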

Result (cont.)

Demographics: younger targets were slightly more vulnerable, and students in science majors seemed to be the least vulnerable group.

Subjects and participants were invited to the project web site and blog; there were 30 complaints (1.7%).


Result (cont.)


Figure 3: Success rate of the phishing attack by target class (t-test: differences in success rates are significant for all classes, p <= 0.01) and by target major (t-test: differences in success rates are significant for all majors, p <= 0.02).

Result (cont.)

Reactions from victims

Anger: some called for the researchers conducting the study to be fired. This reveals that phishing also carries a significant psychological cost for victims.

Denial: no posted comment included an admission of having become a victim, and many posts stated that the poster would never fall for such an attack. People find it difficult to admit their own vulnerability, which makes phishing success rates derived from surveys severely underestimated.


Result (cont.)

Reactions from victims (cont.)

Misunderstanding of email: victims believed their email account had been hacked, overestimating the security and privacy of email.

Underestimating the dangers of publicly posted personal information: victims did not know how the researchers obtained their email address, or objected that their privacy had been violated by access to their posted information. Some believe the information on social networking sites is not public.


Conclusion

To reduce the success rate of social phishing: digitally signed email, browser toolbars, and extensive educational campaigns are needed.

Phishing has become such a prevalent problem because of huge profit margins, the ease of performing an attack, and the difficulty of bringing those responsible to justice.

Social networks can provide phishers with a wealth of information about unsuspecting victims.

Thank you!

For more information about this paper, please visit: http://www.indiana.edu/~phishing/social-network-experiment/


