Social Phishing
Tom N. Jagatic, Nathaniel A. Johnson, Markus Jakobsson, Filippo Menczer
Presenter: Ieng-Fat Lam
Date: 2007/4/1
Paper to present
• Jagatic, T.N., Johnson, N.A., Jakobsson, M. and Menczer, F. “Social Phishing”, Communications of the ACM, Vol. 50, No. 10, pp. 94–100, ACM Press, New York, NY, USA, 2007
• Tom N. Jagatic, Massachusetts Institute of Technology
• Nathaniel A. Johnson, Indiana University, Bloomington
• Markus Jakobsson, Indiana University, Bloomington
• Filippo Menczer, Indiana University, Bloomington
Outline
• Motivation
• Method
• Experiment
• Results
• Conclusion
Motivation
• Phishing cases are growing
  • 19% clicked on a link to a phishing site
  • 3% admitted providing financial information
• Phishers are getting smarter
  • Notifying the victim of a “security threat” and asking for personal information to “solve the problem”
• Spear phishing and context-aware phishing
  • Gain the victim's trust by showing bidding history or shopping preferences
  • Inferred browsing history and mother's maiden name
Motivation (cont.)
• Growing number of social networking sites: Myspace, Facebook, Orkut, LinkedIn
• Identified “circles of friends” allow a phisher to harvest large amounts of reliable social network information
Motivation (cont.)
• Phishing attacks take advantage of both technical and social vulnerabilities
• We discuss how phishing attacks can be honed by means of publicly available personal information from social networks
• The question we ask: how easily and effectively can a phisher exploit social networks found on the Internet to increase the yield of a phishing attack?
Motivation (cont.)
• The answer: very easily and very effectively
• Internet users may be over four times as likely to become a victim if they are solicited by someone appearing to be a known acquaintance
Method
• Harvested freely available acquaintance data
  • Crawled social networking sites using the Perl LWP library (libwww-perl)
  • Focused on a subset of targets affiliated with Indiana University (IU), cross-correlating the data with IU's address book database
• Launched an actual (but harmless) phishing attack
  • Targeting IU students aged 18 to 24, sampled to represent typical phishing victims
  • To quantify, in an ethical manner, how much reliable social context increases the success of a phishing attack
Method (cont.)
Figure 1: Illustration of the phishing experiment
Method (cont.)
Phishing experiment
1. Blogging, social network, and other public data is harvested
2. Data is correlated and stored in a relational database
3. Heuristics are used to craft a spoofed e-mail message by Eve “as Alice” to Bob (a friend)
4. The message is sent to Bob
5. Bob follows the link contained in the e-mail message and is sent to an unchecked redirect
6. Bob is sent to the attacker's whuffo.com site
7. Bob is prompted for his university credentials
8. Bob's credentials are verified with the university authenticator
  a. Bob is successfully phished
  b. Bob is not phished in this session; he could try again
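Step 5 is the link in the chain that a site owner can break. An unchecked (open) redirect is an endpoint that forwards the browser to whatever URL it is handed, so the link in the mail can display one host while the landing page is whuffo.com (step 6). The following is an added example, not code from the paper or from IU: the weak pattern next to a checked version in Python. The ALLOWED_HOSTS names, the `/` fallback and the `?next=` parameter are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the application lives under these names and
# sends users to "/" whenever a redirect target cannot be trusted.
ALLOWED_HOSTS = frozenset({"www.indiana.edu", "indiana.edu"})
DEFAULT_TARGET = "/"


def unchecked_redirect_target(next_param: str) -> str:
    """The weak pattern behind step 5: the browser goes wherever ?next= says.

    A mailed link such as https://www.indiana.edu/go?next=http://whuffo.com/
    displays a trusted host and still lands on the phishing site.
    """
    return next_param


def checked_redirect_target(next_param: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened form: only site-relative paths or allow-listed https hosts.

    Every other input (other hosts, other schemes, protocol-relative or
    backslash-prefixed paths, userinfo tricks, unparsable URLs) falls back
    to DEFAULT_TARGET, so a ?next= value can never leave the site.
    """
    if not next_param:
        return DEFAULT_TARGET
    try:
        parts = urlsplit(next_param)
    except ValueError:  # e.g. a malformed IPv6 literal
        return DEFAULT_TARGET

    if not parts.scheme and not parts.netloc:
        # Site-relative path. Browsers read "//host" and "/\host" as a
        # host change, so require one "/" followed by something else.
        path = parts.path
        if path.startswith("/") and not path.startswith(("//", "/\\")):
            return next_param
        return DEFAULT_TARGET

    # Absolute URL: https only, exact host match. .hostname drops userinfo
    # ("https://www.indiana.edu@whuffo.com/") and the port, and lower-cases.
    if parts.scheme != "https" or not parts.hostname:
        return DEFAULT_TARGET
    if parts.hostname not in allowed_hosts:
        return DEFAULT_TARGET
    return next_param


if __name__ == "__main__":
    for candidate in (
        "/courses/123?term=spring",
        "https://www.indiana.edu/grades",
        "http://whuffo.com/login",
        "//whuffo.com/login",
        "/\\whuffo.com",
        "https://www.indiana.edu@whuffo.com/",
        "https://indiana.edu.whuffo.com/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:40} unchecked -> {unchecked_redirect_target(candidate)!r:40} "
              f"checked -> {checked_redirect_target(candidate)!r}")
```

The allow-list is matched on the parsed hostname rather than by string prefix, which is what defeats the `trusted.edu.attacker.example` and `trusted.edu@attacker.example` variants; a prefix check on the raw string would pass both.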
Method (cont.)
• Social network group
  • Spoofed e-mail between two friends, Alice and Bob
  • Bob was redirected to a phishing site with a domain name distinct from IU's
  • The site prompted Bob to enter university credentials
• Control group
  • Subjects received the same message from an unknown, fictitious person with a university e-mail address
Result
• Relatively high success rate in the control group (16%)
  • Even this message carried subtle context: the sender's university e-mail address and the hyperlink shown
• The social network group is much higher (72%)
  • Consistent with the “grade report” experiment (Ferguson, 2005): 80% of cadets were deceived by a link to a grade report
• Table 1: Results of the social network phishing attack and control experiment. By t-test, the difference is highly significant (p < 10⁻²⁵)
Result (cont.)
• Phishing site's access log
  • 70% of successful authentications occurred in the first 12 hours
  • Supports the importance of rapid takedown
  • Some users visited the site over 80 times
• The social context of the attack leads people to overlook important rules
Result (cont.)
• Figure 2
  • Unique visits and authentications per hour
  • Distributions of repeat authentications and refreshes of authenticated users (victims who successfully authenticated were shown a fake message indicating the server was overloaded and asking them to try again later)
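The numbers on the previous two slides (70% of authentications in the first 12 hours, some victims returning more than 80 times, Figure 2's per-hour and repeat-login distributions) are what a responder pulls from a seized phishing kit's web log to argue for fast takedown. The following is an added example, not the authors' analysis code, that computes those quantities over a constructed Apache-format log. The campaign start time, the `/login` path and the rule that a 302 answer to a POST marks a verified login are assumptions for the sample; the sample's counts are built to mirror the paper's 70% figure, not taken from its data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One Apache "combined" access-log line looks like
# 10.0.0.5 - - [18/Apr/2005:09:14:02 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions for this example (the paper does not publish its log layout):
LOGIN_PATH = "/login"                 # the kit's credential form
AUTH_OK_STATUS = 302                  # verified login -> redirect to the fake
                                      # "server overloaded" page (Figure 2)
TAKEDOWN_WINDOW = timedelta(hours=12)
CAMPAIGN_START = datetime(2005, 4, 18, 9, 0, tzinfo=timezone(timedelta(hours=-5)))

# Constructed sample log: 10 verified logins, 7 inside the first 12 hours
# (mirroring the paper's 70%), one victim (10.0.0.9) logging in three times,
# one failed attempt (401), and three late stragglers.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2005:09:14:02 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Apr/2005:09:14:40 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [18/Apr/2005:09:52:10 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.6 - - [18/Apr/2005:09:53:01 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Apr/2005:11:30:00 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Apr/2005:11:31:15 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:05:00 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:05:30 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:06:00 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:06:20 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:07:00 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2005:13:07:30 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - - [18/Apr/2005:15:00:00 -0500] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.8 - - [18/Apr/2005:15:00:45 -0500] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.8 - - [18/Apr/2005:15:01:30 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.10 - - [19/Apr/2005:08:00:30 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.11 - - [20/Apr/2005:10:00:00 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.12 - - [21/Apr/2005:12:00:00 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields this analysis needs, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_successful_auth(rec: dict) -> bool:
    return (rec["method"] == "POST" and rec["path"] == LOGIN_PATH
            and rec["status"] == AUTH_OK_STATUS)


def analyse(log_text: str, campaign_start: datetime) -> dict:
    """Time-to-authentication and repeat-visit figures behind the slide."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    auths = [r for r in records if is_successful_auth(r)]
    within = [r for r in auths if r["ts"] - campaign_start <= TAKEDOWN_WINDOW]
    hour = timedelta(hours=1)
    return {
        "successful_auths": len(auths),
        "within_window": len(within),
        "fraction_within_window": len(within) / len(auths) if auths else 0.0,
        # hour index since the mails went out -> verified logins in that hour
        "auths_per_hour": dict(Counter((r["ts"] - campaign_start) // hour for r in auths)),
        "auths_per_client": dict(Counter(r["client"] for r in auths)),
        "visits_per_client": dict(Counter(r["client"] for r in records)),
    }


def repeat_distribution(auths_per_client: dict) -> dict:
    """How many victims authenticated once, twice, ... (Figure 2, right panel)."""
    return dict(Counter(auths_per_client.values()))


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, CAMPAIGN_START)
    print(f"{result['within_window']}/{result['successful_auths']} verified logins "
          f"within {TAKEDOWN_WINDOW} ({result['fraction_within_window']:.0%})")
    print("logins per hour since send:", result["auths_per_hour"])
    print("repeat-login distribution:", repeat_distribution(result["auths_per_client"]))
    busiest = max(result["visits_per_client"].items(), key=lambda kv: kv[1])
    print("most visits by one client:", busiest)
```

Counting on the verified-login response rather than on GET hits is what separates victims from crawlers, mail scanners and curious colleagues; a real kit log would also need the client field de-duplicated against NAT and proxy addresses before the per-client counts mean anything.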
Result (cont.)
• Gender of the subjects who fell victim
  • Females were more likely to become victims
  • The attack is more successful if the spoofed message is sent by the opposite gender
• Table 2: Gender effects. The harvested profiles of potential subjects showed a male/female ratio close to that of the general student population (18,294 males and 19,527 females)
• χ² test: the gender of the sender did not have a significant effect on the success rate (p = 0.3); the gender of the receiver was significant (p < 0.005); the combination of sender and receiver genders was also significant (p < 0.004)
Result (cont.)
• Demographics
  • Younger targets were slightly more vulnerable
  • Students in science majors seemed to be the least vulnerable group
• Subjects and participants were invited to the project web site and blog
  • 30 complaints (1.7%)
Result (cont.)
• Figure 3
  • Success rate of the phishing attack by target class. t-test: differences in success rates are significant for all classes (p ≤ 0.01)
  • Success rate of the phishing attack by target major. t-test: differences in success rates are significant for all majors (p ≤ 0.02)
Result (cont.)
• Reactions from victims
  • Anger: some called for the researchers conducting the study to be fired; this reveals that phishing also carries a significant psychological cost for victims
  • Denial: no posted comment included an admission of having been a victim; many posts stated that the writer would never fall for such an attack
  • People find it difficult to admit their own vulnerability, so phishing success rates from surveys are severely underestimated
Result (cont.)
• Reactions from victims (cont.)
  • Misunderstanding of e-mail: believed their e-mail account had been hacked; overestimated the security and privacy of e-mail
  • Underestimated the dangers of publicly posted personal information: did not know how the researchers obtained their e-mail address, or objected that their privacy had been violated by accessing their posted information; some believed that information on social network sites is not public
Conclusion
• To reduce the success rate of social phishing
  • Digitally signed e-mail
  • Browser toolbars
  • Need for extensive educational campaigns
• Phishing has become such a prevalent problem due to
  • Huge profit margins
  • Ease of performing an attack
  • Difficulty bringing those responsible to justice
• Social networks can provide phishers with a wealth of information about unsuspecting victims
Thank you!
For more information about this paper, please visit: http://www.indiana.edu/~phishing/social-network-experiment/