Social Phishing
Tom N. Jagatic, Nathaniel A. Johnson, Markus Jakobsson, Filippo Menczer
Presenter: Ieng-Fat Lam
Date: 2007/4/1
Paper to present: Jagatic, T.N., Johnson, N.A., Jakobsson, M. and Menczer, F. "Social Phishing", Communications of the ACM, Vol. 50, No. 10, pp. 94-100, ACM Press, New York, NY, USA, 2007
Tom N. Jagatic Massachusetts Institute of Technology
Nathaniel A. Johnson Indiana University, Bloomington
Markus Jakobsson Indiana University, Bloomington
Filippo Menczer Indiana University, Bloomington
Motivation
• Phishing cases are growing
  - 19% of surveyed users clicked on a link to a phishing site
  - 3% admitted providing financial information
• Phishers are getting smarter
  - Notifying the victim of a "security threat", then asking for personal information to "solve the problem"
• Spear phishing and context-aware phishing
  - Gain the victim's trust by showing bidding history, shopping preferences, inferred browsing history, or the victim's mother's maiden name
Motivation (cont.)
• Growing number of social networking sites: MySpace, Facebook, Orkut, LinkedIn
• Identified "circles of friends" allow a phisher to harvest large amounts of reliable social network information
Motivation (cont.)
• Phishing attacks take advantage of both technical and social vulnerabilities
• We discuss how phishing attacks can be honed by means of publicly available personal information from social networks
• The question we ask: how easily and effectively can a phisher exploit social networks found on the Internet to increase the yield of a phishing attack?
Motivation (cont.)
• The answer: very easily and very effectively
• Internet users may be over four times as likely to become a victim if they are solicited by someone appearing to be a known acquaintance
Method
• Harvested freely available acquaintance data by crawling social networking sites using the Perl LWP library (libwww-perl)
• Focused on a subset of targets affiliated with Indiana University (IU), cross-correlating the harvested data with IU's address book database
• Launched an actual (but harmless) phishing attack targeting IU students aged 18 to 24, sampled to represent typical phishing victims
• Goal: to quantify, in an ethical manner, how much reliable social context increases the success of a phishing attack
Method (cont.)
Phishing experiment
1. Blogging, social network, and other public data is harvested
2. Data is correlated and stored in a relational database
3. Heuristics are used to craft a spoofed email message by Eve "as Alice" to Bob (a friend of Alice)
4. The message is sent to Bob
5. Bob follows the link contained within the email message and is sent to an unchecked redirect
6. Bob is sent to the attacker's whuffo.com site
7. Bob is prompted for his University credentials
8. Bob's credentials are verified with the University authenticator
9. a. Bob is successfully phished
   b. Bob is not phished in this session; he could try again
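Step 5 turns on an unchecked redirect: the link in the mail points at a trusted host, which then forwards the browser to the attacker's site. The following is an added example, not code from Jagatic et al., showing the unchecked handler next to a hardened one. The host names portal.iu.example, mail.iu.example and whuffo.example are placeholders for the trusted university host, an allow-listed peer and the attacker's site, and the next parameter name is an assumption.

```python
"""Unchecked redirect (step 5 above) next to a hardened version.

Added example; this is not code from the paper. The host names
portal.iu.example, mail.iu.example and whuffo.example are placeholders,
and the 'next' query parameter name is an assumption.
"""
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOST = "portal.iu.example"                        # host serving /redirect
ALLOWED_HOSTS = {"portal.iu.example", "mail.iu.example"}  # destinations we permit
SAFE_LANDING = "https://portal.iu.example/"               # used when 'next' is rejected


def vulnerable_redirect(next_param: str) -> str:
    """Unchecked redirect: the browser is sent wherever 'next' points.

    A phisher mails https://portal.iu.example/redirect?next=https://whuffo.example/login;
    the visible link is on a university host, the landing page is not.
    """
    return next_param


def hardened_redirect(next_param: str) -> str:
    """Follow 'next' only when it is a relative path on this host or an
    https URL whose host is allow-listed; otherwise go to SAFE_LANDING."""
    # Browsers treat '\' as '/' in URLs, so normalise before parsing to keep
    # '/\evil.example' from slipping past the relative-path check below.
    candidate = next_param.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 brackets
        return SAFE_LANDING

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: accept '/path?query', reject '//host' forms.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("https", TRUSTED_HOST, parts.path, parts.query, ""))
        return SAFE_LANDING

    if parts.scheme != "https":
        return SAFE_LANDING     # blocks http:, javascript:, data:, and '//host'

    # .hostname drops userinfo ('trusted@evil') and the port, and lower-cases.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return SAFE_LANDING
    # Rebuild the URL from validated parts only; the fragment is dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    attack = "https://whuffo.example/login"
    for name, fn in (("vulnerable", vulnerable_redirect), ("hardened", hardened_redirect)):
        print(f"{name:10s} next={attack!r} -> {fn(attack)}")
```

The hardened handler compares the parsed hostname, not the raw string, so the usual bypasses (userinfo before an '@', a leading '//', a backslash, a scheme other than https) all fall back to the safe landing page.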
Method (cont.)
• Social network group: a spoofed email between two friends, Alice and Bob. Bob was redirected to a phishing site with a domain name distinct from IU; the site prompted Bob to enter his university credentials
• Control group: subjects received the same message from an unknown, fictitious person with a university email address
Result
• Relatively high success in the control group (16%): subtle context (a university sender email address and the hyperlink shown) still lent the message credibility
• Social network group was much higher (72%)
  - Consistent with the "grade report" experiment (Ferguson, 2005), in which 80% of cadets were deceived by a link to a grade report
Table 1: Results of the social network phishing attack and control experiment. From a t-test, the difference is very significant (p < 10^-25)
Result (cont.)
• Phishing site's access log: 70% of successful authentications occurred in the first 12 hours, which supports the importance of rapid takedown
• Some users visited the site over 80 times
• The social context of the attack leads people to overlook important rules
Result (cont.)
Figure 2: Unique visits and authentications per hour. Distributions of repeat authentications and refreshes of authenticated users. (Victims who successfully authenticated were shown a fake message indicating the server was overloaded and asking them to try again later.)
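The two access-log observations above (the share of first logins inside the first 12 hours, and victims who re-authenticate many times after the "server overloaded" message) come from exactly the kind of analysis below. This is an added example, not the paper's code or data: the log lines are constructed, and the line format (ISO timestamp, victim id, method, path, event) and the LAUNCH time are assumptions for the example.

```python
"""Timing and repeat-visit analysis of a phishing site's access log.

Added example; not the paper's code or data. The log lines below are
constructed, and the line format (ISO timestamp, victim id, method, path,
event) and the LAUNCH time are assumptions for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LAUNCH = datetime(2005, 4, 21, 10, 0, 0)  # assumed time the spoofed mail was sent

# Constructed sample. 'auth_ok' = credentials accepted by the university
# authenticator; 'auth_fail' = rejected; 'visit' = any other hit. u1 keeps
# re-submitting after being told the server is overloaded.
SAMPLE_LOG = """\
2005-04-21T10:02:11 u1 GET /login visit
2005-04-21T10:02:40 u1 POST /login auth_ok
2005-04-21T10:03:05 u1 GET /login visit
2005-04-21T10:05:30 u1 POST /login auth_ok
2005-04-21T10:10:02 u1 POST /login auth_ok
2005-04-21T11:30:44 u2 GET /login visit
2005-04-21T11:31:10 u2 POST /login auth_ok
2005-04-21T13:00:00 u3 GET /login visit
2005-04-21T13:01:15 u3 POST /login auth_fail
2005-04-21T21:00:09 u3 POST /login auth_ok
2005-04-22T03:00:00 u4 GET /login visit
2005-04-22T03:01:20 u4 POST /login auth_ok
2005-04-22T09:00:00 u5 GET /login visit
2005-04-22T09:00:30 u5 POST /login auth_ok
"""


def parse_log(text):
    """Return (timestamp, victim, event) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, victim, _method, _path, event = line.split()
        records.append((datetime.fromisoformat(ts), victim, event))
    return records


def first_auth_times(records):
    """Earliest successful authentication per victim."""
    first = {}
    for ts, victim, event in records:
        if event == "auth_ok" and (victim not in first or ts < first[victim]):
            first[victim] = ts
    return first


def share_of_first_auths_within(records, launch, hours):
    """Fraction of victims whose first successful login fell within `hours`
    of launch: the number behind the takedown-speed argument."""
    first = first_auth_times(records)
    if not first:
        return 0.0
    cutoff = launch + timedelta(hours=hours)
    return sum(1 for t in first.values() if t <= cutoff) / len(first)


def auths_per_victim(records):
    """How many times each victim submitted valid credentials."""
    return Counter(v for _ts, v, e in records if e == "auth_ok")


def unique_visitors_per_hour(records, launch):
    """Distinct victims seen in each hour after launch (cf. Figure 2, top)."""
    buckets = defaultdict(set)
    for ts, victim, _e in records:
        buckets[int((ts - launch).total_seconds() // 3600)].add(victim)
    return {h: len(s) for h, s in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("first auths within 12h:", share_of_first_auths_within(recs, LAUNCH, 12))
    print("auths per victim:", dict(auths_per_victim(recs)))
    print("unique visitors per hour:", unique_visitors_per_hour(recs, LAUNCH))
```

On the constructed sample, three of five victims first authenticate inside the 12-hour window and u1 submits valid credentials three times; on a real log the same functions give the takedown-window share and the repeat-authentication distribution directly.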
Result (cont.)
• Gender of the subjects who fell victim: females were more likely to become victims
• The attack is more successful if the spoofed message is sent by someone of the opposite gender
Table 2: Gender effects. The harvested profiles of potential subjects identified a male/female ratio close to that of the general student population (18,294 males and 19,527 females).
χ² test: the gender of the sender did not have a significant effect on the success rate (p = 0.3); the gender of the receiver was significant (p < 0.005); the combination of sender and receiver genders was also significant (p < 0.004)
Result (cont.)
• Demographics: younger targets were slightly more vulnerable; students in science majors seemed to be the least vulnerable group
• Subjects and participants were invited to the project web site and blog; 30 complaints (1.7%) were received
Result (cont.)
Figure 3: Success rate of the phishing attack by target class (t-test: differences in success rates are significant for all classes, p <= 0.01) and by target major (t-test: differences in success rates are significant for all majors, p <= 0.02)
Result (cont.)
Reactions from victims
• Anger
  - Called for the researchers conducting the study to be fired
  - Reveals that phishing also has a significant psychological cost to victims
• Denial
  - No posted comments included an admission of having become a victim
  - Many posts stated that the poster would never fall for such an attack
  - People find it difficult to admit their own vulnerability, so phishing success rates from surveys are severely underestimated
Result (cont.)
Reactions from victims (cont.)
• Misunderstanding of email
  - Believed their email account had been hacked
  - Overestimated the security and privacy of email
• Underestimated the dangers of publicly posted personal information
  - Did not know how the researchers obtained their email address, or objected that their privacy had been violated by access to their posted information
  - Some believed the information on social networking sites is not public
Conclusion
• To reduce the success rate of social phishing: digitally signed email, browser toolbars, and extensive educational campaigns
• Phishing has become such a prevalent problem due to huge profit margins, the ease of performing an attack, and the difficulty of bringing those responsible to justice
• Social networks can provide phishers with a wealth of information about unsuspecting victims