Presentation is loading. Please wait.

Presentation is loading. Please wait.

Social Phishing Tom N. Jagatic Nathaniel A. Johnson Markus Jakobsson Filippo Menczer Presenter: Ieng-Fat Lam Date: 2007/4/1.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Social Phishing Tom N. Jagatic Nathaniel A. Johnson Markus Jakobsson Filippo Menczer Presenter: Ieng-Fat Lam Date: 2007/4/1."— Presentation transcript:

1 Social Phishing Tom N. Jagatic Nathaniel A. Johnson Markus Jakobsson Filippo Menczer Presenter: Ieng-Fat Lam Date: 2007/4/1

2 Paper to present Jagatic, T.N. and Johnson, N.A. and Jakobsson, M. and Menczer, F. “Social Phishing”, Communications of the ACM, V0l. 50, No. 10, pp. 94—100, ACM Press New York, NY, USA, 2007 Tom N. Jagatic Massachusetts Institute of Technology Nathaniel A. Johnson Indiana University, Bloomington Markus Jakobsson Indiana University, Bloomington Filippo Menczer Indiana University, Bloomington 2

3 Outline Motivation Method Experiment Results Conclusion 3

4 Motivation Phishing case are growing 19% clicked on link to phishing site 3% admitted provided financial information Phishers are getting smarter Notifying the victim of a “Security Threat” And ask for personal information to “solve the problem” Spear phishing and context-aware phishing Gain trust of victim by showing bidding history shopping preference Inferred browse history and mother’s maiden name 4

5 Motivation (cont.) Growing number of social networking sites Myspace Facebook Orkut LinkedIn Identified “Circles of friends” Allow a phisher to harvest large amounts of reliable social network information 5

6 Motivation (cont.) Phishing Attacks take advantage of Both technical and social vulnerabilities We discuss How phishing attacks can be honed By means of publicity available personal information from social networks ? The question we ask is How easily and effectively can a phisher exploit social network found on the Internet to increase the yield of a phishing attack ? 6

7 Motivation (cont.) The answer is Very easily and very effectively Internet users May be over four times as likely to become a victim If they are solicited by someone appearing to be a known acquaintance 7

8 Method Harvested freely available acquaintance data Crawl social networking sites Using Perl LWP library (libwww-perl) Focused on a subset of targets Affiliated with Indiana University (IU) Cross-correlating the data with IU’s address book DB Launch an actual (but harmless) phishing attack Targeting IU students aged 18 to 24 years old Sampled to represent typical phishing victims To quantify, in an ethical manner How reliable social context would increase the success of phishing attack 8

9 Method (cont.) 9 Figure1: Illustration of phishing experiment

10 Method (cont.) Phishing experiment 1. Blogging, social network, and other public data is harvested 2. Data is correlated and stored in a relational database 3. Heuristics are used to craft spoofed email message by Eve “as Alice” to Bob (a friend) 4. Message is sent to Bob 5. Bob follows the link contained within the email message and is sent to an unchecked redirect 6. Bob is sent to attacker whuffo.com site 7. Bob is prompted for his University credentials 8. Bob’s credentials are verified with the University authenticator 9. a. Bob is successfully phished b. Bob is not phished in this session; he could try again. 10

11 Method (cont.) Social Network Group Spoofed email between two friends, Alice and Bob Bob was redirected to a phishing site with domain name distinct from IU The site prompt Bob to enter university credentials. Control Group Subjects received same message From unknown fictitious ( 虛構 ) person with university email 11

12 Result Relatively high success in control group (16%) Subtle ( 狡猾 ) context, sender’s email address, hyperlink showed Social network group is much higher (72%) Consistent with “grade report” experiment (Ferguson, 2005) 80% cadet were deceived by link of grade report 12 Table1: Results of the social network phishing attack and control experiment. From t-test, the difference is very significant (p < 10 -25 )

13 Result (cont.) Phisher site’s access log 70% of successful authentication occurred in first 12 hours Supports the importance of rapid takedown Some user visited the site over 80 times Social context of the attack leads peoples to overlook important rules 13

14 Result (cont.) 14 Figure2 Unique visits and authentications per hour. Distributions of repeat authentications and refreshes of authenticated users. ( victims who successfully authenticated were shown a fake message indicating the server was overloaded and asking them to try again later.)

15 Result (cont.) Gender of the subjects who fell victim Females were more likely to become victims The attack is more successful if spoof message sent by opposite gender 15 Table2: Gender effects. The harvest profiles of potential subjects identified a male/female ratio close to that of the general student population (18,294 males and 19,527 females) X 2 test: gender of the sender did not have significant effect on success rate (p = 0.3), gender of receiver was significant ( p <0.005), combination of sender-receiver genders also significant (p < 0.004)

16 Result (cont.) Demographics Younger targets being slightly more vulnerable Students in science major seemed to be the least vulnerable group Subjects and participants Are invited to project web site and blog 30 complains (1.7%) 16

17 Result (cont.) 17 Figure3 Success rate of phishing attack by target class. t-test: Difference in success rates are significant for all classes (p <= 0.01) Success rate of phishing attack by target major. t-test: Difference in success rates are significant for all majors (p <= 0.02)

18 Result (cont.) Reactions from victims Anger Called for the researchers conducting the study to be fired Revealed that phishing also a significant psychological cost to victims Denial No posted comments included an admission that become victim Many post states that they would never fall in such attack People are difficult to admit their own vulnerability Making phishing success rates from surveys severely underestimated 18

19 Result (cont.) Reactions from victims (cont.) Misunderstanding of email Their email account is hacked Overestimate the security and privacy of email Underestimate the dangers of publicity posted personal information Don’t know how research obtain their email address Or object that privacy had been violated by access their posted information Some believe the information on social network sites is not public 19

20 Conclusion To reduce the success rate of social phishing Digitally signed email Using browser toolbar Need for extensive educational campaigns Phishing has become such a prevalent problem due to Huge profit margins Easy in performing an attack Difficulty bringing those responsible to justice Social networks Can provide phishers with a wealth of information about unsuspecting victims 20

21 Thank you! For more information about this paper, please visit: http://www.indiana.edu/~phishing/social-network-experiment/ 21

Download ppt "Social Phishing Tom N. Jagatic Nathaniel A. Johnson Markus Jakobsson Filippo Menczer Presenter: Ieng-Fat Lam Date: 2007/4/1."

Similar presentations

Using the Self Service BMC Helpdesk

Using the Self Service BMC Helpdesk
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.

All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.

SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.

Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
 2010 - Dr. Yair Levy & Dr. Michelle Ramim – Chais 2010, Israel – February 10, 2010. 1 Students’ Perceived Ethical Severity of e-Learning Security Attacks.

 Dr. Yair Levy & Dr. Michelle Ramim – Chais 2010, Israel – February 10, Students’ Perceived Ethical Severity of e-Learning Security Attacks.
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Information Assurance Outreach. Overview Survey Results Password Security E-mail Safety Internet Privacy Social Media Privacy and Safety Technology Demonstration.

Information Assurance Outreach. Overview Survey Results Password Security Safety Internet Privacy Social Media Privacy and Safety Technology Demonstration.
Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.

Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Chat with a librarian 24/7!. What is AskAway? AskAway is an interactive online service that allows you to chat with a librarian, much like Instant Messaging.

Chat with a librarian 24/7!. What is AskAway? AskAway is an interactive online service that allows you to chat with a librarian, much like Instant Messaging.
Website Content, Forms and Dynamic Web Pages. Electronic Portfolios Portfolio: – A collection of work that clearly illustrates effort, progress, knowledge,

Website Content, Forms and Dynamic Web Pages. Electronic Portfolios Portfolio: – A collection of work that clearly illustrates effort, progress, knowledge,
Friends of Switzerland1 The Changing Landscape of Programming Technology Karl Lieberherr Northeastern University.

Friends of Switzerland1 The Changing Landscape of Programming Technology Karl Lieberherr Northeastern University.
PHISHING AND SPAM EMAIL INTRODUCTION There’s a good chance that in the past week you have received at least one email that pretends to be from your bank,

PHISHING AND SPAM INTRODUCTION There’s a good chance that in the past week you have received at least one that pretends to be from your bank,
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Similar presentations

Ads by Google