Science Current Events | Science News | Brightsurf.com
 

Carnegie Mellon researchers fight phishing attacks with phishing tactics

October 03, 2007

Results will be presented this week at eCrime Researchers Summit

PITTSBURGH - Early findings by Carnegie Mellon University researchers suggest that people who are suckered by a spoof email into visiting a counterfeit Web site are also people who are ready to learn their lesson about "phishing" attacks.




Phishing attacks have become a common method for stealing personal identification information, such as bank account numbers and passwords. Lorrie Cranor, associate research professor of computer science, said phishing often is successful because many people ignore educational materials that otherwise might help them recognize such frauds.

But in a laboratory study, the researchers fought "phire with phire" and found that when they sent their own spoof email to users and tricked them into visiting an educational Web site, those people tended to learn and retain more of the lesson about how to spot phishing sites.

Ponnurangam Kumaraguru, a graduate student in the School of Computer Science's Institute for Software Research, will present the study results Friday, Oct. 5 at the Anti-Phishing Working Group's (APWG) eCrime Researchers Summit in Pittsburgh. The summit, sponsored by the APWG and hosted by Carnegie Mellon CyLab, includes leading industrial and academic practitioners in the field of electronic crime research.

In the study, three groups of 14 volunteers participated in role-playing exercises in which they processed email, which included a mix of phishing, spam and legitimate email. Those in the "embedded training" group, who were given anti-phishing educational materials after they had fallen for a phishing email, spent more than twice as much time studying the materials as those who were presented the materials without first being tricked. Those who were presented the materials without being tricked were no better at identifying phishing emails than those who received no anti-phishing educational materials. A week later, when the exercise was repeated, those in the embedded training group were significantly more successful in identifying phishing emails than those in the other two groups - 64 percent of phishing emails identified by the embedded training group versus 7 percent identified by the other two groups.

Cranor, director of the Carnegie Mellon Usable Privacy and Security Lab, said additional testing will be necessary to confirm these results. But the initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating computer users to protect themselves.

In addition to Cranor and Kumaraguru, the study team included faculty members Jason Hong and Alessandro Acquisti and graduate students Yong Rhee, Steve Sheng and Sharique Hasan. Their paper is available at http://www.ecrimeresearch.org/2007/proceedings/p70_kumaraguru.pdf.

According to the latest trend report for June, APWG detected 31,709 phishing Web sites, a drop of 6,000 from May, and 146 brands were hijacked, a slight decrease from May. But the number of unique phishing reports was 28,888 in June, up by more than 5,000 over May. The vast majority of attacks were in the financial services sector.

Carnegie Mellon University


