Carnegie Mellon researchers fight phishing attacks with phishing tactics

October 02, 2007

PITTSBURGH -- Early findings by Carnegie Mellon University researchers suggest that people who are suckered by a spoof email into visiting a counterfeit Web site are also people who are ready to learn their lesson about "phishing" attacks.

Phishing attacks have become a common method for stealing personal identification information, such as bank account numbers and passwords. Lorrie Cranor, associate research professor of computer science, said phishing often is successful because many people ignore educational materials that otherwise might help them recognize such frauds.

But in a laboratory study, the researchers fought "phire with phire" and found that when they sent their own spoof email to users and tricked them into visiting an educational Web site, those people tended to learn and retain more of the lesson about how to spot phishing sites.

Ponnurangam Kumaraguru, a graduate student in the School of Computer Science's Institute for Software Research, will present the study results Friday, Oct. 5 at the Anti-Phishing Working Group's (APWG) eCrime Researchers Summit in Pittsburgh. The summit, sponsored by the APWG and hosted by Carnegie Mellon CyLab, includes leading industrial and academic practitioners in the field of electronic crime research.

In the study, three groups of 14 volunteers participated in role-playing exercises in which they processed email that included a mix of phishing, spam and legitimate messages. Those in the "embedded training" group, who were given anti-phishing educational materials after they had fallen for a phishing email, spent more than twice as much time studying the materials as those who were presented the materials without first being tricked. Those who were presented the materials without being tricked were no better at identifying phishing emails than those who received no anti-phishing educational materials. A week later, when the exercise was repeated, those in the embedded training group were significantly more successful in identifying phishing emails than those in the other two groups -- 64 percent of phishing emails identified by the embedded training group versus 7 percent identified by the other two groups.

Cranor, director of the Carnegie Mellon Usable Privacy and Security Lab, said additional testing will be necessary to confirm these results. But the initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating computer users to protect themselves.

In addition to Cranor and Kumaraguru, the study team included faculty members Jason Hong and Alessandro Acquisti and graduate students Yong Rhee, Steve Sheng and Sharique Hasan. Their paper is available at http://www.ecrimeresearch.org/2007/proceedings/p70_kumaraguru.pdf.

According to the latest trend report for June, APWG detected 31,709 phishing Web sites, a drop of 6,000 from May, and 146 brands were hijacked, a slight decrease from May. But the number of unique phishing reports was 28,888 in June, up by more than 5,000 over May. The vast majority of attacks were in the financial services sector.

-end-

The eCrime Researchers Summit is Oct. 4-5 at the Holiday Inn Select University Center. Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm in Washington, D.C., will present a keynote address describing controversial security issues surrounding Massive Multiplayer Online Role-Playing Games (MMORPGs), such as World of Warcraft and Everquest. The summit will also feature a panel on political "phishing" -- the use of email phishing tactics to sabotage political opponents. For more information on the program, visit http://www.ecrimeresearch.org/2007/program.html.

About Carnegie Mellon: Carnegie Mellon is a private research university with a distinctive mix of programs in engineering, computer science, robotics, business, public policy, fine arts and the humanities. More than 10,000 undergraduate and graduate students receive an education characterized by its focus on creating and implementing solutions for real problems, interdisciplinary collaboration, and innovation. A small student-to-faculty ratio provides an opportunity for close interaction between students and professors. While technology is pervasive on its 144-acre Pittsburgh campus, Carnegie Mellon is also distinctive among leading research universities for the world-renowned programs in its College of Fine Arts. A global university, Carnegie Mellon has campuses in Silicon Valley, Calif., and Qatar, and programs in Asia, Australia and Europe. For more, see www.cmu.edu.

Carnegie Mellon University
