Phishing 2015

SoS Newsletter




Phishing remains a primary method for social engineering access to computers and information. Much research work has been done in this area in recent years. For the Science of Security community, phishing is relevant to the hard problem of human behavior. The works cited here were presented in 2015.

Lew May Form, Kang Leng Chiew, San Nah Sze, and Wei King Tiong, “Phishing Email Detection Technique by Using Hybrid Features,” IT in Asia (CITA), 2015 9th International Conference on, Kota Samarahan, 2015, pp. 1-5. doi:10.1109/CITA.2015.7349818
Abstract: Phishing emails are growing at an alarming rate in these few years. They have caused tremendous financial losses to internet users. Phishing techniques are getting more advanced every day, and this has created a great challenge for the existing anti-phishing techniques. Hence, in this paper, we propose to detect phishing emails through hybrid features. The hybrid features consist of content-based, URL-based, and behavior-based features. Based on a set of 500 phishing emails and 500 legitimate emails, the proposed method achieved an overall accuracy of 97.25% and an error rate of 2.75%. This promising result verifies the effectiveness of the proposed hybrid features in detecting phishing emails.
Keywords: Internet; computer crime; feature extraction; unsolicited e-mail; Internet users; URL-based features; antiphishing techniques; behavior-based features; content-based features; error rate; financial loss; hybrid features; phishing email detection technique; Browsers; Electronic mail; Feature extraction; IP networks; Security; Uniform resource locators; Anti-phishing; behavior-based; classification; emails (ID#: 16-10562)


B. Harrison, A. Vishwanath, Y. J. Ng, and R. Rao, “Examining the Impact of Presence on Individual Phishing Victimization,” System Sciences (HICSS), 2015 48th Hawaii International Conference on, Kauai, HI, 2015, pp. 3483-3489. doi:10.1109/HICSS.2015.419
Abstract: Research on phishing has implicated users’ heuristic processing as the reason why they fail to recognize deception cues and fall prey to phishing attacks. Other research on online behavior has found that the attributes of the medium activate heuristics that contribute to feelings of presence and enhance the persuasiveness of presented information. The deception literature has, however, yet to examine how such medium attributes lead to victimization in a phishing attack. The present research thus fills an important gap in the literature. The study explores how perceptions of presence in a phishing attack influence its victimization rate. This is examined using an experiment in which participants are subjected to a phishing attack where the amount of social presence in the email is manipulated. In contrast to subjects in the lean information conditions, those in the information-rich condition were more likely to heuristically process presence cues, leading to their victimization.
Keywords: behavioural sciences; computer crime; unsolicited e-mail; deception cues recognition; email; individual phishing victimization; medium activate heuristics; medium attributes; online behavior; phishing attack; presence impact; social presence; users heuristic processing; victimization rate; Analysis of variance; Context; Electronic mail; Graphics; Information processing; Media; Systematics; cognitive processing; heuristic processing; heuristic-systematic processing; information richness; lean media; online consumer psychology; online deception; online victimization; phishing; rich media (ID#: 16-10563)


M. L. Hale, R. F. Gamble, and P. Gamble, “CyberPhishing: A Game-Based Platform for Phishing Awareness Testing,” System Sciences (HICSS), 2015 48th Hawaii International Conference on, Kauai, HI, 2015, pp. 5260-5269. doi:10.1109/HICSS.2015.670
Abstract: Phishing attacks sap billions of dollars annually from unsuspecting individuals while compromising individual privacy. Companies and privacy advocates seek ways to better educate the populace against such attacks. Current approaches examining phishing include test-based techniques that ask subjects to classify content as phishing or not and in-the-wild techniques that directly observe subject behavior through distribution of faked phishing attacks. Both approaches have issues. Test-based techniques produce less reliable data since subjects may adjust their behavior with the expectation of seeing phishing stimuli, while in-the-wild studies can put subjects at risk through lack of consent or exposure of data. This paper examines a third approach that seeks to incorporate game-based learning techniques to combine the realism of in-the-wild approaches with the training features of testing approaches. We propose a three-phase experiment to test our approach on our CyberPhishing simulation platform, and present the results of phase one.
Keywords: Internet; computer crime; computer games; data privacy; unsolicited e-mail; CyberPhishing; game-based learning technique; in-the-wild approach; phishing awareness testing; privacy; test-based technique; Browsers; Degradation; Electronic mail; Games; Media; Testing; Training (ID#: 16-10564)


C. Schäfer, “Detection of Compromised Email Accounts Used for Spamming in Correlation with Mail User Agent Access Activities Extracted from Metadata,” Computational Intelligence for Security and Defense Applications (CISDA), 2015 IEEE Symposium on, Verona, NY, 2015, pp. 1-6. doi:10.1109/CISDA.2015.7208641
Abstract: Every day over 29 billion spam and phishing messages are sent. Commonly the spammers use compromised email accounts to send these emails, which accounted for 57.9 percent of the global email traffic in September 2014. Previous research has primarily focused on the fast detection of abused accounts to prevent the fraudulent use of servers. State-of-the-art spam detection methods generally need the content of the email to classify it as either spam or a regular message. This content is not available within the new type of encrypted phishing emails that have become prevalent since the middle of 2014. The object of the presented research is to detect the anomaly with Mail User Agent Access Activities, which is based on the special behaviour of how to send emails without the knowledge of the email content. The proposed method detects the abused account in seconds and therefore reduces the sent spam per compromised account to less than one percent.
Keywords: authorisation; computer crime; cryptography; meta data; unsolicited e-mail; abused account detection; compromised e-mail account detection; encrypted phishing e-mails; fraudulent server use prevention; global e-mail traffic; mail user agent access activity extraction; meta data; phishing messages; spamming; Authentication; Cryptography; IP networks; Postal services; Servers; Unsolicited electronic mail; MUAAA; Mail User Agent Access Activities; compromised email account; encrypted phishing; hacked; phishing; spam (ID#: 16-10565)


J. Jansen and R. Leukfeldt, “How People Help Fraudsters Steal Their Money: An Analysis of 600 Online Banking Fraud Cases,” Socio-Technical Aspects in Security and Trust (STAST), 2015 Workshop on, Verona, 2015, pp. 24-31. doi:10.1109/STAST.2015.12
Abstract: This paper presents an analysis of 600 phishing and malware incidents obtained from a Dutch bank. We observed from these cases that the behavior of customers in the fraudulent process entails giving away personal information to fraudsters. Phishing victimization occurred by responding to a false e-mail, a fraudulent phone call or a combination of these. Malware victimization occurred by responding to a pop-up and by installing a malicious application on a mobile device. Customers cooperated because the fraudulent messages were perceived professional and because they were not sufficiently suspicious. Our data suggests that customers have an active role in the fraudulent process. An interesting finding is that customers not always trusted the intention of the fraudster, but were mentally unable to stop the process. They did not read or pay attention to information on their screens that might have prevented the incident. We conclude this paper with recommendations for fraud mitigation strategies.
Keywords: Internet; bank data processing; computer crime; consumer behaviour; fraud; invasive software; unsolicited e-mail; customer behavior; fraud mitigation strategy; malware victimization; online banking fraud; phishing victimization; Databases; Electronic mail; Law enforcement; Malware; Online banking; cognitive aspects; customer behavior; deception; intervention; malware; phishing; victimization (ID#: 16-10566)


R. Divya and S. Muthukumarasamy, “An Impervious QR-Based Visual Authentication Protocols to Prevent Black-Bag Cryptanalysis,” Intelligent Systems and Control (ISCO), 2015 IEEE 9th International Conference on, Coimbatore, 2015, pp. 1-6. doi:10.1109/ISCO.2015.7282330
Abstract: Black-bag cryptanalysis is used to acquire the cryptographic secrets from the target computers and devices through burglary or covert installation of keylogging and Trojan horse hardware/software. To overcome black-bag cryptanalysis, secure authentication protocols are required. It mainly focuses on keylogging, where the keylogger hardware or software is used to capture the client's keyboard strokes to intercept the password. They consider various rootkits residing in PCs (Personal Computers) to observe the client's behavior that breaches the security. The QR code can be used to design the visual authentication protocols to achieve high usability and security. The two authentication protocols are the Time-based One-Time-Password protocol and the Password-based authentication protocol. Through accurate analysis, the protocols are proved to be robust to several authentication attacks. Also, by deploying these two protocols in real-world applications, especially in online transactions, the strict security requirements can be satisfied.
Keywords: QR codes; cryptographic protocols; invasive software; message authentication; QR code; QR-based visual authentication protocol; Trojan horse hardware/software; authentication attack; black-bag cryptanalysis; burglary; covert installation; cryptographic secret; keylogger hardware; keylogger software; keylogging; online transaction; password-based authentication protocol; personnel computer; secure authentication protocol; time based one-time-password protocol; Encryption; Hardware; Keyboards; Personnel; Protocols; Robustness; Android; Attack; Authentication; Black-bag cryptanalysis; Keylogging; Malicious code; Pharming; Phishing; Session hijacking; visualization (ID#: 16-10567)


W. R. Flores, H. Holm, M. Ekstedt, and M. Nohlberg, “Investigating the Correlation Between Intention and Action in the Context of Social Engineering in Two Different National Cultures,” System Sciences (HICSS), 2015 48th Hawaii International Conference on, Kauai, HI, 2015, pp. 3508-3517. doi:10.1109/HICSS.2015.422
Abstract: In this paper, we shed light on the intention-action relationship in the context of external behavioral information security threats. Specifically, external threats caused by employees’ social engineering security actions were examined. This was done by examining the correlation between employees’ reported intention to resist social engineering and their self-reported actions in hypothetical scenarios as well as observed action in a phishing experiment. Empirical studies including 1787 employees pertaining to six different organizations located in Sweden and the USA laid the foundation for the statistical analysis. The results suggest that employees’ intention to resist social engineering has a significant positive correlation of low to medium strength with both self-reported action and observed action. Furthermore, a significant positive correlation between social engineering actions captured through written scenarios and a phishing experiment was identified. Due to data being collected from employees from two different national cultures, an exploration of the potential moderating effect of national culture was also performed. Based on this analysis we identified that the examined correlations differ between Swedish and US employees. The findings make a methodological contribution to survey studies in the information security field, showing that intention and self-reported behavior using written scenarios can be used as proxies of observed behavior in certain cultural contexts rather than others. Hence, the results support managers operating in a global environment when assessing external behavioral information security threats in their organization.
Keywords: behavioural sciences computing; cultural aspects; human factors; personnel; security of data; social sciences computing; statistical analysis; Sweden; Swedish employees; US employees; USA; employee intention; employee social engineering security actions; external behavioral information security threats; information security field; intention-action correlation; intention-action relationship; national cultures; phishing experiment; self-reported action; self-reported behavior; statistical analysis; Context; Correlation; Cultural differences; Information security; Organizations; Resists (ID#: 16-10568)


Tien-Sheng Lin, I-Long Lin, and Fang-Yie Leu, “Constructing Military Smartphone Usage Criterion of Cloud-DEFSOP for Mobile Security,” Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2015 9th International Conference on, Blumenau, 2015, pp. 420-425. doi:10.1109/IMIS.2015.90
Abstract: Currently, several cloud security threats on smartphones can be found. They often cause users serious financial loss or bring a bad reputation to a company or an institute. To detect malicious behaviors on smartphones, the Taiwan military office sets up a measure on cloud-based instruction detection to prevent mobile devices from possible attacks, for example, phishing and man-in-the-middle attacks. This study designs information security measures which are derived from the digital evidence forensics standard operating procedure (DEFSOP) and constructs a military smartphone usage criterion. In cloud computing, digital forensics on smartphones deals with device-related preservation, identification, collection, recording and interpretation of digital evidence. In order to keep the original digital evidence on the smartphone so as to be accepted by a court judge, the identification process needs to be legal, since the integrity of the forensic result will be the major referenced evidence in the court. Basically, the process that we developed in the previous study satisfies the principle of ISO 27001. But our newly developed mobile DEFSOP has met ISO 27037 with the IACC principle, including integrity, accuracy, consistency, and compliance.
Keywords: cloud computing; digital forensics; military communication; smart phones; IACC principle; ISO 27037; Taiwan military office; cloud security threats; cloud-based instruction detection; construct military smartphone usage criterion; digital evidence forensics standard operating procedure; forensic result integrity; information security measures; malicious behaviors; man-in-the-middle attacks; mobile DEFSOP; mobile devices; phishing; Computers; Forensics; Information security; Military computing; Mobile handsets; Object recognition; Cloud security threats; DEFSOP; IACC; instruction detection (ID#: 16-10569)


N. Stembert, A. Padmos, M. S. Bargh, S. Choenni, and F. Jansen, “A Study of Preventing Email (Spear) Phishing by Enabling Human Intelligence,” Intelligence and Security Informatics Conference (EISIC), 2015 European, Manchester, 2015, pp. 113-120. doi:10.1109/EISIC.2015.38
Abstract: Cyber criminals use phishing emails in high volume and spear phishing emails in low volume to achieve their malicious objectives. Hereby they inflict financial, reputational, and emotional damages on individuals and organizations. These (spear) phishing attacks get steadily more sophisticated as cyber criminals use social engineering tricks that combine psychological and technical deceptions to make malicious emails as trustworthy as possible. Such sophisticated (spear) phishing emails are hard for email protection systems to detect. Security researchers have studied users’ ability to perceive, identify and react upon email (spear) phishing attacks. In this study we have surveyed recent works on understanding how to prevent end-users from falling for email (spear) phishing attacks. Based on the survey we design and propose a novel method that combines the interaction methods of reporting, blocking, warning, and embedded education to harness the intelligence of expert and novice users in a corporate environment in detecting email (spear) phishing attacks. We evaluate the design based on a qualitative study, in three experimental steps, by using a mockup prototype, and with 24 participants. We report on the insights gained, indicating that the proposed combination of the interaction methods is promising, and on future research directions.
Keywords: computer crime; human computer interaction; unsolicited e-mail; blocking; embedded education; human intelligence; interaction methods; reporting; spear phishing attacks; spear phishing emails; warning; Context; Electronic mail; Security; Sensors; Software; Training (ID#: 16-10577)


Chih-Hung Lin, Chin-Wei Tien, Chih-Wei Chen, Chia-Wei Tien, and Hsing-Kuo Pao, “Efficient Spear-Phishing Threat Detection Using Hypervisor Monitor,” Security Technology (ICCST), 2015 International Carnahan Conference on, Taipei, 2015, pp. 299-303. doi:10.1109/CCST.2015.7389700
Abstract: In recent years, cyber security threats have become increasingly dangerous. Hackers have fabricated fake emails to spoof specific users into clicking on malicious attachments or URL links in them. This kind of threat is called a spear-phishing attack. Because spear-phishing attacks use unknown exploits to trigger malicious activities, it is difficult to effectively defend against them. Thus, this study focuses on the challenges faced, and we develop a Cloud-threat Inspection Appliance (CIA) system to defend against spear-phishing threats. With the advantages of hardware-assisted virtualization technology, we use the CIA to develop a transparent hypervisor monitor that conceals the presence of the detection engine in the hypervisor kernel. In addition, the CIA also designs a document pre-filtering algorithm to enhance system performance. By inspecting PDF format structures, the proposed CIA was able to filter 77% of PDF attachments and prevent them from all being sent into the hypervisor monitor for deeper analysis. Finally, we tested CIA in real-world scenarios. The hypervisor monitor was shown to be a better anti-evasion sandbox than commercial ones. During 2014, CIA inspected 780,000 mails in a company with 200 user accounts, and found 65 unknown samples that were not detected by commercial anti-virus software.
Keywords: cloud computing; computer crime; document handling; invasive software; unsolicited e-mail; virtualisation; CIA; PDF format structures; URL links; antievasion sandbox; cloud-threat inspection appliance; commercial antivirus software; cyber security threats; detection engine; document prefiltering algorithm; fake emails; hackers; hardware-assisted virtualization technology; hypervisor kernel; malicious activities; malicious attachments; spear-phishing attack; spear-phishing threat detection; transparent hypervisor monitor; user accounts; Electronic mail; Malware; Monitoring; Portable document format; Virtual machine monitors; Virtualization; cyber security; hardware-assisted virtualization; hypervisor monitor; spear-phishing (ID#: 16-10578)


S. Zafar and M. B. Tiwana, “Discarded Hard Disks — A Treasure Trove for Cybercriminals: A Case Study of Recovered Sensitive Data from a Discarded Hard Disk,” Anti-Cybercrime (ICACC), 2015 First International Conference on, Riyadh, 2015, pp. 1-6. doi:10.1109/Anti-Cybercrime.2015.7351956
Abstract: The modern malware poses serious security threats because of its evolved capability of using staged and persistent attack while remaining undetected over a long period of time to perform a number of malicious activities. The challenge for malicious actors is to gain initial control of the victim's machine by bypassing all the security controls. The most favored bait often used by attackers is to deceive users through a trusting or interesting email containing a malicious attachment or a malicious link. To make the email credible and interesting the cybercriminals often perform reconnaissance activities to find background information on the potential target. To this end, the value of information found on the discarded or stolen storage devices is often underestimated or ignored. In this paper, we present the partial results of analysis of one such hard disk that was purchased from the open market. The data found on the disk contained highly sensitive personal and organizational data. The results from the case study will be useful in not only understanding the involved risk but also creating awareness of related threats.
Keywords: data protection; digital forensics; hard discs; invasive software; unsolicited e-mail; background information; cybercriminals; discarded hard disks; discarded storage devices; e-mail credibility; malicious activities; malicious actors; malicious attachment; malicious link; malware; reconnaissance activities; recovered sensitive data; security controls; security threats; sensitive-personal organizational data; stolen storage devices; trust management; Electronic mail; Hard disks; Malware; Media; Organizations; Software; Advanced Persistent Threat; Cybercrime; Data Recovery; Digital Forensics; Security and Privacy Awareness; Social Network Analysis; Spear-phishing (ID#: 16-10579)


M. C. Kotson and A. Schulz, “Characterizing Phishing Threats with Natural Language Processing,” Communications and Network Security (CNS), 2015 IEEE Conference on, Florence, 2015, pp. 308-316. doi:10.1109/CNS.2015.7346841
Abstract: Spear phishing is a widespread concern in the modern network security landscape, but there are few metrics that measure the extent to which reconnaissance is performed on phishing targets. Spear phishing emails closely match the expectations of the recipient, based on details of their experiences and interests, making them a popular propagation vector for harmful malware. In this work we use Natural Language Processing techniques to investigate a specific real-world phishing campaign and quantify attributes that indicate a targeted spear phishing attack. Our phishing campaign data sample comprises 596 emails - all containing a web bug and a Curriculum Vitae (CV) PDF attachment - sent to our institution by a foreign IP space. The campaign was found to exclusively target specific demographics within our institution. Performing a semantic similarity analysis between the senders’ CV attachments and the recipients’ LinkedIn profiles, we conclude with high statistical certainty (p < 10^-4) that the attachments contain targeted rather than randomly selected material. Latent Semantic Analysis further demonstrates that individuals who were a primary focus of the campaign received CVs that are highly topically clustered. These findings differentiate this campaign from one that leverages random spam.
Keywords: computer crime; computer network security; invasive software; natural language processing; statistical analysis; unsolicited e-mail; Web bug; curriculum vitae PDF attachment; foreign IP space; latent semantic analysis; malware; modern network security landscape; natural language processing; propagation vector; recipient LinkedIn profiles; semantic similarity analysis; sender CV attachments; spear phishing emails; spear phishing threat characterization; statistical certainty; Reconnaissance (ID#: 16-10580)


P. Wood, “A Simulated Criminal Attack,” Cyber Security for Industrial Control Systems, London, 2015, pp. 1-21. doi:10.1049/ic.2015.0007
Abstract: Presents a collection of slides covering the following topics: advanced attack; threat analysis; remote information gathering; on-site reconnaissance; spear phishing plan; spear phishing exercise; branch office attack plan; branch office attack exercise; head office attack plan; head office attack exercise.
Keywords: computer crime; firewalls; Red Team exercise; a simulated criminal attack; advanced attack; branch office attack exercise; branch office attack plan; head office attack exercise; head office attack plan; on-site reconnaissance; remote information gathering; spear phishing exercise; spear phishing plan; threat analysis (ID#: 16-10581)


N. Nassar and Li-Chiou Chen, “Multi Seed Authentication Using S/Key Scheme,” High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on, New York, NY, 2015, pp. 1225-1229. doi:10.1109/HPCC-CSS-ICESS.2015.104
Abstract: Although using both user name and password is predominantly the main solution for online authentication, it has several drawbacks such as the user's necessity to memorize different complex passwords, the need to renew passwords periodically, and the possibility of being a victim of spear phishing or social engineering. Most importantly, many users end up saving their passwords in a plain text file that could potentially be exploited. In this paper we propose a new method for web applications to enhance user authentication that is less dependent on end users’ memory of passwords. Our approach is to split the login process into two phases, an identification phase and an authentication phase. Both phases will depend mainly on multiple counts of random numbers to identify and authenticate the user. In this paper, we discuss our proposed method in section III. Section IV details our experiment, and the effectiveness of the proposed method is analyzed based on the simulation of a hypothesized corporate environment in section V.
Keywords: Internet; message authentication; S/Key scheme; Web applications; authentication phase; identification phase; login process; multiseed authentication; one-time password system; plain text file; social engineering; spear phishing; user authentication; Authentication; Computer science; Generators; Servers; Synchronization; Uniform resource locators; S/Key; authentication; information security; one-time password; pseudo random numbers; user identification (ID#: 16-10582)


A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitras, “The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching,” Security and Privacy (SP), 2015 IEEE Symposium on, San Jose, CA, 2015, pp. 692-708. doi:10.1109/SP.2015.48
Abstract: Vulnerability exploits remain an important mechanism for malware delivery, despite efforts to speed up the creation of patches and improvements in software updating mechanisms. Vulnerabilities in client applications (e.g., Browsers, multimedia players, document readers and editors) are often exploited in spear phishing attacks and are difficult to characterize using network vulnerability scanners. Analyzing their lifecycle requires observing the deployment of patches on hosts around the world. Using data collected over 5 years on 8.4 million hosts, available through Symantec's WINE platform, we present the first systematic study of patch deployment in client-side vulnerabilities. We analyze the patch deployment process of 1,593 vulnerabilities from 10 popular client applications, and we identify several new threats presented by multiple installations of the same program and by shared libraries distributed with several applications. For the 80 vulnerabilities in our dataset that affect code shared by two applications, the time between patch releases in the different applications is up to 118 days (with a median of 11 days). Furthermore, as the patching rates differ considerably among applications, many hosts patch the vulnerability in one application but not in the other one. We demonstrate two novel attacks that enable exploitation by invoking old versions of applications that are used infrequently, but remain installed. We also find that the median fraction of vulnerable hosts patched when exploits are released is at most 14%. Finally, we show that the patching rate is affected by user-specific and application-specific factors, for example, hosts belonging to security analysts and applications with an automated updating mechanism have significantly lower median times to patch.
Keywords: invasive software; software reliability; Symantec WINE platform; application-specific factors; automated updating mechanism; malware delivery; network vulnerability scanners; shared code; software lifecycle analysis; software updating mechanisms; spear phishing attacks; user-specific factors; vulnerability patching; Databases; Delays; Libraries; Security; Sociology; Software; Statistics; client applications; patch deployment; software vulnerabilities; vulnerability exploits (ID#: 16-10583)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.