0
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/1
CyLab Usable Privacy and Security Laboratory
http://...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 2
User Education is Challenging
 Users are not motiva...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 3
But Actually, Users Are Trainable
 Our research dem...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 4
How Do We Get People Trained?
 Solution
– Find “tea...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 5
PhishGuru Embedded Training
 Send emails that look ...
Subject: Revision to Your Amazon.com Information
Subject: Revision to Your Amazon.com Information
Please login and enter your information
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 9
APWG Landing Page
 Taking the “teachable moment” co...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 10
How the Landing Page Works
 Brand owner or phish s...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 11
APWG Landing Page
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 12
Landing Page Data Collection
 APWG server logs all...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 13
Lots of noisy data!
 20 months of data (Sept 2008-...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 14
Filtering Out the Noise
 We filtered the data set ...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 15
Filtered Data
 201,084 hits
– estimate of actual w...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 16
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 17
Analysis of Time
 Monitoring time period of each o...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 18
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 19
April 2010
Top 20 countries hit landing page
 Unit...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 20
Analysis of Brands
 7 brands have requested brand ...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 21
Ongoing Work
 Will soon be posting monthly reports...
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 22
For more information
 Learn how to participate in ...
http://wombatsecurity.com
CyLab Usable Privacy
and Security Laboratory
http://cups.cs.cmu.edu/
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 24
Other countries that sometimes
make top 20
 Italy
...
Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing Page, at APWG CeCOS 2010
Upcoming SlideShare
Loading in...5
×

Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing Page, at APWG CeCOS 2010

149

Published on

Slides from APWG CeCOS 2010 meeting, presenting the results of the APWG landing page. The landing page is meant to replace fake phishing web pages, teaching people that the site that they are visiting is fake. This presentation looks at the design rationale behind the landing page and some basic stats as to how many people have seen it.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
149
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing Page, at APWG CeCOS 2010"

  1. 1. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/1 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu Statistical Analysis of Phished eMail Users, Intercepted by the APWG/CMU Phishing Education Landing Page Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies May 2010
  2. 2. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 2 User Education is Challenging  Users are not motivated to learn about security  Security is a secondary task  Difficult to teach people to make right online trust decision without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” Martin Overton, IBM security specialist http://news.cnet.com/21007350_361252132.html
  3. 3. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 3 But Actually, Users Are Trainable  Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMUCyLab07003, 2007.
  4. 4. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 4 How Do We Get People Trained?  Solution – Find “teachable moments”: PhishGuru – Make training fun: AntiPhishing Phil, AntiPhishing Phyllis – Use learning science principles
  5. 5. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 5 PhishGuru Embedded Training  Send emails that look like a phishing attack  If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format  Multiple user studies have demonstrated that this is effective  Delivering same training via direct email is not effective!
  6. 6. Subject: Revision to Your Amazon.com Information
  7. 7. Subject: Revision to Your Amazon.com Information Please login and enter your information
  8. 8. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 9 APWG Landing Page  Taking the “teachable moment” concept one step further  Provide education (instead of 404) when users click on real phishing links and arrive at real phishing sites that have been taken down P. Kumaraguru, L. Cranor, and L. Mather. AntiPhishing Landing Page: Turning a 404 into a Teachable Moment for End Users. CEAS 2009. http://www.ceas.cc/papers2009/ceas2009paper37.pdf http://education.apwg.org/
  9. 9. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 10 How the Landing Page Works  Brand owner or phish site takedown provider identifies phish site  ISP or registrar is asked to redirect disabled phish site to APWG redirect page  Consumer receives phishing email and clicks  Consumer is shown APWG education message instead of 404 page – Page available in many languages – Automatic redirect to appropriate language based on browser language code to happen soon
  10. 10. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 11 APWG Landing Page
  11. 11. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 12 Landing Page Data Collection  APWG server logs all requests to landing page – Time stamp – IP address (to determine country) – Language (will redirect to page in user’s language)  We’ve asked sites to embed info in redirect URL to track how people end up on landing page – Original URL taken down – Brand code (optional)  CMU CUPS Lab and Wombat Security Technologies have been analyzing the data
  12. 12. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 13 Lots of noisy data!  20 months of data (Sept 2008-April 2010)  840K hits on 15,000 unique redirected URLs  But this data contains lots of noise – Brand monitors checking up on sites to make sure they stay down – Random web crawlers – People testing landing page – Incorrectly redirected sites  We used heuristics to filter out most of the noise
  13. 13. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 14 Filtering Out the Noise  We filtered the data set by removing: – Hits that don’t identify the original phishing site (brand) – Hits that seem to be for testing only • URLs appearing only once • IPs that hit multiple URLs per day • IPs that hit same URL for more than a month – Hits from bots (e.g., specific IPs, 'bot', 'plurk', etc) – Hits from wonderdogsoftware (server misconfiguration that linked to homepage)  Filtering not perfect – Some noise remains – Improperly redirected sites don’t get counted
  14. 14. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 15 Filtered Data  201,084 hits – estimate of actual would-be phishing victims visiting landing page over 20 month period  1285 unique URLs redirected – Note that this is URLs, not domains  Number of hits per URL varies a lot – URL with most hits after filtering had 17,911 hits – Monthly mean hits per URL typically 100-300 – Monthly median hits per URL 2-7
  15. 15. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 16
  16. 16. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 17 Analysis of Time  Monitoring time period of each observed URL may give us insights into length of phishing campaigns  Time observed for each URL is number of days between first observation and last observation  Limitations – Our first observation is time when site was redirected; we don’t know how long it was live before being redirected – Some URLs are observed across month boundaries – Once browsers start blocking URL we may not have hits – Some redirects are removed after a period of time
  17. 17. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 18
  18. 18. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 19 April 2010 Top 20 countries hit landing page  United States 11,159  Canada 3,819  United Kingdom 1,790  Netherlands 725  Germany 650  Spain 600  France 470  Japan 452  Australia 449  India 417  Singapore 292  Mexico 238  Egypt 212  NA 184  Russian Federation 184  Austria 174  Sweden 145  China 137  Brazil 126  Norway 101
  19. 19. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 20 Analysis of Brands  7 brands have requested brand codes  Only 2 have shown up in logs  April 2010 brand data – Brand 1 • Total Hits: 2715 • Total unique URLs: 52 – Brand 2 • Total Hits: 370 • Total unique URLs: 3  We supplied each brand with a report showing list of their URLs and number of hits for each
  20. 20. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 21 Ongoing Work  Will soon be posting monthly reports at http://education.apwg.org/  Redirecting landing page automatically to show correct language (soon)  Encouraging more brands to redirect to landing page – If you sign up for a brand code we can provide you with monthly brand reports – laura.mather@antiphishing.org  Continuing to automate log processing, report generation, report distribution
  21. 21. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 22 For more information  Learn how to participate in the initiative: http://education.apwg.org/  View the landing page: http://education.apwg.org/r/en/
  22. 22. http://wombatsecurity.com CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/
  23. 23. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu 24 Other countries that sometimes make top 20  Italy  Romania  Czech Republic  Finland  Ireland  India  EU  Turkey  Belgium  Switzerland  Colombia  Israel  Morocco  Saudi Arabia  Argentina  Indonesia  Thailand  Tunisia  Poland  Greece  Korea  Chile  Pakistan
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×