The document discusses a study analyzing data collected from a phishing education landing page run by APWG/CMU. Over 20 months, 201,084 hits were identified as likely phishing victims redirected from taken-down phishing sites. The top countries visiting the page were the US, Canada, UK, and others. Analysis found phishing campaigns lasted a median of 2-7 days. The study aims to provide monthly reports to brands and continue improving the landing page and data collection.
Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing Page, at APWG CeCOS 2010
1. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu
Statistical Analysis of Phished eMail Users, Intercepted by the APWG/CMU Phishing Education Landing Page
Jason Hong, PhD
Carnegie Mellon University
Wombat Security Technologies
May 2010
2.
User Education is Challenging
Users are not motivated to learn about security
Security is a secondary task
Difficult to teach people to make right online trust decision without increasing false positives
“User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.”
Martin Overton, IBM security specialist
http://news.cnet.com/21007350_361252132.html
3.
But Actually, Users Are Trainable
Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU-CyLab-07-003, 2007.
4.
How Do We Get People Trained?
Solution
– Find “teachable moments”: PhishGuru
– Make training fun: Anti-Phishing Phil, Anti-Phishing Phyllis
– Use learning science principles
5.
PhishGuru Embedded Training
Send emails that look like a phishing attack
If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format
Multiple user studies have demonstrated that this is effective
Delivering same training via direct email is not effective!
7. Subject: Revision to Your Amazon.com Information
Please login and enter your information
8.
9.
APWG Landing Page
Taking the “teachable moment” concept one step further
Provide education (instead of 404) when users click on real phishing links and arrive at real phishing sites that have been taken down
P. Kumaraguru, L. Cranor, and L. Mather. Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users. CEAS 2009.
http://www.ceas.cc/papers2009/ceas2009paper37.pdf
http://education.apwg.org/
10.
How the Landing Page Works
Brand owner or phish site takedown provider identifies phish site
ISP or registrar is asked to redirect disabled phish site to APWG redirect page
Consumer receives phishing email and clicks
Consumer is shown APWG education message instead of 404 page
– Page available in many languages
– Automatic redirect to appropriate language based on browser language code to happen soon
12.
Landing Page Data Collection
APWG server logs all requests to landing page
– Time stamp
– IP address (to determine country)
– Language (will redirect to page in user’s language)
We’ve asked sites to embed info in redirect URL to track how people end up on landing page
– Original URL taken down
– Brand code (optional)
CMU CUPS Lab and Wombat Security Technologies have been analyzing the data
13.
Lots of noisy data!
20 months of data (Sept 2008-April 2010)
840K hits on 15,000 unique redirected URLs
But this data contains lots of noise
– Brand monitors checking up on sites to make sure they stay down
– Random web crawlers
– People testing landing page
– Incorrectly redirected sites
We used heuristics to filter out most of the noise
14.
Filtering Out the Noise
We filtered the data set by removing:
– Hits that don’t identify the original phishing site (brand)
– Hits that seem to be for testing only
• URLs appearing only once
• IPs that hit multiple URLs per day
• IPs that hit same URL for more than a month
– Hits from bots (e.g., specific IPs, 'bot', 'plurk', etc)
– Hits from wonderdogsoftware (server misconfiguration that linked to homepage)
Filtering not perfect
– Some noise remains
– Improperly redirected sites don’t get counted
15.
Filtered Data
201,084 hits
– estimate of actual would-be phishing victims visiting landing page over 20 month period
1285 unique URLs redirected
– Note that this is URLs, not domains
Number of hits per URL varies a lot
– URL with most hits after filtering had 17,911 hits
– Monthly mean hits per URL typically 100-300
– Monthly median hits per URL 2-7
17.
Analysis of Time
Monitoring time period of each observed URL may give us insights into length of phishing campaigns
Time observed for each URL is number of days between first observation and last observation
Limitations
– Our first observation is time when site was redirected; we don’t know how long it was live before being redirected
– Some URLs are observed across month boundaries
– Once browsers start blocking URL we may not have hits
– Some redirects are removed after a period of time
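The heuristics from the "Filtering Out the Noise" slide and the per-URL observation time from "Analysis of Time", as an added Python example that is not the study's own code. The tuple layout, the 30-day reading of "more than a month", matching the bot tokens against the user agent, and all sample hits are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BOT_TOKENS = ("bot", "plurk")   # substrings named on the slide
MAX_SPAN = timedelta(days=30)   # assumption: "more than a month" means > 30 days

def filter_hits(hits):
    """Apply the slide's heuristics to (ts, ip, url, user_agent) tuples."""
    hits = [h for h in hits if h[2]]        # must identify the original phishing URL
    url_count = Counter(h[2] for h in hits)
    urls_per_ip_day = defaultdict(set)      # (ip, date) -> URLs hit that day
    span = {}                               # (ip, url) -> (first, last) hit time
    for ts, ip, url, _ in hits:
        urls_per_ip_day[(ip, ts.date())].add(url)
        first, last = span.get((ip, url), (ts, ts))
        span[(ip, url)] = (min(first, ts), max(last, ts))
    multi_url_ips = {ip for (ip, _), urls in urls_per_ip_day.items() if len(urls) > 1}
    kept = []
    for ts, ip, url, ua in hits:
        first, last = span[(ip, url)]
        if (url_count[url] == 1                   # URL appearing only once
                or ip in multi_url_ips            # IP hit multiple URLs in one day
                or last - first > MAX_SPAN        # IP hit same URL for over a month
                or any(t in ua.lower() for t in BOT_TOKENS)):  # bot user agent
            continue
        kept.append((ts, ip, url, ua))
    return kept

def days_observed(hits):  # days between first and last observation of each URL
    seen = {}
    for ts, _, url, _ in hits:
        first, last = seen.get(url, (ts, ts))
        seen[url] = (min(first, ts), max(last, ts))
    return {url: (last - first).days for url, (first, last) in seen.items()}

# Constructed sample hits (documentation IPs, reserved .example hosts)
A, B = "http://phish-a.example/login", "http://phish-b.example/verify"
SAMPLE = [(datetime.fromisoformat(t), ip, url, ua) for t, ip, url, ua in [
    ("2010-04-01T09:00:00", "192.0.2.10", A, "Mozilla/5.0"),      # likely victim
    ("2010-04-03T14:30:00", "192.0.2.11", A, "Mozilla/5.0"),      # likely victim
    ("2010-04-02T10:00:00", "198.51.100.5", A, "Mozilla/5.0"),    # monitor: two URLs,
    ("2010-04-02T10:05:00", "198.51.100.5", B, "Mozilla/5.0"),    #   same day
    ("2010-04-04T08:00:00", "203.0.113.7", B, "ExampleBot/1.0"),  # crawler
    ("2010-04-05T12:00:00", "192.0.2.12", "http://phish-c.example/x", "Mozilla/5.0"),  # seen once
    ("2010-03-01T12:00:00", "203.0.113.9", A, "Mozilla/5.0"),     # same IP and URL,
    ("2010-04-10T12:00:00", "203.0.113.9", A, "Mozilla/5.0"),     #   40 days apart
    ("2010-04-06T12:00:00", "192.0.2.13", "", "Mozilla/5.0"),     # no original URL
]]

print(days_observed(SAMPLE)[A], days_observed(filter_hits(SAMPLE))[A])  # 40 2
```

On the constructed sample, one repeat-checking IP stretches the unfiltered observation window for a URL to 40 days; after filtering, the same URL is observed for 2 days.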
19.
April 2010
Top 20 countries hit landing page
United States 11,159
Canada 3,819
United Kingdom 1,790
Netherlands 725
Germany 650
Spain 600
France 470
Japan 452
Australia 449
India 417
Singapore 292
Mexico 238
Egypt 212
NA 184
Russian Federation 184
Austria 174
Sweden 145
China 137
Brazil 126
Norway 101
20.
Analysis of Brands
7 brands have requested brand codes
Only 2 have shown up in logs
April 2010 brand data
– Brand 1
• Total Hits: 2715
• Total unique URLs: 52
– Brand 2
• Total Hits: 370
• Total unique URLs: 3
We supplied each brand with a report showing list of their URLs and number of hits for each
21.
Ongoing Work
Will soon be posting monthly reports at http://education.apwg.org/
Redirecting landing page automatically to show correct language (soon)
Encouraging more brands to redirect to landing page
– If you sign up for a brand code we can provide you with monthly brand reports
– laura.mather@antiphishing.org
Continuing to automate log processing, report generation, report distribution
22.
For more information
Learn how to participate in the initiative:
http://education.apwg.org/
View the landing page:
http://education.apwg.org/r/en/
24.
Other countries that sometimes make top 20
Italy
Romania
Czech Republic
Finland
Ireland
India
EU
Turkey
Belgium
Switzerland
Colombia
Israel
Morocco
Saudi Arabia
Argentina
Indonesia
Thailand
Tunisia
Poland
Greece
Korea
Chile
Pakistan