PHISH PHODDER: IS USER EDUCATION HELPING OR HINDERING?

they were more persuaded by design (favicons, certification indicators/non-indicators. These indicators of trustworthiness were poorly understood or totally unnoticed. The authors were able to fool even their most knowledgeable subjects, using simple spoofing techniques to counterfeit such

Legitimate sites that enforced restricted access from SSL-protected pages were actually perceived as trustworthy.

Protecting people from phishing: the design and evaluation

interesting alternative approaches to quizzes, using: (1) a simple text and graphics intervention illustrating self-protection; (2) a similar intervention, but in cartoon form.

In fact, as long ago as 2000, one of the authors implemented a company-wide modification of the email client to include a "Send to virus alert team" button along with the usual Reply, Forward etc. This was geared more toward cutting down hoax traffic (by filtering through the security team). However, because it was backed with a general program of education around security and malware, along with an extensive security-dedicated intranet, it was quite effective, in that people often checked out phishes and scams by using that button.

"Best practices for businesses to avoid being phished" is a document being developed by the Anti-Phishing Working Group, the Mail Anti-Abuse Working Group, and the US Homeland Security Identity Theft Technology Consortium. Rather than relying purely on educating the user, it takes the approach of educating the kind of business that is liable to be phished in the kind of best practices that make it less easy for the phishing gang. We have a good deal of sympathy for that approach. The continued use of such poor practices as phish-like text, inadequate personalization, and unnecessary URL redirects into a very different domain, is referred to by

primes potential victims to accept bad practice as legitimate. However, part of the task of educating the banks (etc.) is to persuade them to take on the responsibility of educating, in

end-user education. These are usually:

- Multiple-choice questionnaires aimed at raising

- Email or website recognition tests where the participant

are genuine. These are, however, of highly variable quality. Sometimes the testing site's own analysis of suspicious attributes is inadequate or misleading.

date) as to the knowledge of the compilers, and we don't consider them at length here. We would point out, though, that general questions along the lines of "How many phishing mails are sent out every month?" have little mitigating impact on the participant's vulnerability to those mails.

The most common type of phishing quiz we've encountered is the type where the subject is shown a number of sample emails and invited to categorize them as either phishing mails or legitimate communications. Informal discussion with an

they generally:

- Pick up all the real phishes.
- Correctly assess some mails as legitimate.
- Fail to recognize some legitimate mails as such. We believe that this often results because, lacking sufficient contextual information to assess their legitimacy, they err on the side of caution.

Anecdotal evidence suggests that even the general public score better on phish recognition than they do on legitimate, but phish-like, mails. But is that problem, or that of the institution that sends out phish-like emails? We have come to the following conclusions, based on fairly informal research

- Quizzes based on categorizing sample emails as phish or legitimate are based on, or give rise to, the assumption that the participant can make an accurate assessment, irrespective of the legitimacy of the mail, simply by viewing a screenshot. However, they often supply insufficient information to make an accurate decision.

- It's still common for quizzes not to indicate whether embedded URLs were exactly as shown, obfuscated, or otherwise deceptive, as when the apparent and real target link are quite different.
Thus, the subject loses the advantage of an important visual cue for identifying

- The use of static screenshots of sample messages deprives the subject of other visual cues such as access to HTML source code or knowledge of whether the message has been sent to a legitimate email address

often phishes are so convincing that only knowing that you don't use a particular email address or that particular

explicitly address a heuristic ("Do I have a business

that may be key to the individual recipient, but is less helpful to support staff, email administrators and so on.

- Quizzes don't support (or, at any rate, encourage) the use of tools to check the bona fides of a referenced site, so how do you reach a conclusion on whether a site that doesn't use the organization's primary domain is nevertheless genuine? Indeed, if the message purports to come from an institution you don't know or deal with personally, how can you be sure what their primary domain is? The quiz usually makes the implicit assumption of an existing relationship, for the purpose of the quiz ("Imagine that you are a customer ...") but doesn't give that contextual information.

- How do you legislate for other attacks such as DNS misdirection, cybersquatting or typosquatting? We have seen quiz samples where the apparent and real target

- Real phish emails are relatively easy to categorize as such for a practised observer. It's not always so easy for even a hardened phish-watcher to confirm that mail is genuine without using other resources. Sometimes it's

Too often in security, we see a problem exacerbated by well-meant but ill-founded advice from sources that the everyday user might assume to be authoritative: for example, some of the phished institutions, government agencies, the media and law enforcement agencies. Phished institutions

- Communicating with their customers using personalized messages, expressed in ways that make it harder for phishing gangs to make fraudulent messages look genuine.
Can we perhaps suggest exclusive use of snail mail or properly secured electronic channels for sensitive communications? (However, these measures are only useful if the customer is aware that they are in place.)

- Never using email to ask for personal identification

- Making it easier for customers to get reliable advice and information from customer support facilities in cases of

Certainly, anyone presuming to give advice on good practice

- Be more specific than "Be careful" and "Don't go to

- Try not to mislead with poor advice or partial information that may be inadequate in some contexts.

What's the of a phishing quiz? Even a poorly designed quiz raises awareness of the problem, but may be worse than useless if it reinforces wrong assumptions on the

service: "Discrimination is too difficult for your tiny brain; buy our product", or even "use our free toolbar/site verification service/whatever". That's not wrong in itself; a vendor is in the business of selling products or services. If the product or service in question is free, it seems even more churlish to criticize, but there is a problem in that this message fosters dependence, not awareness; worse, that dependence is on a technical solution that is likely to rely on detecting specific

guessed) correctly without any further explanation is, it seems to us, of little use.
If it's found on a vendor site, it even carries

The best quizzes are, in our humble opinion, those that leave the participant knowing more than they did when they started. The following useful things to know are summarized from a

- If you don't have a pre-existing relationship with the apparent sender of the message, they shouldn't be sending you requests for sensitive information about an account you don't have (or anything else!).

- Use a specific (dedicated) email address for internet

- Untoward urgency ("You must log in within 24 hours or

panic you into responding inappropriately.

- Requests for sensitive data (credit card numbers, account details, social security numbers, PINs: the more detailed, the more suspicious) sent by email and

- The more data requested, the more suspicious; these data amount to a substantial definition of financial/social identity. However, an attacker can acquire byte-size lumps of apparently insignificant data over time to aggregate into a full-strength ID theft package.

- If no one complains about bad practice, it won't stop.

- If you respond, do so out-of-band: e.g. go to the legitimate site directly (not following links from email),

branch to verify authenticity. There have been (incredibly rare) cases where scams have been elaborate (or bank staff ill-informed or ill-advised) enough for even these measures to be compromised. However, unless you're a gullible billionaire caught up in an elaborate negotiation with the wife of the ex-president of Nigeria, you should

- Impersonal is suspicious. "Dear Citibank customer" or "Dear fredbloggs@bigfoot.com" doesn't qualify as personalized. Even "Dear John" or "Dear Donald Trump" isn't proof of personalization: there are many ways to

process can be automated. If another identifier is used (e.g. an account number or eBay registered name), check it isn't just made up.

- Multiple addressees, a generic mailing list addressee (e.g. Client-list) or no addressee (i.e. a blind copy) all

- Any message apparently from someone you already deal

also suspicious. Always use known valid numbers and

- Pidgin English or poor spelling is suspicious, but impeccable presentation doesn't prove legitimacy.

- There are many techniques for misdirection to a

echo poor practice by legitimate sites (secondary domains, outsourced web pages, tiny URLs, overlength URLs): verify or discard.

- Look for trust indicators such as https:// and digital certificates, but verify them. In particular, padlock icons are not proof of authenticity.

- Technical tricks to evade standard detection technologies [2] such as image spam, hashbuster graphics or text, obfuscating text and tags, font colour tricks, divergent

Some of these indicators, however, are of more use and interest to the security professional than to the everyday

A final thought: is it helpful to talk about "ID theft IQ", or "Phishing IQ"? An educationalist correspondent has pointed

were and are vulnerable because the internet is in their own homes. It's also been pointed out that phishing risks are not

Favicon
Abbreviation for "favourites icon": icon associated

in many current web browsers.

Hashbuster
Some spam filters use a database of hashes to

fingerprint of a message. It has long been common for spammers (among others) to include random text

random changes from one spam iteration to another, thus throwing off filters that rely on checksums or hashes. Similar techniques have been applied to

Keylogger
As applied to phishing, a form of spyware or trojan that records a computer user's keystrokes without his or her knowledge and passes the information on to a

involved with money laundering by receiving and forwarding fraudulently acquired funds, goods or

DNS spoofing is a term applied to the malicious, covert redirection [1] of a web browser from a legitimate site to a different, illegitimate IP address/web page.
This simple technique is effective, because it works even when the user directly enters the correct URL into a browser.

A form of stock fraud in which the value of stock is artificially inflated so that dishonest speculators can make a profit by selling off when the price is high. This works well for the scammer, but not for the (usually small) company, or for the scam victims whose contribution to the raising of stock value is rewarded by a plummet in value.

Term applied to a wide range of techniques for causing a desired change in behaviour or gaining some advantage by psychological manipulation of an individual or group.

Phishes aim to hook the users of specific services by pretending to come from a service provider, but the bait is usually distributed more or less randomly: after all, a phishing gang isn't usually able to tell

that service. Sometimes, though, deceptive mails can be highly targeted as, for example, in some instances

Spyware
Generic term for a range of malware such as keyloggers, remote access trojans, backdoor trojans and so on. Malware used for frankly criminal activities such as phishing may also be referred to as crimeware.

Tsunami scams
A range of charity scams and hoaxes allegedly

Examples include many 419s and phishing mails.

Typosquatting
Variations on the cybersquatting theme include using slightly misspelt names like Barc1ays.com, which may look authentic to a careless observer, but may

Vishing
The use of VoIP as a vector for phishing attacks:

spoofed phone number to verify sensitive data, as
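Several of the "useful things to know" listed earlier (apparent versus real link target, impersonal greetings, untoward urgency, requests for sensitive data) and the Typosquatting entry above (Barc1ays.com) are mechanical enough to check automatically. The following is an added example written for this page, not code from the paper or its authors: it runs those heuristics over an HTML mail body. The KNOWN_DOMAINS list, the regular expressions, the homoglyph table, the "last two labels" approximation of a registrable domain and both sample messages are the editor's own assumptions, constructed for the example; the documentation IP range 203.0.113.0/24 is used for the raw-IP link.

```python
"""Heuristic phish indicators for an HTML mail body: apparent vs. real link
target, lookalike (typosquatted) domains, raw-IP links, impersonal greeting,
manufactured urgency and requests for sensitive data. Added example; not the
paper's code. Brand list, patterns and sample messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this recipient genuinely has a relationship with.
KNOWN_DOMAINS = {"barclays.com", "citibank.com", "ebay.com"}
# Digit-for-letter substitutions of the Barc1ays.com kind.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

URL_IN_TEXT_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+\b")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
GREETING_RE = re.compile(r"\bdear\s+(?:\w+\s+){0,2}(?:customer|user|member|client)\b"
                         r"|\bdear\s+[\w.+-]+@[\w.-]+", re.I)
URGENCY_RE = re.compile(r"within\s+\d+\s+hours|immediately"
                        r"|will\s+be\s+(?:suspended|closed|terminated)", re.I)
SENSITIVE_RE = re.compile(r"\b(?:password|pin|social\s+security|credit\s+card"
                          r"|account\s+number)\b", re.I)


class _MailParser(HTMLParser):
    """Collects the visible text and every (anchor text, href) pair."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._in_a, self._href, self._a_text = False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._a_text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._in_a:
            self._a_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            if self._href:
                self.links.append(("".join(self._a_text).strip(), self._href))
            self._in_a = False


def _host(url):
    """Hostname of a URL; anchor text often omits the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _apex(host):
    """Crude registrable domain (last two labels); ignores suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """The known domain `host` imitates, or None (known domain, or unrelated)."""
    apex = _apex(host)
    if apex in KNOWN_DOMAINS:
        return None
    labels = host.split(".")
    for known in KNOWN_DOMAINS:
        if (known.split(".")[0] in labels                # brand buried in a subdomain
                or apex.translate(HOMOGLYPHS) == known  # 1 -> l, 0 -> o, ...
                or _edit_distance(apex, known) <= 1):   # single-character typo
            return known
    return None


def check_message(html_body):
    """Return (indicator, detail) pairs raised by one HTML mail body."""
    parser = _MailParser()
    parser.feed(html_body)
    text = " ".join(parser.text)
    findings = []
    for shown, href in parser.links:
        real = _host(href)
        if not real:
            continue
        if IP_HOST_RE.match(real):
            findings.append(("ip_link", href))
        imitated = lookalike_of(real)
        if imitated:
            findings.append(("lookalike_domain", f"{real} imitates {imitated}"))
        shown_url = URL_IN_TEXT_RE.search(shown)   # apparent target vs. real target
        if shown_url and _apex(_host(shown_url.group(0))) != _apex(real):
            findings.append(("link_mismatch", f"shows {shown!r}, goes to {href!r}"))
    greeting = GREETING_RE.search(text)
    if greeting:
        findings.append(("impersonal_greeting", greeting.group(0)))
    findings += [("urgency", m.group(0)) for m in URGENCY_RE.finditer(text)]
    findings += [("sensitive_request", m.group(0)) for m in SENSITIVE_RE.finditer(text)]
    return findings


# Constructed samples; not real mail.
PHISH_SAMPLE = """<html><body><p>Dear Citibank customer,</p>
<p>Unusual activity was detected on your account. You must log in within 24 hours
or your account will be suspended. Confirm your PIN and password at
<a href="http://www.c1tibank.com/verify">https://www.citibank.com/secure</a>
or <a href="http://203.0.113.7/login">click here</a>.</p></body></html>"""

LEGIT_SAMPLE = """<html><body><p>Dear Mr Bloggs,</p>
<p>Your statement for the account ending 4421 is ready. Log in at
<a href="https://www.barclays.com/">https://www.barclays.com/</a> to view it.</p>
</body></html>"""
```

Running check_message(PHISH_SAMPLE) raises all six indicators (the shown citibank.com link resolving to c1tibank.com, the one-character typosquat itself, the raw-IP link, "Dear Citibank customer", "within 24 hours"/"will be suspended", and "PIN"/"password"), while LEGIT_SAMPLE raises none. Note the limits, which are the paper's own point: a genuine mail that links to an outsourced secondary domain or a tiny URL will trip link_mismatch or lookalike_domain just as a phish does, and "Dear Mr Bloggs" passes the greeting check even though, as the list above says, a name is no proof of a real relationship. Nothing here detects DNS misdirection or vishing, which the mail itself cannot reveal; those still need the out-of-band verification the list recommends.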