Home   >   CSC-OpenAccess Library   >    Manuscript Information
Full Text Available

(130.04KB)
This is an Open Access publication published under CSC-OpenAccess Policy.
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Attacks and Quantifying Attack Efficacy
Narasimha Karpoor Shashidhar, Lei Chen
Pages - 15 - 23     |    Revised - 30-06-2015     |    Published - 31-07-2015
Volume - 9   Issue - 2    |    Publication Date - July 2015  Table of Contents
MORE INFORMATION
KEYWORDS
Phishing, Email Fraud, Data Hiding, Identity Linking, Social Engineering.
ABSTRACT
Phishing is a growing threat to Internet users and causes billions of dollars in damage every year. While there are a number of research articles that study the tactics, techniques and procedures employed by phishers in the literature, in this paper, we present a theoretical yet practical model to study this menacing threat in a formal manner. While it is common folklore knowledge that a successful phishing attack entails creating messages that are indistinguishable from the natural, expected messages by the intended victim, this concept has not been formalized. Our model attempts to capture a phishing attack in terms of this indistinguishability between the natural and phishing message probability distributions. We view the actions performed by a phisher as an attempt to create messages that are indistinguishable to the victim from that of “normal” messages. To the best of our knowledge, this is the first study that places phishing on a concrete theoretical framework and offers a new perspective to analyze this threat. We propose metrics to analyze the success probability of a phishing attack taking into account the input used by a phisher and the work involved in creating deceptive email messages. Finally, we study and apply our model to a new class of phishing attacks called collaborative spear phishing that is gaining momentum. Recent examples include Operation Woolen-Goldfish in 2015, Rocket Kitten in 2014 and Epsilon email breach in 2011. We point out fundamental flaws in the current email-based marketing business model which enables such targeted spear phishing collaborative attacks. In this sense, our study is very timely and presents new and emerging trends in phishing.
CITED BY (1)  
1 Casmir, R. O. (2015). DETERMINING APPROPRIATE SECURITY PROTECTION FOR ENTERPRISE INFORMATION RESOURCES. Business Education Journal, 1(1).
1 Directory of Open Access Journals (DOAJ)
2 Google Scholar
3 CiteSeerX
4 refSeek
5 Scribd
6 slideshare
7 PdfSR
1 Anti-Phishing Working Group. “Phishing activity trends report”. In APWG Global Response to Cybercrime, http://docs.apwg.org/reports/apwg_trends_report_q1_2014.pdf, March 2014. Retrieved 2 April, 2015.
2 Christian Cachin. “An information-theoretic model for steganography”. In Information Hiding, pages 306–318. Springer, 1998.
3 Rachna Dhamija and J Doug Tygar. “The battle against phishing: Dynamic security skins”. In Proceedings of the 2005 symposium on Usable privacy and security, pages 77–88. ACM, 2005.
4 Rachna Dhamija, J Doug Tygar, and Marti Hearst. “Why phishing works”. In Proceedings of the SIGCHI conference on Human Factors in computing systems, pages 581–590. ACM, 2006.
5 Ke Ding, Nicholas Pantic, You Lu, Sukanya Manna, Mohammad Husain, et al. “Towards building a word similarity dictionary for personality bias classification of phishing email contents”. In Semantic Computing (ICSC), IEEE International Conference on, pages 252– 259. IEEE, 2015.
6 Julie S Downs, Mandy B Holbrook, and Lorrie Faith Cranor. “Decision strategies and susceptibility to phishing”. In Proceedings of the second symposium on Usable privacy and security, pages 79–90. ACM, 2006.
7 Christine E Drake, Jonathan J Oliver, and Eugene J Koontz. “Anatomy of a phishing email”. In CEAS, 2004.
8 Ian Fette, Norman Sadeh, and Anthony Tomasic. “Learning to detect phishing emails”. In Proceedings of the 16th international conference on World Wide Web, pg 649–656. ACM, 2007.
9 Nicholas Hopper, Luis von Ahn, and John Langford. “Provably secure steganography”. IEEE Transactions on Computers, (5):662–676, 2008.
10 Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. “Social phishing”. Communications of the ACM, 50(10):94–100, 2007.
11 Markus Jakobsson. “Modeling and preventing phishing attacks”. In Financial Cryptography, volume 5. Citeseer, 2005.
12 Anjali Jose and S Vinoth Lakshmi. “Web security using visual cryptography against phishing”. Middle-East Journal of Scientific Research, 20(12):2626–2632, 2014.
13 Daniel Lemire and Anna Maclachlan. “Slope one predictors for online rating-based collaborative filtering”. In SDM, volume 5, pages 1–5. SIAM, 2005.
14 Trend Micro. “Rocket kitten showing its claws: Operation woolen-goldfish and the ghole campaign”. In Trend Micro Security Intelligence Reports, Retrieved 8 April, 2015. http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish when-kittens-go-phishing, March 2015.
15 ABC News News/Technology. “Epsilon email breach: What you should know”. In Epsilon email breach, Retrieved 12 Mar, 2014. http://abcnews.go.com/Technology/epsilon-email breach/story?id=13291589, 2011.
16 Mathew J. Schwartz. “Epsilon fell to spear-phishing attack”. In Information Week, Retrieved 15 Mar, 2014. http://www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear phishing-attack/d/d-id/1097119?, 2011.
17 Saranya Shaji et al. “Anti phishing approach using visual cryptography and iris recognition”. IJRCCT, 3(3):088–092, 2014.
18 Victor Shoup. A computational introduction to number theory and algebra. Cambridge University Press, 2009.
19 SlashDot. “Malicious app in android market”. In The epsilon phishing model, Retrieved Mar 12,2014. http://mobile.slashdot.org/-story/10/01/10/2036222/Malicious-App-In-Android Market.
20 RSA Fraud Report Team. “Phishing kits - the same wolf, just a different sheep’s clothing”. In RSA Monthly Online Fraud Report, EMC, pages Retrieved 8 April, 2015. http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf, February 2013.
21 Rakesh Verma, Narasimha Shashidhar, and Nabil Hossain. “Detecting phishing emails the natural language way”. In Computer Security–ESORICS 2012, pages 824–841. Springer, 2012.
22 Gary Warner. “Cybercrime and doing time. In The epsilon phishing model”, Retrieved 12 Mar, 2014. http://garwarner.blogspot.com/2011/04/epsilon-phishing-model.html, 2011.
23 Min Wu, Robert C Miller, and Simson L Garfinkel. “Do security toolbars actually prevent phishing attacks?” In Proceedings of the SIGCHI conference on Human Factors in computing systems, pages 601–610. ACM, 2006.
24 Min Wu, Robert C Miller, and Greg Little. “Web wallet: preventing phishing attacks by revealing user intentions”. In Proceedings of the second symposium on Usable privacy and security, pages 102–113. ACM, 2006.
25 Ka-Ping Yee and Kragen Sitaker. “Passpet: convenient password management and phishing protection”. In Proceedings of the second symposium on Usable privacy and security, pages 32–43. ACM, 2006.
26 Yue Zhang, Serge Egelman, Lorrie Cranor, and Jason Hong. “Phinding phish: Evaluating anti-phishing tools”. ISOC, 2006.
27 Yue Zhang, Jason I Hong, and Lorrie F Cranor. “Cantina: a content-based approach to detecting phishing web sites”. In Proceedings of the 16th international conference on World Wide Web, pages 639–648. ACM, 2007.
Dr. Narasimha Karpoor Shashidhar
Sam Houston State University - United States of America
nks001@shsu.edu
Dr. Lei Chen
Georgia Southern University - United States of America