Phishing

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 10596 Experts worldwide ranked by ideXlab platform

Nasir Memon - One of the best experts on this subject based on the ideXlab platform.

  • Financial Cryptography Workshops - X-Platform Phishing: Abusing Trust for Targeted Attacks Short Paper
    Financial Cryptography and Data Security, 2017
    Co-Authors: Hossein Siadati, Toan Van Nguyen, Nasir Memon
    Abstract:

    The goal of anti-Phishing techniques is to reduce the delivery rate of phish emails, and anti-Phishing training aims to decrease the Phishing click-through rates. This paper presents the X-Platform Phishing Attack, a deceptive Phishing attack with an alarmingly high delivery and click-through rates, and highlights a subclass of Phishing attacks that existing anti-Phishing methods do not seem to be able to address. The main characteristic of this attack is that an attacker is able to embed a malicious link within a legitimate message generated by service providers (e.g., Github, Google, Amazon) and sends it using their infrastructure to his targets. This technique results in the bypassing of existing anti-Phishing filters because it utilizes reputable service providers to generate seemingly legitimate emails. This also makes it highly likely for the targets of the attack to click on the Phishing link as the email id of a legitimate provider is being used. An X-Platform Phishing attack can use email-based messaging and notification mechanisms such as friend requests, membership invitations, status updates, and customizable gift cards to embed and deliver Phishing links to their targets. We have tested the delivery and click-through rates of this attack experimentally, based on a customized Phishing email tunneled through GitHub’s pull-request mechanism. We observed that 100% of X-Platform Phishing emails passed the anti-Phishing systems and were delivered to the inbox of the target subjects. All of the participants clicked on Phishing messages, and in some cases, forwarded the message to other project collaborators who also clicked on the Phishing links.

  • Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks
    SSRN Electronic Journal, 2015
    Co-Authors: Tzipora Halevi, Nasir Memon
    Abstract:

    Recent research has begun to focus on the factors that cause people to respond to Phishing attacks. In this study a real-world spear-Phishing attack was performed on employees in organizational settings in order to examine how users’ personality, attitudinal and perceived efficacy factors affect their tendency to expose themselves to such an attack. Spear-Phishing attacks are more sophisticated than regular Phishing attacks as they use personal information about their intended victim and present a stronger challenge for detection by both the potential victims as well as email Phishing filters. While previous research showed that certain Phishing attacks can lure a higher response rate from people with a higher level of the personality trait of Neuroticism, other traits were not explored in this context. The present study included a field-experiment which revealed a number of factors that increase the likelihood of users falling for a Phishing attack: the factor that was found to be most correlated to the Phishing response was users’ Conscientiousness personality trait. The study also found gender-based difference in the response, with women more likely to respond to a spear-Phishing message than men. In addition, this work detected negative correlation between the participants’ subjective estimate of their own vulnerability to Phishing attacks and the likelihood that they will be phished. Put together, the finding suggests that vulnerability to Phishing is in part a function of users’ personality and that vulnerability is not due to lack of awareness of Phishing risks. This implies that real-time response to Phishing is hard to predict in advance by the users themselves, and that a targeted approach to defense may increase security effectiveness.

Ilango Krishnamurthi - One of the best experts on this subject based on the ideXlab platform.

  • PhishTackle—a web services architecture for anti-Phishing
    Cluster Computing, 2014
    Co-Authors: R. Gowtham, Ilango Krishnamurthi
    Abstract:

    Phishing is web based criminal activity of making innocent online users to reveal sensitive information into fake web sites. Such fake web sites lead to fraudulent charges against individuals and corporations. Phishers have a lot of methods to design and host phished web pages, so in reality there cannot be a single solution that can help us combat Phishing. As technology advances, the Phishing techniques being used are also getting advanced and hence it demands the anti-Phishing techniques also to be upgraded and the new techniques are to be included along with the existing methods. But most of the anti-Phishing techniques today do not satisfy these criteria. In this paper, we propose service oriented three-layer architecture model for detecting and identifying Phishing web sites as it overcomes the shortcomings of existing anti-Phishing solutions. This model enables us to separate the user interface layer from the anti-Phishing components layer. This is done through web service middleware layer, which provides us with the freedom of building our own anti-Phishing components layer in an efficient and flexible way, independent of other layers. Anti-Phishing components layer provides a set of reusable components to convert webpage into feature vectors using finest heuristic methods and external repositories of information. The feature vectors act as an input to trained support vector machine classifier to generate Phishing label which determines whether a webpage is legitimate or a Phishing page. This when experimented, displayed the significance and importance of three-layered architecture model along with combination of heuristics in detection of Phishing webpage. This results in high accuracy of 99 % with less than 1 % of false positive rate.

  • PhishTackle--a web services architecture for anti-Phishing
    Cluster Computing, 2013
    Co-Authors: R. Gowtham, Ilango Krishnamurthi
    Abstract:

    Phishing is web based criminal activity of making innocent online users to reveal sensitive information into fake web sites. Such fake web sites lead to fraudulent charges against individuals and corporations. Phishers have a lot of methods to design and host phished web pages, so in reality there cannot be a single solution that can help us combat Phishing. As technology advances, the Phishing techniques being used are also getting advanced and hence it demands the anti-Phishing techniques also to be upgraded and the new techniques are to be included along with the existing methods. But most of the anti-Phishing techniques today do not satisfy these criteria. In this paper, we propose service oriented three-layer architecture model for detecting and identifying Phishing web sites as it overcomes the shortcomings of existing anti-Phishing solutions. This model enables us to separate the user interface layer from the anti-Phishing components layer. This is done through web service middleware layer, which provides us with the freedom of building our own anti-Phishing components layer in an efficient and flexible way, independent of other layers. Anti-Phishing components layer provides a set of reusable components to convert webpage into feature vectors using finest heuristic methods and external repositories of information. The feature vectors act as an input to trained support vector machine classifier to generate Phishing label which determines whether a webpage is legitimate or a Phishing page. This when experimented, displayed the significance and importance of three-layered architecture model along with combination of heuristics in detection of Phishing webpage. This results in high accuracy of 99 % with less than 1 % of false positive rate.

R. Gowtham - One of the best experts on this subject based on the ideXlab platform.

  • PhishTackle—a web services architecture for anti-Phishing
    Cluster Computing, 2014
    Co-Authors: R. Gowtham, Ilango Krishnamurthi
    Abstract:

    Phishing is web based criminal activity of making innocent online users to reveal sensitive information into fake web sites. Such fake web sites lead to fraudulent charges against individuals and corporations. Phishers have a lot of methods to design and host phished web pages, so in reality there cannot be a single solution that can help us combat Phishing. As technology advances, the Phishing techniques being used are also getting advanced and hence it demands the anti-Phishing techniques also to be upgraded and the new techniques are to be included along with the existing methods. But most of the anti-Phishing techniques today do not satisfy these criteria. In this paper, we propose service oriented three-layer architecture model for detecting and identifying Phishing web sites as it overcomes the shortcomings of existing anti-Phishing solutions. This model enables us to separate the user interface layer from the anti-Phishing components layer. This is done through web service middleware layer, which provides us with the freedom of building our own anti-Phishing components layer in an efficient and flexible way, independent of other layers. Anti-Phishing components layer provides a set of reusable components to convert webpage into feature vectors using finest heuristic methods and external repositories of information. The feature vectors act as an input to trained support vector machine classifier to generate Phishing label which determines whether a webpage is legitimate or a Phishing page. This when experimented, displayed the significance and importance of three-layered architecture model along with combination of heuristics in detection of Phishing webpage. This results in high accuracy of 99 % with less than 1 % of false positive rate.

  • PhishTackle--a web services architecture for anti-Phishing
    Cluster Computing, 2013
    Co-Authors: R. Gowtham, Ilango Krishnamurthi
    Abstract:

    Phishing is web based criminal activity of making innocent online users to reveal sensitive information into fake web sites. Such fake web sites lead to fraudulent charges against individuals and corporations. Phishers have a lot of methods to design and host phished web pages, so in reality there cannot be a single solution that can help us combat Phishing. As technology advances, the Phishing techniques being used are also getting advanced and hence it demands the anti-Phishing techniques also to be upgraded and the new techniques are to be included along with the existing methods. But most of the anti-Phishing techniques today do not satisfy these criteria. In this paper, we propose service oriented three-layer architecture model for detecting and identifying Phishing web sites as it overcomes the shortcomings of existing anti-Phishing solutions. This model enables us to separate the user interface layer from the anti-Phishing components layer. This is done through web service middleware layer, which provides us with the freedom of building our own anti-Phishing components layer in an efficient and flexible way, independent of other layers. Anti-Phishing components layer provides a set of reusable components to convert webpage into feature vectors using finest heuristic methods and external repositories of information. The feature vectors act as an input to trained support vector machine classifier to generate Phishing label which determines whether a webpage is legitimate or a Phishing page. This when experimented, displayed the significance and importance of three-layered architecture model along with combination of heuristics in detection of Phishing webpage. This results in high accuracy of 99 % with less than 1 % of false positive rate.

Cate Jerram - One of the best experts on this subject based on the ideXlab platform.

  • The design of Phishing studies
    Computers & Security, 2015
    Co-Authors: Kathryn Parsons, Agata Mccormac, Malcolm Robert Pattinson, Marcus A. Butavicius, Cate Jerram
    Abstract:

    In this paper, a role play scenario experiment of people's ability to differentiate between Phishing and genuine emails demonstrated limitations in the generalisability of Phishing studies. This involves issues around the priming of participants and the diversity of emails used. Only half of our 117 participants were explicitly informed that the study was assessing the ability to identify Phishing emails. Results indicate that the informed participants were significantly better at discriminating between Phishing and genuine emails than the uninformed participants. This has implications for the interpretation of Phishing studies. Specifically, studies where participants are directly asked to identify Phishing emails may not represent the performance of real world users, because people are rarely reminded about the risks of Phishing emails in real life. Our study also used emails from a larger number and greater diversity of industries than previous Phishing studies. Results indicate that participants' performance differs greatly in terms of category (e.g., type of sender) of emails. This demonstrates that caution should be used when interpreting the results of Phishing studies that rely on only a small number of emails and/or emails of limited diversity. Hence, when designing and interpreting Phishing studies, researchers should carefully consider the instructions provided to participants and the types of emails used.

  • Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails
    2013
    Co-Authors: Kathryn Parsons, Agata Mccormac, Malcolm Pattinson, Marcus Butavicius, Cate Jerram
    Abstract:

    Using a role play scenario experiment, 117 participants were asked to manage 50 emails. To test whether the knowledge that participants are undertaking a Phishing study impacts on their decisions, only half of the participants were informed that the study was assessing the ability to identify Phishing emails. Results indicated that the participants who were informed that they were undertaking a Phishing study were significantly better at correctly managing Phishing emails and took longer to make decisions. This was not caused by a bias towards judging an email as a Phishing attack, but instead, an increase in the ability to discriminate between Phishing and real emails. Interestingly, participants who had formal training in information systems performed more poorly overall. Our results have implications for the interpretation of previous Phishing studies, the design of future studies and for training and education campaigns, as it suggests that when people are primed about Phishing risks, they adopt a more diligent screening approach to emails.

Christopher K. Chepken - One of the best experts on this subject based on the ideXlab platform.

  • A new approach to modelling the effects of cognitive processing and threat detection on Phishing susceptibility
    Computers in Human Behavior, 2019
    Co-Authors: Paula M. W. Musuva, Katherine W. Getao, Christopher K. Chepken
    Abstract:

    Phishing threats are real and are ever increasing in their reach and devastating effects. This study delves into the role of cognitive processing in detecting and curtailing Phishing attacks. The proposed model is grounded on the Elaboration Likelihood Model and is tested empirically using data from 192 cases. Data was collected through direct observations of Phishing susceptibility and self-reported questionnaires after staging a Phishing attack targeting a university population in Nairobi, Kenya. The model was found to have excellent fit and was able to account for 50.8% of a person's cognitive processing of a Phishing attack, 69.5% of their ability to detect Phishing threats and could predict 28% of their actual Phishing susceptibility. Analysis was done to test 25 hypotheses, and to examine the mediating effects of cognitive processing and threat detection. In addition, multi-group moderation analysis was done to examine if the model was invariant based on the level of knowledge. Results indicate that threat detection has the strongest effect in reducing Phishing susceptibility. Threat detection was found to be what explains why people who expend cognitive effort processing Phishing communication are less likely to fall for Phishing threats.