Researchers fight phishing attacks with phishing tactics

Oct 02, 2007

Early findings by Carnegie Mellon University researchers suggest that people who are suckered by a spoof email into visiting a counterfeit Web site are also people who are ready to learn their lesson about “phishing” attacks.

Phishing attacks have become a common method for stealing personal identification information, such as bank account numbers and passwords. Lorrie Cranor, associate research professor of computer science, said phishing often is successful because many people ignore educational materials that otherwise might help them recognize such frauds.

But in a laboratory study, the researchers fought “phire with phire” and found that when they sent their own spoof email to users and tricked them into visiting an educational Web site, those people tended to learn and retain more of the lesson about how to spot phishing sites.

Ponnurangam Kumaraguru, a graduate student in the School of Computer Science’s Institute for Software Research, will present the study results Friday, Oct. 5 at the Anti-Phishing Working Group’s (APWG) eCrime Researchers Summit in Pittsburgh. The summit, sponsored by the APWG and hosted by Carnegie Mellon CyLab, includes leading industrial and academic practitioners in the field of electronic crime research.

In the study, three groups of 14 volunteers participated in role-playing exercises in which they processed email, which included a mix of phishing, spam and legitimate email. Those in the “embedded training” group, who were given anti-phishing educational materials after they had fallen for a phishing email, spent more than twice as much time studying the materials than those who were presented the materials without first being tricked. Those who were presented the materials without being tricked were no better at identifying phishing emails than those who received no anti-phishing educational materials. A week later, when the exercise was repeated, those in the embedded training group were significantly more successful in identifying phishing emails than those in the other two groups — 64 percent of phishing emails identified by the embedded training group versus 7 percent identified by the other two groups.

Cranor, director of the Carnegie Mellon Usable Privacy and Security Lab, said additional testing will be necessary to confirm these results. But the initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating computer users to protect themselves.

In addition to Cranor and Kumaraguru, the study team included faculty members Jason Hong and Alessandro Acquisti and graduate students Yong Rhee, Steve Sheng and Sharique Hasan. Their paper is available at www.ecrimeresearch.org/2007/pr… s/p70_kumaraguru.pdf .

According to the latest trend report for June, APWG detected 31,709 phishing Web sites, a drop of 6,000 from May, and 146 brands were hijacked, a slight decrease from May. But the number of unique phishing reports was 28,888 in June, up by more than 5,000 over May. The vast majority of attacks were in the financial services sector.

Source: Carnegie Mellon University

Explore further: Pinterest buys startup with image organizing skills

add to favorites email to friend print save as pdf

Related Stories

Physicists discuss quantum pigeonhole principle

11 hours ago

The pigeonhole principle: "If you put three pigeons in two pigeonholes at least two of the pigeons end up in the same hole." So where's the argument? Physicists say there is an important argument. While the ...

Giant crater in Russia's far north sparks mystery

13 hours ago

A vast crater discovered in a remote region of Siberia known to locals as "the end of the world" is causing a sensation in Russia, with a group of scientists being sent to investigate.

NASA Mars spacecraft prepare for close comet flyby

14 hours ago

NASA is taking steps to protect its Mars orbiters, while preserving opportunities to gather valuable scientific data, as Comet C/2013 A1 Siding Spring heads toward a close flyby of Mars on Oct. 19.

Recommended for you

Teens love vacation selfies; adults, not so much

12 hours ago

(AP)—Jacquie Whitt's trip to the Galapagos with a group of teenagers was memorable not just for the scenery and wildlife, but also for the way the kids preserved their memories. It was, said Whitt, a "selfie ...

US spy agency patents car seat for kids

15 hours ago

Electronic eavesdropping is the National Security Agency's forte, but it seems it also has a special interest in children's car seats, Foreign Policy magazine reported Wednesday.

Country Web domains can't be seized

17 hours ago

The Internet's regulatory authority said Wednesday that country-specific Web domains cannot be seized in court proceedings, as it sought to quash an effort to recover assets in terrorism-related lawsuits.

User comments : 0