ABSTRACT
We study how to design experiments that measure the success rates of phishing attacks while being both ethical and accurate, two requirements that pull in opposite directions. An ethical experiment must not expose participants to any risk, and the participants (or representatives acting for them) must be able to verify locally that this was the case. An experiment is accurate if one can argue why its measured success rate is neither an upper nor a lower bound on that of a real attack; this is hard to argue when the ethical constraints make participants perceive the experiment differently from how they would perceive the real attack. We introduce several experimental techniques that strike a balance between these two requirements, and demonstrate how to apply them in a context-aware phishing experiment on a popular online auction site, which we refer to as "rOnl". Our experiments exhibit a measured average yield of 11% per collection of unique users. This study was authorized by the Human Subjects Committee at Indiana University (Study #05-10306).
Designing ethical phishing experiments: a study of (ROT13) rOnl query features