Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish.

Everyday Privacy and Security Problem

This entire process is known as phishing

How Bad Is Phishing? Consumer Perspective Estimated ~0.5% of Internet users per year fall for phishing attacks Conservative $1B+ direct losses a year to consumers –Bank accounts, credit card fraud –Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty Growth rate of phishing –30k+ reported unique emails / month –45k+ reported unique sites / month Social networking sites now major targets

How Bad Is Phishing? Perspective of Corporations Direct damage –Loss of sensitive customer data –Loss of intellectual property –Fraud –Disruption of network services Indirect damage –Damage to reputation, lost sales, etc –Response costs (call centers, recovery) One bank estimated it cost them $1M per phishing attack

Phishing Increasing in Sophistication Targeting Your Organization Spear-phishing targets specific groups or individuals Type #1 – Uses info about your organization Example message: “General Patton is retiring next week, click here to say whether you can attend his retirement party”

Phishing Increasing in Sophistication Targeting Your Organization Around 40% of people in our experiments at CMU would fall for emails like this (control condition)

Phishing Increasing in Sophistication Targeting You Specifically Type #2 – Uses info specifically about you –Social phishing Might use information from social networking sites, corporate directories, or publicly available data Ex. Fake email from friends or co-workers Ex. Fake videos of you and your friends

Phishing Increasing in Sophistication Targeting You Specifically Here’s a video I took of your poster presentation.

Phishing Increasing in Sophistication Targeting You Specifically Type #2 – Uses info specifically about you –Whaling – focusing on big targets Thousands of high-ranking executives across the country have been receiving messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. -- New York Times Apr

Phishing Increasing in Sophistication Combination with Malware Malware and phishing are becoming combined –Poisoned attachments (Ex. custom PDF exploits) –Links to web sites with malware (web browser exploits) –Can install keyloggers or remote access software

Protecting People from Phishing Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Micro-games for security training –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists –Social web + machine learning to combat scams

Results of Our Research Startup –Customers of our micro-games include governments, financials, universities –Our filter is labeling several million emails per day Study on browser warnings -> MSIE8 Elements of our work adopted by Anti-Phishing Working Group (APWG) Popular press article in Scientific American

Outline of Rest of Talk Rest of talk will focus on educating end-users PhishGuru embedded training Anti-Phishing Phil micro-game Anti-Phishing Phyllis micro-game

User Education is Challenging Users are not motivated to learn about security Security is a secondary task Difficult to teach people to make right online trust decision without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” Martin Overton, IBM security specialist

But Actually, Users Are Trainable Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU CyLab07003, 2007.

How Do We Get People Trained? Solution –Find “teachable moments”: PhishGuru –Make training fun: Anti-Phishing Phil, Anti-Phishing Phyllis –Use learning science principles

PhishGuru Embedded Training Send emails that look like a phishing attack If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format Multiple user studies have demonstrated that PhishGuru is effective Delivering same training via direct email is not effective!

Example simulated phishing email (screenshot): Subject: Revision to Your Amazon.com Information – Please login and enter your information

Evaluation of PhishGuru Is embedded training effective? –Study 1: Lab study, 30 participants –Study 2: Lab study, 42 participants –Study 3: Field trial at company, ~300 participants –Study 4: Field trial at CMU, ~500 participants Studies showed significant decrease in falling for phish and ability to retain what they learned. P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.

Study #4 at CMU Investigate effectiveness and retention of training after 1 week, 2 weeks, and 4 weeks Compare effectiveness of 2 training messages vs 1 training message Examine demographics and phishing P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training SOUPS 2009.

Study design Sent email to all CMU students, faculty and staff to recruit participants (opt-in) 515 participants in three conditions –Control / One training message / Two messages Emails sent over 28-day period –7 simulated spear-phishing messages –3 legitimate (cyber security scavenger hunt) Campus help desks and IT departments notified before messages sent

Effect of PhishGuru Training – table columns: Condition, N, % who clicked on Day 0, % who clicked on Day 28; rows: Control, Trained

Discussion of PhishGuru PhishGuru can teach people to identify phish better –People retain the knowledge People trained on first day less likely to be phished Two training messages work better –People weren’t less likely to click on legitimate emails –People aren’t resentful, many happy to have learned 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....” Contrast to US DOJ and Guam

APWG Landing Page CMU and Wombat helped Anti-Phishing Working Group develop landing page for taken down sites –Already in use by several takedown companies –Seen by ~200,000 people in past 20 months

Anti-Phishing Phil A micro-game to teach people not to fall for phish –PhishGuru is about email, this game is about the web browser –Also based on learning science principles Goals –How to parse URLs –Where to look for URLs –Use search engines for help Try the game! –Search for “phishing game” S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.

Anti-Phishing Phil

Evaluation of Anti-Phishing Phil Is Phil effective? Yes! –Study 1: 56 people in lab study –Study 2: 4517 people in field trial Brief results of Study 1 –Phil about as effective in helping people detect phishing web sites as paying people to read training material –But Phil has significantly fewer false positives overall Suggests that existing training material is making people paranoid about phish rather than teaching them to differentiate

Evaluation of Anti-Phishing Phil Study 2: 4517 participants in field trial –Randomly selected from people Conditions –Control: Label 12 sites then play game –Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) Participants –2021 people in game condition, 674 did retention portion

Anti-Phishing Phil: Study 2 Novices showed most improvement in false negatives (calling phish legitimate)

Anti-Phishing Phil: Study 2 Improvement all around for false positives

Anti-Phishing Phyllis New micro-game just released by Wombat Security Focuses on teaching people what cues to look for in emails –Some emails are legitimate, some fake –Have to identify cues as dangerous or harmless

Summary Phishing is already a plague on the Internet –Seriously affects consumers, businesses, governments –Criminals getting more sophisticated End-users can be trained, but only if done right –PhishGuru embedded training uses simulated phishing –Anti-Phishing Phil and Anti-Phishing Phyllis micro-games Can try PhishGuru, Phil, and Phyllis at: Will show free demo of Phil and Phyllis to anyone who can explain to me what’s going on in Lost

Acknowledgments Ponnurangam Kumaraguru Steve Sheng Lorrie Cranor Norman Sadeh

Screenshots Internet Explorer – Passive Warning

Screenshots Internet Explorer – Active Block

Screenshots Mozilla FireFox – Active Block

How Effective are these Warnings? Tested four conditions –FireFox Active Block –IE Active Block –IE Passive Warning –Control (no warnings or blocks) “Shopping Study” –Set up some fake phishing pages and added them to blacklists –We phished users after purchases (2 phish/user) –Real accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.

How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds

How Effective are these Warnings?

Discussion of Phish Warnings Nearly everyone will fall for highly contextual phish Passive IE warning failed for many reasons –Didn’t interrupt the main task –Slow to appear (up to 5 seconds) –Not clear what the right action was –Looked too much like other ignorable warnings (habituation) –Bug in implementation, any keystroke dismisses

Screenshots Internet Explorer – Passive Warning

Discussion of Phish Warnings Active IE warnings –Most saw but did not believe it “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” –Some element of habituation (looks like other warnings) –Saw two pathological cases

Screenshots Internet Explorer – Active Block

Internet Explorer 8 Re-design

A Science of Warnings See the warning? Understand? Believe it? Motivated? Can and will act? Refining this model for computer warnings

Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Can we improve phish detection of web sites?

Detecting Phishing Web Sites Industry uses blacklists to label phishing sites –But blacklists are slow to respond to new attacks Idea: Use search engines –Scammers often directly copy web pages –But fake pages should have low PageRank on search engines –Generate text-based “fingerprint” of web page keywords and send to a search engine. Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS. Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW. G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.

Robust Hyperlinks Developed by Phelps and Wilensky to solve the “404 not found” problem Key idea was to add a lexical signature to URLs that could be fed to a search engine if the URL failed –Ex. How to generate the signature? –Found that TF-IDF was fairly effective –Informal evaluation found five words were sufficient for most web pages

Fake site (screenshot) – lexical signature: eBay, user, sign, help, forgot

Real site (screenshot) – lexical signature: eBay, user, sign, help, forgot
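As an added worked example (illustrative code written for this transcript, not the CANTINA implementation or anything from the talk): the lexical-signature idea from the Robust Hyperlinks and Fake/Real slides above, in Python. It computes the top-5 TF-IDF terms of a page against a constructed four-page background collection, then asks a constructed stand-in for a search engine whether the page's own domain ranks for that signature. A phishing kit that copies the real sign-in page verbatim yields the identical signature, exactly as the two screenshot slides show, but only the real domain appears in the results. The domains, page texts, and the mock search are assumptions made for the example; a real deployment computes IDF over a large crawl and queries a live engine.

```python
"""Added example: a CANTINA-style lexical-signature check. Illustrative code
for this transcript, not the CANTINA implementation."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed background collection. It plays two roles here: the document set
# that IDF is computed over, and the index of a stand-in "search engine". A real
# deployment computes IDF from a large crawl and queries a real engine.
BACKGROUND = {
    "signin.ebay.com": ("Sign in to eBay. Enter your eBay user ID and password. "
                        "Forgot your user ID? Forgot your password? eBay help."),
    "www.paypal.com": ("Log in to PayPal. Enter your email address and password. "
                       "Forgot your password? Get help with your PayPal account."),
    "news.example.org": ("Breaking news and weather. Top stories in sports and "
                         "business. Sign up for the daily newsletter."),
    "shop.example.net": ("Shop deals on electronics and home goods. Track your "
                         "order. Contact us for help."),
}
N_DOCS = len(BACKGROUND)


def tokenize(text):
    """Lower-cased alphabetic tokens; punctuation and digits are dropped."""
    return re.findall(r"[a-z]+", text.lower())


# Document frequency of every term in the background collection.
DOC_FREQ = Counter()
for _text in BACKGROUND.values():
    DOC_FREQ.update(set(tokenize(_text)))


def lexical_signature(text, k=5):
    """Top-k TF-IDF terms of a page: the Phelps/Wilensky lexical signature that
    CANTINA sends to a search engine. Ties are broken alphabetically so the
    result is deterministic."""
    tokens = tokenize(text)
    if not tokens:
        return []
    tf = Counter(tokens)
    scores = {}
    for term, count in tf.items():
        # Smoothed IDF so a term absent from the background still gets a finite score.
        idf = math.log((N_DOCS + 1) / (DOC_FREQ[term] + 1))
        scores[term] = (count / len(tokens)) * idf
    ranked = sorted(scores, key=lambda t: (-scores[t], t))
    return ranked[:k]


def mock_search(query_terms, top_n=5):
    """Stand-in for a web search: rank indexed domains by how many query terms
    their page contains. A freshly registered phishing copy is not in the
    index at all, which mirrors its near-zero PageRank in a real engine."""
    query = set(query_terms)
    hits = []
    for domain, text in BACKGROUND.items():
        matched = len(query & set(tokenize(text)))
        if matched:
            hits.append((matched, domain))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return [domain for _, domain in hits[:top_n]]


def cantina_verdict(url, page_text, top_n=5):
    """CANTINA's core test: if the page's own domain appears in the top search
    results for its lexical signature, treat it as legitimate, else as phishing."""
    signature = lexical_signature(page_text)
    domain = urlparse(url).netloc.lower()
    return "legitimate" if domain in mock_search(signature, top_n) else "phishing"


if __name__ == "__main__":
    page = BACKGROUND["signin.ebay.com"]
    # A phishing kit copies the real page verbatim, so both get the same signature...
    print(lexical_signature(page))
    # ...but only the real domain ranks for it (the fake host is a constructed placeholder).
    print(cantina_verdict("https://signin.ebay.com/signin", page))
    print(cantina_verdict("http://signin-ebay.example.com/signin", page))
```

The verdict rule is deliberately the bare version of the slide's idea; the talk also notes that blacklists and a whitelist sit alongside it, and a production checker would add both plus a tolerance for legitimate pages that simply have not been indexed yet.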

Evaluating CANTINA PhishTank

Machine Learning of Blacklists Human-verified blacklists maintained by Microsoft, Google, PhishTank –Pros: Reliable, extremely low false positives –Cons: Slow to respond, can be flooded with URLs (fast flux) Observation #1: many phishing sites similar –Constructed through toolkits Observation #2: many phishing sites similar –Fast flux (URL actually points to same site) Idea: Rather than just examining URL, compare content of a site to known phishing sites

Machine Learning of Blacklists Approach #1: Use hashcodes of web page –Simple, good against fast flux –Easy to defeat (though can allow some flexibility) Approach #2: Use shingling –Shingling is an approach used by search engines to find duplicate pages –“connect with the eBay community” -> {connect with the, with the eBay, the eBay community} –Count the number of common shingles out of total shingles, set threshold

Machine Learning of Blacklists Use Shingling Protect against false positives –Phishing sites look a lot like real sites –Have a small whitelist (ebay, paypal, etc) –Use CANTINA too
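As an added example (illustrative code for this transcript, not the authors' classifier): the shingling approach and its whitelist guard from the last two slides, in Python. It shingles page text into word trigrams, scores a candidate page against a constructed blacklist entry by the fraction of shared shingles, and shows why a plain page hash (Approach #1) misses a re-hosted kit whose text differs by a single token while shingling (Approach #2) still catches it. The blacklist text, the variant page, the whitelist, and the 0.5 threshold are all constructed for the example.

```python
"""Added example: shingling a page against known phishing pages, with a brand
whitelist to cut false positives. Illustrative code for this transcript, not
the authors' classifier."""
import hashlib
import re

SHINGLE_SIZE = 3   # word trigrams, as in the slide's "connect with the eBay community" example
THRESHOLD = 0.5    # fraction of shared shingles above which a page is flagged (constructed)

# Constructed stand-in for one entry of a human-verified blacklist: the visible
# text of a kit-generated phishing page (not a real phishing page).
KNOWN_PHISH = {
    "verify-ebay-account.example": (
        "Welcome to eBay. Please confirm your account information. "
        "Enter your user ID and password to connect with the eBay community. "
        "Your account will be suspended if you do not respond within 24 hours."
    ),
}

# Constructed whitelist: brand domains whose real pages naturally resemble the
# phish that imitate them, so similarity alone must never flag them.
WHITELIST = {"www.ebay.com", "signin.ebay.com", "www.paypal.com"}

# The same kit re-hosted under a new URL with one detail changed (fast flux or
# a fresh deployment); a page hash misses it, shingling does not.
VARIANT_PAGE = KNOWN_PHISH["verify-ebay-account.example"].replace("24 hours", "48 hours")

# An unrelated login page on an unknown domain, which must not be flagged.
UNRELATED_PAGE = ("Welcome to Example Bank online banking. "
                  "Sign in with your customer number and password.")


def shingles(text, k=SHINGLE_SIZE):
    """Set of word k-grams of the page text, lower-cased."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def shingle_overlap(a, b):
    """Shared shingles as a fraction of all shingles in either page (Jaccard)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def page_hash(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_match(text):
    """Approach #1 from the slide: exact hash of the page. Any edit defeats it."""
    return page_hash(text) in {page_hash(t) for t in KNOWN_PHISH.values()}


def best_overlap(text):
    """Highest shingle overlap between the page and any known phishing page."""
    sh = shingles(text)
    return max(shingle_overlap(sh, shingles(t)) for t in KNOWN_PHISH.values())


def classify(domain, text, threshold=THRESHOLD):
    """Approach #2 with the false-positive guard: whitelisted brand domains are
    never flagged; everything else is flagged when it is a near-duplicate of a
    known phish."""
    if domain.lower() in WHITELIST:
        return "whitelisted"
    return "phish" if best_overlap(text) >= threshold else "unknown"


if __name__ == "__main__":
    print(sorted(shingles("connect with the eBay community")))
    print(hash_match(VARIANT_PAGE), round(best_overlap(VARIANT_PAGE), 3))
    print(classify("ebay-login-secure.example", VARIANT_PAGE))
    print(classify("www.ebay.com", KNOWN_PHISH["verify-ebay-account.example"]))
    print(classify("www.examplebank.test", UNRELATED_PAGE))
```

The whitelist is what keeps the real brand page, which shares most of its shingles with the phish that copies it, from being flagged; the slide's last point, running CANTINA as a second check on unwhitelisted near-duplicates, is left out here. In practice the threshold is tuned on a labelled corpus rather than fixed at 0.5.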

Embedded training intervention callouts (slide annotations): –Tells people why they are seeing this message, uses engaging character –Tells a story about what happened and what the risks are –Gives concrete examples of how to protect oneself –Explains how criminals conduct phishing attacks