Tuesday, January 14, 2014

Phishing: Why Are Some People More Affected?

This is from a really good ad campaign on security awareness from Southern Methodist University.
Scamming method used to elicit information from uninformed computer users through impersonation of trusted sources;  respelling of fishing used to evade scans and filters by mainstream servers policing the internet.
 Email messages will contain: 
2.Company Logo or Name
4.+/- misspelled words and typos
Why do some people seem to fall for phishing?
Are users:
On autopilot? Not engaged or passive in their online activities? Cowed by perceived authority? Lacking critical thinking abilities? Other? 
This is an example we get sent to the Campus Help Desk about once a month: 

And according to Educause we are the #2 most phished industry:
Early in 2013 the Syrian Electronic Army successfully phished several news media Twitter accounts. One of them was the Onion (which took some time to discover because their tweets are already strange).
The Onion was the only hacked account that later released information on exactly how it happened. Their staff were sent this email multiple times over the course of a week. Eventually a staff member clicked the link and entered the requested information (if a user clicks the link they are most likely going to continue on entering what is asked if given no warning from their browser or mail client).
Emotional Triggers Exploited by Phishing
There are certain personality types that are the most susceptible to phishing. 
  • Greed
  • Fear
  • Heroism
  • Desire to be Liked
  • Authority
Date: Mon, 5 Jan 2004 09:30:13
From: chika_williams@tiscali.co.uk
To: gullible@yahoo.com
Subject: URGENT

Heroism/Desire to be Liked
Victim Personality Traits:
There are certain victim personality traits when combined with a cognitive bias that can result in a user who will fall for phishing attacks. Remember that each of these traits are completely normal in small amounts.
  • Neuroticism: causes people to be more upset when being lied to and prefer to believe people are more truthful.
  • Impulsivity: read,  decide and  click as fast as possible.
  • Introversion: prefer online communication.
Cognitive Bias:
We are bad at detecting deception in others but good at detecting honesty.
We tend to overestimate our abilities and underestimate risk.
We believe what we want to believe (cognitive dissonance).
Research Study #1: Unnamed University
An 8 week study was done on 446 undergrads in an Intro to Information Systems course. They were given a Super Secret Code (SSC) and told to never give it out to anyone. The SSC was printed on official university letterhead with the title disclaimer “Do Not Disclose This Code.” It was used to access grades, quizzes, professor/ta email info communicating that the SSC is important and private. Giving it out would affect grades and violate the student conduct code. A nondisclosure agreement was signed.
For the 8 Weeks of the class they were instructed on internet security,phishing, hacking, etc.,  all lectures began with reminder displayed on PowerPoint:
Week 6: The unexpected, but not really. A real, unplanned phishing attack occurred with IT warning students. It was written up in the student paper.
Week 8 they were emailed the following message. Notice that there is no link or logo present.
From: Jason Roth Database Administrator
 This e‑mail is to inform you of a problem we are having with the information technology database. Due to a data collision we have lost some information and are unable to recover it. In order to get the database back up and working we need you to forward us your “super-secure code.” Please respond to this e‑mail with your code. Sorry for the inconvenience.
Out of 299  [final] participants*:
•57% ignored (170)
•32% replied with SSC (97)
•9% alerted IT (26)
•1% responded with a question/comment (4)
•<1% responded with incorrect info (2)
*147 students were excluded because they dropped class, didn’t receive the email/couldn’t find it, didn’t take the post instruction test, didn’t complete all items on final survey.
What were the responses?
  • here is my SSC xxxxxx. I hope that the database will get fixed very soon. Best of luck to you on fixing the database.
  •  My Network ID is xxxxx, My Student Number is xxxxx, my super secure Code is xxxxx, my home number is xxxxx.
  • I think this is my code: xxxx, but I’m not sure. you can call my mom at xxx- xxxx if this isn’t it as she will have it for you.
  •  I was told to never give out my super secrete (sic) code. . . . So how do I know this isn’t a scam?
  •  I’m sorry to hear about your problems, but I will not be able to assist you.
What happened?!
Research Study #2: West Point 2004
 A random sampling of 512 cadets were phished. West Point is unique in that the students have an average SAT score in the top 25%. The school was the first to be certified by the Center of Academic Excellence in Information Assurance Education (NSA), have a Security Emergency Response Team and security awareness training at the beginning of each semester. 
 (note: the article mainly focused on the intelligence of the cadets and the issues that would arise from betraying their trust with this study)
There was no discussion on ongoing IT security training. The following email was sent to the cadets with a link, replying email address and physical location of the sender. When the link was clicked on it returned a 404 error so there is no data on how many entered in their personal information.
The name is not found in the global address book, Washington Hall does not have a 7th floor and the building is used by all cadets on a regular basis. This is all information that is easily independently verified.
Out of 512 cadets, 80% clicked the link   (~400). And their reasons: 
  • ‘The email looked suspicious but it was from an Army colonel so I figured it must be legitimate.’ 
  • ‘Any e-mail that contains the word ‘grade’ in it gets my immediate attention and action!’
What happened?!
Data Analysis
Experience Factors:
•Lack of Computer self confidence
•Lack of  Web experience
•Lack of  Security policy knowledge
Personality Factors
•Victim personality traits (neurotic, impulsive, introverted)
Phishing and Social Engineering works better on naive and vulnerable users. 
What Made the Difference?
  • Reinforced  and Ongoing Training
  • Security Awareness
  • Communication from IT on Actual Phishing Attacks
Back to the original questions.Are users:
  • On autopilot? no
  • Not engaged or passive in their online activities? no
  • Cowed by perceived authority? A bit
  • Lacking critical thinking abilities? No
  • Other? yes :Of the personality type that phishing exploits? yes!
They are engaging in these emails critically but do not have the experience, security knowledge and confidence to correctly asses the threat.
IT Managers
Be aware of potential victim users:
•Oversharing on Facebook (content and quality)
•New to the web
•Victim Personality Traits
Talk about it (think of a personal story that relates):  my mom once told me she replies to spam asking them to take her off their mailing list. Yes I told her to stop doing that and why.
Journal of management information systems [0742-1222] Wright, Ryan yr:2010 vol:27  iss:1 pg:273 -303
2007 IEEE Intelligence and Security Informatics Tiantian Qi, Tiantian yr:2007 pg:152 -159
EDUCAUSE quarterly [1528-5324] Ferguson, Aaron yr:2005 vol:28 iss:1 pg:54 -57
Communications of the ACM [0001-0782] Hong, Jason yr:2012 vol:55 iss:1 pg:74 -81
Halevi, Tzipora yr:2013
Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage
Paul Ekman; c1985 New York : Norton

No comments:

Post a Comment