That Ain’t You: Blocking Spearphishing Through Behavioral Modelling

Stringhini, Gianluca; Thonnard, Olivier

doi:10.1007/978-3-319-20550-2_5

Cited by 49 publications

(30 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Lynch (2005) analyses phishing, where criminals send fake emails that seem to be official online services and make their victims type in their credentials on a fake site. Likewise, spear phishing attacks include fraudulent emails which are aimed at one or a specific group of users (Stringhini and Thonnard 2015). Another method used is to infect users with malware that steals information because their devices are not properly prepared to counter the threat (Stone-Gross et al 2009).…”

Section: Background and Related Workmentioning

confidence: 99%

Under and over the surface: a comparison of the use of leaked account credentials in the Dark and Surface Web

et al. 2018

Self Cite

View full text Add to dashboard Cite

The world has seen a dramatic increase in cybercrime, in both the Surface Web, which is the portion of content on the World Wide Web that may be indexed by popular engines, and lately in the Dark Web, a portion that is not indexed by conventional search engines and is accessed through network overlays such as the Tor network. For instance, theft of online service credentials is an emerging problem, especially in the Dark Web, where the average price for someone's online identity is £820. Previous research studied the modus operandi of criminals that obtain stolen account credentials through Surface Web outlets. As part of an effort to understand how the same crime unfolds in the Surface Web and the Dark Web, this study seeks to compare the modus operandi of criminals acting on both by leaking Gmail honey accounts in Dark Web outlets. The results are compared to a previous similar experiment performed in the Surface Web. Simulating operating activity of criminals, we posted 100 Gmail account credentials on hidden services on the Dark Web and monitored the activity that they attracted using a honeypot infrastructure. More specifically, we analysed the data generated by the two experiments to find differences in the activity observed with the aim of understanding how leaked credentials are used in both Web environments. We observed that different types of malicious activity happen on honey accounts depending on the Web environment they are released on. Our results can provide the research community with insights into how stolen accounts are being manipulated in the wild for different Web environments.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Under and over the surface: a comparison of the use of leaked account credentials in the Dark and Surface Web

et al. 2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…Masquerade attacks on written documents have been studied previously [1], but in the email context have not been studied previously to our knowledge. Cues in the context of phishing and spear-phishing were studied previously in [46,40]. The authors in [46] also studied cognitive load indirectly through a survey question.…”

Section: Related Workmentioning

confidence: 99%

“…Researchers in [40] used user behavioral model for distinguishing a real email and an email which is written by someone pretending to be the actual author. This model includes frequent interactions with certain people, sending emails at specific hours of the day, and using certain greetings and modal words in their emails.…”

Section: Related Workmentioning

confidence: 99%

Scaling and Effectiveness of Email Masquerade Attacks

Baki

Verma

Mukherjee

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

We focus on email-based attacks, a rich field with wellpublicized consequences. We show how current Natural Language Generation (NLG) technology allows an attacker to generate masquerade attacks on scale, and study their effectiveness with a within-subjects study. We also gather insights on what parts of an email do users focus on and how users identify attacks in this realm, by planting signals and also by asking them for their reasoning. We find that: (i) 17% of participants could not identify any of the signals that were inserted in emails, and (ii) Participants were unable to perform better than random guessing on these attacks. The insights gathered and the tools and techniques employed could help defenders in: (i) implementing new, customized anti-phishing solutions for Internet users including training next-generation email filters that go beyond vanilla spam filters and capable of addressing masquerade, (ii) more effectively training and upgrading the skills of email users, and (iii) understanding the dynamics of this novel attack and its ability of tricking humans.

show abstract

“…The system proposed, Monarch, performs realtime filtering of scam, phishing and malware URLs that are submitted to web services through the use of linear classification with the combination of iterative parameter mixing and subgradient L1-regularisation; calculating an overall accuracy of 91% and 0.87% false positive margin. Stringhini and Thonnard [2015] have recently developed a system for classifying and blocking spear phishing emails from compromised email accounts by training a support vector machine based system with a behavioural model based on a user's email habits. The system collects and profiles behavioural features associated to writing (e.g., character/word frequency, punctuation, stylus), composition and sending (e.g., time/date, URL characterises, email chain content) and interaction (e.g., email contacts).…”

Section: Technicalmentioning

confidence: 99%

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

2015

View full text Add to dashboard Cite

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.

show abstract

That Ain’t You: Blocking Spearphishing Through Behavioral Modelling

Cited by 49 publications

References 19 publications

Under and over the surface: a comparison of the use of leaked account credentials in the Dark and Surface Web

Under and over the surface: a comparison of the use of leaked account credentials in the Dark and Surface Web

Scaling and Effectiveness of Email Masquerade Attacks

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

Contact Info

Product

Resources

About