Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing...

CyLab Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu

Statistical Analysis of Phished eMail Users, Intercepted by the APWG/CMU Phishing Education Landing Page

Jason Hong, PhD
Carnegie Mellon University
Wombat Security Technologies

May 2010

description

Slides from APWG CeCOS 2010 meeting, presenting the results of the APWG landing page. The landing page is meant to replace fake phishing web pages, teaching people that the site that they are visiting is fake. This presentation looks at the design rationale behind the landing page and some basic stats as to how many people have seen it.

Transcript of Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing...

Page 1: Statistical Analysis of Phished Email Users, Intercepted by the APWG/CMU Phishing Education Landing Page, at APWG CeCOS 2010


Page 2: User Education is Challenging

Users are not motivated to learn about security
Security is a secondary task
Difficult to teach people to make right online trust decision without increasing false positives

“User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.”

Martin Overton, IBM security specialist http://news.cnet.com/21007350_361252132.html

Page 3: But Actually, Users Are Trainable

Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMUCyLab07003, 2007.

Page 4: How Do We Get People Trained?

Solution
  – Find “teachable moments”: PhishGuru
  – Make training fun: Anti-Phishing Phil, Anti-Phishing Phyllis
  – Use learning science principles

Page 5: PhishGuru Embedded Training

Send emails that look like a phishing attack
If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format
Multiple user studies have demonstrated that this is effective
Delivering same training via direct email is not effective!

Page 6:

Subject: Revision to Your Amazon.com Information

Page 7:

Subject: Revision to Your Amazon.com Information

Please login and enter your information

Page 9: APWG Landing Page

Taking the “teachable moment” concept one step further
Provide education (instead of 404) when users click on real phishing links and arrive at real phishing sites that have been taken down

P. Kumaraguru, L. Cranor, and L. Mather. Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users. CEAS 2009. http://www.ceas.cc/papers2009/ceas2009paper37.pdf

http://education.apwg.org/

Page 10: How the Landing Page Works

Brand owner or phish site takedown provider identifies phish site
ISP or registrar is asked to redirect disabled phish site to APWG redirect page
Consumer receives phishing email and clicks
Consumer is shown APWG education message instead of 404 page
  – Page available in many languages
  – Automatic redirect to appropriate language based on browser language code to happen soon

Page 11: APWG Landing Page

Page 12: Landing Page Data Collection

APWG server logs all requests to landing page
  – Time stamp
  – IP address (to determine country)
  – Language (will redirect to page in user’s language)
We’ve asked sites to embed info in redirect URL to track how people end up on landing page
  – Original URL taken down
  – Brand code (optional)
CMU CUPS Lab and Wombat Security Technologies have been analyzing the data

Page 13: Lots of noisy data!

20 months of data (Sept 2008-April 2010)
840K hits on 15,000 unique redirected URLs
But this data contains lots of noise
  – Brand monitors checking up on sites to make sure they stay down
  – Random web crawlers
  – People testing landing page
  – Incorrectly redirected sites
We used heuristics to filter out most of the noise

Page 14: Filtering Out the Noise

We filtered the data set by removing:
  – Hits that don’t identify the original phishing site (brand)
  – Hits that seem to be for testing only
    • URLs appearing only once
    • IPs that hit multiple URLs per day
    • IPs that hit same URL for more than a month
  – Hits from bots (e.g., specific IPs, 'bot', 'plurk', etc)
  – Hits from wonderdogsoftware (server misconfiguration that linked to homepage)
Filtering not perfect
  – Some noise remains
  – Improperly redirected sites don’t get counted

Page 15: Filtered Data

201,084 hits – estimate of actual would-be phishing victims visiting landing page over 20 month period
1285 unique URLs redirected
  – Note that this is URLs, not domains
Number of hits per URL varies a lot
  – URL with most hits after filtering had 17,911 hits
  – Monthly mean hits per URL typically 100-300
  – Monthly median hits per URL 2-7


Page 17: Analysis of Time

Monitoring time period of each observed URL may give us insights into length of phishing campaigns
Time observed for each URL is number of days between first observation and last observation
Limitations
  – Our first observation is time when site was redirected; we don’t know how long it was live before being redirected
  – Some URLs are observed across month boundaries
  – Once browsers start blocking URL we may not have hits
  – Some redirects are removed after a period of time
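The heuristics from the “Filtering Out the Noise” slide and the time-observed measure from “Analysis of Time”, as an added Python example; it is not the CMU/Wombat log-processing code. Assumptions: the hit records, IPs and URLs are constructed; “multiple URLs per day” is read as more than one distinct URL from one IP on one calendar day and “more than a month” as more than 30 days; all tests run on the same bot-free set; the site-specific filters (specific bot IPs, wonderdogsoftware) are left out because the slides do not give their values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BOT_MARKERS = ("bot", "plurk")  # user-agent substrings named on the slide
A, B, C = (f"http://{x}.example.test/login" for x in "abc")  # constructed URLs

def hit(ts, ip, agent, url):
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "agent": agent, "url": url}

# Constructed sample log; url=None means the redirect carried no original URL.
HITS = [
    hit("2010-04-01T09:00", "192.0.2.10", "Mozilla/5.0", A),
    hit("2010-04-03T18:30", "192.0.2.11", "Mozilla/5.0", A),
    hit("2010-04-02T10:00", "192.0.2.12", "Mozilla/5.0", None),   # unidentified site
    hit("2010-04-02T11:00", "192.0.2.13", "ExampleBot/1.0", A),   # bot user agent
    hit("2010-04-02T12:00", "192.0.2.14", "Mozilla/5.0", B),      # URL seen only once
    hit("2010-04-04T08:00", "192.0.2.20", "Mozilla/5.0", A),      # one IP, two URLs,
    hit("2010-04-04T08:05", "192.0.2.20", "Mozilla/5.0", C),      # same day
    hit("2010-04-05T08:00", "192.0.2.21", "Mozilla/5.0", C),
    hit("2010-03-01T07:00", "192.0.2.30", "Mozilla/5.0", C),      # same IP and URL
    hit("2010-04-20T07:00", "192.0.2.30", "Mozilla/5.0", C),      # for over a month
]

def filter_hits(hits):
    """Return the hits that survive the slide's heuristics (see assumptions above)."""
    hits = [h for h in hits if h["url"]
            and not any(m in h["agent"].lower() for m in BOT_MARKERS)]
    per_url = Counter(h["url"] for h in hits)
    urls_by_ip_day = defaultdict(set)   # (ip, date) -> distinct URLs requested
    seen = defaultdict(list)            # (ip, url)  -> timestamps
    for h in hits:
        urls_by_ip_day[h["ip"], h["ts"].date()].add(h["url"])
        seen[h["ip"], h["url"]].append(h["ts"])
    multi_url_ips = {ip for (ip, _), urls in urls_by_ip_day.items() if len(urls) > 1}
    long_lived = {k for k, ts in seen.items() if max(ts) - min(ts) > timedelta(days=30)}
    return [h for h in hits if per_url[h["url"]] > 1
            and h["ip"] not in multi_url_ips
            and (h["ip"], h["url"]) not in long_lived]

def observed_days(hits):
    """Days between first and last kept hit per URL (the 'time observed' measure)."""
    stamps = defaultdict(list)
    for h in hits:
        stamps[h["url"]].append(h["ts"])
    return {url: (max(ts) - min(ts)).days for url, ts in stamps.items()}
```

Because the “appearing only once” test is applied before the IP-based removals, a URL can end up with a single kept hit and an observed time of zero days; running the count after the other filters would drop it instead.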


Page 19: April 2010, Top 20 countries hit landing page

Country               Hits
United States         11,159
Canada                3,819
United Kingdom        1,790
Netherlands           725
Germany               650
Spain                 600
France                470
Japan                 452
Australia             449
India                 417
Singapore             292
Mexico                238
Egypt                 212
NA                    184
Russian Federation    184
Austria               174
Sweden                145
China                 137
Brazil                126
Norway                101

Page 20: Analysis of Brands

7 brands have requested brand codes
Only 2 have shown up in logs
April 2010 brand data
  – Brand 1
    • Total Hits: 2715
    • Total unique URLs: 52
  – Brand 2
    • Total Hits: 370
    • Total unique URLs: 3
We supplied each brand with a report showing list of their URLs and number of hits for each

Page 21: Ongoing Work

Will soon be posting monthly reports at http://education.apwg.org/
Redirecting landing page automatically to show correct language (soon)
Encouraging more brands to redirect to landing page
  – If you sign up for a brand code we can provide you with monthly brand reports
  – [email protected]
Continuing to automate log processing, report generation, report distribution

Page 22: For more information

Learn how to participate in the initiative: http://education.apwg.org/
View the landing page: http://education.apwg.org/r/en/

Page 23:

http://wombatsecurity.com
CyLab Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/

Page 24: Other countries that sometimes make top 20

Italy, Romania, Czech Republic, Finland, Ireland, India, EU, Turkey, Belgium, Switzerland, Colombia, Israel, Morocco, Saudi Arabia, Argentina, Indonesia, Thailand, Tunisia, Poland, Greece, Korea, Chile, Pakistan