Usable Privacy and Security: Protecting People from Online Phishing Scams - PowerPoint PPT Presentation
1
Usable Privacy and Security: Protecting People from Online Phishing Scams
Alessandro Acquisti, Lorrie Cranor, Julie Downs, Jason Hong, Norman Sadeh
Carnegie Mellon University
2
Everyday Security Problems: Install this software?
3
Everyday Security Problems: Setting File Permissions
  • In 2003, one Senate Judiciary staffer found
    that files were readable to all users, rather
    than just to Democrats or Republicans
  • See Reeder et al., CHI 2008

4
Everyday Security Problems: Many Laptops with Sensitive Data being Lost or Stolen
5
Costs of Unusable Privacy and Security are High
  • Spyware, viruses, worms
  • Too many passwords!!!
  • People not updating software with patches
  • Firewalls, WiFi boxes, and other systems easily
    misconfigured
  • Less potential adoption of ubicomp systems (e.g.
    location-based services)

6
Usable Privacy and Security
  • "Give end-users security controls they can
    understand and privacy they can control for the
    dynamic, pervasive computing environments of the
    future."
  • - Grand Challenges in Information Security and
    Assurance, Computing Research Association (2003)
  • "More research needed on how cultural and social
    influences can affect how people use computers
    and electronic information in ways that increase
    the risk of cybersecurity breaches."
  • - Grand Challenges for Engineering,
    National Academy of Engineering (2008)

7
Everyday Privacy and Security Problem
8
This entire process is known as phishing
9
Phishing is a Plague on the Internet
  • Estimated $350M to $3B in direct losses a year
  • Does not include damage to reputation, lost
    sales, etc.
  • Does not include response costs (call centers,
    recovery)
  • Rapidly growing
  • Spear-phishing and whaling attacks escalating
  • Steal sensitive corporate or military information

10
(No Transcript)
11
Phishing Becoming Pervasive
  • Universities
  • Online social networking sites (Facebook,
    MySpace)
  • Social media (Twitter, World of Warcraft)

12
Project: Supporting Trust Decisions
  • Goal: help people make better online trust
    decisions
  • Specifically in context of anti-phishing
  • Large multi-disciplinary team project at CMU
  • Economics, computer science, public policy,
    human-computer interaction, social and decision
    sciences, machine learning, computer security

13
Our Multi-Pronged Approach
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm
  • Machine learning of blacklists

Automate where possible, support where necessary
14
Impact of Our Work
  • Game teaching people about phish played 100k
    times, featured in over 20 media articles
  • Study on browser warnings -> Internet Explorer 8
  • Our filter is labeling several million emails per
    day
  • Our evaluation of anti-phishing toolbars cited by
    several companies, presented to Anti-Phishing
    Working Group (APWG)
  • PhishGuru embedded training has undergone field
    trials at three companies; a variant is in use by
    a large email provider, and it is used in APWG's
    takedown page

15
Our Multi-Pronged Approach
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm

What do users know about phishing? Why do they
fall for phish?
16
Interview Study
  • Interviewed 40 Internet users (35 non-experts)
  • Mental models interviews included email role
    play and open ended questions
  • Brief overview of results (see papers for
    details)
  • J. Downs et al. Decision Strategies and
    Susceptibility to Phishing. Symposium on Usable
    Privacy and Security 2006.
  • J. Downs et al. Behavioral Response to Phishing
    Risk. eCrime 2007.

17
Little Knowledge of Phishing
  • Only about half knew meaning of the term
    phishing
  • "Something to do with the band Phish, I take it."

18
Little Attention Paid to URLs
  • Only 55% of participants said they had ever
    noticed an unexpected or strange-looking URL
  • Most did not consider them to be suspicious

19
Some Knowledge of Scams
  • 55% of participants reported being cautious when
    email asks for sensitive financial info
  • But very few reported being suspicious of email
    asking for passwords
  • Knowledge of financial phish reduced likelihood
    of falling for these scams
  • But did not transfer to other scams, such as an
    amazon.com password phish

20
Naive Evaluation Strategies
  • The most frequent strategies don't help much in
    identifying phish
  • "This email appears to be for me"
  • "It's normal to hear from companies you do
    business with"
  • "Reputable companies will send emails"
  • "I will probably give them the information that
    they asked for. And I would assume that I had
    already given them that information at some point
    so I will feel comfortable giving it to them
    again."

21
Summary of Findings
  • People generally not good at identifying scams
    they haven't specifically seen before
  • People don't use good strategies to protect
    themselves

22
Outline
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm
  • Machine learning of blacklists

How to train people not to fall for phish?
23
PhishGuru Embedded Training
  • A lot of training materials are boring and/or
    ignored
  • Can we train people during their normal use of
    email to avoid phishing attacks?
  • Periodically, people get sent a training email by
    admins
  • Training email looks same as a phishing attack
  • If person falls for it, intervention warns and
    highlights what cues to look for in succinct and
    engaging format

24
Everyday Privacy and Security Problem
25
Everyday Privacy and Security Problem
26
Everyday Privacy and Security Problem
  • Learning science principles
  • Learning by Doing
  • Immediate feedback
  • Conceptual-Procedural Knowledge

27
Evaluation of PhishGuru
  • Is embedded training effective? Yes!
  • Study 1: Lab study, 30 participants
  • Study 2: Lab study, 42 participants
  • Study 3: Field evaluation at company, 300
    participants
  • Study 4: Ongoing at CMU, 500 participants
  • Will highlight first two studies
  • P. Kumaraguru et al. Protecting People from
    Phishing: The Design and Evaluation of an
    Embedded Training Email System. CHI 2007.
  • P. Kumaraguru et al. Getting Users to Pay
    Attention to Anti-Phishing Education: Evaluation
    of Retention and Transfer. eCrime 2007.

28
Intervention 1: Diagram
29
Intervention 1: Diagram
Explains why they are seeing this message
30
Intervention 1: Diagram
Explains what a phishing scam is
31
Intervention 1: Diagram
Explains how to identify a phishing scam
32
Intervention 1: Diagram
Explains simple things you can do to protect yourself
33
Intervention 2: Comic Strip
34
Intervention 2: Comic Strip
35
Intervention 2: Comic Strip
36
Embedded Training Evaluation 1
  • Lab study comparing our prototypes to standard
    security notices
  • Group A: Standard eBay, PayPal notices
  • Group B: Diagram that explains phishing
  • Group C: Comic strip that tells a story
  • 10 participants in each condition (30 total)
  • Screened so we only have novices
  • Go through 19 emails, 4 phishing attacks
    scattered throughout, 2 training emails too
  • Role play as Bobby Smith at Cognix Inc.

37
Embedded Training Results
38
Embedded Training Results
  • Existing practice of security notices not
    effective
  • Diagram intervention somewhat better
  • Though people still fell for final phish
  • Comic strip intervention worked best
  • Statistically significant
  • Combination of less text, graphics, story

39
Evaluation 2
  • New questions
  • Have to fall for phishing email to be effective?
  • How well do people retain knowledge?
  • Roughly same experimental protocol as before
  • Role play as Bobby Smith at Cognix Inc., go
    through 16 emails
  • Embedded condition means have to fall for our
    email
  • Non-embedded means we just send the comic strip
  • Suspicion means got a warning about phish from
    friend
  • Control means they got no warnings or training
  • Also had people come back after 1 week

40
(No Transcript)
41
Results of Evaluation 2
  • Have to fall for phishing email to be effective?
  • How well do people retain knowledge after a week?

42
Results of Evaluation 2
  • Have to fall for phishing email to be effective?
  • How well do people retain knowledge after a week?

43
Results of Evaluation 2
  • Have to fall for phishing email to be effective?
  • How well do people retain knowledge after a week?

44
Discussion of PhishGuru
  • Act of falling for phish is teachable moment
  • Just sending intervention not effective
  • PhishGuru can teach people to identify phish
    better
  • People retain the knowledge well
  • People aren't resentful, many happy to have
    learned
  • 68 out of 85 surveyed said they recommend CMU
    continue doing this sort of training in future
  • "I really liked the idea of sending CMU students
    fake phishing emails and then saying to them,
    essentially, HEY! You could've just gotten
    scammed! You should be more careful -- here's
    how...."

45
APWG Landing Page
  • CMU helped Anti-Phishing Working Group develop
    landing page for phishing sites taken down
  • Also a new data source for us
  • How long people keep going to phishing sites,
    where from

46
Phishguru.org
  • Our site to teach general public more about
    phishing

47
Anti-Phishing Phil
  • A game to teach people not to fall for phish
  • Embedded training about email, this game about
    web browser
  • Based on learning science
  • Goals:
  • How to parse URLs
  • Where to look for URLs
  • Use search engines for help
  • Try the game!
  • http://cups.cs.cmu.edu/antiphishing_phil
  • S. Sheng et al. Anti-Phishing Phil: The Design
    and Evaluation of a Game That Teaches People Not
    to Fall for Phish. In Proceedings of the 2007
    Symposium On Usable Privacy and Security,
    Pittsburgh, PA, July 18-20, 2007.

48
Anti-Phishing Phil
49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53

54
Evaluation of Anti-Phishing Phil
  • Is Phil effective?
  • Study 1: 56 people in lab study
  • Study 1 protocol:
  • Label 10 web sites as phish or legitimate
  • For 15 minutes (four conditions):
  • Read printed materials on training
  • Read printed copies of Phil's tutorials
  • Play Anti-Phishing Phil
  • Check email or play solitaire (control)
  • Label 10 more web sites

55
Anti-Phishing Phil Study 1
  • No statistical difference in false negatives
    (calling phish legitimate) between first three
    conditions

56
Anti-Phishing Phil Study 1
  • Our game has significantly fewer false positives
    (labeling legitimate site as phish)

57
Evaluation of Anti-Phishing Phil
  • Study 2: 4517 participants in field trial
  • Randomly selected from 80000 people
  • Conditions:
  • Control: Label 12 sites, then play game
  • Game: Label 6 sites, play game, then label 6
    more, then after 7 days, label 6 more (18 total)
  • Participants:
  • 2021 people in game condition, 674 did retention
    portion

58
Anti-Phishing Phil Study 2
  • Novices showed most improvement in false
    negatives (calling phish legitimate)

59
Anti-Phishing Phil Study 2
  • Improvement all around for false positives

60
Discussion of Anti-Phishing Phil
  • For false negatives, Phil at least as effective
    as existing training, but much more fun
  • Much better in terms of false positive rate
  • Don't want people to delete all mails from
    Citibank
  • Just telling people about phish tends to make
    them paranoid, without ability to differentiate

61
Outline
  • Human side
  • Interviews to understand decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm

Do people see, understand, and believe web
browser warnings?
62
Screenshots
Internet Explorer Passive Warning
63
Screenshots
Internet Explorer Active Block
64
Screenshots
Mozilla FireFox Active Block
65
How Effective are these Warnings?
  • Tested four conditions
  • FireFox Active Block
  • IE Active Block
  • IE Passive Warning
  • Control (no warnings or blocks)
  • Shopping study
  • Set up some fake phishing pages and added them to
    blacklists
  • We phished users after purchases (2 phish/user)
  • Real email accounts and personal information
  • S. Egelman, L. Cranor, and J. Hong. You've Been
    Warned: An Empirical Study of the Effectiveness
    of Web Browser Phishing Warnings. CHI 2008.

66
How Effective are these Warnings?
Almost everyone clicked, even those with
technical backgrounds
67
How Effective are these Warnings?
68
Discussion of Phish Warnings
  • Nearly everyone will fall for highly contextual
    phish
  • Passive IE warning failed for many reasons
  • Didn't interrupt the main task
  • Slow to appear (up to 5 seconds)
  • Not clear what the right action was
  • Looked too much like other ignorable warnings
    (habituation)
  • Bug in implementation, any keystroke dismisses

69
Screenshots
Internet Explorer Passive Warning
70
Discussion of Phish Warnings
  • Active IE warnings
  • Most saw but did not believe it
  • "Since it gave me the option of still proceeding
    to the website, I figured it couldn't be that
    bad"
  • Some element of habituation (looks like other
    warnings)
  • Saw two pathological cases

71
Screenshots
Internet Explorer Active Block
72
Internet Explorer 8 Re-design
73
A Science of Warnings
  • See the warning?
  • Understand?
  • Believe it?
  • Motivated?
  • Refining this model for computer warnings

74
Outline
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm
  • Machine learning of blacklists

Can we automatically detect phish emails?
75
PILFER Email Anti-Phishing Filter
  • Goal: Create email filter that detects phishing
    emails
  • Spam filters well-explored, but how good for
    phishing?
  • Can we do better?
  • Example heuristics combined in Random Forest:
  • IP addresses in link (http://128.23.34.45/blah)
  • Age of linked-to domains (younger domains likely
    phishing)
  • Non-matching URLs (ex. most links point to
    PayPal)
  • "Click here to restore your account"
  • I. Fette, N. Sadeh, A. Tomasic. Learning to
    Detect Phishing Emails. In WWW 2007.

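The four heuristics on this slide, worked through in code. This is an added example written for this transcript, not PILFER's own implementation: the two sample email bodies, the WHOIS-style registration table, the 60-day "young domain" cut-off and the scoring weights are all constructed, and a plain weighted sum stands in for the Random Forest the slide mentions.

```python
"""Link-level heuristics of the kind PILFER feeds to its classifier
(IP-address hosts, young domains, link text that disagrees with the
link target, "click here" bait). Added example for this transcript; the
sample emails, the WHOIS table and the scoring weights are constructed."""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample emails (HTML bodies). Not real messages.
PHISH_HTML = """
<p>Dear PayPal customer, your account has been limited.</p>
<p><a href="http://128.23.34.45/update">Click here to restore your account</a></p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/login</a></p>
<p><a href="http://www.paypal.com/help">Help</a></p>
"""
BENIGN_HTML = """
<p>Your monthly statement is ready.</p>
<p><a href="https://www.paypal.com/statements">View statement</a></p>
<p><a href="https://www.paypal.com/help">Help center</a></p>
"""

# Constructed stand-in for a WHOIS lookup (domain -> registration date).
# A real filter would query WHOIS; the dates here are made up.
REGISTRATION_DATES = {
    "paypal.com": date(1999, 7, 15),
    "paypal.com.account-verify.example": date(2009, 3, 1),
}
TODAY = date(2009, 3, 20)  # fixed "now" so the example is reproducible
YOUNG_DAYS = 60            # registered fewer days ago than this counts as young

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_TEXT_RE = re.compile(r"https?://([^/\s]+)")

def extract_links(html):
    """Return (href, visible anchor text) pairs from an HTML body."""
    return [(href, text.strip()) for href, text in LINK_RE.findall(html)]

def registered_domain(host):
    """Crude registrable-domain guess (last two labels); not a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def features(html):
    """Count how many links in the message trigger each heuristic."""
    links = extract_links(html)
    f = {"ip_link": 0, "young_domain": 0, "mismatch": 0, "click_here": 0, "n_links": len(links)}
    for href, text in links:
        host = urlparse(href).hostname or ""
        if IPV4_RE.match(host):                       # raw IP instead of a domain name
            f["ip_link"] += 1
        reg = REGISTRATION_DATES.get(host) or REGISTRATION_DATES.get(registered_domain(host))
        if reg is not None and (TODAY - reg).days < YOUNG_DAYS:
            f["young_domain"] += 1                    # linked-to domain registered recently
        m = URL_TEXT_RE.match(text)                   # link text displays a URL...
        if m and registered_domain(m.group(1)) != registered_domain(host):
            f["mismatch"] += 1                        # ...that is not where the href goes
        if "click here" in text.lower():
            f["click_here"] += 1
    return f

WEIGHTS = {"ip_link": 3.0, "young_domain": 2.0, "mismatch": 3.0, "click_here": 1.0}

def score(html):
    """Weighted sum standing in for PILFER's Random Forest; weights are made up."""
    f = features(html)
    return sum(w * f[k] for k, w in WEIGHTS.items())

def is_phish(html, threshold=3.0):
    return score(html) >= threshold

if __name__ == "__main__":
    for name, body in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(name, features(body), score(body), is_phish(body))
```

On the constructed phish body every heuristic fires once (score 9.0); the benign statement notice, whose links all resolve to the long-registered paypal.com, scores 0. The "mismatch" feature is one reading of the slide's "non-matching URLs" bullet: the visible text shows one URL while the href points at a different registrable domain.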
76
PILFER Evaluation
  • PILFER better at detecting phish, few false
    positives
  • Implemented as a SpamAssassin plugin
  • Large-scale field trial underway
  • Millions of emails per day
  • Currently evaluating effectiveness of filter

77
Outline
  • Human side
  • Interviews and surveys to understand
    decision-making
  • PhishGuru embedded training
  • Anti-Phishing Phil game
  • Understanding effectiveness of browser warnings
  • Computer side
  • PILFER email anti-phishing filter
  • CANTINA web anti-phishing algorithm
  • Machine learning of blacklists

Can we improve phish detection of web sites?
78
Detecting Phishing Web Sites
  • Industry uses blacklists to label phishing sites
  • But blacklists slow to new attacks
  • Idea: Use search engines
  • Scammers often directly copy web pages
  • But fake pages should have low PageRank on search
    engines
  • Generate text-based fingerprint of web page
    keywords and send to a search engine
  • Y. Zhang, S. Egelman, L. Cranor, and J. Hong.
    Phinding Phish: Evaluating Anti-Phishing Tools.
    In NDSS 2007.
  • Y. Zhang, J. Hong, and L. Cranor. CANTINA: A
    content-based approach to detecting phishing web
    sites. In WWW 2007.
  • G. Xiang and J. Hong. A Hybrid Phish Detection
    Approach by Identity Discovery and Keywords
    Retrieval. In WWW 2009.

79
Robust Hyperlinks
  • Developed by Phelps and Wilensky to solve 404
    not found problem
  • Key idea was to add a lexical signature to URLs
    that could be fed to a search engine if URL
    failed
  • Ex. http://abc.com/page.html?sig=word1+word2+...+word5
  • How to generate signature?
  • Found that TF-IDF was fairly effective
  • Informal evaluation found five words was
    sufficient for most web pages

80
Fake
eBay, user, sign, help, forgot
81
Real
eBay, user, sign, help, forgot
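The CANTINA idea from the last few slides (the TF-IDF lexical signature of Robust Hyperlinks, sent to a search engine, with the verdict depending on whether the page's own domain shows up in the results) as a worked example. This is added code written for this transcript, not CANTINA's implementation: the sign-in page text, the clone URL, the distractor pages, the "search engine" index and its PageRank-like weights are all constructed so the example runs offline. The corpus was chosen so the real and cloned pages both yield the five-word signature shown on the Fake/Real slides.

```python
"""CANTINA-style check: TF-IDF lexical signature of a page, a simulated
search for it, and a verdict based on whether the page's own domain is
among the top results. Added example for this transcript; all pages,
URLs, the search index and the rank weights are constructed."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

STOPWORDS = {"the", "and", "your", "you", "for", "with", "this", "that", "are"}
TOKEN_RE = re.compile(r"[a-z]{3,}")

# Constructed page texts. The clone carries the same text as the real sign-in
# page, because scammers copy pages wholesale (slide 78).
REAL_URL = "https://signin.ebay.com/ws/eBayISAPI.dll"
CLONE_URL = "http://signin-ebay-verify.example/ws/eBayISAPI.dll"  # constructed phish URL
SIGNIN_TEXT = ("Sign in to eBay. eBay user ID. Forgot your user ID? Forgot your password? "
               "Need help? Sign in help. eBay help. eBay user sign in.")
CORPUS = {
    REAL_URL: SIGNIN_TEXT,
    CLONE_URL: SIGNIN_TEXT,
    "https://bank.example/login": "Bank login. Enter your password. Forgot password? Need assistance? Account settings.",
    "https://shop.example/cart": "Shop deals. Your cart. Checkout. Password reset. Need assistance?",
    "https://news.example/": "News headlines, weather and sports today.",
}

def tokenize(text):
    return [t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS]

def lexical_signature(url, corpus, k=5):
    """Top-k TF-IDF terms of the page at `url`, scored over `corpus` (slide 79)."""
    docs = {u: tokenize(t) for u, t in corpus.items()}
    n_docs = len(docs)
    df = Counter(term for toks in docs.values() for term in set(toks))
    toks = docs[url]
    tf = Counter(toks)
    scores = {term: (cnt / len(toks)) * math.log(n_docs / df[term]) for term, cnt in tf.items()}
    # tie-break on the term so the signature is deterministic
    return [term for term, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]

# Constructed stand-in for a search engine: which pages it has indexed, plus a
# made-up PageRank-like weight. The freshly set-up clone is not indexed at all.
SEARCH_INDEX = {u: t for u, t in CORPUS.items() if u != CLONE_URL}
PAGERANK = {REAL_URL: 0.9, "https://bank.example/login": 0.6,
            "https://shop.example/cart": 0.4, "https://news.example/": 0.5}

def search(signature, top_n=30):
    """Rank indexed pages by signature-term overlap, then by rank weight."""
    hits = []
    for u, text in SEARCH_INDEX.items():
        overlap = len(set(signature) & set(tokenize(text)))
        if overlap:
            hits.append((overlap, PAGERANK.get(u, 0.0), u))
    hits.sort(reverse=True)
    return [u for _, _, u in hits[:top_n]]

def cantina_verdict(url, corpus=CORPUS, k=5, top_n=30):
    """'legitimate' if the page's own host is among the top results for its signature, else 'phish'."""
    sig = lexical_signature(url, corpus, k)
    host = urlparse(url).hostname
    return "legitimate" if any(urlparse(r).hostname == host for r in search(sig, top_n)) else "phish"

if __name__ == "__main__":
    for u in (REAL_URL, CLONE_URL):
        print(u, lexical_signature(u, CORPUS), cantina_verdict(u))
```

Both pages produce the signature {eBay, user, sign, help, forgot}, exactly as on the two preceding slides; the search returns signin.ebay.com for it, so the real page is judged legitimate while the clone, whose host never appears in the results, is judged phish. In a real deployment the corpus statistics and the search results come from the engine itself, and a newly registered phishing host is absent from (or ranks far below) the top 30 for the same reason.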
82
(No Transcript)
83
(No Transcript)
84
Evaluating CANTINA
PhishTank
85
Our Ongoing Work in Anti-Phishing
  • Machine Learning of Blacklists
  • Given blacklists of URLs, can we apply
    content-based and URL-based approaches to
    accurately detect new phish?
  • Blacklists can be thought of as labeled data
  • Early results show 87% true positive rate and
    0.04% false positives, far better than any other
    heuristics
  • Social Web and Machine Learning
  • PhishTank is a community site where people can
    submit and verify phish; five votes to verify
  • Can we use machine learning approaches to augment
    people's votes?
  • Currently collecting data through Mechanical Turk

86
Summary
  • Usable Privacy and Security
  • Grand challenge for computer science
  • Whirlwind tour of our work on anti-phishing
  • Human side: effective training mechanisms
  • Computer side: better algorithms for detecting
    phish
  • Lots more info at cups.cs.cmu.edu

87
Acknowledgments
  • Alessandro Acquisti
  • Lorrie Cranor
  • Sven Dietrich
  • Julie Downs
  • Mandy Holbrook
  • Norman Sadeh
  • Anthony Tomasic
  • Umut Topkara
  • Serge Egelman
  • Ian Fette
  • Ponnurangam Kumaraguru
  • Bryant Magnien
  • Elizabeth Nunge
  • Yong Rhee
  • Steve Sheng
  • Yue Zhang

Supported by NSF, ARO, CyLab, Portugal Telecom
88
http://cups.cs.cmu.edu/
CMU Usable Privacy and Security Laboratory
89
(No Transcript)
90
Everyday Security Problems