Spear Phishing Attacks

Really interesting research: "Unpacking Spear Phishing Susceptibility," by Zinaida Benenson, Freya Gassmann, and Robert Landwirth.

Abstract: We report the results of a field experiment where we sent to over 1200 university students an email or a Facebook message with a link to (non-existing) party pictures from a non-existing person, and later asked them about the reasons for their link clicking behavior. We registered a significant difference in clicking rates: 20% of email versus 42.5% of Facebook recipients clicked. The most frequently reported reason for clicking was curiosity (34%), followed by the explanations that the message fit recipient's expectations (27%). Moreover, 16% thought that they might know the sender. These results show that people's decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging.

Black Hat presentation on the research.

Posted on June 6, 2017 at 6:11 AM • 15 Comments

Comments

keiner • June 6, 2017 8:01 AM

"The most frequently reported reason for clicking was curiosity (34%), followed by the explanations that the message fit recipient's expectations (27%). "

Ehhm, what was the underlying theory to test by this "experiment"?

Humans are dumb?

This is not "science", this is the nonsense that KILLS science.

keiner • June 6, 2017 8:05 AM

Aha, Mr. Landwirth is affiliated to the Dep. of Sociology. That fits into the mould...

Dan H • June 6, 2017 8:57 AM

@keiner

You have a null hypothesis (no relationship between quantities) which the researcher tries to disprove, reject or nullify. This is the common view. There is also the research hypothesis, the working hypothesis, also called the alternate hypothesis, that the researcher thinks is the real cause. Not testing a null hypothesis is wrong.

keiner • June 6, 2017 9:37 AM

@Dan H

Thanks for the 101 of statistics and experimental design. What's the message?

albert • June 6, 2017 4:09 PM

More blather from the social 'sciences'.

Most users are stupid.

Let's keep reinforcing that idea.

"...making defense especially challenging..." Yes, especially since the user is to blame. How convenient for the industry.

Let's keep using and promoting crap software.

---------
P.S. Hypotheses aren't necessary in order to do research like this. The object is to determine why folks respond (or don't respond) to phishing attempts. Now, I can't see how this is useful in mitigation, but it certainly is useful for the phishers:)

. .. . .. --- ....

Arclight • June 6, 2017 7:49 PM

I don't blame users nearly to the extent I used to. Phishing e-mails have become much more credible and sophisticated than even 2-3 years ago. At the same time, normal companies are getting more desperate about trying to "engage" and connect with their customer base.

So the volume of e-mail you receive that is nominally legit, and the quality of it is worse. And many real outfits are outsourcing e-mail blasts and other notifications to some random third party.

At some point, we'll reach the singularity, where the rise of e-mail attack quality and the decline of real communications makes them indistinguishable.

Drone • June 6, 2017 11:24 PM

Expected results when your test population (1200 university students) consists of a bunch of coddled brainwashed children. Try the same experiment on a population of functional adults and publish a comparison. Now that would be interesting.

Zinaida Benenson • June 7, 2017 12:47 AM

Arclight, thanks, this is exactly my point: "At some point, we'll reach the singularity, where the rise of e-mail attack quality and the decline of real communications makes them indistinguishable."

A targeted attack is so easy for the attacker to execute, and so difficult for the users to spot. Our attack was targeted at students, and of course if one would target another population, such as employees in a particular department, one would choose another bait.

I would like to establish evidence-based guidelines on anti-phishing defense for organizations: by how much anti-phishing measure X reduces the risk of a successful phishing attack? And simultaneously, how does X affect productivity?

X can be: education and training, simulated phishing attacks, digital signatures, various filtering techniques, marking incoming emails from "outside"

Zinaida Benenson • June 7, 2017 12:52 AM

I'm looking for cooperation with companies on the above research question (evidence-based anti-phishing defense). If somebody is interested, please contact me.

My hypothesis would be that anti-phishing training, for example, does not help much, exactly because of the issue described by Arclight, and digital signatures do not work because quite a lot of things go wrong with the technical details when companies try to implement them, and non-experts misunderstand the guarantees provided by digital signatures, and/or do not notice them. But I don't have the data.

A test population of "functional" adults • June 7, 2017 1:04 AM

https://wikileaks.org/podesta-emails/emailid/34899#source
Fear ("Someone has broken into your email/bank/porn account! Send us your login credentials immediately!") is a powerful motivator. Anyone can fall for this sort of thing, unless they are educated...
In the above example, the link – to a URL shortening service – ought to have been a dead giveaway. Also, the phishing email sent to Podesta was riddled with errors.
@Arclight
"At some point, we'll reach the singularity, where the rise of e-mail attack quality and the decline of real communications makes them indistinguishable."
Some phishing attacks already look far more professional than real communications from the same companies. But as you can see from the Podesta case, quality or even credibility is unimportant if you can get the target to panic.

Slag • June 7, 2017 9:00 AM

Zinaida,

You may want to reach out to Proofpoint. One of their main products is a phishing defense that relies on testing of embedded links in order to avoid the human judgement issues. I would expect them to be both interested in assisting with research and with pulling in additional organizations.


*I do not work for Proofpoint, this is not an endorsement of their products or services, I am merely aware of this product and that it might be applicable to this specific research concept.*

albert • June 7, 2017 2:00 PM

@Arclight,
"...I don't blame users nearly to the extent I used to..."

I blame users only if they send personal information like user names and passwords. Everything else should be protected automatically, and malware should be blocked as well. It's the height of absurdity to allow alien code to be executed by an OS, especially in attachment to an email.

. .. . .. --- ....

Zinaida Benenson • June 7, 2017 10:48 PM

Slag, thanks for the tip, I'll see if I can get introduced to somebody there.

Will • June 8, 2017 2:56 AM

A friend got a call from someone in finance, wanting to double-check an email finance had just received instructing them to wire some money. My friend never sent it. It was a spoof, and apparently this thing is very common, with scammers going through the exec bios on company websites to get the names of the parties to involve, and luckily the clerk in finance was on the ball - they didn't notice nor probably even look to see if the mail headers were slightly wrong, nor did they think it strange to get email instructions as that's routine, they just thought it strange that my friend asked them.

On inspection, the mail headers were slightly wrong.

One very small thing that mail servers and readers can do is spot that an apparently internal mail seems to have come from outside.

Of course my friend's company uses Outlook and the amount of spam that the filters miss is horrific. I bet gmail is ahead of the game on filtering out a lot of the phishing attempts and simple stuff like headers would be what they did years ago.

Anon • June 8, 2017 1:16 PM

Whitelists! Under-estimated, but very powerful. It either matches, or it doesn't.

I think corporate IT has been too dumb for years when it comes to e-mail.

Should accounts be receiving e-mails from new customers? NO! Highlight it!

etc..
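Several commenters converge on the same defensive idea: Zinaida lists "marking incoming emails from outside" as a candidate measure, Will notes that a mail server can spot an apparently internal mail that came from outside (and that the spoofed wire-transfer mail had slightly wrong headers), and the Podesta comment points out that a link through a URL-shortening service should be a giveaway. The script below is an added example of such a header triage check; it is not code from the blog post, the paper, or any commenter. The domain `example.com`, the relay hosts `mx1`/`mx2.example.com`, the shortener list and both sample messages are constructed assumptions for the example.

```python
"""Added example (not from the post or its commenters): header-based
triage that flags an "internal" sender whose mail entered from outside,
envelope/Reply-To domains that disagree with the visible From, and links
routed through URL shorteners.  All hosts and messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                            # assumed: our domain
INTERNAL_RELAYS = {"mx1.example.com", "mx2.example.com"}   # assumed: our MTAs
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def domain_of(address):
    """Lower-cased domain of an address header value ('' if absent)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def is_internal_host(host):
    return host in INTERNAL_RELAYS or host.endswith("." + INTERNAL_DOMAIN)


def entry_host(msg):
    """Host that handed the message to the first of our own relays.

    Every MTA prepends its own Received: line, so the bottom-most line is
    the earliest hop.  Walk upward from there and stop at the first hop
    accepted by one of our relays; None if no such hop exists.
    """
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(received))
        if m and m.group(2).lower().rstrip(";") in INTERNAL_RELAYS:
            return m.group(1).lower().rstrip(";")
    return None


def triage(raw_message):
    """Return a list of (tag, detail) findings; an empty list means no flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    entry = entry_host(msg)
    # 1. Sender claims to be one of us, but the message entered from outside.
    if from_dom == INTERNAL_DOMAIN and entry and not is_internal_host(entry):
        findings.append(("external-entry", entry))
    # 2. Envelope sender (Return-Path) does not match the visible From domain.
    rp_dom = domain_of(msg["Return-Path"])
    if from_dom == INTERNAL_DOMAIN and rp_dom and rp_dom != from_dom:
        findings.append(("return-path-mismatch", rp_dom))
    # 3. Replies are steered to another domain (typical of the wire-fraud case).
    rt_dom = domain_of(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(("reply-to-mismatch", rt_dom))
    # 4. Links that hide their destination behind a shortener.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortener", host))
    return findings


# Constructed sample: claims to be the boss, but arrived from an outside host.
SUSPICIOUS_MESSAGE = """\
Return-Path: <billing@mail-invoice.example.net>
Received: from mail-invoice.example.net (mail-invoice.example.net [203.0.113.7])
        by mx1.example.com with ESMTP id abc123;
        Thu, 8 Jun 2017 09:12:01 +0000
From: "Pat Chief" <pat.chief@example.com>
Reply-To: <pat.chief@mail-invoice.example.net>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please pay the attached invoice today. Details: http://bit.ly/xyz
"""

# Constructed sample: genuinely internal, handed in by an internal workstation.
CLEAN_MESSAGE = """\
Return-Path: <alice@example.com>
Received: from workstation12.example.com (workstation12.example.com [10.0.0.12])
        by mx1.example.com with ESMTP id def456;
        Thu, 8 Jun 2017 09:15:00 +0000
From: Alice <alice@example.com>
To: accounts@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Lunch at noon? https://intranet.example.com/menu
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, triage(raw))
```

The check is deliberately cheap: it needs no reputation feeds, only knowledge of the organisation's own relays and domain, which is exactly what a mail gateway has. A real deployment would act on these findings by tagging the subject or banner ("external sender") rather than dropping mail, since internal mail legitimately enters from outside via mailing lists and forwarders; the point is to give the clerk in Will's story a visible cue before the instruction is acted on.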


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.