Risk
8/14/2013
11:53 AM
Connect Directly
RSS
E-Mail
50%
50%

3 Signs You're Phishing Bait

Beware, introverts and overconfident people. Phishers love to fool you, email security researchers say.

"I am cautious about making too much of the gender difference because we also found that there were differences between computer science and psychology students in terms of phishing susceptibility," he said, noting that "most psychology students were female and most of the CS students were male." In other words, CS students in general, thanks to their computing expertise -- relative to the rest of society -- might be better at avoiding phishing attacks.

Going forward, the researchers plan to expand their research beyond the tested students -- who were all aged 18 and 27 -- to cover professionals in the workplace. They already conducted related studies of employees of an unnamed government agency, although have yet to analyze the results.

How might these findings be applied? Hong's academic profile notes that the goal of the phishing research project is to develop better "phishing susceptibility profiles and anti-phishing tools."

"Many of the anti-phishing tools that are currently available are not based on research with human users, so we think we can do better in developing an effective tool that can be personalized to meet the needs of individual users," said Mayhorn. Such a training tool might require users to respond to a short survey taking 15 minutes or less that gauges their phishing awareness. Another option might be a system along the lines of Amazon.com's artificial intelligence predictive buying algorithms, only tailored to assess what types of risky behaviors people might exhibit as they handle their email.

Either approach would allow a training tool to build a better profile of individual users and target any risky behavior. "If one person is susceptible due to trust-based issues, but another is susceptible due to attacks that cater to their personality traits, it would be useful to have systems that can address specific needs -- not 'one size fits all' systems ... that attempt to address everything, which may not be necessary," said Mayhorn.

Some information security experts, however, have argued that in general, attempting to train users in security is a waste of time. But given the quantity and severity of phishing attacks -- now a favored tool of today's advanced persistent threat (APT) attackers -- as well as the inability of security tools to block all phishing attacks, might not related training be a necessity?

Mayhorn argued that training and technological defenses must supplement each other. "Unfortunately, technological approaches will not always be responsive to new threats," he said. "Cyber-criminals will continue to come up with new ways to attack and security measures will always be reactive rather than proactive. As long as there is a human in the loop, there is always going to be the potential for security breaches so we need to use both approaches -- training and security approaches -- to combat efforts to exploit computer systems."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/21/2013 | 3:17:42 PM
re: 3 Signs You're Phishing Bait
David, the answer is yes. So far, they're planning follow-on studies with professionals, and have preliminary (though as yet unanalyzed) data from a government agency.
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
8/16/2013 | 2:59:20 PM
re: 3 Signs You're Phishing Bait
I have developed special methodologies for automatically detecting pfishing attempts and am launching a company that is sure to make millions of dollars as a cloud service. I have several investors lined up, but we need a bit more venture capital to complete development. An investment of just $10,000 will secure you a 51% stake in the company and a guaranteed profit stream of hundreds of thousands of dollars per year. If you would just respond with your name and social security number...
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/16/2013 | 1:31:56 PM
re: 3 Signs You're Phishing Bait
Do the researchers plan to do a follow up study with a broader pool of people?
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
8/14/2013 | 9:12:18 PM
re: 3 Signs You're Phishing Bait
I wonder how many man hours we all put in advising family members about phishes. I know some of them look quite convincing to my parents, who are not introverted or overconfident. Age surely factored into this study as well.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/14/2013 | 8:10:54 PM
re: 3 Signs You're Phishing Bait
I know an older woman who fell for a phishing scheme and got money taken from a bank account. I had wondered who fell for such things...

A nice lady and more, I think, naive than overconfident. This was several years ago, and I'd say the phishing attempts I've received have gotten MUCH more sophisticated since then. (Her identity also was stolen for a Twitter account recently, but that's another story.)

Jim Donahue
Managing Editor
InformationWeek
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6649
Published: 2014-09-23
The MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6650
Published: 2014-09-23
The NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio