TY - GEN
T1 - The highly insidious extreme phishing attacks
AU - Zhao, Rui
AU - John, Samantha
AU - Karas, Stacy
AU - Bussell, Cara
AU - Roberts, Jennifer
AU - Six, Daniel
AU - Gavett, Brandon
AU - Yue, Chuan
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/9/14
Y1 - 2016/9/14
N2 - One of the most severe and challenging threats to Internet security is phishing, which uses spoofed websites to steal users' passwords and online identities. Phishers mainly use spoofed emails or instant messages to lure users to the phishing websites. A spoofed email or instant message provides the first-layer context to entice users to click on a phishing URL, and the phishing website further provides the second-layer context, with a look and feel similar to that of a targeted legitimate website, to lure users into submitting their login credentials. In this paper, we focus on the second-layer context to explore the extreme of phishing attacks: we explore the feasibility of creating extreme phishing attacks that have an almost identical look and feel to those of the targeted legitimate websites, and evaluate the effectiveness of such phishing attacks. We design and implement a phishing toolkit that can support both traditional phishing and the newly emergent Web Single Sign-On (SSO) phishing; our toolkit can automatically construct unlimited levels of phishing webpages in real time based on user interactions. We design and perform a user study to evaluate the effectiveness of the phishing attacks constructed from this toolkit. The user study results demonstrate that extreme phishing attacks are indeed highly effective and insidious. It is reasonable to assume that extreme phishing attacks will be widely adopted and deployed in the future, and we call for a collective effort to effectively defend against them.
UR - http://www.scopus.com/inward/record.url?scp=84991753406&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84991753406&partnerID=8YFLogxK
U2 - 10.1109/ICCCN.2016.7568582
DO - 10.1109/ICCCN.2016.7568582
M3 - Conference contribution
AN - SCOPUS:84991753406
T3 - 2016 25th International Conference on Computer Communications and Networks, ICCCN 2016
BT - 2016 25th International Conference on Computer Communications and Networks, ICCCN 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 25th International Conference on Computer Communications and Networks, ICCCN 2016
Y2 - 1 August 2016 through 4 August 2016
ER -