A Toolkit for Security Awareness Training Against Targeted Phishing
Abstract
The attack landscape is evolving, and attackers are employing new techniques to launch increasingly targeted and sophisticated social engineering attacks that exploit human vulnerabilities. Many organizations provide their employees with security awareness training to counter and mitigate such threats. However, recent studies have shown that current embedded phishing training programs and tools are often ineffective or incapable of addressing modern, tailored social engineering attacks. This paper presents a toolkit for the deployment of sophisticated, tailored phishing campaigns at scale (e.g., to deploy specific training within an organization). The toolkit provides highly customizable phishing email templates that can be instantiated with a large range of information about the specific target, together with a semi-automated process for the selection of the phishing domain name. We demonstrate our tool by showing how tailored phishing campaigns proposed in previous studies can be enhanced to increase the credibility of the phishing email, effectively addressing the very limitations identified in those studies.