A Toolkit for Security Awareness Training Against Targeted Phishing

Simone Pirocca; Luca Allodi; Nicola Zannone

doi:10.1007/978-3-030-65610-2_9

International Conference on Information Systems Security

ICISS 2020: Information Systems Security pp 137-159 | Cite as

A Toolkit for Security Awareness Training Against Targeted Phishing

Authors
Authors and affiliations

Simone Pirocca
Luca Allodi
Nicola Zannone

Conference paper

First Online: 06 December 2020

99 Downloads

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12553)

Abstract

The attack landscape is evolving, and attackers are employing new techniques to launch increasingly targeted and sophisticated social engineering attacks that exploit human vulnerabilities. Many organizations provide their employees with security awareness training to counter and mitigate such threats. However, recent studies have shown that current embedded phishing training programs and tools are often ineffective or incapable of addressing modern, tailored social engineering attacks. This paper presents a toolkit for the deployment of sophisticated, tailored phishing campaigns at scale (e.g., to deploy specific training within an organization). We enable the use of highly customizable phishing email templates that can be instantiated with a large range of information about the specific target and a semi-automated process for the selection of the phishing domain name. We demonstrate our tool by showing how tailored phishing campaigns proposed in previous studies can be enhanced to increase the credibility of the phishing email, effectively addressing the very limitations identified in those studies.

This is a preview of subscription content, to check access.

Supplementary material

Open image in new window

Open image in new window

A Phishing Email Templates

A.1 Liking and Security Template

The Liking and Security template aims to exploit the liking principle by letting the target believe that the email sender is someone like the victim. Figure 8a presents the template proposed by Olivera et al. [18] for their experiment and Fig. 8b shows how the template can be enhanced to exploit target information. In particular, we have enhanced the template in [18] to strengthen the liking weapon and to avoid possible mismatches between the spelling used in the email and the one typically used by the target, which may raise suspicion in the target.

Table 6.

Target fields in the Liking and Security template

Target field	Description
gender	The gender of the target
american-spelling	Based on if the country of the victim is USA, easy to know. If yes, that field should be set to true, the conditional block of the template understands whether to use American spelling or British English
neighbourhood	The neighbourhood of the target
owns	What the target owns (a car, a shop, etc.). This field can be derived, for instance, by observing the photos posted on the social networks by the target

To emulate the spelling typically used by the victim, we use target field american-spelling to determine, for instance, from the country of the target and from previous communications that the target had, whether he usually communicates in American English or not, and, based on this field, customize the email using the proper spelling (e.g., neighbor vs. neighbour). We also use variable fake-name to choose a name for the email sender that reflects the gender of the target, as it has been shown that people are more inclined to respond to persons of the same gender [6]. If the gender of the victim is unknown, a gender-neutral name is used for the sender (default option in Table 7). Other target fields (Table 6) and variables (Table 7) are used to customize the email based on information about the target. For instance, variable break-into and incident-event are used to customize the pretext based on the target field own.

Table 7.

Variables & Conditions for the Liking and Security template

Variable	Condition	Value
fake-name	gender == “male”	Dan
	gender == “female”	Lucy
	true (default)	Mel
break-into	owns == “shop”	shops
	owns == “car”	cars
	true (default)	homes or cars
incident-event	owns == “shop”	(for example, when three people destroyed the entire grocery last year in our street)
	owns == “car”	(for example, many years ago 10 cars were stolen in our street)
	true (default)	(empty text)

A.2 Reciprocation and Social Template

The Reciprocation and Social template aims to trigger a reciprocation feeling in the target by promising to donate a given amount of money to promote a particular product. Figure 9a presents the template proposed by Olivera et al. [18] for their experiment and Fig. 9b shows how the template can be enhanced to exploit target information. As for the Commitment and Ideological template (Fig. 7), the pretext and relative variables (see Table 9) are instantiated based on the interest (see Table 8) of the target (which objects he is interested in), so that he is more inclined to click the link in order to know more details. In particular, award is the amount of money donated to the target, obj-bought is what he can buy with that donation, donated-by is the organization who provided the award, org-claim is the purpose of the organization and award-application describes the shops where the target can use the donation, based on the product promoted. This way, the email template is instantiated automatically based on the value of target field interest. Additional target information (address, email, region in Table 8) are used to increase the credibility of the generated phishing email.

Table 8.

Target fields in the Reciprocation and Social template

Target field	Description
interest	The interests of the target, based on what he/she published in social networks
address	The address where the target lives
email	E-mail address of the target
region	The region (state, province, etc.) where the target lives

Table 9.

Variables & Conditions for the Reciprocation and Social template

Variable	Condition	Value
award	interest == “smartphone”	$40
	interest == “cycling”	$50
	true (default)	$20
obj-bought	interest == “smartphone”	Wiko smartphone
	interest == “cycling”	electric bicycle
	true (default)	edible goods
donated-by	interest == “smartphone”	EUTech
	interest == “cycling”	EcoLife
	true (default)	APPLES Co.
org-claim	interest == “smartphone”	european technologies
	interest == “cycling”	eco-friendly vehicles
	true (default)	organic food
award-application	interest == “smartphone”	any electronics store
	interest == “cycling”	any local shop
	true (default)	any local grocery supermarket

References

1.
dnstwist. https://github.com/elceef/dnstwist. Accessed 13 July 2020
2.
Gophish - Open-Source Phishing Framework. https://getgophish.com. Accessed 13 July 2020
3.
nslookup(1) - Linux man page. https://linux.die.net/man/1/nslookup. Accessed 13 July 2020
4.
Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Network and Distributed System Security Symposium. Internet Society (2015)Google Scholar
5.
Allodi, L., Chotza, T., Panina, E., Zannone, N.: The need for new anti-phishing measures against spear-phishing attacks. IEEE Secur. Priv. 18(2), 23–34 (2020)CrossRefGoogle Scholar
6.
Bullee, J.-W.: Experimental social engineering: investigation and prevention. Ph.D. thesis, University of Twente (2017)Google Scholar
7.
Burda, P., Allodi, L., Zannone, N.: Don’t forget the human: a crowdsourced approach to automate response and containment against spear phishing attacks. In: Proceedings of Workshop on Attackers and Cyber-Crime Operations. IEEE (2020)Google Scholar
8.
Burda, P., Chotza, T., Allodi, L., Zannone, N.: Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment. In: International Conference on Availability, Reliability and Security. ACM (2020)Google Scholar
9.
Burns, A., Johnson, M., Caputo, D.: Spear phishing in a barrel: insights from a targeted phishing campaign. J. Organ. Comput. Electron. Commer. 29, 24–39 (2019)CrossRefGoogle Scholar
10.
Hadnagy, C.: Social Engineering: The Science of Human Hacking. Wiley, Hoboken (2018)CrossRefGoogle Scholar
11.
Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: USENIX Security Symposium, pp. 1095–1112. USENIX Association (2018)Google Scholar
12.
Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Commun. ACM 50(10), 94–100 (2007)CrossRefGoogle Scholar
13.
Jensen, M., Dinger, M., Wright, R., Thatcher, J.: Training to mitigate phishing attacks using mindfulness techniques. J. Manage. Inf. Syst. 34(2), 597–626 (2017)CrossRefGoogle Scholar
14.
Karumbaiah, S., Wright, R.T., Durcikova, A., Jensen, M.L.: Phishing training: a preliminary look at the effects of different types of training. In: Proceedings of the 11th Pre-ICIS Workshop on Information Security and Privacy, pp. 1–10 (2016)Google Scholar
15.
Kucherawy, M., Zwicky, E.: Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489, IETF (2015)Google Scholar
16.
Le Blond, S., Uritesc, A., Gilbert, C., Chua, Z.L., Saxena, P., Kirda, E.: A look at targeted attacks through the lense of an $\{$NGO$\}$. In: 23rd $\{$USENIX$\}$ Security Symposium, $\{$USENIX$\}$ Security 14, pp. 543–558 (2014)Google Scholar
17.
National Institute of Standards and Technology. Framework for improving critical infrastructure cybersecurity. Technical report (2018)Google Scholar
18.
Oliveira, D., et al.: Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Conference on Human Factors in Computing Systems, pp. 6412–6424. ACM (2017)Google Scholar
19.
Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “taile” of typosquatting domain names. In: USENIX Security Symposium, pp. 191–206. USENIX Association (2014)Google Scholar
20.
Tsow, A., Jakobsson, M.: Deceit and Deception: A Large User Study of Phishing. Technical report TR649, Indiana University (2007)Google Scholar
21.
Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Conference on Human Factors in Computing Systems, pp. 1–12. ACM (2018)Google Scholar
22.
Wash, R., Rader, E.: Influencing mental models of security: a research agenda. In: Proceedings of New Security Paradigms Workshop, pp. 57–66 (2011)Google Scholar
23.
Wright, R.T., Jensen, M.L., Thatcher, J.B., Dinger, M., Marett, K.: Research note-influence techniques in phishing attacks: an examination of vulnerability and resistance. Inf. Syst. Res. 25(2), 385–400 (2014)CrossRefGoogle Scholar
24.
Wright, R.T., Marett, K.: The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. J. Manage. Inf. Syst. 27(1), 273–303 (2010)CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Simone Pirocca
- 1
Luca Allodi
- 2
Nicola Zannone
- 2
Email authorView author's OrcID profile

1.University of TrentoTrentoItaly
2.Eindhoven University of TechnologyEindhovenThe Netherlands

A Toolkit for Security Awareness Training Against Targeted Phishing

Abstract

Supplementary material

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper