
Email Address Mutation for Proactive Deterrence Against Lateral Spear-Phishing Attacks

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2020)

Abstract

Email spear-phishing is one of the most devastating cyber threats against individual and business victims. Using spear-phishing emails, adversaries impersonate authoritative identities in order to incite victims to perform actions that help the adversaries reach financial and/or hacking goals. Many of these targeted spear-phishing emails cannot be detected by analyzing the emails themselves because, for example, they can be sent from compromised benign accounts (a lateral spear-phishing attack).

In this paper, we develop a novel proactive defense technique that uses sender email address mutation to protect a group of related users against lateral spear-phishing. In our approach, the sender email address is changed frequently and randomly in a way that can only be verified by trusted peers, without imposing any overhead or restriction on email communication with external users. Our Email mutation technique is transparent, secure, and effective: users continue to use their email as usual while being fully protected from such stealthy spear-phishing.

We present the Email mutation technique (algorithm and protocol) and develop a formal model to verify its correctness. The processing overhead due to mutation is a few milliseconds, which is negligible relative to end-to-end email transmission delay. We also describe a real-world implementation of the Email mutation technique that works with any email service provider, such as Gmail, Apple iCloud, and Yahoo Mail, and integrates seamlessly with standard email clients such as the Gmail web client (mail.google.com), Microsoft Outlook, and Thunderbird.
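The mechanism the abstract describes, as an added illustration that is not the paper's algorithm or protocol: one way a group of trusted peers could derive and verify sender addresses that change over time while leaving external correspondents untouched. Everything below is an assumption for the example rather than something stated on this page: the peers share a symmetric key, the mutation is carried in a sub-address tag (local+tag@domain), the tag is an HMAC over the base address and an hourly epoch index, and a receiver accepts the current and the previous epoch. The paper's own mutation scheme is not reproduced here.

```python
import base64
import hashlib
import hmac

# All parameters below are assumptions for this illustration, not the paper's values.
EPOCH_SECONDS = 3600     # how often the sender alias changes
TAG_BYTES = 6            # 48-bit tag, enough to make guessing an alias impractical
ACCEPT_WINDOW = 1        # also accept the previous epoch (clock skew, delivery delay)


def epoch_of(ts):
    """Epoch index for a Unix timestamp."""
    return int(ts) // EPOCH_SECONDS


def canonical(address):
    """Strip any sub-address tag: 'alice+x@example.com' -> 'alice@example.com'.
    Assumes base addresses themselves contain no '+' in the local part."""
    local, domain = address.strip().lower().split("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


def mutation_tag(key, base_address, epoch):
    """Tag for (base address, epoch) under the peer group's shared key:
    HMAC-SHA256 truncated to TAG_BYTES, base32 for an address-safe alphabet."""
    msg = f"{canonical(base_address)}|{epoch}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]
    return base64.b32encode(digest).decode().rstrip("=").lower()


def mutate_address(key, base_address, ts):
    """Sender alias a peer uses at time ts: local+tag@domain."""
    local, domain = canonical(base_address).split("@", 1)
    return f"{local}+{mutation_tag(key, base_address, epoch_of(ts))}@{domain}"


def verify_sender(key, from_address, ts, window=ACCEPT_WINDOW):
    """Check a From address against the tags expected inside the acceptance window.
    Returns (ok, reason). Only a peer holding `key` can run this check."""
    if "@" not in from_address:
        return False, "malformed address"
    local, _ = from_address.strip().lower().split("@", 1)
    if "+" not in local:
        return False, "unmutated sender address"
    tag = local.split("+", 1)[1]
    base = canonical(from_address)
    now = epoch_of(ts)
    for e in range(now, now - window - 1, -1):
        if hmac.compare_digest(tag, mutation_tag(key, base, e)):
            return True, f"valid tag for epoch {e}"
    return False, "stale or forged tag"


def classify_inbound(key, trusted_peers, from_address, ts):
    """Apply the mutation check only to trusted peers' addresses; every other
    sender passes through unchanged, so external correspondents see no change."""
    if canonical(from_address) not in trusted_peers:
        return "external"
    ok, _ = verify_sender(key, from_address, ts)
    return "trusted-peer" if ok else "suspicious"


def demo():
    """Constructed scenario: a trusted pair, one fresh alias, one lateral
    spear-phish sent from the compromised real account, one replayed old alias."""
    key = b"constructed-shared-key-for-the-peer-group"   # constructed, not real
    peers = {"alice@example.com", "bob@example.com"}
    ts = 1_700_000_000
    base = "alice@example.com"
    return {
        # Alice's client mutates her address for the current epoch.
        "legit": classify_inbound(key, peers, mutate_address(key, base, ts), ts),
        # Attacker inside Alice's mailbox sends from the real address: no key, no tag.
        "lateral": classify_inbound(key, peers, base, ts),
        # Attacker replays an alias harvested three epochs ago.
        "replay": classify_inbound(key, peers, mutate_address(key, base, ts - 3 * EPOCH_SECONDS), ts),
        # Alias from the previous epoch, still inside the acceptance window.
        "previous": classify_inbound(key, peers, mutate_address(key, base, ts - EPOCH_SECONDS), ts),
        # External correspondent is never checked or constrained.
        "external": classify_inbound(key, peers, "carol@partner.example", ts),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>8}: {verdict}")
```

The check only helps if the key used to produce the alias is not reachable from the compromised mailbox itself (for instance, held by the sending client or a gateway rather than stored in the account), since an attacker who holds both the account and the key can mint valid aliases. It also complements rather than replaces SPF, DKIM and DMARC: those authenticate the sending domain, while the alias check tells a peer whether the message was produced by the expected mutation-aware sender.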

Acknowledgement

This research was supported in part by the Defense Advanced Research Projects Agency (DARPA), United States Army Research Office (ARO) and Office of Naval Research (ONR). Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.

Corresponding author

Correspondence to Md Mazharul Islam.


Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Islam, M.M., Al-Shaer, E., Rahim, M.A.B.U. (2020). Email Address Mutation for Proactive Deterrence Against Lateral Spear-Phishing Attacks. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63086-7_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63085-0

  • Online ISBN: 978-3-030-63086-7

  • eBook Packages: Computer Science (R0)