
A Toolkit for Security Awareness Training Against Targeted Phishing

Conference paper. Information Systems Security (ICISS 2020). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12553).

Abstract

The attack landscape is evolving, and attackers are employing new techniques to launch increasingly targeted and sophisticated social engineering attacks that exploit human vulnerabilities. Many organizations provide their employees with security awareness training to counter and mitigate such threats. However, recent studies have shown that current embedded phishing training programs and tools are often ineffective or incapable of addressing modern, tailored social engineering attacks. This paper presents a toolkit for the deployment of sophisticated, tailored phishing campaigns at scale (e.g., to deploy specific training within an organization). We enable the use of highly customizable phishing email templates that can be instantiated with a large range of information about the specific target and a semi-automated process for the selection of the phishing domain name. We demonstrate our tool by showing how tailored phishing campaigns proposed in previous studies can be enhanced to increase the credibility of the phishing email, effectively addressing the very limitations identified in those studies.


Notes

  1. Security experts at Kaspersky Lab found that over 60,000 stolen profiles are offered for sale on an invitation-based private marketplace. https://securityaffairs.co/wordpress/83630/deep-web/genesis-store-fingerprints.html.

  2. If more than one condition is satisfied by the victim, the variable is instantiated with the value associated with the first condition met by the victim.

References

  1. dnstwist. https://github.com/elceef/dnstwist. Accessed 13 July 2020
  2. Gophish - Open-Source Phishing Framework. https://getgophish.com. Accessed 13 July 2020
  3. nslookup(1) - Linux man page. https://linux.die.net/man/1/nslookup. Accessed 13 July 2020
  4. Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Network and Distributed System Security Symposium. Internet Society (2015)
  5. Allodi, L., Chotza, T., Panina, E., Zannone, N.: The need for new anti-phishing measures against spear-phishing attacks. IEEE Secur. Priv. 18(2), 23–34 (2020)
  6. Bullee, J.-W.: Experimental social engineering: investigation and prevention. Ph.D. thesis, University of Twente (2017)
  7. Burda, P., Allodi, L., Zannone, N.: Don’t forget the human: a crowdsourced approach to automate response and containment against spear phishing attacks. In: Proceedings of Workshop on Attackers and Cyber-Crime Operations. IEEE (2020)
  8. Burda, P., Chotza, T., Allodi, L., Zannone, N.: Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment. In: International Conference on Availability, Reliability and Security. ACM (2020)
  9. Burns, A., Johnson, M., Caputo, D.: Spear phishing in a barrel: insights from a targeted phishing campaign. J. Organ. Comput. Electron. Commer. 29, 24–39 (2019)
  10. Hadnagy, C.: Social Engineering: The Science of Human Hacking. Wiley, Hoboken (2018)
  11. Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: USENIX Security Symposium, pp. 1095–1112. USENIX Association (2018)
  12. Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Commun. ACM 50(10), 94–100 (2007)
  13. Jensen, M., Dinger, M., Wright, R., Thatcher, J.: Training to mitigate phishing attacks using mindfulness techniques. J. Manage. Inf. Syst. 34(2), 597–626 (2017)
  14. Karumbaiah, S., Wright, R.T., Durcikova, A., Jensen, M.L.: Phishing training: a preliminary look at the effects of different types of training. In: Proceedings of the 11th Pre-ICIS Workshop on Information Security and Privacy, pp. 1–10 (2016)
  15. Kucherawy, M., Zwicky, E.: Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489, IETF (2015)
  16. Le Blond, S., Uritesc, A., Gilbert, C., Chua, Z.L., Saxena, P., Kirda, E.: A look at targeted attacks through the lense of an NGO. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 543–558 (2014)
  17. National Institute of Standards and Technology: Framework for improving critical infrastructure cybersecurity. Technical report (2018)
  18. Oliveira, D., et al.: Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Conference on Human Factors in Computing Systems, pp. 6412–6424. ACM (2017)
  19. Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “taile” of typosquatting domain names. In: USENIX Security Symposium, pp. 191–206. USENIX Association (2014)
  20. Tsow, A., Jakobsson, M.: Deceit and Deception: A Large User Study of Phishing. Technical report TR649, Indiana University (2007)
  21. Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Conference on Human Factors in Computing Systems, pp. 1–12. ACM (2018)
  22. Wash, R., Rader, E.: Influencing mental models of security: a research agenda. In: Proceedings of New Security Paradigms Workshop, pp. 57–66 (2011)
  23. Wright, R.T., Jensen, M.L., Thatcher, J.B., Dinger, M., Marett, K.: Research note - influence techniques in phishing attacks: an examination of vulnerability and resistance. Inf. Syst. Res. 25(2), 385–400 (2014)
  24. Wright, R.T., Marett, K.: The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. J. Manage. Inf. Syst. 27(1), 273–303 (2010)

Corresponding author: Nicola Zannone.


A Phishing Email Templates

A.1 Liking and Security Template

The Liking and Security template aims to exploit the liking principle by letting the target believe that the email sender is someone like the victim. Figure 8a presents the template proposed by Oliveira et al. [18] for their experiment, and Fig. 8b shows how the template can be enhanced to exploit target information. In particular, we have enhanced the template in [18] to strengthen the liking weapon and to avoid possible mismatches between the spelling used in the email and the one typically used by the target, since such mismatches may raise suspicion in the target.

Fig. 8. Liking and Security template and our modification

Table 6. Target fields in the Liking and Security template

To emulate the spelling typically used by the victim, we use the target field american-spelling to determine, for instance from the country of the target and from previous communications the target has had, whether he usually communicates in American English or not, and, based on this field, we customize the email with the proper spelling (e.g., neighbor vs. neighbour). We also use the variable fake-name to choose a name for the email sender that reflects the gender of the target, as it has been shown that people are more inclined to respond to persons of the same gender [6]. If the gender of the victim is unknown, a gender-neutral name is used for the sender (the default option in Table 7). Other target fields (Table 6) and variables (Table 7) are used to customize the email based on information about the target. For instance, the variables break-into and incident-event are used to customize the pretext based on the target field own.

Table 7. Variables & Conditions for the Liking and Security template

A.2 Reciprocation and Social Template

The Reciprocation and Social template aims to trigger a feeling of reciprocation in the target by promising to donate a given amount of money to promote a particular product. Figure 9a presents the template proposed by Oliveira et al. [18] for their experiment, and Fig. 9b shows how the template can be enhanced to exploit target information. As for the Commitment and Ideological template (Fig. 7), the pretext and its variables (see Table 9) are instantiated based on the interest (see Table 8) of the target (which objects he is interested in), so that he is more inclined to click the link in order to learn more details. In particular, award is the amount of money donated to the target, obj-bought is what he can buy with that donation, donated-by is the organization that provided the award, org-claim is the purpose of the organization, and award-application describes the shops where the target can use the donation, based on the product promoted. In this way, the email template is instantiated automatically based on the value of the target field interest. Additional target information (address, email, region in Table 8) is used to increase the credibility of the generated phishing email.

Fig. 9. Reciprocation and Social template and our modification

Table 8. Target fields in the Reciprocation and Social template
Table 9. Variables & Conditions for the Reciprocation and Social template
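As an added example (not the authors' toolkit), the following Python models the target-field and variable mechanism that both templates in A.1 and A.2 share: each variable is an ordered list of (condition, value) rules plus a default, the first rule the target satisfies wins (the rule in note 2), and the default applies when no rule matches, as with the gender-neutral sender name. Field and variable names follow Tables 6 to 9; the rule values, the template text and the target records are constructed placeholders.

```python
"""Conditional variables for a phishing-training email template.
Added example, not the authors' toolkit: the first satisfied condition wins,
and the default value is used otherwise (note 2 on the page)."""
import re
from typing import Callable, Sequence, Tuple

Target = dict  # target record: field name -> value (Tables 6 and 8)
Condition = Callable[[Target], bool]


class Variable:
    """An ordered list of (condition, value) rules plus a default value."""

    def __init__(self, rules: Sequence[Tuple[Condition, str]], default: str):
        self.rules = list(rules)
        self.default = default

    def resolve(self, target: Target) -> str:
        for cond, value in self.rules:  # note 2: the first condition met wins
            if cond(target):
                return value
        return self.default  # e.g. the gender-neutral sender name


def render(template: str, target: Target, variables: dict) -> str:
    """Replace each {{name}} with a resolved variable or a raw target field."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name in variables:
            return variables[name].resolve(target)
        if name in target:
            return str(target[name])
        raise KeyError(f"unknown placeholder: {name}")  # catches template typos
    return re.sub(r"\{\{([^{}]+)\}\}", substitute, template)


# Constructed rules in the spirit of Tables 7 and 9; all values are placeholders.
VARIABLES = {
    "neighbour-word": Variable([(lambda t: t.get("american-spelling") is True, "neighbor")], "neighbour"),
    "fake-name": Variable([(lambda t: t.get("gender") == "F", "Anna"),
                           (lambda t: t.get("gender") == "M", "Mark")], "Alex"),
    "obj-bought": Variable([(lambda t: t.get("interest") == "books", "a new book"),
                            (lambda t: t.get("interest") == "music", "concert tickets")], "a gift"),
}
TEMPLATE = ("[TRAINING SIMULATION] Hi {{first-name}}, your {{neighbour-word}} {{fake-name}} "
            "mentioned you could get {{obj-bought}}.")


def instantiate(target: Target) -> str:
    """Instantiate TEMPLATE for one target record (constructed, Tables 6 and 8 style)."""
    return render(TEMPLATE, target, VARIABLES)
```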


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Pirocca, S., Allodi, L., Zannone, N. (2020). A Toolkit for Security Awareness Training Against Targeted Phishing. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science(), vol 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_9

  • DOI: https://doi.org/10.1007/978-3-030-65610-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65609-6

  • Online ISBN: 978-3-030-65610-2
