
Basic article information

  • Title: An Indistinguishability Model for Evaluating Diverse Classes of Phishing Attacks and Quantifying Attack Efficacy
  • Authors: Narasimha Shashidhar; Lei Chen
  • Journal: International Journal of Security (IJS)
  • Electronic ISSN: 1985-2320
  • Publication year: 2015
  • Volume: 9
  • Issue: 2
  • Pages: 15-23
  • Publisher: Computer Science Journals
  • Abstract: Phishing is a growing threat to Internet users and causes billions of dollars in damage every year. While there are a number of research articles that study the tactics, techniques and procedures employed by phishers in the literature, in this paper, we present a theoretical yet practical model to study this menacing threat in a formal manner. While it is common folklore knowledge that a successful phishing attack entails creating messages that are indistinguishable from the natural, expected messages by the intended victim, this concept has not been formalized. Our model attempts to capture a phishing attack in terms of this indistinguishability between the natural and phishing message probability distributions. We view the actions performed by a phisher as an attempt to create messages that are indistinguishable to the victim from that of “normal” messages. To the best of our knowledge, this is the first study that places phishing on a concrete theoretical framework and offers a new perspective to analyze this threat. We propose metrics to analyze the success probability of a phishing attack taking into account the input used by a phisher and the work involved in creating deceptive email messages. Finally, we study and apply our model to a new class of phishing attacks called collaborative spear phishing that is gaining momentum. Recent examples include Operation Woolen-Goldfish in 2015, Rocket Kitten in 2014 and Epsilon email breach in 2011. We point out fundamental flaws in the current email-based marketing business model which enables such targeted spear phishing collaborative attacks. In this sense, our study is very timely and presents new and emerging trends in phishing.
  • Keywords: Phishing; Email Fraud; Data Hiding; Identity Linking; Social Engineering.