
The state of phishing attacks

Published: 01 January 2012

Abstract

Looking past the systems people use, they target the people using the systems.


Reviews

Brad D. Reid

Phishing is a social-engineering attack utilizing spoofed email messages to trick recipients into sharing sensitive information or installing malware on their computers. "Whaling" involves sophisticated attacks against a high-value target. In this well-written article, the author details the current countermeasures in nontechnical language. System managers, developers, administrators, and students will find the paper beneficial. Developers must go beyond blaming users, as sophisticated attacks have spread to all media. Three strategic countermeasure approaches involve invisible protections so the user does nothing, better user interfaces, and effective training. Over 500 toolkits exist for phishing attacks, some of which even defraud the phisher of the ill-gotten information. A true arms race exists between criminals and security professionals. Pools of proxies and domain names to hide the phish location ("fast flux") extend the average phishing Web site life to 196 hours, significantly longer than the average 62 hours before a phishing attack location is taken down. Given the expansion of phishing, the underground economy in stolen materials of all kinds, and the resulting economic damage as well as the damage to reputation, effective countermeasures are critical. These include filters, machine learning, blacklists, and a variety of active and passive indicators that are signaled to users. Training users is typically not helpful, given low motivation and the limited desire to actually read the training materials. While the author does not address the governmental and competitive business aspects of phishing or the existence of state-sponsored phishing, this is a helpful, readable survey on an important topic.

Online Computing Reviews Service


Published in

Communications of the ACM, Volume 55, Issue 1
January 2012
119 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/2063176

Copyright © 2012 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Popular
• Refereed
