End-to-End Measurements of Email Spoofing Attacks

Spear phishing has been a persistent threat to users and organizations, yet email providers still face key challenges in authenticating incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity and conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense and reach the user's inbox? (3) Once a forged email gets in, how do email providers warn users, and is the warning truly effective? We answer these questions by conducting an end-to-end measurement on 35 popular email providers and by examining user reactions to spoofing through a real-world spoofing/phishing test. Our key findings are threefold. First, we observe that most email providers have the necessary protocols to detect spoofing, but still allow forged emails to reach the user's inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers show no warning to users, particularly in mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security indicators on unverified emails. Our phishing experiment shows that security indicators have a positive impact on reducing risky user actions, but cannot eliminate the risk. Our study reveals a major miscommunication between email providers and end users. Improvements at both ends (server-side protocols and UIs) are needed to bridge the gap.
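The "necessary protocols" the abstract refers to are the standard email anti-spoofing mechanisms SPF, DKIM and DMARC. As an added illustration (not code from the paper), the following Python sketch shows the receiver-side check a provider performs on an incoming message: it tests whether a passing SPF or DKIM identifier aligns with the visible From: domain and then applies the sender domain's published DMARC policy. The domains, DMARC records and message below are constructed; a real implementation would resolve `_dmarc.<domain>` over DNS and use a public-suffix list for relaxed alignment.

```python
# Added example (not from the paper): a minimal DMARC-style disposition
# check of the kind a receiving email provider runs on an incoming message.
# SPF/DKIM results are assumed to have been computed already; this code only
# checks identifier alignment with the From: domain (RFC 7489) and applies
# the published policy. All domains, records and headers are constructed.

from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS TXT lookup of _dmarc.<domain>.
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "news.example": "v=DMARC1; p=none",
}


@dataclass
class AuthResult:
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated on
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signing domain ("" if unsigned)


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' DMARC tags into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts a parent/subdomain relationship. Simplified: real relaxed mode
    compares organizational domains via the public-suffix list."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    if mode == "s":
        return False
    return (auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def dmarc_disposition(raw_message: str, auth: AuthResult) -> str:
    """Return 'pass', or for a failing message the policy disposition:
    'none' (deliver normally), 'quarantine' (spam folder) or 'reject'."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "none"          # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (auth.dkim_result == "pass"
               and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed forged message: the attacker's server sends with a bank From:
FORGED = """From: "Security Team" <alerts@bank.example>
To: victim@mail.example
Subject: Verify your account

Click here.
"""

if __name__ == "__main__":
    # SPF fails (attacker's IP is not authorised for bank.example), no DKIM.
    forged_auth = AuthResult("fail", "attacker.example", "none", "")
    print(dmarc_disposition(FORGED, forged_auth))   # reject
```

On the constructed forged message the result is `reject`, because bank.example publishes `p=reject`. Change the From: domain to news.example, which publishes `p=none`, and the same failing message is delivered: the protocol detects the forgery, yet the policy leaves the decision to the receiver, which is one way a detected forgery can still end up in the inbox.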
