Who is targeted by email-based phishing and malware?: Measuring factors that differentiate risk

As technologies to defend against phishing and malware (such as security keys) often impose an additional financial and usability cost on users, a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and, at first glance, indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person's demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.
