Revisiting Email Spoofing Attacks

The email system is the central battleground against phishing and social engineering attacks, yet email providers still face key challenges in authenticating incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity and conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defenses and reach the user's inbox? (3) Once a forged email gets in, how do email providers warn users, and is the warning truly effective? We answer these questions through end-to-end measurements of 35 popular email providers (used by billions of users) and extensive user studies (N = 913) consisting of both simulated and real-world phishing experiments. We have four key findings. First, most popular email providers have the necessary protocols to detect spoofing but still allow forged emails into the user's inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers show no warning to users, particularly in mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security cues for unverified emails, and these cues have a positive impact in reducing risky user actions. Fourth, comparing the simulated experiments with the realistic phishing tests, we observe that the impact of security cues is less significant when users are caught off guard in a real-world setting.
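The first two questions above (how a provider detects a forged email, and when a forged email still gets through) both reduce to how a receiving server combines the SPF result, the DKIM result and the From: header under DMARC. The following Python is an added example written for this page; it is not code from the paper or from any of the providers it measured. All domains, the DMARC records in DMARC_RECORDS and the sample messages are constructed; the Authentication-Results header is in the usual spf=/dkim= style but is supplied inline instead of being produced by real SPF/DKIM checks; and the organizational-domain rule (last two labels) is a deliberate simplification of the Public Suffix List lookup a real receiver performs.

```python
"""
Added example: fold SPF, DKIM and the From: domain into a DMARC verdict and show
why a spoof still reaches the inbox when the impersonated domain publishes
p=none or no record at all. All data below is constructed for illustration.
"""
import email
import re
from email import policy
from typing import Optional

# Stand-in for DNS TXT lookups of _dmarc.<domain> (constructed, not real domains).
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "shop.example": "v=DMARC1; p=none",
    # mail.example deliberately publishes no record
}


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(d1: str, d2: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    d1, d2 = d1.lower(), d2.lower()
    return d1 == d2 if mode == "s" else org_domain(d1) == org_domain(d2)


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Turn 'v=DMARC1; p=reject; adkim=r' into a tag dict; relaxed alignment is the RFC default."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract SPF verdict + MAIL FROM domain and DKIM verdict + d= domain from Authentication-Results."""
    out = {"spf": None, "spf_domain": None, "dkim": None, "dkim_domain": None}
    m = re.search(r"spf=(\w+)(?:[^;]*smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+))?", header)
    if m:
        out["spf"], out["spf_domain"] = m.group(1).lower(), m.group(2)
    m = re.search(r"dkim=(\w+)(?:[^;]*header\.d=([\w.-]+))?", header)
    if m:
        out["dkim"], out["dkim_domain"] = m.group(1).lower(), m.group(2)
    return out


def dmarc_verdict(raw_message: bytes) -> dict:
    """
    result 'pass': an SPF or DKIM pass aligned with the From: domain.
    result 'fail': no aligned pass; disposition is what the owner's p= tag requests.
    result 'none': the From: domain has no DMARC record, so there is no policy to enforce.
    'unverified' is True whenever the From: identity was not authenticated, which is
    exactly the case in which a client UI would have grounds to show a security cue.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    # RFC 7489 lookup order: exact From: domain first, then its organizational domain.
    rec = parse_dmarc(DMARC_RECORDS.get(from_domain.lower()) or DMARC_RECORDS.get(org_domain(from_domain)))
    if rec is None:
        return {"from_domain": from_domain, "result": "none", "disposition": "deliver", "unverified": True}
    spf_ok = ar["spf"] == "pass" and bool(ar["spf_domain"]) and aligned(ar["spf_domain"], from_domain, rec["aspf"])
    dkim_ok = ar["dkim"] == "pass" and bool(ar["dkim_domain"]) and aligned(ar["dkim_domain"], from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return {"from_domain": from_domain, "result": "pass", "disposition": "deliver", "unverified": False}
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(rec.get("p", "none"), "deliver")
    return {"from_domain": from_domain, "result": "fail", "disposition": disposition, "unverified": True}


def forged_message(from_domain: str) -> bytes:
    """Constructed spoof: SPF passes for the attacker's own bounce domain while From: claims another."""
    return (
        b"Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none\n"
        b'From: "Account Security" <alerts@' + from_domain.encode() + b">\n"
        b"To: victim@receiver.example\nSubject: Verify your account\n\nPlease confirm your details.\n"
    )


# Constructed legitimate message: DKIM signed by the From: domain itself.
LEGIT_MESSAGE = (
    b"Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=noreply@bank.example; "
    b"dkim=pass header.d=bank.example\n"
    b"From: alerts@bank.example\nTo: customer@receiver.example\nSubject: Statement ready\n\nYour statement is ready.\n"
)

if __name__ == "__main__":
    for label, raw in [("legitimate bank.example", LEGIT_MESSAGE),
                       ("forged bank.example (p=reject)", forged_message("bank.example")),
                       ("forged shop.example (p=none)", forged_message("shop.example")),
                       ("forged mail.example (no record)", forged_message("mail.example"))]:
        print(f"{label:34} -> {dmarc_verdict(raw)}")
```

The three forged cases are the point: the same spoof is rejected under p=reject, delivered under p=none, and delivered with no policy at all, yet in all three the From: identity is unverified. Whether the user ever learns that depends entirely on whether the client surfaces the `unverified` flag as a visible cue.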
