
PhD defence Elmer Lastdrager

From fishing to phishing

Elmer Lastdrager is a PhD student in the research group Services, Cybersecurity and Safety. His supervisors are Professor Pieter Hartel from the Faculty of Electrical Engineering, Mathematics and Computer Science and Professor Marianne Junger from the Faculty of Behavioural, Management and Social Sciences.

Phishing is one of the many types of cybercrime targeting internet users. A phishing message is sent with the aim to obtain information from a potential victim. One of the reasons phishing is popular has to do with the connectivity that the internet provides. A message can be spread to thousands of recipients with little effort and at negligible cost. A successful phishing attack can lead to identity theft and loss of money for the victims. When an organisation is targeted, phishing can lead to, among other things, compromised network security and stolen intellectual property.

Phishing is highly scalable. At the other end of the scalability spectrum are less scalable modus operandi. We categorise these less scalable methods as "fishing for information". In this thesis, we aim to explore the spectrum of scalability. The thesis uses a socio-technical approach, describing both experiments and technical perspectives on "fishing" and phishing.

This thesis starts by exploring definitions of phishing in the literature and analysing their concepts. This provides us with a foundation for what constitutes phishing. Building on the definition, we explore two modus operandi that are less scalable than phishing: USB keys and QR codes. We focus on measuring attack effectiveness on the boundary between the physical world (i.e., objects on the floor) and the digital world (i.e., getting a computer virus). By quantifying the effectiveness of an attack using experiments, we investigate the feasibility of less scalable attacks. Next, we investigate the thought patterns that potential victims use to assess a phishing email. These thought patterns, or heuristics, determine whether a recipient of phishing becomes a victim or not. Knowledge of people's thought patterns can be used to improve user training. Subsequently, we created an anti-phishing training to be given to children. We show that training children is feasible and increases their ability to detect phishing in the short term. Finally, we performed a large-scale analysis of phishing emails in the Netherlands. We discuss patterns in both attacker behaviour and recipient behaviour. Our results demonstrate the effectiveness of phishing at different degrees of scalability. Less scalable methods of attack require more effort on the part of the attacker, but provide higher effectiveness. More scalable attacks provide lower success rates, but require less effort than less scalable attacks. The contributions in this thesis allow researchers and security professionals to better understand the dynamic nature of phishing.