Fraud has always been with us and with the rise of cyberspace opportunities for fraud abound. Recent years have seen a dramatic increase in what have become known as 'phishing' attacks. You might receive an email purporting to be from a familiar organisation, e.g. your bank, indicating that some information they maintain on you is inaccurate. A link is offered that takes you to a web page where you are asked to enter confidential information, such as your account number and on-line banking password details (and other confidential information). The message might also threaten to suspend your account if you do not do so. On the face of it this is a plausible scenario. The messages and web site look authentic, but they are not. If you have responded as requested then your confidential details are now in the hands of a fraudster.
The user typically gets the blame for the above, but often the design of the system neglects to take the user and their context adequately into account. Our project has developed a user-oriented threat analysis technique for web-based authentication systems to address this issue. Consideration of a lifecycle of authentication credentials allows a systematic search for user-oriented threats, neatly complementing existing threat modelling techniques.
To protect users from phishing attacks system designers and security professionals need to understand how users interact with those attacks and be able to predict users' behaviours in a given situation. We have introduced the first model to visualise user-phishing interaction. Our method allows users' perceptions to be described in a uniform and compact manner. Within the context of this model we have investigated what mismatches may occur between perception and reality in an attack, how to detect those mismatches, and why users often fail to do so. Our model allows us to identify where the security tools/indicators are lacking, to suggest new aspects for security evaluation of the user interface, and to provide guidance on effective anti-phishing user education.
Phishing detection systems are principally based on the analysis of data moving from phishers to victims. We have developed an approach for detecting phishing websites based on analysis of users' online behaviours, i.e., the websites users have visited and the data users have submitted to those websites. Such user behaviours cannot be manipulated freely by attackers; detection based on those data can achieve high accuracy whilst being fundamentally resilient against changing deception methods.
We have also carried out various studies of phishing emails. We began with a content analysis of a sample of phish taken from an on-line archive. The findings indicate that phishers are becoming better spellers and using more sophisticated visual aids such as logos and advertising images. We have also considered phish as a literary form from perspectives drawn from literary and critical theory. This identifies the most common forms of scam and the most frequently used strategies. We have also carried out a qualitative study of eight blind users who were interviewed about their email routine. They were asked to read ten example phish and identify any points in the text that would arouse suspicion. The interviews suggested that blind users may be less rather than more vulnerable to phishing attacks, because screen readers can make spelling errors more obvious and they do not pick up on visual logos. This work was followed up in an on-line questionnaire which asked its 248 respondents to consider twenty email messages and identify which ten were phish. The vast majority of respondents were fairly sure they had spotted a phish from the subject line and definite when they had read the accompanying text, but a minority of respondents were fooled by certain emails. Work in progress seeks to identify and document which kinds of attack are most successful for men and women, and for the blind and the sighted.
The project demonstrated:
a) a decision making model for the target of a phishing attack. This model is generic and abstracts from specific phishing implementation details.
b) a threat modelling technique that captures the threats arising from a user's engagement with a system. This is a useful addition to extant threat modelling approaches.
c) the production of a prototype system that monitors the actions of a user and advises when they are about to release confidential information inappropriately.
d) blind people exhibit robust strategies for identifying phish based on careful reading of emails.
e) an analysis of phish as a literary form. This identifies the main literary device employed as pastiche and draws on critical theory to consider why security based pastiche may be currently very persuasive.
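The behaviour-based detection approach described above (analysing which sites the user has visited and what they have submitted to them) and the prototype that warns before confidential information is released, sketched as an added example; this is not the project's own code. It assumes a single per-user history, a salted hash in place of stored secrets, and a constructed familiarity threshold of three visits.

```python
"""Behaviour-based phishing check (added example, not the project's prototype).

The monitor keeps two things an attacker cannot rewrite: which sites the
user has visited, and a salted fingerprint of each secret the user has
submitted, per site.  A submission is flagged when a secret previously
sent to one site is about to go to a site the user has never, or hardly
ever, visited.
"""
import hashlib
import os
from collections import defaultdict
from urllib.parse import urlsplit

FAMILIAR_VISITS = 3  # assumption: fewer visits than this means "unfamiliar"


def site_of(url: str) -> str:
    """Normalise a URL to the host the user is actually talking to."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


class BehaviourMonitor:
    def __init__(self, salt: bytes = b"") -> None:
        # Secrets are never stored: only a salted hash, so a leaked history
        # file is not itself a credential dump.
        self.salt = salt or os.urandom(16)
        self.visits: dict[str, int] = defaultdict(int)
        self.secret_sites: dict[str, set[str]] = defaultdict(set)

    def _fingerprint(self, secret: str) -> str:
        return hashlib.sha256(self.salt + secret.encode()).hexdigest()

    def record_visit(self, url: str) -> None:
        self.visits[site_of(url)] += 1

    def check_submission(self, url: str, secret: str) -> tuple[str, str]:
        """Return (verdict, reason) for a secret about to be sent to url."""
        site = site_of(url)
        fp = self._fingerprint(secret)
        known_sites = self.secret_sites[fp]
        if known_sites and site not in known_sites:
            origin = ", ".join(sorted(known_sites))
            if self.visits[site] < FAMILIAR_VISITS:
                return "block", f"credential used at {origin} sent to unfamiliar site {site}"
            return "warn", f"credential used at {origin} reused at {site}"
        # Only an allowed submission extends the history.
        self.secret_sites[fp].add(site)
        return "allow", "no conflict with submission history"
```

In a real deployment the history would be fed by the browser's navigation and form-submission events; here the calls are made directly so the logic can be exercised offline.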