Improving phishing countermeasures: An analysis of expert interviews

2009 eCrime Researchers Summit, eCRIME '09

Volumn , Issue , 2009, Pages

  Sheng, Steve ^a   Kumaraguru, Ponnurangam ^b   Acquisti, Alessandro ^c   Cranor, Lorrie ^a,b   Hong, Jason ^a,b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b Carnegie Mellon University   (United States)

^c CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Anti phishing; Electronic crime; Expert interview

Indexed keywords

ANTI-PHISHING; PHISHING; SEMI STRUCTURED INTERVIEWS;

LAW ENFORCEMENT;

ELECTRONIC CRIME COUNTERMEASURES;

EID: 72449210440     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ECRIME.2009.5342608     Document Type: Conference Paper

References (43)

1. Messagelabs, "MessageLabs Intelligence May 2009," 2009. [online]. Available: http://www.messagelabs.com/intelligence.aspx. [Accessed: Jan. 10, 2009].
2. D. Florencio and C. Herley, "A large-scale study of web password habits," In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 657-666, New York, NY, USA, 2007. ACM Press.
3. T. Moore and R. Clayton, "Examining the Impact of Website Takedown on Phishing," In eCrime '07: Proceedings of the 2007 e-Crime Researchers summit, pages 1-13, New York, NY, USA, 2007. ACM Press.
4. Gartner Research, "Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years," Press Release, 2006. [online]. Available: http://www.gartner.com/it/page.jsp?id=498245. [Accessed: Jan. 10, 2009].
5. Google Inc, "Google safe browsing for Firefox," 2007. [online] Available:http://www.google.com/tools/firefox/safebrowsing/. [Accessed: Jan. 10, 2009].
6. Microsoft Corporation, "Phishing filter: Help protect yourself from online scams," 2008. [online] Available: http://www.microsoft.com/protect/ products/yourself/phishingfilter.mspx. [Accessed: Jan. 10, 2009].
7. Apple Inc. Visited Jan 1, 2009. http://www.apple.com/safari/features. html#security.
8. J. Franklin, V. Paxson, A. Perrig, and S. Savage, "An inquiry into the nature and causes of the wealth of Internet miscreants," In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), ACM, pp. 375-388.
9. G. Keizer, "Phishers Beat Bank's Two-factor Authentication," Information Week, 2006. [online] Available: http://www.informationweek.com/news/ showArticle.jhtml?articleID=190400362. [Accessed: Jan 10, 2009]
10. Financial Services Technology Consortium, "Understanding and Countering the Phishing Threat," White Paper, 2005. [online]. Available: http://www.fstc.org/projects/docs/FSTC-Counter-Phishing-Project-Whitepaper.pdf. [Accessed: Jan 10, 2009]
11. Identity Theft Technology Council, "Online identity theft: Phishing technology, chokepoints and countermeasures," 2005. [online]. Available: http://www.antiphishing.org/Phishing-dhs-report.pdf. [Accessed Jan. 10, 2009]
12. National Consumers League, "A Call for Action: Report from National Consumers League Anti-Phishing Retreat," Report, 2006. [online]. Available: http://www.nclnet.org/news/2006/Final%20NC%20Phishing%20Report.pdf. [Accessed: Jan. 10, 2009].
13. Dept. of Homeland Security and the Anti-phishing Working Group, "The crimeware landscape: malware, phishing, identity theft and beyond," Report, 2006. [online]. Available: http://www.antiphishing.org/reports/APWG- CrimewareReport.pdf. [Accessed: Jun. 10, 2009].
14. Anti-Phishing Working Group, "What to Do If Your Website Has Been Hacked by Phishers," Report, 2009. [online]. Available: http://www.apwg.org/reports/APWG-WTD-HackedWebsite.pdf. [Accessed May. 18, 2009].
15. Anti-Phishing Working Group, "Anti-Phishing Best Practices Recommendations for Registrars," Report, 2008. [online] Available: http://www.apwg.org/reports/APWG-RegistrarBestPractices.pdf. [Accesse May. 18,2009].
16. Message Anti-Abuse Working Group and Anti-Phishing Working Group, "Anti-Phishing Best Practices for ISPs and Mailbox Providers," Report, 2006. [online]. Available: http://www.apwg.org/reports/bestpracticesforisps. pdf. [Accessed May. 18,2009]
17. R. Rosenthal, R.L. Rosnow. Essentials of Behavioral Research, third ed. McGraw Hill, New York, NY, USA, 2008.
18. S. Dynes, H. Brechbuhl and M. E. Johnson, "Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm," Fourth Workshop on the Economics of Information Security, Harvard University. Available:http://infosecon.net/workshop/pdf/51.pdf. [Accessed: Jun 10, 2009]
19. B.R. Rowe and M. P. Gallaher, "Private Sector Cyber Security Investment: An Empirical Analysis," Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK. Available: http://weis2006. econinfosec.org/docs/18.pdf. [Accessed: Jun 10, 2009]
20. T. Moore, R. Clayton and H. Stern, "Temporal Correlations between Spam and Phishing Websites," 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09). April 21, 2009: Boston, MA.
21. T.N. Jagatic, N.A. Johnson, M. Jakobsson, and F. Menczer, "Social phishing," Commun. ACM 50, 10 (Oct. 2007), 94-100. DOI= http://doi.acm.org/10.1145/1290958.1290968
22. Symantec, "Symantec Global Internet Security Threat Report," volume XIV, 2009. [online]. Available: http://eval.symantec.com/mktginfo/ enterprise/white-papers/b-whitepaper-internet-security-threat-report-xiv-04- 2009.en-us.pdf. [Accessed: Mar. 19, 2009].
23. Merchant Risk Council, "Annual e-Commerce Fraud Survey Results," March 3, 2009. [online]. Available: https://www. merchantriskcouncil.org/index.cfm?fuseaction=Feature.showFeature&FeatureID= 119. [Accessed: June 10, 2009].
24. H. Varian, "Managing Online Security Risks," New York Times; New York, NY.; Jun 1, 2000. [online]. Available: http://people.ischool.berkeley. edu/~hal/people/hal/NYTimes/2000-06-01.html. [Accessed: Jun 1, 2009].
25. S. Egelman, L. F. Cranor, and J. Hong, "You've been warned: an empirical study of the effectiveness of web browser phishing warnings," In CHI '08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 1065-1074, New York, NY, USA, 2008. ACM.
26. Net Applications. Inc, "Browser market share Q4 2008," [online]. Available: http://marketshare.hitslink.com/report.aspx?qprid= 0&qpmr=15&qpdt=1&qpct=3&qpcal=l&qptimeframe=Q&qpsp=39. [Accessed: Jan. 10, 2009].
27. Zone Alarm, "Smart Defense System", 2004 [online]. Available: http://smartdefense.zonealarm.com/tmpl/AdvisoryArticle?action=detail&aid= 20040128sa-000013. [Accessed: Jun. 1 2009].
28. Avantgarde, "Time to Live on the Network," Technical Report, 2004. [online]. Available:http://www.avantgarde.com/xxxxttln.pdf. [Accessed: Jun 10, 2009]
29. T. Moore and R. Clayton. "Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing," 13th International Conference on Financial Cryptography and Data Security. February 23-26, 2009: Barbados.
30. S. Sheng, B. Wardman, G. Warner, L.F. Cranor, J. Hong, and C. Zhang, "An Empirical Analysis of Phishing Blacklists," To appear in 6th Conference in Email and Anti-Spam (Mountain view, CA, July 16-17, 2009). CEAS '09.
31. T. Moore and R. Clayton, "The Consequence of Non-Cooperation in the Fight Against Phishing," Third APWG eCrime Researchers Summit. October 15-16, 2008: Atlanta, GA.
32. B. Krebs, "Host of Internet Spam Groups Is Cut Off," Washington Post, Nov. 12, 2008.
33. D. Danchev, "Google: Spam volume for Q1 back to pre-McColo levels," CBS Interactive, April 2, 2009. [online]. Available: http://blogs.zdnet.com/security/?p=3073&tag=rbxccnbzd1. [Accessed: Jun 1, 2009].
34. R.E. Church, "McColo and the Difficulty of Fighting Spam", Internet.com, November 20, 2008. [online]. Available: http://itmanagement. earthweb.com/features/print.php/3786296. [Accessed: Jun. 1 2009].
35. ASSOCIATEDBANK-CORP v. EARTHLINK, INC. Memorandum and order, 05-c-0233-s 2005. Available:http://www.iplawobserver.com/cases/2005-09-14-Associated-Banc- Corp-CDA-Section-230.pdf. [Accessed: Mar. 18, 2009].
36. C. Ludl, S. Mcallister, E. Kirda, and C. Kruegel, "On the effectiveness of techniques to detect phishing sites," In DIMVA '07: Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 20-39, Berlin, Heidelberg, 2007. Springer-Verlag.
37. The Anti-phishing Working Group, "Global Phishing Survey: Trends and Domain name use in 2H 2008", May 2009. [online]. Available: http://www.antiphishing.org/reports/APWG-GlobalPhishingSurvey2H2008.pdf. [Accessed: Jun. 1, 2009].
38. G. Xiang and J. Hong, "An Adaptive Shingling-based Approach using Search Engines for Zero False Positive Phish Detection," 2009. Under Submission.
39. B. Pendleton, G. Xiang, and J. Hong, "Augmenting the Crowds: Fighting Phishing on a Budget," 2009. Under Submission.
40. P. Kumaraguru, S. Sheng., A. Acquisti, L.F.Cranor, and J. Hong, "Teaching Johnny not to fall for phish," Tech. rep. 2007, Carnegie Mellon University. Available:http://www.cylab.cmu.edu/files/cmucylab07003.pdf.
41. P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L.F. Cranor, and J. Hong, "Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer." e-Crime Researchers Summit, Anti-Phishing Working Group, October 4 - 5, 2007, Pittsburgh, USA.
42. P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham, "School of phish: A real-word evaluation of antiphishing training," to appear in Symposium for Usable Privacy and Security (SOUPS), Mountain view, 2009.
43. S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, "Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish." In SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security, pages 88-99, New York, NY, USA, 2007. ACM.