The highly insidious extreme phishing attacks

Rui Zhao, Samantha John, Stacy Karas, Cara Bussell, Jennifer Roberts, Daniel Six, Brandon Gavett, Chuan Yue

Research output: Chapter in Book/Conference paperConference paper

4 Citations (Scopus)

Abstract

One of the most severe and challenging threats to Internet security is phishing, which uses spoofed websites to steal users' passwords and online identities. Phishers mainly use spoofed emails or instant messages to lure users to the phishing websites. A spoofed email or instant message provides the first-layer context to entice users to click on a phishing URL, and the phishing website further provides the second-layer context with the look and feel similar to a targeted legitimate website to lure users to submit their login credentials. In this paper, we focus on the second-layer context to explore the extreme of phishing attacks; we explore the feasibility of creating extreme phishing attacks that have the almost identical look and feel as those of the targeted legitimate websites, and evaluate the effectiveness of such phishing attacks. We design and implement a phishing toolkit that can support both the traditional phishing and the newly emergent Web Single Sign-On (SSO) phishing; our toolkit can automatically construct unlimited levels of phishing webpages in real time based on user interactions. We design and perform a user study to evaluate the effectiveness of the phishing attacks constructed from this toolkit. The user study results demonstrate that extreme phishing attacks are indeed highly effective and insidious. It is reasonable to assume that extreme phishing attacks will be widely adopted and deployed in the future, and we call for a collective effort to effectively defend against them.

Original languageEnglish
Title of host publication2016 25th International Conference on Computer Communications and Networks, ICCCN 2016
Place of PublicationUSA
PublisherIEEE, Institute of Electrical and Electronics Engineers
ISBN (Electronic)9781509022793
DOIs
Publication statusPublished - 14 Sep 2016
Externally publishedYes
Event25th International Conference on Computer Communications and Networks, ICCCN 2016 - Waikoloa, United States
Duration: 1 Aug 20164 Aug 2016

Conference

Conference25th International Conference on Computer Communications and Networks, ICCCN 2016
CountryUnited States
CityWaikoloa
Period1/08/164/08/16

Fingerprint Dive into the research topics of 'The highly insidious extreme phishing attacks'. Together they form a unique fingerprint.

  • Cite this

    Zhao, R., John, S., Karas, S., Bussell, C., Roberts, J., Six, D., Gavett, B., & Yue, C. (2016). The highly insidious extreme phishing attacks. In 2016 25th International Conference on Computer Communications and Networks, ICCCN 2016 [7568582] IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICCCN.2016.7568582