1 / 0

You’ve Been Warned (Phishing Study paper)

You’ve Been Warned (Phishing Study paper). 6.033 Review Session May 19, 2014. Background.

latona
Download Presentation

You’ve Been Warned (Phishing Study paper)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. You’ve Been Warned(Phishing Study paper)

    6.033 Review Session May 19, 2014
  2. Background “Phishing is the act of attempting to acquire sensitive information (usernames, passwords credit card numbers etc.) by masquerading as a trustworthy entity in electronic communication.” (Wikipedia definition) The paper, from 2008, studies the effectiveness of 3 different phishing warning messages that had been integrated into web browsers at the time, and interviews users about their thought process.
  3. Phishing Warnings Under Study
  4. Study Recruit people from “All over Pittsburgh”. Tell them we’re doing an “Online Shopping Study” (which the researchers were in fact doing simultaneously) Put subjects in the lab, ask them to buy a box of paperclips ($6.50 incl. shipping) from Amazon or eBay using their own credit card and email account. Immediately after purchase is complete, send a simulated spear-phishing email to the subject “Amazon needs some more information to complete your international shipment; plz click link below and enter your username/password to avoid order getting canceled.”
  5. (no warning)
  6. Warning Comprehension vs.
  7. Conclusions 97% clicked the links in the emails (before warnings were shown) With active warning, 79% did not enter username/password in phishing site With passive warning, only 13% did not enter username/password Even when interviewed afterwards about the attack, subjects had problem understanding what had happened (e.g. that Amazon or eBay did not in fact send the phishing email)
More Related