DOI: 10.1145/3046055.3046063
Research article

User trust assessment: a new approach to combat deception

Published: 05 December 2016

Abstract

Deception is rapidly on the rise on the Internet, and email is the attack vector of choice for a broad array of attacks, including ransomware distribution, enterprise-facing cons, and mass-deployed phishing attacks. It is widely believed that this is due to the ubiquity of email and the limited extent to which relevant email security measures have been rolled out. The most troubling type of attack is the targeted attack, in which the attacker poses as somebody the intended victim knows. There are three common ways used by attackers to masquerade as somebody trusted: spoofing, look-alike domain attacks and display name attacks. We collectively refer to these as impersonation attacks.

Published In

STAST '16: Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust
December 2016, 101 pages
ISBN: 9781450348263
DOI: 10.1145/3046055

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

STAST '16: Socio-Technical Aspects in Security and Trust
December 5, 2016, Los Angeles, California
