ANALYSING PERSUASION PRINCIPLES IN PHISHING EMAILS

Nurul Akbar

Supervisors: Prof. Dr. P.H. Hartel, E.E.H. Lastdrager MSc.

Services, Cybersecurity and Safety Group
Faculty of Electrical Engineering, Mathematics and Computer Science
University of Twente
August 2014

Nurul Akbar: Analysing persuasion principles in phishing emails, Master thesis, © August 2014.
Supervisors: Prof. Dr. P.H. Hartel, E.E.H. Lastdrager MSc.
Location: Enschede

"The life of this world is only the enjoyment of deception." — Quran 3:185

ABSTRACT

As the effort required to exploit system vulnerabilities has risen significantly over time, attacking users' psyche has rapidly become a more efficient and effective alternative. Phishers have exploited email, as an electronic means of communication, to deliver their attacks. The success of a phishing attack delivered through mass emails is determined by the response of the unsuspecting victims. Although persuasion can be used for good reasons, phishers can also use it maliciously to elicit a positive response from the intended victim of a phishing email.

To protect users from phishing attacks at the email level, system designers and security professionals need to understand how phishers use persuasion techniques in phishing emails. In this thesis, we present an analysis of persuasion techniques in phishing emails. Our research aims to understand the characteristics of phishing emails by considering persuasion techniques in a real-world analysis. We have conducted a quantitative analysis on our dataset, which consists of reported phishing emails between August 2013 and December 2013. The findings are observed mainly from three viewpoints: general structural properties; persuasion principle characteristics; and the relationships between them. We have found that financial institutions are the most common target, with a high number of occurrences in our dataset.
Three important findings of our research are that: (1) authority is the most popular persuasion technique regardless of the target and the reason used; (2) depending on the target types and the reason types, the next most popular persuasion principles are scarcity, consistency, and likeability; and (3) the scarcity principle has a high involvement with the administrator target type and with account-related concerns.

"Our technological powers increase, but the side effects and potential hazards also escalate." — Arthur C. Clarke

ACKNOWLEDGMENTS

First and foremost, I would like to use this opportunity to thank both of my supervisors, Prof. Dr. Pieter Hartel and Elmer Lastdrager MSc. I am thankful for their unrelenting guidance and support, which have made this research possible. They have gone beyond the expected duties as supervisors and helped make this master thesis possible. They have provided me with invaluably constructive thoughts and critical feedback. I am sincerely grateful to them for sharing their truthful and illuminating views on a number of issues related to the research. It was Elmer's vision to integrate a phishing emails corpus with Cialdini's principles as the core of my research. He has assisted me in obtaining the data, as it is confidential and sensitive. I would like to thank the PhD candidates in the SCS group for letting me pick their brains when I did a brief presentation at the beginning of my research. Thanks to Geert Jan for letting me work in the lab, and to Suse and Bertine for lending me the key when no one else was in the lab. I would also like to express my appreciation and gratitude to Drs. Jan Schut for providing me invaluable advice and direction throughout my study at the University of Twente. A special thanks to Eyla, who has given me incentives to strive towards my goal and has been there in difficult times, and to Gaurav and Vignesh, who have assisted me by giving feedback on my writing.
I appreciate all my friends, Aldi, Saud and all the others who supported me either directly or indirectly during my master studies. Without all their support, accomplishing my studies would not have been possible. I would like to thank my family members and relatives who have supported me financially and emotionally throughout my entire master education. Words cannot express how grateful I am to my mother and father. In spite of all the difficult times, I thank you all for letting me cherish my dream. Lastly, I thank God almighty for answering my prayers.

– Nurul Akbar (Nolie)

CONTENTS

1 Introduction
  1.1 Problem statement
  1.2 Research goal
  1.3 Research questions
  1.4 Structures
2 Background & literature review
  2.1 What is phishing?
    2.1.1 The history
    2.1.2 The universal definition
  2.2 The costs of phishing attacks
  2.3 Modus operandi
  2.4 Types of phishing
    2.4.1 Phishing based on visual similarities
    2.4.2 Malware-based phishing
  2.5 Current countermeasures
    2.5.1 Phishing detection
    2.5.2 Phishing prevention
  2.6 Human factor and persuasion
3 Research questions and hypotheses
4 Data and analysis
  4.1 Research methodology
    4.1.1 Data collection
    4.1.2 Selection
    4.1.3 Data classification
    4.1.4 Statistical analysis
  4.2 Results
    4.2.1 Relationship between persuasion principles and target types
    4.2.2 Relationship between persuasion principles and reason types
    4.2.3 Target types and reason types
5 Discussion
  5.1 Research questions
  5.2 Conclusion
  5.3 Limitation
  5.4 Future work
A Appendices
  A.1 Target types
  A.2 Reason types
  A.3 Financial targeted phishing emails
B Bibliography

LIST OF FIGURES

Figure 1   Phishing processes based on Frauenstein [18]
Figure 2   Example of a phishing email impersonating ING bank
Figure 3   Phishing attack taxonomy and lifecycle [74]
Figure 4   Flow of information in phishing attack [17]
Figure 5   Information flow phishing attack
Figure 6   Holistic anti-phishing framework [18]
Figure 7   Simulated phishing attack [38]
Figure 8   Embedded phishing training [38]
Figure 9   Research methodology diagram
Figure 10  Selection diagram
Figure 11  Integration pseudo-code of Cialdini's principles
Figure 12  Detailed account related reason graph
Figure 13  Financial target and scarcity
Figure 14  E-Commerce/Retails and scarcity
Figure 15  Administrator and scarcity
Figure 16  Government and consistency (a)
Figure 17  Government and consistency (b)
Figure 18  Example of financial incentive and consistency
Figure 19  Social reason and likeability principle
Figure 20  Detailed of financial sectors

LIST OF TABLES

Table 1   Query searches in Scopus and Web of Science
Table 2   A map of message argument quality [33] to Cialdini's persuasion principles [7]
Table 3   Compilation of phishing phases
Table 4   Summary phishtank studies
Table 5   Comparison summary [52]
Table 6   Existing lexical features [44, 78]
Table 7   Host-based features [45, 46, 44, 78]
Table 8   Site popularity features [78, 44]
Table 9   Attachment analysis
Table 10  Request analysis of all emails (one email can contain more than one instruction, so the total here does not sum up to 100%)