More Web Proxy on the site http://driver.im/

research-article

Open access

Who is targeted by email-based phishing and malware?: Measuring factors that differentiate risk

Authors:

Camelia Simoiu,

Elie BurszteinAuthors Info & Claims

IMC '20: Proceedings of the ACM Internet Measurement Conference

Pages 567 - 576

https://doi.org/10.1145/3419394.3423617

Published: 27 October 2020 Publication History

Abstract

As technologies to defend against phishing and malware often impose an additional financial and usability cost on users (such as security keys), a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and at first glance indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person's demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.

Supplementary Material

MP4 File (zoom_8.mp4)

As technologies to defend against phishing and malware often impose an additional financial and usability cost on users (such as security keys), a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and at first glance indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person?s demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.

Download
35.51 MB

References

[1]

Devdatta Akhawe and Adrienne Porter Felt. Alice in warningland: A large-scale field study of browser security warning effectiveness. In Proceedings of the USENIX Security Symposium, 2013.

Digital Library

[2]

Monica Anderson and Madhumitha Kumar. Digital divide persists even as lower-income americans make gains in tech adoption. https://www.pewresearch.org/fact-tank/2019/05/07/digital-divide-persists-even-as-lower-income-americans-make-gains-in-tech-adoption/, 2019.

[3]

Ross Anderson, Chris Barton, Rainer Boehme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. Measuring the cost of cybercrime. In Proceedings of the Workshop on Economics of Information Security, 2012.

[4]

Anti-Phishing Working Group. APWG Trends Report Q1 2019. https://docs.apwg.org/reports/apwg_trends_report_q1_2019.pdf.

[5]

Zinaida Benenson, Freya Gassmann, and Robert Landwirth. Unpacking spear phishing susceptibility. In International Conference on Financial Cryptography and Data Security, pages610--627. Springer, 2017.

[6]

Elie Bursztein and Daniela Oliveira. Understanding why phishing attacks are so effective and how to mitigate them. https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html, 2019.

[7]

Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, and Agata McCormac. Breaching the human firewall: Social engineering in phishing and spear-phishing emails. arXiv preprint arXiv.1606.00887, 2016.

[8]

Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson. Measuring pay-per-install: The commoditization of malware distribution. In Proceedings of the USENIX Security Symposium, 2011.

Digital Library

[9]

Davide Canali, Leyla Bilge, and Davide Balzarotti. On the effectiveness of risk prediction based on users browsing behavior. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 171--182, 2014.

Digital Library

[10]

Moses S Charikar. Similarity estimation techniques from rounding algorithms. In Proceedings of the ACM Symposium on Theory of Computing, 2002.

Digital Library

[11]

Richard Clayton. Do zebras get more spam than aardvarks? ratio, 20:40, 2008.

[12]

Sanchari Das, Andrew Dingman, and L Jean Camp. Why johnny doesn't use two factor a two-phase usability study of the fido u2f security key. In Proceedings of the International Conference on Financial Cryptography and Data Security, 2018.

Digital Library

[13]

Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI '06, pages 581--590, New York, NY, USA, 2006. ACM.

Digital Library

[14]

Periwinkle Doerfler, Maija Marincenko, Juri Ranieri, Angelika Moscicki Yu Jiang, Damon McCoy, and Kurt Thomas. Evaluating login challenges as a defense against account takeover. In Proceedings of the Web Conference, 2019.

Digital Library

[15]

Julie S Downs, Mandy Holbrook, and Lorrie Faith Cranor. Behavioral response to phishing risk. In Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, pages37--44. ACM, 2007.

Digital Library

[16]

Julie S. Downs, Mandy B. Holbrook, and Lorrie Faith Cranor. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS '06, pages 79--90, New York, NY, USA, 2006. ACM.

Digital Library

[17]

Waldo Rocha Flores and Mathias Ekstedt. Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. computers & security, 59:26--44, 2016.

[18]

Dan Goodin. There's a reason your inbox has more malicious spam-emotet is back. https://arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/, 2020.

[19]

Google. About targeting geographic locations. https://support.google.com/google-ads/answer/2453995?visit_id=637363906136362321-1839693281&rd=1, 2020.

[20]

Google. File types blocked in Gmail. https://support.google.com/mail/answer/6590?hl=en, 2020.

[21]

Google. Google Safe Browsing. https://https://safebrowsing.google.com/, 2020.

[22]

Google. Google's strongest security for those who need it most. https://landing.google.com/advancedprotection/, 2020.

[23]

Google. How Google infers interest and demographic categories. https://support.google.com/google-ads/answer/2580383?hl=en, 2020.

[24]

Tzipora Halevi, Nasir Memon, and Oded Nov. Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spearphishing attacks. Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks (January 2, 2015), 2015.

[25]

Il-Horn Hann, Kai-Lung Hui, Yee-Lin Lai, Sang-Yong Tom Lee, and Ivan PL Png. Who gets spammed? Communications of the ACM, 49(10):83--87, 2006.

Digital Library

[26]

Seth Hardy, Masashi Crete-Nishihata, Katharine Kleemola, Adam Senft, Byron Sonne, Greg Wiseman, Phillipa Gill, and Ronald J Deibert. Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware. In Proceedings of the USENIX Security Symposium, 2014.

[27]

Luca Invernizzi, Stanislav Miskovic, Ruben Torres, Christopher Kruegel, Sabyasachi Saha, Giovanni Vigna, Sung-Ju Lee, and Marco Mellia. Nazca: Detecting malware distribution in large-scale networks. In NDSS, volume 14, pages23--26. Citeseer, 2014.

[28]

Cristian Iuga, Jason RC Nurse, and Arnau Erola. Baiting the hook: factors impacting susceptibility to phishing attacks. Human-centric Computing and Information Sciences, 6(1):8, 2016.

Digital Library

[29]

Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Communications of the ACM, 2007.

Digital Library

[30]

Helen S Jones, John N Towse, Nicholas Race, and Timothy Harrison. Email fraud: The search for psychological predictors of susceptibility. PloS one, 14(1):e0209684, 2019.

[31]

Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage. On the spam campaign trail. In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.

Digital Library

[32]

Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teaching johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2):7, 2010.

[33]

Neil Kumaran and Sam Lugani. Protecting businesses against cyber threats during COVID-19 and beyond. https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond, 2020.

[34]

Fanny Lalonde Levesque, Jude Nsiempba, José M Fernandez, Sonia Chiasson, and Anil Somayaji. A clinical study of risk factors related to malware infections. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 97--108, 2013.

Digital Library

[35]

Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, and Sampath Srinivas. Security keys: Practical cryptographic second factors for the modern web. In Proceedings of the International Conference on Financial Cryptography and Data Security, 2016.

[36]

Stevens Le Blond, Adina Uritesc, Cédric Gilbert, Zheng Leong Chua, Prateek Saxena, and Engin Kirda. A Look at Targeted Attacks Through the Lense of an NGO. In Proceedings of the USENIXSecurity Symposium, 2014.

[37]

Tian Lin, Daniel E Capecci, Donovan M Ellis, Harold A Rocha, Sandeep Dommaraju, Daniela S Oliveira, and Natalie C Ebner. Susceptibility to spear-phishing emails: Effects of internet user demographics and email content. ACM Transactions on Computer-Human Interaction (TOCHI), 2019.

Digital Library

[38]

William R Marczak, John Scott-Railton, Morgan Marquis-Boire, and Vern Paxson. When governments hack opponents: a look at actors and technology. In Proceedings of the USENIX Security Symposium, 2014.

Digital Library

[39]

Rodrigo Sanches Miani, Danielle Oliveira, Kil Jin Brandini Park, and Bruno Bogaz Zarpelao. An empirical study of factors affecting the rate of spam. In Anais Principais do XXXVI Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuidos. SBC, 2018.

[40]

Microsft. Microsoft AccountGuard. https://www.microsoftaccountguard.com/enus/, 2020.

[41]

Jamshaid G Mohebzada, Ahmed El Zarka, Arsalan H BHojani, and Ali Darwish. Phishing in a university community: Two large scale phishing experiments. In 2012 International Conference on Innovations in Information Technology (IIT), pages249--254. IEEE, 2012.

[42]

Carina Mood. Logistic regression: Why we cannot do what we think we can do, and what we can do about it. European sociological review, 26(1):67--82, 2010.

[43]

Gregory D Moody, Dennis F Galletta, and Brian Kimball Dunn. Which phish get caught? an exploratory study of individuals' susceptibility to phishing. European Journal of Information Systems, 26(6):564--584, 2017.

[44]

Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Kevin Tyers. Phishfarm: A scalable framework for measuring the effectiveness of evasion techniques against browser phishing blacklists. In Proceedings of the IEEE Symposium on Security and Privacy, 2019.

[45]

Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé, and Gail-Joon Ahn. Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. In Proceedings of the U SENIX Security Symposium, 2020.

[46]

Daniela Oliveira, Harold Rocha, Huizi Yang, Donovan Ellis, Sandeep Dommaraju, Melis Muradoglu, Devon Weir, Adam Soliman, Tian Lin, and Natalie Ebner. Dissecting spear phishing emails for older vs young adults: On the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pages6412--6424. ACM, 2017.

Digital Library

[47]

Kathryn Parsons, Marcus Butavicius, Malcolm Pattinson, Dragana Calic, Agata Mccormac, and Cate Jerram. Do users focus on the correct cues to differentiate between phishing and genuine emails? In Australasian Conference on Information Systems, 2016.

[48]

Ross L Prentice and Ronald Pyke. Logistic disease incidence models and case-control studies. Biometrika, 66(3):403--411, 1979.

[49]

rdocumentation. Fitting generalized linear models. https://www.rdocumentation.org/packages/stats/versions/3.6.2/topics/glm, 2020.

[50]

Steve Sheng, Mandy Holbrook, Ponnurangam Kumaraguru, Lorrie Faith Cranor, and Julie Downs. Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI'10, pages 373--382, New York, NY, USA, 2010. ACM.

Digital Library

[51]

Camelia Simoiu, Joseph Bonneau, Christopher Gates, and Sharad Goel. " i was told to buy a software or lose my computer. i ignored it": A study of ransomware. In Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019), 2019.

[52]

Sri Somanchi. New built-in gmail protections to combat malware in attachments. https://gsuiteupdates.googleblog.com/2017/05/new-built-in-gmail-protections-to.html, 2017.

[53]

Latanya Sweeney. Achieving k-anonymity privacy protection using generalization and suppression. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):571--588, 2002.

Digital Library

[54]

Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Tom Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, and Giovanni Vigna. Framing Dependencies Introduced by Underground Commoditization. In Proceedings of the Workshop on the Economics of Information Security, 2015.

[55]

Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, et al. Data breaches, phishing, or malware?: Understanding the risks of stolen credentials. In Proceedings of the ACM Conference on Computer and Communications Security, 2017.

Digital Library

[56]

Maria Vergelis, Tatyana Shcherbakova, and Tatyana Sidorina. Spam and phishing in Q2 2019. https://securelist.com/spam-and-phishing-in-q2-2019/92379/, 2019.

[57]

Arun Vishwanath, Tejaswini Herath, Rui Chen, Jingguo Wang, and H Raghav Rao. Why do people get phished? testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3):576--586, 2011.

Digital Library

[58]

Jingguo Wang, Tejaswini Herath, Rui Chen, Arun Vishwanath, and H Raghav Rao. Research article phishing susceptibility: An investigation into the processing of a targeted spear phishing email. IEEE transactions on professional communication, 55(4):345--362, 2012.

Cited By

Luo EYoung LHo GAfifi MSchweighauser MKatz-Bassett ECidon A(2025)Characterizing the Networks Sending Enterprise Phishing EmailsPassive and Active Measurement10.1007/978-3-031-85960-1_18(437-466)Online publication date: 7-Mar-2025
https://doi.org/10.1007/978-3-031-85960-1_18
Stevens KErdemir MZhang HKim TPearce P(2024)BluePrint: Automatic Malware Signature Generation for Internet ScanningProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678923(197-214)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678923
Köhler DPünter WMeinel C(2024)We have Phishing at Home: Quantitative Study on Email Phishing Susceptibility in Private ContextsInformation Security10.1007/978-3-031-75764-8_13(246-265)Online publication date: 24-Oct-2024
https://dl.acm.org/doi/10.1007/978-3-031-75764-8_13
Show More Cited By

Recommendations

Detecting Targeted Malicious Email

Targeted malicious emails (TME) for computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, TME can exploit computer ...
Indicators of employee phishing email behaviours: Intuition, elaboration, attention, and email typology
Highlights
- Response behaviours to phishing emails can strengthen or undermine cyber security.
Abstract
Employees’ behaviour to phishing emails can strengthen or undermine business organisations’ cyber security. This phishing simulation and survey study explored the relationship between sociodemographic, cyber security training, phishing ...
Detecting targeted malicious email through supervised classification of persistent threat and recipient oriented features

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '20: Proceedings of the ACM Internet Measurement Conference

October 2020

751 pages

ISBN:9781450381383

DOI:10.1145/3419394

Copyright © 2020 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

IMC '20

Sponsor:

IMC '20: ACM Internet Measurement Conference

October 27 - 29, 2020

Virtual Event, USA

Acceptance Rates

IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
1,976
Total Downloads

Downloads (Last 12 months)410
Downloads (Last 6 weeks)50

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Luo EYoung LHo GAfifi MSchweighauser MKatz-Bassett ECidon A(2025)Characterizing the Networks Sending Enterprise Phishing EmailsPassive and Active Measurement10.1007/978-3-031-85960-1_18(437-466)Online publication date: 7-Mar-2025
https://doi.org/10.1007/978-3-031-85960-1_18
Stevens KErdemir MZhang HKim TPearce P(2024)BluePrint: Automatic Malware Signature Generation for Internet ScanningProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678923(197-214)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678923
Köhler DPünter WMeinel C(2024)We have Phishing at Home: Quantitative Study on Email Phishing Susceptibility in Private ContextsInformation Security10.1007/978-3-031-75764-8_13(246-265)Online publication date: 24-Oct-2024
https://dl.acm.org/doi/10.1007/978-3-031-75764-8_13
Dambra SBilge LKotzias PShen YCaballero JCalandrino JTroncoso C(2023)One size does not fit allProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620555(5683-5700)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620555
Pandit SSarker KPerdisci RAhamad MYang DCalandrino JTroncoso C(2023)Combating robocalls with phone virtual assistant mediated interactionProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620264(463-480)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620264
Stivala GAbdelnabi SMengascini AGraziano MFritz MPellegrino G(2023)From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!Proceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627172(14-28)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627172
Czybik SHorlboge MRieck KMontpetit MLeivadeas AUhlig SJaved M(2023)Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the WildProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624827(344-355)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624827
Zhou LZhang DLiu Z(2023)A Stage Model for Understanding Phishing Victimization Behavior in Embedded Training2023 IEEE International Conference on Intelligence and Security Informatics (ISI)10.1109/ISI58743.2023.10297204(1-6)Online publication date: 2-Oct-2023
https://doi.org/10.1109/ISI58743.2023.10297204
Hussain AAhmad STanveer MIqbal A(2022)Computer Malware Classification, Factors, and Detection Techniques: A Systematic Literature Review (SLR)International Journal of Innovations in Science and Technology10.33411/IJIST/20220403204:3(899-918)Online publication date: 29-Aug-2022
https://doi.org/10.33411/IJIST/2022040320
Qachfar FVerma RMukherjee AJoshi AFernandez MVerma R(2022)Leveraging Synthetic Data and PU Learning For Phishing Email DetectionProceedings of the Twelfth ACM Conference on Data and Application Security and Privacy10.1145/3508398.3511524(29-40)Online publication date: 14-Apr-2022
https://dl.acm.org/doi/10.1145/3508398.3511524
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten