ISO carries out phishing study

Edmund Huber Apr 6, 2009

“Dear CMU Webmail Subscriber,
To complete your CMU Webmail account, you must reply to this email immediately and enter your password here.... Failure to do this....”
You may have received an e-mail like this once or twice, and it may have made you suspicious. But if you were busy or careless you might have fallen for it — and e-mailed back your password.

“Phishing” is the collection of techniques that take advantage of an unwary user’s belief that an e-mail, or other message, originated from a trusted source.
The goal is typically to obtain computer account or financial information. “Spear-phishing,” in particular, is a highly targeted form of phishing that attempts to emulate the style and content of a specific authority.

Carnegie Mellon’s Information Security Office (ISO) attempts to continuously identify and confront threats to the campus computer network and its users.
“In August of last year, more than 700 Carnegie Mellon accounts received the [spear-phishing] attacks,” said Mary Ann Blair, director of the ISO.
As Blair explained, although the ISO has offered training on how to avoid falling prey to phishing, there remains the issue that “there is no good way of measuring effectiveness of security training.”

Without objective measures of different security training regimes, it is hard to improve the training. Blair added that the ISO’s willingness to work with security groups on campus means that “researchers have a ready-made laboratory ... to test interventions.”

In a collaboration begun with the ISO last fall, Lorrie Cranor, an associate professor of engineering and public policy and also director of the CyLab Usable Privacy and Security Laboratory (CUPS), and her student Ponnurangam Kumaraguru from the computation, organizations, and society Ph.D. program have recently concluded a campus-wide study on phishing prevention.

The study invited all Andrew account holders to volunteer and drew 515 participants, each of whom was placed in one of three separate groups. Over the course of 28 days, the researchers sent out 10 e-mails, seven of which were simulated spear-phishing messages. For the first group, one of the malicious e-mails led to a comic explaining the security risk of phishing and how to avoid becoming a victim.

For the second group, the comic appeared twice. The final group had no training at all on how to avoid the phishing e-mails. The researchers found that more training was more effective, and that the knowledge gained from training was maintained after a month’s time. In addition, the training did not result in participants’ avoiding legitimate e-mails in fear of a phishing attempt.

“The kind of attacks that we used in this study were very realistic,” explained Cranor. “Any attacker who looked at a few CMU websites would have enough information to perpetrate these attacks.”

PhishGuru, the security training technology used in the study, is being commercialized by Wombat Security Technologies, Inc., a start-up co-founded by Cranor with Norman Sadeh, a professor of computer science, and Jason Hong, an assistant professor in the Human-Computer Interaction Institute.
The results from the study will be presented on Friday, April 10 from 1–2 p.m. in McConomy Auditorium.