Daniel Timko,Daniel Hernandez Castillo,Muhammad Lutfor Rahman

2024-05-30

Abstract:With the booming popularity of smartphones, threats related to these devices are increasingly on the rise. Smishing, a combination of SMS (Short Message Service) and phishing has emerged as a treacherous cyber threat used by malicious actors to deceive users, aiming to steal sensitive information, money or install malware on their mobile devices. Despite the increase in smishing attacks in recent years, there are very few studies aimed at understanding the factors that contribute to a user's ability to differentiate real from fake messages. To address this gap in knowledge, we have conducted an online survey on smishing detection with 187 participants. In this study, we presented them with 16 SMS screenshots and evaluated how different factors affect their decision making process in smishing detection. Next, we conducted a post-survey to garner information on the participants' security attitudes, behavior and knowledge. Our results highlighted that attention and security behavioral scores had a significant impact on participants' accuracy in identifying smishing messages. We found that participants had more difficulty identifying real messages from fake ones, with an accuracy of 67.1% with fake messages and 43.6% with real messages. Our study is crucial in developing proactive strategies to encounter and mitigate smishing attacks. By understanding what factors influence smishing detection, we aim to bolster users' resilience against such threats and create a safer digital environment for all.

Cryptography and Security,Human-Computer Interaction

Daniel Timko,Muhammad Lutfor Rahman

DOI: https://doi.org/10.1145/3626232.3653282

2024-04-29

Abstract:While smishing (SMS Phishing) attacks have risen to become one of the most common types of social engineering attacks, there is a lack of relevant smishing datasets. One of the biggest challenges in the domain of smishing prevention is the availability of fresh smishing datasets. Additionally, as time persists, smishing campaigns are shut down and the crucial information related to the attack are lost. With the changing nature of smishing attacks, a consistent flow of new smishing examples is needed by both researchers and engineers to create effective defenses. In this paper, we present the community-sourced smishing datasets from the

Cryptography and Security

Mingxuan Liu,Yiming Zhang,Baojun Liu,Zhou Li,Haixin Duan,Donghong Sun

DOI: https://doi.org/10.1145/3485832.3488012

2021-01-01

Abstract:Although spearphishing is a well-known security issue and has been widely researched, it is still an evolving threat with emerging forms. In recent years, Short Message Service (SMS) has been revealed as a new distribution channel for spearphishing messages, which already has caused a serious impact in the real world, but has not yet attracted enough attention from the academic community. In this paper, we report the first systemic study to spotlight this emerging threat, SMS spearphishing attack. Through cooperating with a leading security vendor, we obtain 31.96M real-world spam messages that span three months. We design and implement a novel NLP-based detection algorithm, and uncover 90,801 spearphishing messages on the entire dataset. And then, a large-scale measurement was performed on the detected messages to reveal and understand the characteristics of SMS spearphishing attack. Our findings are multi-fold. We discover that SMS spearphishing has a significant negative impact on the real-world, and a large number of victims have been affected. And the distribution of active illicit types between spearphishing message and common spam is quite inconsistent. At the micro-level, to evade detection and increase the probability of success, adversary campaigns have evolved a set of sophisticated strategies. Our research highlights the impact of SMS spearphishing attack is prominent. We call on different communities to work together to mitigate this emerging security threat.

Cori Faklaris,Heather Richter Lipford,Sarah Tabassum

DOI: https://doi.org/10.48550/arXiv.2309.06322

IF: 6.4588

2023-09-12

Human-Computer Interaction

Abstract:As adoption of mobile phones has skyrocketed, so have scams involving them. The text method is called SMiShing, (aka SMShing, or smishing) in which a fraudster sends a phishing link via Short Message Service (SMS) text to a phone. However, no data exists on who is most vulnerable to SMiShing. Prior work in phishing (its e-mail cousin) indicates that this is likely to vary by demographic and contextual factors. In our study, we collect this data from N=1007 U.S. adult mobile phone users. Younger people and college students emerge in this sample as the most vulnerable. Participants struggled to correctly identify legitimate messages and were easily misled when they knew they had an account with the faked message entity. Counterintuitively, participants with higher levels of security training and awareness were less correct in rating possible SMiSH. We recommend next steps for researchers, regulators and telecom providers.

Jae Woo Seo,Jong Sung Lee,Hyunwoo Kim,Joonghwan Lee,Seongwon Han,Jungil Cho,Choong-Hoon Lee

DOI: https://doi.org/10.1109/access.2024.3349577

IF: 3.9

2024-01-01

IEEE Access

Abstract:Smishing (SMS phishing) is a cybercrime in which criminals send fraudulent messages, including malicious links, to steal the victims’ private data or cause financial losses. The damage caused by smishing has become more severe, particularly with the proliferation of mobile devices. In smishing, a major difficulty faced by victims is discrimination between normal and smishing messages. To resolve this problem, we present an on-device smishing classifier based on a deep-learning model. In real-world scenarios, access to a substantial, authentic dataset is crucial. We trained and evaluated the classifier using real SMS datasets containing approximately 250,000 smishing messages and 950,000 normal messages obtained from victims in Korea. To ensure privacy, the classifier operates solely on mobile devices without externally transmitting any data. It utilizes a lightweight method that does not require significant computing power on mobile devices. We explored several models to determine a suitable model for mobile devices and optimized it using real datasets. Furthermore, our statistical analysis of actual smishing messages revealed that 98% of smishing messages are variants of previously sent messages. To address the prevalence of variant smishing messages, we propose a text evasion attack tool called EVA that is capable of generating pseudo-variant messages from a given message using an adversarial attack approach. We used this tool to evaluate and enhance the robustness of our classifier against various messages. Our classifier exhibited exceptional classification accuracy (0.99) while being lightweight (at 127 kB) and robust against variant smishing messages (attack success rate of 0.41).

computer science, information systems,telecommunications,engineering, electrical & electronic

Belal Amro

DOI: https://doi.org/10.4236/jcc.2018.62003

2018-02-13

Abstract:The rapid evolution in mobile devices and communication technology has increased the number of mobile device users dramatically. The mobile device has replaced many other devices and is used to perform many tasks ranging from establishing a phone call to performing critical and sensitive tasks like money payments. Since the mobile device is accompanying a person most of his time, it is highly probably that it includes personal and sensitive data for that person. The increased use of mobile devices in daily life made mobile systems an excellent target for attacks. One of the most important attacks is phishing attack in which an attacker tries to get the credential of the victim and impersonate him. In this paper, analysis of different types of phishing attacks on mobile devices is provided. Mitigation techniques - anti-phishing techniques - are also analyzed. Assessment of each technique and a summary of its advantages and disadvantages is provided. At the end, important steps to guard against phishing attacks are provided. The aim of the work is to put phishing attacks on mobile systems in light, and to make people aware of these attacks and how to avoid them

Cryptography and Security

Cynthia Dhinakaran,Dhinaharan Nagamalai,Jae Kwang Lee

DOI: https://doi.org/10.48550/arXiv.1108.1593

2011-08-08

Abstract:Spam messes up users inbox, consumes resources and spread attacks like DDoS, MiM, phishing etc. Phishing is a byproduct of email and causes financial loss to users and loss of reputation to financial institutions. In this paper we examine the characteristics of phishing and technology used by Phishers. In order to counter anti-phishing technology, phishers change their mode of operation; therefore a continuous evaluation of phishing only helps us combat phisher effectiveness. In our study, we collected seven hundred thousand spam from a corporate server for a period of 13 months from February 2008 to February 2009. From the collected data, we identified different kinds of phishing scams and mode of operation. Our observation shows that phishers are dynamic and depend more on social engineering techniques rather than software vulnerabilities. We believe that this study will develop more efficient anti-phishing methodologies. Based on our analysis, we developed an anti-phishing methodology and implemented in our network. The results show that this approach is highly effective to prevent phishing attacks. The proposed approach reduced more than 80% of the false negatives and more than 95% of phishing attacks in our network.

Cryptography and Security

Muhammad Salman,Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.1109/access.2024.3364671

IF: 3.9

2024-02-20

IEEE Access

Abstract:The persistence of SMS spam remains a significant challenge, highlighting the need for research aimed at developing systems capable of effectively handling the evasive strategies used by spammers. Such research efforts are important for safeguarding the general public from the detrimental impact of SMS spam. In this study, we aim to highlight the challenges encountered in the current landscape of SMS spam detection and filtering. To address these challenges, we present a new SMS dataset comprising more than 68K SMS messages with 61% legitimate (ham) SMS and 39% spam messages. Notably, this dataset, we release for further research, represents the largest publicly available SMS spam dataset to date. To characterize the dataset, we perform a longitudinal analysis of spam evolution. We then extract semantic and syntactic features to evaluate and compare the performance of well-known machine learning based SMS spam detection methods, ranging from shallow machine learning approaches to advanced deep neural networks. We investigate the robustness of existing SMS spam detection models and popular anti-spam services against spammers' evasion techniques. Our findings reveal that the majority of shallow machine learning based techniques and anti-spam services exhibit inadequate performance when it comes to accurately classifying SMS spam messages. We observe that all of the machine learning approaches and anti-spam services are susceptible to various evasive strategies employed by spammers. To address the identified limitations, our study advocates for researchers to delve into these areas to advance the field of SMS spam detection and anti-spam services.

computer science, information systems,telecommunications,engineering, electrical & electronic

B. Issac,R. Chiong,S.M. Jacob

DOI: https://doi.org/10.48550/arXiv.1410.4672

2014-10-17

Abstract:One of the biggest problems with the Internet technology is the unwanted spam emails. The well disguised phishing email comes in as part of the spam and makes its entry into the inbox quite frequently nowadays. While phishing is normally considered a consumer issue, the fraudulent tactics the phishers use are now intimidating the corporate sector as well. In this paper, we analyze the various aspects of phishing attacks and draw on some possible defenses as countermeasures. We initially address the different forms of phishing attacks in theory, and then look at some examples of attacks in practice, along with their common defenses. We also highlight some recent statistical data on phishing scam to project the seriousness of the problem. Finally, some specific phishing countermeasures at both the user level and the organization level are listed, and a multi-layered anti-phishing proposal is presented to round up our studies.

Cryptography and Security

Jerson Francia,Derek Hansen,Ben Schooley,Matthew Taylor,Shydra Murray,Greg Snow

2024-06-19

Abstract:This paper explores the rising concern of utilizing Large Language Models (LLMs) in spear phishing message generation, and their performance compared to human-authored counterparts. Our pilot study compares the effectiveness of smishing (SMS phishing) messages created by GPT-4 and human authors, which have been personalized to willing targets. The targets assessed the messages in a modified ranked-order experiment using a novel methodology we call TRAPD (Threshold Ranking Approach for Personalized Deception). Specifically, targets provide personal information (job title and location, hobby, item purchased online), spear smishing messages are created using this information by humans and GPT-4, targets are invited back to rank-order 12 messages from most to least convincing (and identify which they would click on), and then asked questions about why they ranked messages the way they did. They also guess which messages are created by an LLM and their reasoning. Results from 25 targets show that LLM-generated messages are most often perceived as more convincing than those authored by humans, with messages related to jobs being the most convincing. We characterize different criteria used when assessing the authenticity of messages including word choice, style, and personal relevance. Results also show that targets were unable to identify whether the messages was AI-generated or human-authored and struggled to identify criteria to use in order to make this distinction. This study aims to highlight the urgent need for further research and improved countermeasures against personalized AI-enabled social engineering attacks.

Computers and Society,Artificial Intelligence

Muhammad Salman,Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.48550/arXiv.2210.10451

2022-10-19

Abstract:The short message service (SMS) was introduced a generation ago to the mobile phone users. They make up the world's oldest large-scale network, with billions of users and therefore attracts a lot of fraud. Due to the convergence of mobile network with internet, SMS based scams can potentially compromise the security of internet services as well. In this study, we present a new SMS scam dataset consisting of 153,551 SMSes. This dataset that we will release publicly for research purposes represents the largest publicly-available SMS scam dataset. We evaluate and compare the performance achieved by several established machine learning methods on the new dataset, ranging from shallow machine learning approaches to deep neural networks to syntactic and semantic feature models. We then study the existing models from an adversarial viewpoint by assessing its robustness against different level of adversarial manipulation. This perspective consolidates the current state of the art in SMS Spam filtering, highlights the limitations and the opportunities to improve the existing approaches.

Cryptography and Security

Cori Faklaris

2024-01-26

Abstract:This paper describes three principal challenges in smishing mitigation - limitations of device affordances, complexity of infrastructure, and cognitive and contextual factors of mobile device use. We give a high-level overview of ideas that can mitigate smishing and work around these challenges.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Ho Sung Shim,Hyoungjun Park,Kyuhan Lee,Jang-Sun Park,Seonhye Kang

2024-10-18

Abstract:Smishing, which aims to illicitly obtain personal information from unsuspecting victims, holds significance due to its negative impacts on our society. In prior studies, as a tool to counteract smishing, machine learning (ML) has been widely adopted, which filters and blocks smishing messages before they reach potential victims. However, a number of challenges remain in ML-based smishing detection, with the scarcity of annotated datasets being one major hurdle. Specifically, given the sensitive nature of smishing-related data, there is a lack of publicly accessible data that can be used for training and evaluating ML models. Additionally, the nuanced similarities between smishing messages and other types of social engineering attacks such as spam messages exacerbate the challenge of smishing classification with limited resources. To tackle this challenge, we introduce a novel data augmentation method utilizing a few-shot prompt learning approach. What sets our approach apart from extant methods is the use of the principles of persuasion, a psychology theory which explains the underlying mechanisms of smishing. By designing prompts grounded in the persuasion principles, our augmented dataset could effectively capture various, important aspects of smishing messages, enabling ML models to be effectively trained. Our evaluation within a real-world context demonstrates that our augmentation approach produces more diverse and higher-quality smishing data instances compared to other cutting-edging approaches, leading to substantial improvements in the ability of ML models to detect the subtle characteristics of smishing messages. Moreover, our additional analyses reveal that the performance improvement provided by our approach is more pronounced when used with ML models that have a larger number of parameters, demonstrating its effectiveness in training large-scale ML models.

Social and Information Networks,Artificial Intelligence

Xi Chen,Indranil Bose,Alvin Leung,Chenhui Guo

2009-01-01

Abstract:We assess the severity of phishing attacks in terms of their risk levels and the potential loss in market value to the firms. We analyze 1,030 phishing alerts released on a public database as well as financial data related to the targeted firms using a hybrid text and data mining method that predicts the severity of the attack with high accuracy. Our research identifies the important textual and financial variables that impact the severity of the attacks and determine that different antecedents influence risk level and potential financial loss associated with phishing attacks.

Matheesha Fernando,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.2004.13262

2020-04-28

Abstract:Phishing is a way of stealing people's sensitive information such as username, password and banking details by disguising as a legitimate entity (i.e. email, website). Anti-phishing education considered to be vital in strengthening "human", the weakest link in information security. Previous research in anti-phishing education focuses on improving educational interventions to better interact the end user. However, one can argue that existing anti-phishing educational interventions are limited in success due to their outdated teaching content incorporated. Furthermore, teaching outdated anti-phishing techniques might not help combat contemporary phishing attacks. Therefore, this research focuses on investigating the obfuscation techniques of phishing URLs used in anti-phishing education against the contemporary phishing attacks reported in <a class="link-external link-http" href="http://PhishTank.com" rel="external noopener nofollow">this http URL</a>. Our results showed that URL obfuscation with IP address has become insignificant and it revealed two emerging URL obfuscation techniques, that attackers use lately, haven't been incorporated into existing anti-phishing educational interventions.

Cryptography and Security

Guan-Hua Tu,Yuanjie Li,Chunyi Peng,Chi-Yu Li,Muhammad Taqi Raza,Hsiao-Yun Tseng,Songwu Lu

DOI: https://doi.org/10.48550/arXiv.1510.08531

2015-10-29

Cryptography and Security

Abstract:Mobile Internet is becoming the norm. With more personalized mobile devices in hand, many services choose to offer alternative, usually more convenient, approaches to authenticating and delivering the content between mobile users and service providers. One main option is to use SMS (i.e., short messaging service). Such carrier-grade text service has been widely used to assist versatile mobile services, including social networking, banking, to name a few. Though the text service can be spoofed via certain Internet text service providers which cooperated with carriers, such attacks haven well studied and defended by industry due to the efforts of research community. However, as cellular network technology advances to the latest IP-based 4G LTE, we find that these mobile services are somehow exposed to new threats raised by this change, particularly on 4G LTE Text service (via brand-new distributed Mobile-Initiated Spoofed SMS attack which is not available in legacy 2G/3G systems). The reason is that messaging service over LTE shifts from the circuit-switched (CS) design to the packet-switched (PS) paradigm as 4G LTE supports PS only. Due to this change, 4G LTE Text Service becomes open to access. However, its shields to messaging integrity and user authentication are not in place. As a consequence, such weaknesses can be exploited to launch attacks (e.g., hijack Facebook accounts) against a targeted individual, a large scale of mobile users and even service providers, from mobile devices. Current defenses for Internet-Initiated Spoofed SMS attacks cannot defend the unprecedented attack. Our study shows that 53 of 64 mobile services over 27 industries are vulnerable to at least one threat. We validate these proof-of-concept attacks in one major US carrier which supports more than 100 million users. We finally propose quick fixes and discuss security insights and lessons we have learnt.

Azhar Ghafoor,,Munam Ali Shah,Bilal Zaka,Muhammad Nawaz,,,

DOI: https://doi.org/10.58245/ipsi.tir.2402.06

2024-07-01

Abstract:Phishing remains a pervasive cybersecurity threat, leveraging social engineering and technological deception to obtain sensitive information and credentials. This research explores novel attack paths employed by sophisticated adversaries, focusing on the identification and analysis of emerging tactics to enhance understanding and awareness of evolving phishing threats. The study uncovers various attack vectors, including the impersonation of reputable entities and the exploitation of legitimate platforms for malicious purposes. Notably, it highlights the increasing prevalence of documentbased and social media-based phishing campaigns, underscoring the adaptability of attackers in exploiting diverse channels to deceive users. Furthermore, the research evaluates the effectiveness of current countermeasures and proposes actionable strategies to mitigate phishing risks for organizations. Recommendations include strengthening email protection measures, implementing robust web filtering systems, and conducting simulated phishing campaigns to enhance employee awareness. By providing insights into emerging attack paths and practical recommendations, this research contributes to the ongoing efforts to combat phishing threats and strengthen cybersecurity resilience. The findings underscore the critical importance of proactive measures and continuous vigilance in safeguarding against evolving cyber threats in today's dynamic digital landscape.

Trevor Wood,Vitor Basto-Fernandes,Eerke Boiten,Iryna Yevseyeva

DOI: https://doi.org/10.48550/arXiv.2204.13054

2022-04-28

Abstract:Most research into anti-phishing defence assumes that the mal-actor is attempting to harvest end-users' personally identifiable information or login credentials and, hence, focuses on detecting phishing websites. The defences for this type of attack are usually activated after the end-user clicks on a link, at which point the link is checked. This is known as after-the-click detection. However, more sophisticated phishing attacks (such as spear-phishing and whaling) are rarely designed to get the end-user to visit a website. Instead, they attempt to get the end-user to perform some other action, for example, transferring money from their bank account to the mal-actors account. These attacks are rarer, and before-the-click defence has been investigated less than after-the-click defence. To better integrate and contextualize these studies in the overall anti-phishing research, this paper presents a systematic literature review of proposed anti-phishing defences. From a total of 6330 papers, 21 primary studies and 335 secondary studies were identified and examined. The current research was grouped into six primary categories, blocklist/allowlist, heuristics, content, visual, artificial intelligence/machine learning and proactive, with an additional category of "other" for detection techniques that do not fit into any of the primary categories. It then discusses the performance and suitability of using these techniques for detecting phishing emails before the end-user even reads the email. Finally, it suggests some promising areas for further research.

Cryptography and Security

M. Tariq Banday,Jameel A. Qadri

DOI: https://doi.org/10.48550/arXiv.1112.5732

2011-12-24

Abstract:In today's business environment, it is difficult to imagine a workplace without access to the web, yet a variety of email born viruses, spyware, adware, Trojan horses, phishing attacks, directory harvest attacks, DoS attacks, and other threats combine to attack businesses and customers. This paper is an attempt to review phishing - a constantly growing and evolving threat to Internet based commercial transactions. Various phishing approaches that include vishing, spear phishng, pharming, keyloggers, malware, web Trojans, and others will be discussed. This paper also highlights the latest phishing analysis made by Anti-Phishing Working Group (APWG) and Korean Internet Security Center.

Cryptography and Security

Claudio Marforio,Ramya Jayaram Masti,Claudio Soriente,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.1502.06824

2015-02-24

Cryptography and Security

Abstract:Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on the user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim of the attacker. Consequently, the research community has deemed personalized security indicators as an ineffective phishing detection mechanism. We evaluate personalized security indicators as a phishing detection solution in the context of mobile applications. We conducted a large-scale user study where a significant amount of participants that used personalized security indicators were able to detect phishing. All participants that did not use indicators could not detect the attack and entered their credentials to a phishing application. We found the difference in the attack detection ratio to be statistically significant. Personalized security indicators can, therefore, help phishing detection in mobile applications and their reputation as an anti-phishing mechanism should be reconsidered. We also propose a novel protocol to setup personalized security indicators under a strong adversarial model and provide details on its performance and usability.