X-Platform phishing: Abusing trust for targeted attacks short paper

Hossein Siadati, Toan Nguyen, Nasir Memon

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The goal of anti-phishing techniques is to reduce the delivery rate of phishemails, and anti-phishing training aims to decrease the phishing click-through rates. This paper presents the X-Platform Phishing Attack, a deceptive phishing attack with an alarmingly high delivery and click-through rates, and highlights a subclass of phishing attacks that existing anti-phishing methods do not seem to be able to address. The main characteristic of this attack is that an attacker is able to embed a malicious link within a legitimate message generated by service providers (e.g., Github, Google, Amazon) and sends it using their infrastructure to his targets. This technique results in the bypassing of existing anti-phishing filters because it utilizes reputable service providers to generate seemingly legitimate emails. This also makes it highly likely for the targets of the attack to click on the phishing link as the email id of a legitimate provider is being used. An X-Platform Phishing attack can use email-based messaging and notification mechanisms such as friend requests, membership invitations, status updates, and customizable gift cards to embed and deliver phishing links to their targets. We have tested the delivery and click-through rates of this attack experimentally, based on a customized phishing email tunneled through GitHub’s pull-request mechanism. We observed that 100% of X-Platform Phishing emails passed the anti-phishing systems and were delivered to the inbox of the target subjects. All of the participants clicked on phishing messages, and in some cases, forwarded the message to other project collaborators who also clicked on the phishing links.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - FC 2017 International Workshops, WAHC, BITCOIN, VOTING, WTSC, and TA, Revised Selected Papers
EditorsAndrew Miller, Michael Brenner, Kurt Rohloff, Joseph Bonneau, Vanessa Teague, Andrea Bracciali, Massimiliano Sala, Federico Pintore, Markus Jakobsson, Peter Y.A. Ryan
PublisherSpringer Verlag
Pages587-596
Number of pages10
ISBN (Print)9783319702773
DOIs
StatePublished - 2017
Event21st International Workshops on Financial Cryptography and Data Security, FC 2017 held in conjuction with 5th Workshop on Encrypted Computing and Applied Homomorphic Cryptography, WAHC 2017, 4th Workshop on Bitcoin and Blockchain Research, BITCOIN 2017, 2nd Workshop on Advances in Secure Electronic Voting Schemes, VOTING 2017, 1st Workshop on Trusted Smart Contracts, WTSC 2017 and 1st Workshop on Targeted Attacks, TA 2017 - Sliema, Malta
Duration: Apr 7 2017Apr 7 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10323 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other21st International Workshops on Financial Cryptography and Data Security, FC 2017 held in conjuction with 5th Workshop on Encrypted Computing and Applied Homomorphic Cryptography, WAHC 2017, 4th Workshop on Bitcoin and Blockchain Research, BITCOIN 2017, 2nd Workshop on Advances in Secure Electronic Voting Schemes, VOTING 2017, 1st Workshop on Trusted Smart Contracts, WTSC 2017 and 1st Workshop on Targeted Attacks, TA 2017
Country/TerritoryMalta
CitySliema
Period4/7/174/7/17

Keywords

  • Cross-platform attack
  • Phishing
  • Targeted attack

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'X-Platform phishing: Abusing trust for targeted attacks short paper'. Together they form a unique fingerprint.

Cite this