However, these warnings are not always successful at safeguarding the user from a phishing attack. On several occasions, users ignore these warnings and 'click through' them, eventually landing at the potentially dangerous website and giving away confidential information. Failure to understand the warning, failure to differentiate between different types of browser warnings, and diminishing trust in browser warnings due to repeated encounters are some of the reasons that make users ignore these warnings. It is important to address these factors in order to eventually improve a user's reaction to these warnings.
In this thesis, I propose a novel design to improve the effectiveness and reliability of phishing warning messages. This design utilizes the name of the target website that a fake website is mimicking to display a simple, easy-to-understand and interactive warning message with the primary objective of keeping the user away from a potential spoof website.
During October 2022, I contributed to the annual Cybersecurity Awareness Month (CSAM) program at Arizona State University (ASU). Four cybersecurity domains were explored during the month: phishing, password hygiene, physical security, and social media security. The scope of my work involved designing and developing activities related to phishing and social media security. The deliverables included 8 emails for the 'Spot the Phish' activity, an educational flier on phishing indicators, discussion questions for The Tinder Swindler documentary, and a password security question guessing game. I also collected feedback from students and faculty who participated in 'Spot the Phish' and the security question game. Participants answered questions about the difficulty of the activities and how their cybersecurity knowledge improved. The security question game didn't have much participation, so there wasn't much information to gather from the feedback. The 'Spot the Phish' activity had over 50 feedback submissions. That data suggested that the 'Spot the Phish' activity improved participants' confidence in identifying phishing emails. After reviewing the feedback and my own anecdotal experience conducting the activities, I looked into research regarding tools for cybersecurity education. Based on that research, I designed new activities to better inform students and faculty about phishing and social media security for the 2023 CSAM.
In this dissertation, I analyze the state of the anti-phishing ecosystem and show that phishers use evasion techniques, including cloaking, to bypass anti-phishing mitigations in hopes of maximizing the return-on-investment of their attacks. I develop three novel, scalable data-collection and analysis frameworks to pinpoint the ecosystem vulnerabilities that sophisticated phishing websites exploit. The frameworks, which operate on real-world data and are designed for continuous deployment by anti-phishing organizations, empirically measure the robustness of industry-standard anti-phishing blacklists (PhishFarm and PhishTime) and proactively detect and map phishing attacks prior to launch (Golden Hour). Using these frameworks, I conduct a longitudinal study of blacklist performance and the first large-scale end-to-end analysis of phishing attacks (from spamming through monetization). As a result, I thoroughly characterize modern phishing websites and identify desirable characteristics for enhanced anti-phishing systems, such as more reliable methods for the ecosystem to collectively detect phishing websites and meaningfully share the corresponding intelligence. In addition, findings from these studies led to actionable security recommendations that were implemented by key organizations within the ecosystem to help improve the security of Internet users worldwide.
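The cloaking the abstract above refers to is a server-side decision: a phishing kit inspects each incoming request and serves harmless content to anything that looks like a security crawler, while real victims receive the credential-harvesting page. The following is an added illustration written for this page; it is not code from the dissertation, from PhishFarm, PhishTime or Golden Hour, or from any real phishing kit. It models a minimal cloaking filter (user-agent tokens, source-IP blocks, and a referer check) beside the paired-fetch comparison a crawler can use to expose it. Every user-agent token, IP range, page body and request profile in it is constructed for the example.

```python
"""Illustrative cloaking model and paired-fetch detector (added example;
not the dissertation's code). All tokens, CIDR blocks and pages are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed: substrings a kit might match against crawler user agents.
CRAWLER_UA_TOKENS = ("googlebot", "bingbot", "phishtank", "curl", "python-requests")
# Constructed: documentation-range CIDR blocks standing in for vendor scanner ranges.
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

BENIGN_PAGE = "<html><body>Site under construction</body></html>"
PHISH_PAGE = ('<html><body><form action="/login" method="post">'
              'Sign in to Example Bank</form></body></html>')


@dataclass
class Request:
    """The request attributes a cloaking filter typically inspects."""
    ip: str
    user_agent: str
    referer: str = ""
    headers: dict = field(default_factory=dict)


def is_suspected_crawler(req: Request) -> bool:
    """Kit-side filter: True means 'hide the phishing content from this client'.
    Three common signals are modelled: crawler-looking user agent, source IP
    inside a blocked range, and a missing referer (victims arrive from the lure)."""
    ua = req.user_agent.lower()
    if any(tok in ua for tok in CRAWLER_UA_TOKENS):
        return True
    addr = ipaddress.ip_address(req.ip)
    if any(addr in net for net in BLOCKED_NETS):
        return True
    if not req.referer:
        return True
    return False


def cloaked_handler(req: Request) -> str:
    """Serve the benign decoy to suspected crawlers, the phishing page to everyone else."""
    return BENIGN_PAGE if is_suspected_crawler(req) else PHISH_PAGE


def honest_handler(req: Request) -> str:
    """Control: a server that returns the same content regardless of requester."""
    return PHISH_PAGE


def detect_cloaking(fetch, profiles: dict) -> tuple[bool, dict]:
    """Crawler-side check: request the same URL under several client profiles
    (here, 'fetch' is the server function) and flag any divergence in the body.
    Returns (cloaking_suspected, {profile_name: body})."""
    bodies = {name: fetch(req) for name, req in profiles.items()}
    return len(set(bodies.values())) > 1, bodies


# Constructed request profiles a crawler might rotate through.
PROFILES = {
    "scanner": Request(ip="203.0.113.7",
                       user_agent="Mozilla/5.0 (compatible; Googlebot/2.1)",
                       referer=""),
    "victim_like": Request(ip="192.0.2.10",
                           user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                      "AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
                           referer="https://webmail.example.net/inbox"),
}


def run_demo() -> dict:
    """Run both servers through the detector and return a summary for inspection."""
    cloaked_flag, cloaked_bodies = detect_cloaking(cloaked_handler, PROFILES)
    honest_flag, _ = detect_cloaking(honest_handler, PROFILES)
    return {
        "cloaked_server_flagged": cloaked_flag,
        "honest_server_flagged": honest_flag,
        "scanner_saw_phish": cloaked_bodies["scanner"] == PHISH_PAGE,
        "victim_saw_phish": cloaked_bodies["victim_like"] == PHISH_PAGE,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The detector only catches cloaking when at least one profile passes the kit's filter, which is why real crawlers vary source network, user agent and referer together rather than one at a time; a single-profile scan from a vendor IP range, as modelled by the "scanner" profile, sees only the decoy and would clear the site.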