With the advances in deep learning, speaker verification has achieved very high accuracy and is gaining popularity as a type of biometric authentication option in many scenes of our daily life, especially the growing market of web services. Compared to traditional passwords, “vocal passwords” are much more convenient as they relieve people from memorizing different passwords. However, new machine learning attacks are putting these voice authentication systems at risk. Without a strong security guarantee, attackers could access legitimate users’ web accounts by fooling the deep neural network (DNN) based voice recognition models. In this article, we demonstrate an easy-to-implement data poisoning attack to the voice authentication system, which cannot be captured effectively by existing defense mechanisms. Thus, we also propose a more robust defense method called Guardian, a convolutional neural network-based discriminator. The Guardian discriminator integrates a series of novel techniques including bias reduction, input augmentation, and ensemble learning. Our approach is able to distinguish about 95% of attacked accounts from normal accounts, which is much more effective than existing approaches with only 60% accuracy.
more »
« less
Hack for Hire: Exploring the Emerging Market for Account Hijacking
Email accounts represent an enticing target for attackers, both for the information they contain and the root of trust they provide to other connected web services. While defense-in-depth approaches such as phishing detection, risk analysis, and two-factor authentication help to stem large-scale hijackings, targeted attacks remain a potent threat due to the customization and effort involved. In this paper, we study a segment of targeted attackers known as "hack for hire" services to understand the playbook that attackers use to gain access to victim accounts. Posing as buyers, we interacted with 27 English, Russian, and Chinese blackmarket services, only five of which succeeded in attacking synthetic (though realistic) identities we controlled. Attackers primarily relied on tailored phishing messages, with enough sophistication to bypass SMS two-factor authentication. However, despite the ability to successfully deliver account access, the market exhibited low volume, poor customer service, and had multiple scammers. As such, we surmise that retail email hijacking has yet to mature to the level of other criminal market segments.
more »
« less
- PAR ID:
- 10100956
- Date Published:
- Journal Name:
- The World Wide Web Conference
- Page Range / eLocation ID:
- 1279 to 1289
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are ``off'' about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email --- usually, the presence of a link requesting an action --- triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.more » « less
-
The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding — used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.more » « less
-
Older adults are rapidly increasing their use of online services such as banking, social media, and email - services that come with subtle and serious security and privacy risks. Older adults with mild cognitive impairment (MCI) are particularly vulnerable to these risks because MCI can reduce their ability to recognize scams such as email phishing, follow recommended password guidelines, and consider the implications of sharing personal information. Older adults with MCI often cope with their impairments with the help of caregivers, including partners, children, and professional health personnel, when using and managing online services. Yet, this too carries security and privacy risks: sharing personal information with caregivers can create issues of agency, autonomy, and even risk embarrassment and information leakage; caregivers also do not always act in their charges' best interest. Through a series of interviews conducted in the US, we identify a spectrum of safeguarding strategies used and consider them through the lens of 'upside and downside risk' where there are tradeoffs between reduced privacy and maintaining older adults' autonomy and access to online services.more » « less
-
more » « less
To assess the efficacy of routine activity theory (RAT) for explaining phishing victimization and guide evidence-based policy, we launched two phishing attacks via a university Listserv ( N = 25,875). The first email offered access to a pdf file; the second offered free concert tickets. Several interesting findings emerged demonstrating phishing victimization results from network users’ routine behaviors. Students were significantly less likely to open the phishing email sharing a pdf but more likely to open the email offering free concert tickets. Moreover, students were mor e likely to click the malicious link embedded within the phishing email in both studies, often using mobile devices. Conversely, employees were more likely to click the link while connected to the university network, thus exposing the network to greater levels of risk. Finally, the email offering concert tickets was opened at a frequency more than double the email containing the pdf. Theoretical and policy implications are discussed.
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1145/3308558.3313489
