13 tweets, 5 min read
Paper available here (pre-print): arxiv.org/abs/1905.02162. See thread below for an overview 👇
A set of heuristics help humans in coping with uncertain scenarios and social expectations. The cognitive psychology literature defines six “principles of influence” (Cialdini) relating to these heuristics. Phishers exploit these “cognitive vulns” to trick their victims 1/n
The intuition behind this paper is that if we can measure the effectiveness or intensity of these cognitive attacks, we can predict to what extent a phishing email can be expected to be successful. 2/n
This is critical for a quick response, esp. for large organizations whose customer base receives hundreds or thousands of unique phishing emails. Effective takedown actions, notifications to customers, and threat awareness all require a prompt response. 3/n
We collect data from a large European financial organization that gives us insights on emails received by their customers as well as the successfulness of each email in triggering “clicks” from the victims. 4/n
In line with previous research, the number of recorded clicks is relatively low. Due to infrastructural limitations, click data is available mostly for the second collection period. 5/n
To extract cognitive features from emails we employ Labeled Latent Dirichlet Allocation (LLDA) to assign emails to a topic (= cognitive vuln). We evaluate the intensity of a cognitive attack as the number of keywords (vuln. triggers) associated with that topic. 6/n
In the paper we report a number of stats on observed campaigns, their duration, and attack characteristics. Reporting some self-explanatory plots here. 7/n
Across all emails, Consistency and Scarcity appear to be the most frequently employed cognitive vulnerabilities. This may be domain dependent (here we are in the financial domain). 8/n
Relating vulnerability triggers with observed clicks, we see a range of effects: consistency, scarcity clearly positively related with #clicks. Reciprocity is negatively corr, likely because of weak exploits in text. (dis-)similarity of spoofed domains also has clear effect. 9/n
We model the data using a set of (bootstrapped) regressions (full table in paper). Effect of Reciprocity, Consistency, Scarcity, Spoofing distance are confirmed. Full model suffers from relatively few data points. We use robust estimation methods to quantify uncertainty. 10/n
We use the models to predict number of clicks that can be expected for unmeasured emails. In our sample, top 10% of emails likely to trigger twice as much as “median” email. Rather than going FCFS or random, our method allows for an efficient response prioritization. 11/n
The paper discusses implications of the results and specific effects emerging from our analysis (sec 6). Summary of paper below. 12/12 Full paper 👉 arxiv.org/abs/1905.02162
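A minimal worked version of the triage idea described in the thread, added here as an illustration and not code from the paper or its authors: per-principle intensity is the count of trigger phrases in an email, spoofing distance is the edit distance between the sender domain and the legitimate one, and an assumed linear model ranks emails for response prioritisation instead of first-come-first-served. The trigger lists and the weights are constructed assumptions; the paper derives its topics with Labeled LDA and fits its weights by bootstrapped regression.

```python
# Constructed trigger phrases per Cialdini principle (assumption: the paper
# derives its topics with Labeled LDA rather than from a fixed keyword list).
TRIGGERS = {
    "reciprocity": ["free", "gift", "bonus", "reward"],
    "consistency": ["as agreed", "as you requested", "your account", "confirm"],
    "social_proof": ["other customers", "everyone", "most users"],
    "authority": ["security team", "compliance", "official"],
    "liking": ["dear friend", "valued customer"],
    "scarcity": ["urgent", "immediately", "expires", "limited", "within 24 hours"],
}

# Assumed regression weights: the signs follow the thread (consistency and
# scarcity raise expected clicks, reciprocity lowers them, spoofing distance has
# an effect); the magnitudes are invented for illustration, not the paper's fit.
COEF = {"intercept": 0.5, "consistency": 0.4, "scarcity": 0.5,
        "reciprocity": -0.3, "spoof_distance": -0.1}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between sender and legitimate domain (spoofing distance)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def intensities(text: str) -> dict:
    """Attack intensity per principle = number of trigger phrases in the text."""
    low = text.lower()
    return {p: sum(low.count(k) for k in kws) for p, kws in TRIGGERS.items()}


def expected_clicks(text: str, sender_domain: str, legit_domain: str) -> float:
    """Linear stand-in for the paper's regression: predicted clicks for one email."""
    feats = intensities(text)
    feats["spoof_distance"] = levenshtein(sender_domain, legit_domain)
    return COEF["intercept"] + sum(w * feats[k] for k, w in COEF.items()
                                   if k != "intercept")


def prioritise(emails: list) -> list:
    """Rank (id, text, sender_domain, legit_domain) tuples by predicted clicks,
    highest first, so takedown and customer notification go to the riskiest email."""
    scored = [(expected_clicks(t, s, l), i) for i, t, s, l in emails]
    return [i for _, i in sorted(scored, key=lambda x: x[0], reverse=True)]
```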