, 13 tweets, 5 min read Read on Twitter
paper available here (pre-print): arxiv.org/abs/1905.02162. See thread below for an overview 👇
A set of heuristics help humans in coping with uncertain scenarios and social expectations. The cognitive psychology literature defines six “principles of influence” (Cialdini) relating to these heuristics. Phishers exploit these “cognitive vulns” to trick their victims 1/n
The intuition behind this paper is that if we can measure the effectiveness or intensity of these cognitive attacks, we can predict to what extent a phishing email can be expected to be successful. 2/n
This is critical for a quick response, esp. for large organizations whose customer base receives hundreds or thousands of unique phishing emails. Effective takedown actions, notifications to customers, and threat awareness all require a prompt response. 3/n
We collect data from a large European financial organization that gives us insights on emails received by their customers as well as the successfulness of each email in triggering “clicks” from the victims. 4/n
In line with previous research, the number of recorded clicks is relatively low. Due to infrastructural limitations, click data is available mostly for the second collection period. 5/n
To extract cognitive features from emails we employ Labeled Latent Dirichlet Allocation (LLDA) to assign emails to a topic (= cognitive vuln). We evaluate the intensity of a cognitive attack as the number of keywords (vuln. triggers) associated with that topic. 6/n
In the paper we report a number of stats on observed campaigns, their duration, and attack characteristics. Reporting some self-explanatory plots here. 7/n
Across all emails, Consistency and Scarcity appear to be the most frequently employed cognitive vulnerabilities. This may be domain dependent (here we are in the financial domain). 8/n
Relating vulnerability triggers with observed clicks, we see a range of effects: consistency, scarcity clearly positively related with #clicks. Reciprocity is negatively corr, likely because of weak exploits in text. (dis-)similarity of spoofed domains also has clear effect. 9/n
We model the data using a set of (bootstrapped) regressions (full table in paper). Effect of Reciprocity, Consistency, Scarcity, Spoofing distance are confirmed. Full model suffers from relatively few data points. We use robust estimation methods to quantify uncertainty. 10/n
We use the models to predict number of clicks that can be expected for unmeasured emails. In our sample, top 10% of emails likely to trigger twice as much as “median” email. Rather than going FCFS or random, our method allows for an efficient response prioritization. 11/n
The paper discusses implications of the results and specific effects emerging from our analysis (sec 6). Summary of paper below. 12/12 Full paper 👉 arxiv.org/abs/1905.02162
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Luca
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!