Social Phishing



The term ‘phishing’ was first coined by the famous hacker and spammer Khan C. Smith in 1990s. Wikipedia defines phishing as the fraudulent attempt to obtain sensitive information, by disguising as a trustworthy entity in an electronic communication. However, phishing might also occur through online social media, otherwise known as Social Phishing.

 Phishing attacks via emails, prompting users to click malicious links or divulge personal information such as credit card number or password are well known. We have heard of numerous stories of emails with Nigerian princes asking for financial favours or your bank supposedly asking you to reset your password urgently. However, what most of us forget is social media as a great vector of attack in today’s age. In Social Media, people generally view content posted by their friends, family and companies or brands they chose to follow. This creates a trusted environment, different from that of emails, inundated with spam. This feeling of security along with the widespread use of social media networks attracts phishers.







Aim and Motivation

AIM:

The aim of our project was to 

  • Find the level of susceptibility of students at IIIT-H to social phishing
  • Analyze the process involved
  • Recognize which demographic is more susceptible and 
  • Raise awareness among the students regarding such attacks
MOTIVATION:

Given that there are a large number of subscribers on different social media platforms, phishing attacks on online social networks is on the rise. Here are some statistics from 2016:

Method

To test IIIT-H’s awareness of social phishing, we first sent out a questionnaire, asking them for their opinion on privacy and security in online social media. We then used their responses to formulate our vector of attack. Based on their responses, we chose three social media networks to infiltrate, sent out requests within the community and then analyzed the results.



Our survey

We first asked people which social media services they used. Based on their responses, we chose Instagram, Facebook and LinkedIn which seemed to be among the most popular.


We then asked people about their experience with phishing on social media. It seemed like 2/3rds of them had never been phished. About 15% of them had been phished via emails.



Consequently, we asked people about the steps they take to ensure privacy and security online.


Forms response chart. Question title: Do you read the privacy policy of websites while creating an account?. Number of responses: 79 responses.Forms response chart. Question title: Have you ever modified default privacy settings on online social networks?. Number of responses: 79 responses.



Finally, we allowed people to evaluate how susceptible they thought they were to phishing and how privacy-conscious they were.
Forms response chart. Question title: How susceptible do you think you are to phishing scams? . Number of responses: 79 responses.Forms response chart. Question title: How privacy-conscious are you?. Number of responses: 79 responses.

We then moved on to create a fake account on each of the social media websites, send out connection requests and analyze the response.

Facebook

In Facebook, we created the profile of a girl named Neha Aggarwal from IIIT - Delhi. Out of the 210 requests sent out, 73 people accepted the friend request.







We plotted the cumulative graph between the number of hours passed since the friend requests were sent and the number of people who accepted it. We found that approximately six hours after the messages were sent was the peak acceptance time for those friend requests.


We also drew a graph showing the relative percentages of the students in each batch who accepted the friend requests. We found that first years and interns and PGSSP students (classified as other in the graph) were most vulnerable to accepting requests from our fake account.

LinkedIn


We created a fake profile on LinkedIn as well and provided this account with a more fleshed out backstory with information about his workplace, an obscure university in Europe and prior connections. We changed the privacy settings to try to hide the fact that the account was fake. We sent out connection requests to people requesting information for summer internships. 



We sent around 200 connection requests to IIIT students on LinkedIn. Around 70% of the people who accepted the invitations also filled the form for further details that we requested.

Approximately 90% of the people who filled the forms provided resume details. Resumes contain addresses and phone numbers and other personal sensitive information and thus this was a scarily effective phishing attack.




Instagram


We found that a majority of the people who accepted friend requests on facebook were boys. So we decided to do a gender analysis on Instagram. 



We created two fake accounts, one male and one female. Each one was attached to a stock image profile and a stock image post with generic profile description. We sent 260 follow requests from each account to students in IIIT.


As expected the female account received more accepts and follow back requests as compared to the male one. The above graph shows the incoming and outgoing connections for the male and female accounts.





Another interesting observation is the fact that most of the people who accepted the male account’s request had also accepted the female account’s request. This seems to lead to the conclusion that there is a nucleus of people who accept all requests sent to them and those are the people that accepted the boy’s requests.


Results and conclusions

We compared people's tendency to accept requests on Facebook, Instagram and LinkedIn. In the graph below each vertical line represents one subject, where the blue dot represents Facebook, the red Instagram and the yellow LinkedIn. If the subject was phished on all three sites, he will have a dot in every row.


We also analyzed the responses of people who got phished, regarding their opinion of their susceptibility. Most people who got phished had initially responded to the survey very confidently about their privacy consciousness. They rated themselves 4/5 in privacy consciousness and mostly thought their susceptibility to phishing scams is about 2/5. This shows that often people, who have lesser exposure, tend to be ignorant of the possible risk and fall prey to such scams.



Some tips to stay safe on social media:

  • Don’t click unidentified links. Think before you click! Google’s Transparency report on Safe Browsing is a useful website to check links before clicking on them.
  • Don’t accept requests from strangers or send sensitive information to them.
  • If you suspect an account is fake, reverse search the profile picture to ensure authenticity.


Our Poster Presentation:










Comments

Post a Comment

Popular posts from this blog

Hate Speech Analysis on Gab

Image
Introduction Our project deals with the social media website Gab, which rose to prominence recently when Pittsburgh synagogue shooter, Robert Bowers, was found to be an active user of the social media website. But, what is Gab? Gab is basically a Twitter clone, and just like Twitter, it allows users to read and write multimedia messages of up to 300 characters, called "gabs". The major difference in the two websites is the guidelines governing them. Unlike Twitter, Gab has a small set of rules: No threats/terrorism, No illegal pornography, Legal pornography is allowed(but must be marked NSFW), and No doxxing Due to Gab's very limited set of rules rules (along with poor enforcement), it has become a breeding ground for conservative, libertarian, nationalists and populist internet users. Data Using Gab's API, we crawled the website and collected a total of 18562 gabs, around 10000 user profiles, 600 trending topics and 7500 trendi
Read more

LinkIt

Image
Introduction Our world today revolves largely around the internet, especially social media. With the advent of internet giants like Facebook, Twitter, Google, the internet has become a hub for a large part of the human population. Naturally, a large amount of personal data exists within the “secure” databases of these giants. Just how much about a person can be inferred from this treasure trove of personal data on these databases? That is exactly what we decided to figure out with this project. What is LinkIt? LinkIt is a project of the Privacy and Secirity in Online Social Media Course that aims to create awareness about the consequences of accepting requests from unknown people on online social media platforms. Aim We attempt to analyze the statistics of a group of people across multiple social networks like Facebook, Instagram, and Twitter to gauge the following Emotional band Popularity Level of activity and active hours What their broad interests are (based
Read more

Authenticity of Linkedin Profiles

Image
Authenticity of Linkedin Profiles poster Webapp demo webapp Problem Lot of people put false work experience and other information on Linkedin in order to gain attention of the recruiters. Given a linkedin profile, determine the evidence of authenticity of information present on the user's linkedin profile from publicly available information about that user on other social networks (for example facebook). Data Collection Approach : Given a username on linkedin, we scrape the information on the profile (such as work experience, education etc). From the personal information such as name, age, city etc, we then go to facebook and search for similar profiles. We try to find the most similar profile from the search result. We then scrape the timeline of the user and compare that information with the information on linkedin profile. Method : Linkedin does not provide any API to get the user profile information. Wrote a scraper using selenium to
Read more