When Internet users are asked to
make "trust" decisions they often make the wrong decision. Implicit
trust decisions include decisions about whether or not to open an
email attachment or provide information in response to an email that
claims to have been sent by a trusted entity. Explicit trust decisions
are decisions made in response to specific trust- or security-related
prompts such as pop-up boxes that ask the user whether to trust an
expired certificate, execute downloaded software, or allow macros to
execute. Attackers are able to take advantage of most users' poor
trust decision-making skills through a class of attacks known as
"semantic attacks." It is not always possible for systems to make
accurate trust decisions on a user's behalf, especially when those
decisions require knowledge of contextual information. The
goal of this research is not to make trust decisions for users, but
rather to develop approaches to support users when they make trust
decisions. This work is sponsored by the US National Science
Foundation under Grant No. 0524189, Fundação para a Ciência e Tecnologia (FCT) Portugal under a grant from the Information and Communications Technology Institute (ICTI) at CMU, and ARO/CyLab (See also the CyLab
announcement about this project.) Any opinions, findings, and
conclusions or recommendations expressed in this material are those
of the author(s) and do not necessarily reflect the views of the
National Science Foundation or the Army Research Office.
October 2009: After five very productive years, we've completed this project and moved on to
other things. Many of the solutions developed by this
project are now commercialized by Wombat Security Technologies,
Improving Phishing Countermeasures
S. Sheng, P. Kumaraguru, A. Acquisti, L. Cranor, and
J. Hong. Improving
phishing countermeasures: An analysis of expert interviews. In eCrime Researchers Summit,
2009. eCRIME'09., pages 1-15.
We are developing a web-based interactive game, Anti-Phishing Phil, to teach people how
to avoid falling for phishing attacks. You can play the game online.
Through a collaboration between CMU and Portugal Telecom, we developed a
Portuguese version of this game, Anti-Phishing Ze.
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti,
L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
Anti-phishing toolbar testing
We have developed a test bed for semi-automated testing of
anti-phishing toolbars. We have used this testbed to test 10
popular anti-phishing toolbars. It has also been useful in testing
our own anti-phishing toolbar. We have also conducted a study to test whether users pay attention to anti-phishing toolbar warnings.
S. Sheng, B. Wardman, G. Warner, L. Cranor,
J. Hong, and C. Zhang. An Empirical
Analysis of Phishing Blacklists. CEAS 2009.
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish:
Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28 February - 2 March, 2007.
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the
Effectiveness of Web Browser Phishing Warnings. CHI 2008.
CANTINA (Carnegie Mellon ANTI-phishing and Network Analysis tool)
is a novel, content-based approach to detecting phishing web sites,
based on the well-known TF-IDF algorithm used in information
retrieval. Our experiments show that CANTINA is good at detecting
phishing sites, correctly labeling approximately 95% of phishing sites.
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Banff, Alberta, Canada, May 8-12, 2007.
G. Xiang, C. Rose, J. Hong, and B. Pendleton. A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection. European Symposium on Research in Computer Security (ESORICS 2010). To appear.
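The lexical-signature check that CANTINA builds on, as an added example written for this page (not CANTINA's own code): the top-5 TF-IDF terms of a page are computed against a small corpus, those terms are looked up in a search index, and the page is trusted only if its own domain appears among the results; two URL heuristics run alongside. Everything not in the paragraph above is an assumption made for the example: the three constructed pages that double as the search index (standing in for the live search-engine query), the last-two-labels registered-domain helper, the dot-count threshold, and the plain OR decision rule in place of CANTINA's tuned weighting.

```python
"""Added example: a CANTINA-style lexical-signature check (not CANTINA's code).

Assumptions made here: the three-page "web" below doubles as the search index
that stands in for a live search-engine query, registered domains are
approximated by the last two host labels, and the final verdict is a plain OR
over the checks rather than CANTINA's tuned weighting.
"""
import math
import re
from collections import Counter
from urllib.parse import urlparse

TOKEN = re.compile(r"[a-z]{3,}")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample pages (not real sites; .test is a reserved TLD).
BANK_TEXT = ("Example Bank online banking. Sign in to Example Bank online banking "
             "with your username and password. Example Bank will never ask for "
             "your password by email.")
SEARCH_INDEX = {
    "examplebank.test": BANK_TEXT,
    "shop.test": "Weekly deals on shoes, bags and jackets. Add items to your cart "
                 "and check out with free shipping.",
    "news.test": "Daily news headlines: weather, sports, politics and business "
                 "updates from around the world.",
}


def tokenize(text):
    """Lower-case alphabetic tokens of three or more letters."""
    return TOKEN.findall(text.lower())


def lexical_signature(page_text, corpus, k=5):
    """Top-k TF-IDF terms of page_text; IDF is taken over corpus plus the page.

    TF is the term's share of the page's tokens, IDF is log(N / (1 + df)).
    Ties are broken alphabetically so the signature is deterministic.
    """
    tokens = tokenize(page_text)
    tf = Counter(tokens)
    df = Counter()
    for doc in corpus:
        df.update(set(tokenize(doc)))
    n_docs = len(corpus) + 1
    scores = {t: (c / len(tokens)) * math.log(n_docs / (1 + df[t]))
              for t, c in tf.items()}
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [term for term, _ in ranked[:k]]


def search(signature, index, top_n=30):
    """Stand-in for the search-engine query: rank indexed domains by how many
    signature terms their page contains and drop domains with no hits."""
    hits = []
    for domain, text in index.items():
        present = set(tokenize(text))
        n = sum(1 for t in signature if t in present)
        if n:
            hits.append((n, domain))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return [domain for _, domain in hits[:top_n]]


def registered_domain(host):
    """Crude registered domain: the last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_heuristics(url):
    """URL-only indicators in the spirit of CANTINA's heuristics; thresholds are assumed."""
    host = urlparse(url).hostname or ""
    return {
        "ip_host": bool(IPV4.match(host)),
        "many_dots": host.count(".") >= 5,  # assumed threshold
        "at_sign": "@" in url,
    }


def classify(url, page_text, index, top_n=30):
    """Signature lookup plus URL heuristics; returns the evidence and a verdict."""
    signature = lexical_signature(page_text, list(index.values()))
    results = search(signature, index, top_n)
    own = registered_domain(urlparse(url).hostname or "")
    domain_matches = own in {registered_domain(d) for d in results}
    heuristics = url_heuristics(url)
    # Decision rule (assumption, not CANTINA's weighting): phish unless the page's
    # own domain is returned for its signature and no URL heuristic fires.
    is_phish = (not domain_matches) or any(heuristics.values())
    return {"signature": signature, "results": results,
            "domain_matches": domain_matches, "heuristics": heuristics,
            "is_phish": is_phish}


if __name__ == "__main__":
    # The phish copies the bank's page text but lives at an IP address or a
    # lookalike domain; the signature still resolves to examplebank.test.
    for url in ("https://www.examplebank.test/login",
                "http://192.0.2.10/examplebank/login.php",
                "http://examplebank-secure-login.test/signin"):
        print(url, classify(url, BANK_TEXT, SEARCH_INDEX))
```

The lookalike-domain case is the one the URL heuristics miss and the content check catches: the cloned page's signature points at the real bank, and the lookalike host is not among the domains returned for it.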
We are developing a new email-based anti-phishing training system
called PhishGuru, in which training messages are designed to look like actual phishing
messages. When users "fall" for our messages, we immediately present
them with interventions that contain information about phishing and teach them how to avoid
falling for real scams. This approach has shown great promise in our
laboratory and field studies, and is now being commercialized by
Wombat Security Technologies.
P. Kumaraguru, L. Cranor, and L. Mather. Anti-Phishing Landing Page: Turning a
404 into a Teachable Moment for End Users. CEAS 2009.
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor,
J. Hong, M.A. Blair, and T. Pham. School
of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
Ponnurangam Kumaraguru. PhishGuru: A System for Educating Users about
Semantic Attacks. PhD Thesis, Computation, Organizations and Society,
Carnegie Mellon University, Pittsburgh, PA, CMU-ISR-09-106, April 14, 2009.
P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan,
A. Acquisti, L. Cranor and J. Hong. Getting Users to Pay Attention to
Anti-Phishing Education: Evaluation of Retention and
Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit,
October 4-5, 2007, Pittsburgh, PA, p. 70-81.
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor,
and J. Hong. Teaching Johnny Not to Fall for Phish. ACM Trans. Internet Technol. 10, 2 (May. 2010), 1-31.
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor,
J. Hong, and E. Nunge. Protecting People
from Phishing: The Design and Evaluation of an Embedded Training
Email System. In CHI 2007: Conference on Human Factors in
Computing Systems, San Jose, California, 28 April - 3 May, 2007.
[Originally published as CyLab Technical Report CMU-CyLab-06-017.]
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Lessons from a real world evaluation of anti-phishing training. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA.
Mental models study
We are conducting a series of mental models interviews aimed at
understanding and modeling how people make trust decisions in the
S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs. Who Falls for Phish? A Demographic Analysis of Phishing
Susceptibility and Effectiveness of Interventions. CHI 2010.
J. Downs, M. Holbrook, and L. Cranor. Behavioral
Response to Phishing Risk. Proceedings of the 2nd Annual eCrime Researchers Summit,
October 4-5, 2007, Pittsburgh, PA, p. 37-44.
J. Downs, M. Holbrook, and L. Cranor. Decision
Susceptibility to Phishing. In Proceedings of the 2006 Symposium On
Usable Privacy and Security, 12-14 July 2006, Pittsburgh,
P. Kumaraguru, A. Acquisti and L.
Cranor. Trust modeling for online transactions: A phishing
scenario. In Privacy, Security, Trust, Oct 30 - Nov 1, 2006, Ontario,
We have developed a new framework for detecting phishing emails
called PILFER (Phishing Identification by Learning on Features of
Email Received). By incorporating features specifically designed to
highlight the deceptive methods used to fool users, we are able to
accurately classify over 96% of phishing emails, while maintaining a
false positive rate on the order of 0.1%.
I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails. In Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Banff, Alberta, Canada, May 8-12, 2007. [Earlier version available as ISRI Technical Report CMU-ISRI-06-112, 2006.]
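The feature-extraction step of a PILFER-style email classifier, as an added example written for this page (not PILFER's own code). It parses a raw email with the standard library and computes the email-local features the approach relies on: IP-based URLs, non-matching URLs (the visible link text is a URL whose domain differs from the href), "here" links to a non-modal domain, an HTML body, link, domain and dot counts, and embedded script. The WHOIS domain-age and spam-filter features need external services and are left out, and the trained classifier is replaced by a plain indicator count; both emails, the registered-domain helper and that count are assumptions made for the example.

```python
"""Added example: PILFER-style feature extraction from a raw email (not PILFER's code).

Implements the email-local features described above. Assumptions: the two
emails are constructed for the example, registered domains are approximated by
the last two host labels, dots are counted in the hostname only, and
suspicion_score() is a simple indicator count standing in for the trained
classifier, not the paper's random forest.
"""
import email
import re
from collections import Counter
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URL_TEXT = re.compile(r"^(https?://|www\.)", re.I)

# Constructed phish: visible bank URL over an IP href, a "here" link to a third
# domain, and a redirecting script.
PHISH_EMAIL = """\
From: "Example Bank Security" <security@examplebank.test>
To: victim@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account has been limited.</p>
<p>Sign in at <a href="http://192.0.2.44/examplebank/login">http://www.examplebank.test/login</a>
to restore access, or click <a href="http://secure-verify.test/x">here</a>.</p>
<p>Questions? Visit <a href="http://192.0.2.44/examplebank/help">http://192.0.2.44/examplebank/help</a>.</p>
<script>document.location.href="http://192.0.2.44/examplebank/login";</script>
</body></html>
"""

# Constructed legitimate newsletter: every link points at the sender's own domain.
LEGIT_EMAIL = """\
From: newsletter@shop.test
To: you@example.test
Subject: Weekly deals
Content-Type: text/html; charset="utf-8"

<html><body><p>This week's deals are <a href="https://www.shop.test/deals">here</a>.
Manage preferences at <a href="https://www.shop.test/prefs">https://www.shop.test/prefs</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and notes any <script> tag."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of [href, text]
        self.has_script = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)
        elif tag == "script":
            self.has_script = True

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registered_domain(host):
    """Last two labels, or the address itself for IP hosts (no public-suffix list)."""
    if IPV4.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _host(url):
    return urlparse(url).hostname or ""


def extract_features(raw_message):
    """Feature vector for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if html_part is not None:
        collector.feed(html_part.get_content())
    hrefs = [href for href, _ in collector.links if href]
    hosts = [_host(h) for h in hrefs]
    domains = Counter(registered_domain(h) for h in hosts if h)
    modal = domains.most_common(1)[0][0] if domains else ""  # most frequent domain
    nonmatching = here_links = 0
    for href, text in collector.links:
        text = text.strip()
        target = registered_domain(_host(href))
        if URL_TEXT.match(text):
            shown = text if "://" in text else "http://" + text
            if registered_domain(_host(shown)) != target:
                nonmatching += 1      # displayed URL and real target disagree
        elif text.lower() in ("here", "click here", "link") and target != modal:
            here_links += 1           # "here" link leaving the modal domain
    return {
        "is_html": html_part is not None,
        "has_script": collector.has_script,
        "num_links": len(hrefs),
        "num_domains": len(domains),
        "max_dots": max((h.count(".") for h in hosts), default=0),
        "ip_urls": sum(bool(IPV4.match(h)) for h in hosts),
        "nonmatching_urls": nonmatching,
        "here_links_to_nonmodal": here_links,
    }


def suspicion_score(f):
    """Assumed stand-in for the trained classifier: number of indicators that fire."""
    return sum([f["ip_urls"] > 0, f["nonmatching_urls"] > 0,
                f["here_links_to_nonmodal"] > 0, f["has_script"],
                f["num_domains"] > 1])


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        feats = extract_features(raw)
        print(name, suspicion_score(feats), feats)
```

The non-matching-URL feature is the one worth watching in practice: a link whose visible text is the bank's URL while the href goes elsewhere is exactly the deception the "semantic attack" framing above points at, and it is invisible to a user who never hovers over the link.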
Other CMU Anti-Phishing Projects
Phoolproof Phishing Prevention
Phoolproof Phishing Prevention (developed by Adrian Perrig and his
students) uses a trusted device to perform mutual authentication
that eliminates reliance on perfect user behavior, thwarts
Man-in-the-Middle attacks after setup, and protects a user's
account even in the presence of keyloggers and most forms of
In the news
carries out phishing study by Edmund Huber, The Tartan, 6
tool detects something phishy by Bonnie Pfister, Pittsburgh Tribune-Review, 12/11/07.
Current education inadequate to fight phishing by Elizabeth
Montalbano, Computerworld, 10 October 2007.
teaches users about the threats of phishing by Kun Xian Leong,
The Tartan, 8 October 2007.
victims learn online security lesson by Robert Jacques, vnunet.com, 3 October 2007.
Phish, Dr. Dobb's Journal, 2 October 2007.
Coolest Security Tool Ever!
- Online game to teach cyber-security
by Alexandru Dumitru, Softpedia, 2 October 2007.
Game To Help Raise Awareness, Portalit.net, 1 October 2007.
develop Anti-Phishing game to educate Web users by Ruben Francia,
BLORGE.com, 29 September 2007.
Mellon's Online Game Helps People Recognize Internet Scams,
Phishing by Regina Sass, Associated Press, 28 September 2007.
new game developed at Carnegie Mellon University educates users on
phishing threats. by Christopher Nickson, Digital Trends, 27
caught hook, line and sinker by Stuart Turton, PC Pro, 26
Mellon floats anti-phishing game by Robert Jaques, PC Magazine, 26
Anti-Phishing Phil helps users identify Internet scams--try it! by
Deb Smit, POP City, 26 September 2007.
named Phil helps foil phishers, CBC News, 26 September 2007.
truth about anti-phishing toolbars by Paul
Roberts, InfoWorld Tech Watch, 30 November 2006.
blasts failing phishing toolbars by Shaun
Nichols, vnunet.com, 22 November 2006.
toolbars: all as hopeless as one another by John E. Dunn,
Techworld, 20 November 2006.
Filter Prevents E-Mail Identity Theft by Brian Livingston,
Executive Tech, 18 July 2006.
click anything! by Thomas Olson, Pittsburgh Tribune-Review,
12 July 2006.
work to thwart cleverer cyber scammers by Corilyn
Shropshire, Pittsburgh Post-Gazette, 12 July 2006.