Assessment of End-User Susceptibility to Cybersecurity Threats in Saudi Arabia by Simulating Phishing Attacks
Abstract
1. Introduction
- To the best of our knowledge, this is the third related study conducted in Saudi Arabia. In the experiment, three types of phishing attack were performed: clone phishing, email phishing and social networking phishing (SNP).
- Each attack serves as a model that provides information about phishing and indicates possible preventive measures.
- We systematically analyse each attack and discuss the impact factors from the victim’s perspective. This analysis can facilitate the understanding of user behaviour and the development of security awareness.
2. Types of Phishing
- SMS phishing (smishing): This involves writing text messages with which the phishers persuade and deceive people into disclosing their personal information. These messages ask victims to call a specific phone number or to log in to a legitimate-looking website [11].
- Clone phishing: Phishers imitate a legitimate website by cloning its design, layout, logos, and images. Usually, these websites ask a user to log into a system with the purpose of stealing user information and breaching the security of the local computer by redirecting the user to pages infected with malware [13].
- Watering hole attack (WHA): This attack is usually conducted in conjunction with other phishing and social engineering attacks. As the name implies, the attackers identify the websites most frequently visited by a specific victim or organisation, then inject a vulnerable one of those sites with malicious code or a drive-by-download malvertisement. The key method is to direct victims to a cloned or compromised website that delivers a malicious payload, or to trick the victim into clicking a link that runs malicious scripts [16,17].
3. Website Phishing Attack Simulation
3.1. Launching Website Phishing Attack through Cloning
3.2. Under-Control Group
3.3. Analysis of the Warning Page Form
- Q1: Occupation. Occupation was classified as follows: students, faculty members and employees. This classification was used to determine the correlation between occupation and cyber risk exposure, and accordingly to provide precise recommendations for increasing security awareness. Figure 5 shows the number of participants tested in this experiment according to their occupation.
- Q2: Visual signs used to determine the legitimacy of phishing websites (multiple answers). This question offered different choices regarding the overall appearance and visual signs by which the participants judged the legitimacy of the website: design and colours, fonts, domain link, or the university logo. The answers can be used to raise the participants' awareness of the most critical visual signs by which legitimate and phishing sites can be distinguished. The findings showed that 76% of the victims agreed that they were deceived by the design and colours of the site and by the university logo. Those signs were the principal factors in judging the legitimacy of the site, whereas the domain link was ignored.
- Q3: Knowledge level in information security. This was categorised as follows: high, moderate, little, and no knowledge. The percentage of participants with little knowledge reached 47%, whereas the percentage with moderate knowledge was 39%.
- Q4: Do you think that after this experiment you will be more careful before clicking on any link? (Yes/No answers.) This question measured the effectiveness of the experiment in increasing the participants' awareness of phishing attacks. All participants agreed that they would be more careful before visiting any website.
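The Q2 finding above (design, colours and logo decided legitimacy, while the domain in the link was ignored) is exactly the gap that the domain-squatting technique used in the website and email simulations exploits. The following is an added example and not code from the paper: a link checker that classifies every URL found in a page against the organisation's legitimate domain as a lookalike (homoglyph or swapped TLD), a typosquat, a combosquat (the pattern studied in [21]) or a brand-as-subdomain spoof. The domain uni-example.edu.sa, the HTML fragment of a cloned login page and all function names are constructed for the example; the small two-label suffix set stands in for a full public-suffix list.

```python
"""Lookalike-domain check for links on a suspected cloned page.

Added example; the legitimate domain, the sample HTML and the helper
names are hypothetical and not taken from the paper.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical legitimate domain of the organisation whose site was cloned.
LEGIT_DOMAIN = "uni-example.edu.sa"

# Two-label public suffixes used by this example (assumption: production
# code would consult the full public-suffix list).
TWO_LABEL_SUFFIXES = {"edu.sa", "com.sa", "co.uk", "ac.uk"}

# Confusable characters that attackers substitute for the real ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

# Constructed HTML fragment: an HTTrack-style clone keeps assets on the real
# site but posts the login form to the attacker's lookalike domain.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://uni-example.edu.sa/css/site.css">
<img src="https://uni-example.edu.sa/img/logo.png">
<form action="https://uni-exarnple.edu.sa/login.php" method="post">
<a href="https://uni-example.edu.sa.secure-login.com/reset">Forgot password?</a>
"""
LINK_RE = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def registrable_domain(host: str) -> str:
    """Registrable part of a host, e.g. portal.x.edu.sa -> x.edu.sa."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """The organisation's own label: 'x' in 'x.edu.sa'."""
    return domain.split(".")[0]


def normalise(label: str) -> str:
    """Fold Unicode, homoglyphs and hyphens so 'un1-vers1ty' ~ 'university'."""
    label = unicodedata.normalize("NFKC", label.lower())
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to detect typosquats (dropped or swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Classify a link relative to the legitimate domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    if host == legit_domain or host.endswith("." + legit_domain):
        return "legitimate"
    reg = registrable_domain(host)
    nbrand = normalise(brand_label(legit_domain))
    ncand = normalise(brand_label(reg))
    # 1. Brand name placed in the subdomain of an attacker-controlled domain.
    prefix = host[: -len(reg)].strip(".")
    if any(normalise(l) == nbrand for l in prefix.split(".") if l):
        return "subdomain-spoof"
    # 2. Same brand once homoglyphs/hyphens are folded (also a swapped TLD).
    if ncand == nbrand:
        return "lookalike"
    # 3. A couple of edits away from the brand: typosquatting.
    if levenshtein(ncand, nbrand) <= 2:
        return "typosquat"
    # 4. Brand embedded with extra tokens: combosquatting.
    if nbrand in ncand:
        return "combosquat"
    return "unrelated"


def scan_page(html: str, legit_domain: str = LEGIT_DOMAIN) -> dict:
    """Classify every absolute link, asset and form target in an HTML fragment."""
    return {u: classify_url(u, legit_domain) for u in LINK_RE.findall(html) if "://" in u}


if __name__ == "__main__":
    for url, verdict in scan_page(SAMPLE_HTML).items():
        print(f"{verdict:16s} {url}")
```

Run on the sample fragment, the stylesheet and logo resolve to the legitimate domain (which is why the clone looks authentic), while the form action is a lookalike ("rn" for "m") and the password-reset link hides the brand in the subdomain of an unrelated domain; this is the check a user would have had to perform by eye, and the reason the domain link is the one signal worth teaching.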
3.4. Discussion
- (1) X-squared =
- (2) Degrees of freedom =
- (3) Alpha = 0.05 (standard).
- (4) Critical value = 5.991, read from the chi-square table (Table 2, row d.f. = 2, column 0.05). This is the threshold against which the X-squared statistic is compared, not a probability value.
4. Domain Spoofing through Email Phishing
4.1. Structure of the Phishing Email
4.2. Structure of the ‘Awareness Page’ of the Phishing Website
4.3. Result of Spear-Phishing Email
5. Social Networking-Based Phishing Attack Simulation
Steps of Social-Networking Phishing Simulation
- Full name
- Contact number
- National ID or Iqama Number
- City
- Occupation
6. Discussion
- Commitment/consistency: the concept of completing an action you previously initiated.
- Liking: trust due to a prior interaction or familiarity, such as with a widely recognised brand.
- Authority: an authority figure mandating an action, with consequences for failing to comply.
- Scarcity: a short and specific time frame to complete an action.
7. Related Works
8. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
- [1] Al-Khater, W.A.; Al-Maadeed, S.; Ahmed, A.A.; Sadiq, A.S.; Khan, M.K. Comprehensive Review of Cybercrime Detection Techniques. IEEE Access 2020, 8, 137293–137311.
- [2] Joseph, D.P.; Norman, J. An analysis of digital forensics in cyber security. In First International Conference on Artificial Intelligence and Cognitive Computing; Springer: Singapore, 2019; pp. 701–708.
- [3] Hakar, H.K.; Joshi, R.A.; Dobariya, A. An Analysis on Scope of Cyber Security. In Proceedings of the 2019 6th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 13–15 March 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 612–615.
- [4] Leukfeldt, R.; Holt, T.J. (Eds.) The Human Factor of Cybercrime; Routledge: Abingdon, UK, 2019.
- [5] Kahimise, J.; Shava, F.B. An analysis of children's online activities and behaviours that expose them to cybercrimes. In Proceedings of the 2019 27th Telecommunications Forum (TELFOR), Belgrade, Serbia, 26–27 November 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–4.
- [6] Arora, B. Exploring and analyzing internet crimes and their behaviours. Perspect. Sci. 2016, 8, 540–542.
- [7] Surwade, A.U. Phishing e-mail is an increasing menace. Int. J. Inf. Technol. 2020, 12, 611–617.
- [8] Furnell, S.; Millet, K.; Papadaki, M. Fifteen years of phishing: Can technology save us? Comput. Fraud Secur. 2019, 2019, 11–16.
- [9] APWG. Phishing Activity Trends Report: 3rd Quarter 2017. Anti-Phishing Working Group, 2018. Available online: https://docs.apwg.org//reports/apwg_trends_report_q3_2017.pdf (accessed on 24 November 2020).
- [10] Vijayalakshmi, M.; Shalinie, S.M.; Yang, M.H. Web phishing detection techniques: A survey on the state-of-the-art, taxonomy and future directions. IET Netw. 2020, 9, 235–246.
- [11] Banu, M.N.; Banu, S.M. A comprehensive study of phishing attacks. Int. J. Comput. Sci. Inf. Technol. 2013, 4, 783–786.
- [12] Ozkaya, E. Learn Social Engineering: Learn the Art of Human Hacking with an Internationally Renowned Expert; Packt Publishing Ltd.: Birmingham, UK, 2018.
- [13] Bossetta, M. The weaponization of social media: Spear phishing and cyberattacks on democracy. J. Int. Aff. 2018, 71, 97–106.
- [14] Bhavsar, V.; Kadlak, A.; Sharma, S. Study on phishing attacks. Int. J. Comput. Appl. 2018, 182, 27–29.
- [15] Vishwanath, A. Getting phished on social media. Decis. Support Syst. 2017, 103, 70–81.
- [16] Anson, S. Applied Incident Response; John Wiley & Sons: Hoboken, NJ, USA, 2020.
- [17] Allen, J.; Yang, Z.; Landen, M.; Bhat, R.; Grover, H.; Chang, A.; Ji, Y.; Perdisci, R.; Lee, W. Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation System. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, 9–13 November 2020; pp. 787–802.
- [18] O'Leary, D.E. What phishing e-mails reveal: An exploratory analysis of phishing attempts using text analysis. J. Inf. Syst. 2019, 33, 285–307.
- [19] HTTrack. HTTrack Website Copier. 2017. Available online: https://www.httrack.com/ (accessed on 2 April 2020).
- [20] Alsharnouby, M.; Alaca, F.; Chiasson, S. Why phishing still works: User strategies for combating phishing attacks. Int. J. Hum. Comput. Stud. 2015, 82, 69–82.
- [21] Kintis, P.; Miramirkhani, N.; Lever, C.; Chen, Y.; Romero-Gómez, R.; Pitropakis, N.; Nikiforakis, N.; Antonakakis, M. Hiding in plain sight: A longitudinal study of combosquatting abuse. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 569–586.
- [22] Statistics Solutions. Using Chi-Square Statistic in Research. 2019. Available online: https://www.statisticssolutions.com/using-chi-square-statistic-in-research/ (accessed on 2 April 2020).
- [23] Pagliery, J. The Inside Story of the Biggest Hack in History. 2015. Available online: https://money.cnn.com/2015/08/05/technology/aramco-hack/index.html (accessed on 27 January 2019).
- [24] Yacowenia, A. Social Networking Sites: The Malicious Use. Ph.D. Thesis, Utica College, New York, NY, USA, 2020.
- [25] Naylor, D.; Finamore, A.; Leontiadis, I.; Grunenberger, Y.; Mellia, M.; Munafò, M.; Papagiannaki, K.; Steenkiste, P. The cost of the "s" in https. In Proceedings of the 10th ACM International Conference on Emerging Networking Experiments and Technologies, Sydney, Australia, 2 December 2014; pp. 133–140.
- [26] Maimon, D.; Wu, Y.; McGuire, M.; Stubler, N.; Qui, Z. SSL/TLS Certificates and Their Prevalence on the Dark Web (First Report). 2019. Available online: https://www.venafi.com/sites/default/files/2019-02/Dark-Web-WP.pdf (accessed on 25 November 2020).
- [27] Xiao, C.; Zhang, L.; Liu, W.; Bergmann, N.; Xie, Y. Energy-efficient crypto acceleration with HW/SW co-design for HTTPS. Future Gener. Comput. Syst. 2019, 96, 336–347.
- [28] Kraus, L.; Ukrop, M.; Matyas, V.; Fiebig, T. Evolution of SSL/TLS Indicators and Warnings in Web Browsers. In Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science; Anderson, J., Stajano, F., Christianson, B., Matyáš, V., Eds.; Springer: Cham, Switzerland, 2020; Volume 12287.
- [29] Volkman, E. 49 Percent of Phishing Sites Now Use HTTPS. 2018. Available online: https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https (accessed on 25 November 2020).
- [30] Mohammad, R.M.; Thabtah, F.; McCluskey, L. Tutorial and critical analysis of phishing websites methods. Comput. Sci. Rev. 2015, 17, 1–24.
- [31] Lawson, P.; Pearson, C.J.; Crowson, A.; Mayhorn, C.B. Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy. Appl. Ergon. 2020, 86, 103084.
- [32] Cialdini, R.B. Influence: The Psychology of Persuasion; Collins: New York, NY, USA, 2007; Volume 55, p. 339.
- [33] Mohammad, R.M.; Thabtah, F.; McCluskey, L. An assessment of features related to phishing websites using an automated technique. In Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions, London, UK, 10–12 December 2012; IEEE: Piscataway, NJ, USA, 2012; pp. 492–497.
- [34] Chiew, K.L.; Tan, C.L.; Wong, K.; Yong, K.S.; Tiong, W.K. A new hybrid ensemble feature selection framework for machine learning-based phishing detection system. Inf. Sci. 2019, 484, 153–166.
- [35] Sahingoz, O.K.; Buber, E.; Demir, O.; Diri, B. Machine learning based phishing detection from URLs. Expert Syst. Appl. 2019, 117, 345–357.
- [36] Jain, A.K.; Gupta, B.B. A machine learning based approach for phishing detection using hyperlinks information. J. Ambient Intell. Humaniz. Comput. 2019, 10, 2015–2028.
- [37] Cuzzocrea, A.; Martinelli, F.; Mercaldo, F. Applying Machine Learning Techniques to Detect and Analyze Web Phishing Attacks. In Proceedings of the 20th International Conference on Information Integration and Web-based Applications & Services, Yogyakarta, Indonesia, 19–21 November 2018; pp. 355–359.
- [38] Sarker, I.H.; Kayes, A.S.M.; Badsha, S.; Alqahtani, H.; Watters, P.; Ng, A. Cybersecurity data science: An overview from machine learning perspective. J. Big Data 2020, 7, 41.
- [39] Alseadoon, I.; Chan, T.; Foo, E.; Gonzalez Nieto, J. Who is More Susceptible to Phishing Emails? A Saudi Arabian Study. In Proceedings of the 23rd Australasian Conference on Information Systems, Geelong, Australia, 3–5 December 2012.
- [40] Alghazo, J.M.; Kazimi, Z. Social Engineering in Phishing Attacks in the Eastern Province of Saudi Arabia. Asian J. Inf. Technol. 2013, 12, 91–98.
- [41] Heartfield, R.; Loukas, G.; Gan, D. You are probably not the weakest link: Towards practical prediction of susceptibility to semantic social engineering attacks. IEEE Access 2016, 4, 6910–6928.
- [42] Williams, E.J.; Hinds, J.; Joinson, A.N. Exploring susceptibility to phishing in the workplace. Int. J. Hum. Comput. Stud. 2018, 120, 1–13.
- [43] Williams, E.J.; Polage, D. How persuasive is phishing email? The role of authentic design, influence and current events in email judgements. Behav. Inf. Technol. 2019, 38, 184–197.
- [44] Chatchalermpun, S.; Wuttidittachotti, P.; Daengsi, T. Cybersecurity Drill Test Using Phishing Attack: A Pilot Study of a Large Financial Services Firm in Thailand. In Proceedings of the 2020 IEEE 10th Symposium on Computer Applications & Industrial Electronics (ISCAIE), Malaysia, 18–19 April 2020.
Contingency table: exposure to the cloned website by occupation (observed count, expected count under independence, and percentage within each exposure row)

Exposure | Statistic | Employees | Faculty Members | Students | Total
---|---|---|---|---|---
Exposed | Count | 16 | 14 | 21 | 51
Exposed | Expected count | 16.2 | 15.5 | 19.3 | 51.0
Exposed | % within exposed | 31% | 28% | 41% | 100%
Not exposed | Count | 5 | 6 | 4 | 15
Not exposed | Expected count | 4.8 | 4.5 | 5.7 | 15.0
Not exposed | % within not exposed | 33% | 40% | 27% | 100%
Total | Count | 21 | 20 | 25 | 66
Total | Expected count | 21.0 | 20.0 | 25.0 | 66.0
Table 2. Critical values of the chi-square distribution by degrees of freedom (d.f.); column headings are upper-tail probabilities P(X² ≥ value)

d.f. | 0.995 | 0.99 | 0.975 | 0.95 | 0.9 | 0.1 | 0.05 | 0.025 | 0.01
---|---|---|---|---|---|---|---|---|---
1 | 0.00 | 0.00 | 0.00 | 0.00 | 0.02 | 2.71 | 3.84 | 5.02 | 6.63
2 | 0.01 | 0.02 | 0.05 | 0.10 | 0.21 | 4.61 | 5.99 | 7.38 | 9.21
3 | 0.07 | 0.11 | 0.22 | 0.35 | 0.58 | 6.25 | 7.81 | 9.35 | 11.34
4 | 0.21 | 0.30 | 0.48 | 0.71 | 1.06 | 7.78 | 9.49 | 11.14 | 13.28
5 | 0.41 | 0.55 | 0.83 | 1.15 | 1.61 | 9.24 | 11.07 | 12.83 | 15.09
6 | 0.68 | 0.87 | 1.24 | 1.64 | 2.20 | 10.64 | 12.59 | 14.45 | 16.81
7 | 0.99 | 1.24 | 1.69 | 2.17 | 2.83 | 12.02 | 14.07 | 16.01 | 18.48
8 | 1.34 | 1.65 | 2.18 | 2.73 | 3.49 | 13.36 | 15.51 | 17.53 | 20.09
9 | 1.73 | 2.09 | 2.70 | 3.33 | 4.17 | 14.68 | 16.92 | 19.02 | 21.67
10 | 2.16 | 2.56 | 3.25 | 3.94 | 4.87 | 15.99 | 18.31 | 20.48 | 23.21
11 | 2.60 | 3.05 | 3.82 | 4.57 | 5.58 | 17.28 | 19.68 | 21.92 | 24.72
12 | 3.07 | 3.57 | 4.40 | 5.23 | 6.30 | 18.55 | 21.03 | 23.34 | 26.22
13 | 3.57 | 4.11 | 5.01 | 5.89 | 7.04 | 19.81 | 22.36 | 24.74 | 27.69
14 | 4.07 | 4.66 | 5.63 | 6.57 | 7.79 | 21.06 | 23.68 | 26.12 | 29.14
Summary of the three attack simulations

Experiment | Phishing Type | Techniques | Type of Influence Technique | Authenticity Features | Other Cyber Threats Associated with Phishing Attack
---|---|---|---|---|---
Attack simulation 1 | Website forgery | Cloning tools; domain squatting | Invoke a sense of commitment and liking | Authentic appearance; presence of SSL | Man-in-the-middle (MITM); watering hole attack (WHA); cross-site scripting (XSS); data breach
Attack simulation 2 | Spear email phishing | Domain squatting | Invoke a sense of urgency and scarcity | Authentic appearance; presence of SSL | Botnets; watering hole attack (WHA); dynamic malware; data breach
Attack simulation 3 | Social networking phishing | NA | Promising monetary/prize reward | Presence of SSL | Cross-site scripting (XSS); watering hole attack (WHA); dynamic malware; blended malicious code; data breach
Comparison with the earlier Saudi studies [39,40]

Study | Sample Size | Gender | Age Group | Type of Phishing | Authentic Appearance | DNS Squatting | SSL
---|---|---|---|---|---|---|---
Alseadoon et al. (2012) [39] | 200 | - | 18–25 | Spear email phishing | Yes | Yes | No
Alghazo et al. (2013) [40] | 200 | Male | 18–25 | Website forgery | Yes, but with low-quality graphics | Yes | No
Our experiment, Simulation 1 | 66 | Female | Over 17 | Website forgery | Yes | Yes | Yes
Our experiment, Simulation 2 | 165 | Female | 18–25 | Spear email phishing | Yes | Yes | Yes
Our experiment, Simulation 3 | 342 | Both | All | Social networking phishing | NA | NA | Yes
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Aljeaid, D.; Alzhrani, A.; Alrougi, M.; Almalki, O. Assessment of End-User Susceptibility to Cybersecurity Threats in Saudi Arabia by Simulating Phishing Attacks. Information 2020, 11, 547. https://doi.org/10.3390/info11120547