Phishing – Email UI and the Target

In an earlier post, I wrote about how the odds in a spear phishing attack are heavily tilted toward the attacker and against the target mounting a successful defense. This post is about how the modern email application, and even the way targets process their email, favor the attacker.

Modern Email Applications:

Modern email applications are about ease of use. They provide intuitive controls that minimize the effort of selecting, reading, deleting, and archiving messages. The controls are designed to promote rapid processing of messages. However, rapid processing is a positive for both the application user and the phishing attacker. Gone are the days of “You have mail”. Notifications are minimized to limit intrusions into the busy life of the user, yet the applications are designed to bring the user back as often as possible. The more times the user accesses the application, the more times the application can generate income. The more times the user accesses the application, the more opportunities the phishing attacker has to compromise the user. Getting the user to come back often is so effective that there are users who rely upon the application for self-esteem: the more messages from sources deemed important, the greater the boost to self-esteem. That increase in self-esteem makes the user easier for the attacker to compromise.

The email application design and implementation are valuable to the phishing attacker. In addition, there are multiple off-the-shelf software development kits that help make email content more effective at engaging the user. There are even kits designed to enhance the phishing attack. These kits help build content that looks and feels as if the message were sent from a known source.

Plus one for the application, the application user and the phishing attacker.

Metacognition:

“The Dunning-Kruger effect is also related to difficulties with metacognition. Metacognition refers to the ability to step back and look at one’s behavior and abilities from outside of oneself.
People can often only evaluate themselves from their own limited and highly subjective point of view. From this limited perspective, they seem highly skilled, knowledgeable, and superior to others. Because of this, people sometimes struggle to have a more realistic view of their abilities.”

Phishing attackers have learned how to exploit this weakness in metacognition.

Most folks do something really well. Perhaps two or three things really well. A baker learns how to make great pies and cakes. A chemical engineer knows how to make batteries. There are probably chemical engineers and bakers who are really good at golf. There are physicians who have studied for years and are very good at curing diseases. However, there are many documented cases showing that physicians are terrible airplane pilots. Physicians, when they self-assess, assume that because they are well educated and able to manage the stress of medicine, they naturally have the ability to expertly fly an airplane. I am not picking on physicians. The inability to successfully self-assess crosses all fields of endeavor.

Email applications are designed to bridge the virtual and physical world. They are designed and implemented to give the appearance of being easy to use. And they most often succeed.

So, when an expert in one field uses an email application that is designed to be easy to use, anxiety and suspicion levels are not raised. Raised levels of anxiety and suspicion are important in detecting that the user is under attack – a phishing attack. The phishing attacker understands how to leverage the stealth derived from the perception of ease of use. Ease of use – user plus one, phishing attacker plus one.

Heuristic-Systematic Model (Noel Rizzuti)

Heuristic-Systematic Model:

There is a model named the Heuristic-Systematic Model. Some folks believe in it, some folks have doubts. The model provides insights into how users process messages. The heuristic approach maps nicely onto modern email applications and the rapid processing of messages: fast, with minimal use of cognitive resources. The systematic approach maps onto taking more time to analyze message content and consuming more cognitive resources.

“Heuristic processing uses judgmental rules known as knowledge structures that are learned and stored in memory. The heuristic approach offers an economic advantage by requiring minimal cognitive effort on the part of the recipient. Heuristic processing is related to the concept of “satisficing.”

Heuristic processing is governed by availability, accessibility, and applicability. Availability refers to the knowledge structure, or heuristic, being stored in memory for future use. Accessibility of the heuristic applies to the ability to retrieve the memory for use. Applicability of the heuristic refers to the relevancy of the memory to the judgmental task. Due to the use of knowledge structures, a person using heuristic information processing is likely to agree with messages delivered by experts, or messages that are endorsed by others, without fully processing the semantic content of the message. In comparison to systematic processing, heuristic processing entails judging the validity of messages by relying more on accessible context information, such as the identity of the source or other non-content cues. Thus, heuristic views de-emphasize detailed information evaluation and focus on the role of simple rules or cognitive heuristics in mediating persuasion.

Individuals may be more likely to use heuristic processing when an issue is less personally important to them (they have low “issue involvement”) or when they believe their judgment will not have significant impacts on themselves (low “response involvement”).”

Key points:

  1. Fast
  2. Low cognitive resource consumption
  3. Low level of concern – suspicion
  4. Less important to the user – more important to the attacker

“Systematic processing involves comprehensive and analytic, cognitive processing of judgment-relevant information. The systematic approach values source reliability and message content, which may exert stronger impact on persuasion, when determining message validity. Judgments developed from systematic processing rely heavily on in-depth treatment of judgment-relevant information and respond accordingly to the semantic content of the message. Recipients developing attitudes from a systematic basis exert considerable cognitive effort and actively attempt to comprehend and evaluate the message’s arguments. When processing systematically, recipients also attempt to assess their validity as it relates to the message’s conclusion. Systematic views of persuasion emphasize detailed processing of message content and the role of message-based cognitions in mediating opinion change. While recipients utilizing systematic processing rely heavily on message content, source characteristics and other non-content may supplement the recipients’ assessment of validity in the persuasive message.”

Key Points:

  1. Slower – more thoughtful analysis
  2. High cognitive resource consumption
  3. High level of concern – suspicion
  4. More effective at detecting attack

Modern day email applications are about grabbing attention and rapid processing – no time for elevating suspicions or greater analysis.

The modern day email application and heuristics – phishing attacker 1, user 0.

Summing up:

Modern day email and social media applications make the phishing attacker the odds on favorite.
