PhD Thesis Summary

My PhD was funded by the UK EPSRC (grant EP/K035584/1) at the Centre for Doctoral Training in Cyber Security, at Royal Holloway, University of London. I was jointly supervised by Professor Peter Komisarczuk, Professor Kenny Paterson, and Professor Lorenzo Cavallaro.

Thesis Abstract

Phishing and malware attacks continue to plague the digital world, wreaking havoc on individuals, businesses, and governments worldwide. Attacks often target popular platforms such as Twitter, a microblogging social networking service with over 330 million active monthly users posting more than 500 million daily tweets.

My thesis explores how well-protected Twitter users are from phishing and malware attacks. We take an empirical, data-driven approach to investigate the effectiveness of Twitter's cybercrime defence system at time-of-tweet and time-of-click. We create Phishalytics: our measurement infrastructure that collects and analyses large-scale data sets. Our data feeds include Twitter's Stream API, Bitly's Clicks API, and 3 popular blacklists: Google Safe Browsing, PhishTank, and OpenPhish. We improve internet measurement studies by addressing soundness and limitations of existing work. Our studies include characterising URL blacklists, investigating blacklist delays, and examining Twitter's URL shortener (t.co). We aim to better enable policymakers, technology designers, and researchers to strengthen online user security.

We provide empirical evidence highlighting the state, and scale, of cybercrime on Twitter. Key findings show over 10,000 phishing and malware URLs -- publicly tweeted to more than 131 million Twitter accounts -- received over 1.6 million clicks from Twitter users. Twitter's time-of-click defence system blocks only 12% of blacklisted URLs and web browsers miss up to 62% of non-blacklisted phishing websites. We recommend Twitter users ensure their risk appetite aligns with their cybercrime defence strategy. Furthermore, blacklists do not offer absolute protection and cybercriminals can exploit uptake delays.

Our findings suggest more can be done to strengthen Twitter's phishing and malware defence system and improve user security. However, measuring and evaluating effectiveness is complex and non-trivial. We discuss the importance of soundness, the significance of measurement study reproducibility, and the challenges of measuring an ever-changing landscape.

Research Questions

I designed Phishalytics to help answer the following research questions:

Contributions

  1. Improve internet measurement studies by introducing new metrics and methodology, addressing soundness and limitations of existing work, and strengthening current understanding of how to collect and analyse internet measurements of cybercrime on Twitter.
  2. Measurement infrastructure (full codebase), methodology, technical implementation details, and resulting data set from our longitudinal studies, aiding reproducibility and the internet measurement community.
  3. Provide empirical evidence, from our studies, to determine how effective Twitter's defence system is at protecting users from phishing and malware attacks. Our measurement snapshots also contribute towards future research by providing benchmarks for effectiveness.
  4. Improve current understanding of phishing and malware ground truth by characterising and analysing 3 popular blacklists: Google Safe Browsing (GSB), OpenPhish (OP), and PhishTank (PT).

Awards

Our research won 2 awards -- best paper and best student paper -- at the Australasian Computer Science Week Multiconference (2020), for our paper: Measuring the Effectiveness of Twitter's URL Shortener (t.co) at Protecting Users from Phishing and Malware Attacks.

Research Projects

Full details of my research projects are on the projects page. The projects are:

Research Papers

My PhD research output includes the following papers:

Full PhD thesis, and related research papers, can be accessed from the publications page.