Phishy Game
What is Phishing: 
Phishing is a form of social engineering that tricks victims into revealing their sensitive information. It is usually carried out with fraudulent emails and website links that impersonate trustworthy websites. Corporate users are more likely to encounter fraudulent mails, because attackers target them to obtain organization-specific information. Phishing attacks have caused millions of dollars in losses through identity theft, loss of intellectual property and customer information for companies, national secrets, etc.

"Yes, your eyes can deceive you, unless you seek the truth"

https://chiplay.acrn.org/2018/


Our approach >>> Let’s Play
Several warning tools and browser plugins exist. Studies show that these tools vary in accuracy at detecting phishing links and that they produce false positives. Protection from phishing therefore depends heavily on the knowledge of the individual. We selected game-based awareness training for enterprise users, with the following objectives centred on visual inspection of URLs.
Game Objectives: Our primary goal was to provide phishing awareness training to enterprise users. We focused on educating users on these three points:
a) How to identify phishing URLs by the method of inspection, 
b) To get familiar with short URLs, 
c) To search online for brand names to find their legitimate URLs.  
Phishy is a navigation-based adventure game in which a character lost at sea has to overcome challenges to reach the shore, with dangers present at all times. It also has an element of "survival" in its gameplay. Adventure games are found to be more 'retention friendly' because they help the user learn by doing, with the benefit of aural and visual stimuli. The 'survival' element puts the player in a constant life-or-death struggle, which brings out the human instinct of self-preservation and keeps the player motivated to survive against the odds throughout the game. The gameplay is analogous to the real-life phishing scenario, where a single mistake by the user leads to an attack and a loss for that person.

ABOUT GAME
Phishy is a single-player, browser-friendly game developed in JavaScript with the "Phaser" library.

Game Story: Phishy is a story-based game with a central playable character named "Sam". The target audience included both genders. Before the game starts, a story is shown to the players in comic format. The story begins with Sam getting a message on his phone stating that he has won $5,00,000 and an all-expenses-paid cruise trip to Paradise Islands (panel 1). He is then told to click a link to enter his bank details and confirm acceptance of the offer (panel 2).
Sam gets excited after seeing the prize money (panel 3). Without checking further, he clicks on the link (panel 4). By the time Sam realizes that it was a fake phishing message, it is too late: the criminals have taken all his money and left him on a boat, with a hungry tiger, in the middle of the sea (panel 5). The game starts from this point. Sam has to return to the shore in order to survive. The hungry tiger moves forward by one step whenever Sam fails to feed it a fish. The player has to navigate the boat to the shore through 3 levels of gameplay.

In-game Challenges: The main challenge for the player is to reach the shore safely. This is made possible by:
a.) Hooking fish and feeding the tiger
b.) Selecting the correct answer to the question that pops up every time Sam hooks a fish, applying the on-screen tips provided
c.) Avoiding dangers like sharks and tentacles
If a player declines to catch a fish, a pop-up message is displayed and s/he cannot proceed until a fish is caught.
Game mechanics
The game begins with a pre-game survey and then progresses to Level 1. Level 1 questions follow the pattern "Is the following a phishing URL?". The player presses the "Spacebar" key to hook a fish; once hooked, a question pops up. A right answer is "yes" for a phishing URL (true positive) or "no" for a legitimate URL (true negative), and it rewards the player with points and the fish, which feeds the hungry tiger. A wrong answer, "yes" for a legitimate URL (false positive) or "no" for a phishing URL (false negative), costs points, the fish goes away and the hungry tiger comes one step closer to Sam. This level focuses on URLs with Internet Protocol (IP) addresses and on deceptive domains and sub-domains.

In Level 2, short URLs are displayed. Studies show that attackers often use URL shortening services to hide their original identity. Such URLs are also difficult to blacklist as spam, and users are less able to judge them. These URLs are common nowadays, especially because of their increased use on Twitter and in SMS. In the game, the player is given instructions to expand the shortened URL using on-screen controls; once expanded, the user can determine its legitimacy. The tips provided for the two-step identification of such URLs (only for URLs shortened with the 'goo.gl' and 'bit.ly' services) are:
Step 1 – Add + at the end of the short URL and hit enter to get the expanded form.
Step 2 – Apply the visual inspection method to the expanded URL.
This level has a swamp environment, and tentacles appear as obstacles which the player has to avoid.
Level 3 includes URLs of famous brands like Facebook, banking websites, etc. The choices contain ambiguous domain names with changed or added words. This process of changing domain names by adding extra words or phrases is called combosquatting, and it is an emerging threat. The player has to find the legitimate URL among the various options. Obstacles include sharks. Tips are provided to search for the brand name using a search engine and check the top results. Each level has a different type of fish to be caught. The flow across the levels is continuous, but the process of identifying the URLs changes. The tips give an idea of what is expected in the real world when players encounter such URLs. After completing Level 3, Sam reaches the shore and a "Congratulations" screen is shown. The game then ends with the post-game survey page.

Game Data Content Creation
The Phishy game focused on delivering an adequate amount of learning content during gameplay. From the URLs found in the international repository PhishTank, we identified common URL templates. We used the organization's proxy server database to find the URLs that are most often accessed by associates from within the organization (we filtered 20 out of 1000 such URLs, covering social networking, banking, corporate and shopping sites, etc.) and dynamically generated a list of phishing URLs from the templates.
Different URL types used are as follows:

1) IP-address-based and sub-domain-based URLs. Example of a sub-domain-based URL: oaa.onlinesbi.com.
2) Fake-domain-based (combosquatting) URLs: URLs that combine a popular trademark name with one or more added words or phrases. Example: github1.com.
3) Transformed domain names: analysis of the PhishTank data set revealed common transformations that produce similar-looking domain names; each URL is transformed according to the identified operations. Example: https://www.facedook.com/login.php

The URLs for the pre-game survey, post-game survey and the short URLs of Level 2 are also taken from the generated data set.
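As an added illustration (not code from the Phishy project), the following Python inspector applies the three checks the levels teach to a single URL: IP-address hosts and brand names hidden in sub-domains (Level 1), shortened URLs with the '+' preview tip (Level 2), and combosquatting or one-character look-alikes of brand names (Level 3). The brand list, shortener list and two-label suffix list are constructed for the example; production code would use the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists for this example (real code would use the Public Suffix List).
BRANDS = ("facebook", "github", "onlinesbi", "paypal")
SHORTENERS = {"bit.ly", "goo.gl"}
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}

def registered_domain(host):
    """Return the registrable part of a host name (e.g. 'facedook.com')."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_url(url):
    """Return the list of reasons a URL looks suspicious; empty means no finding."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)  # Level 1: raw IP address instead of a domain name
        return ["host is an IP address, not a domain name"]
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in SHORTENERS:
        # Level 2 tip from the page: append '+' to preview the expanded target first
        return [f"shortened URL; preview it at {url}+ before judging"]
    sld = reg.split(".")[0]                      # second-level label, e.g. 'github1'
    sub_labels = host[: -len(reg)].strip(".").split(".") if host != reg else []
    findings = []
    for brand in BRANDS:
        if sld == brand:
            continue                            # the brand's own registered domain
        if any(brand in label for label in sub_labels):
            findings.append(f"'{brand}' appears only in the sub-domain; real domain is {reg}")
        elif brand in sld:
            findings.append(f"combosquatting: '{brand}' plus extra characters in {reg}")
        elif edit_distance(sld, brand) == 1:
            findings.append(f"look-alike of '{brand}': {reg}")
    return findings
```

The inspector only reports what visual inspection would reveal; a URL with no finding is not proven legitimate, which is why Level 3 also teaches checking the brand's real URL via a search engine.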
Interaction, Scoring and Reward system:
User interaction controls are minimal. The forward arrow key navigates the boat and the Spacebar key catches fish; these are the main controls. The mouse is used where the player has to select the YES/NO option and to click buttons like "Expand short URL". Correct answers in each level reward the player with points in the form of "coins". The game requires at least 7 correct answers out of the 14 questions to be completed. Studies show that offering rewards for learning games within a social context can motivate learners to complete tasks they would otherwise be unlikely to complete, and to consider the experience fun and enjoyable. Our organization has a reward system called "GEMS", a form of virtual money; one Gem is roughly equal to one Indian Rupee (0.016$). A total of 30000 gems were allocated to Phishy. 100 winners were selected, 20 per day for the 5 days of the InfoSecurity week, and each was awarded 300 gems (~5$).

UNIQUE FEATURES OF PHISHY
Phishy tried to incorporate some real-life scenarios, which sets it apart from counterparts like Anti-Phishing Phil.
a) No timers in the game: a timer might create an unwanted sense of urgency and limit the gameplay experience, affecting player enjoyment. Removing it gives the player more freedom to experiment at their own pace, which could help them experience a more enjoyable game flow.
b) Players were not allowed to skip questions, similar to unavoidable real-life decisions.
c) Players get appropriate error messages, learning tips and feedback, simulating how people can use online help to check the legitimacy of URLs. Previous games did not model reality to this extent.
d) Uninterrupted gameplay: unlike Anti-Phishing Phil, Phishy allows uninterrupted gameplay for up to 7 incorrect answers. We believe that serious games should focus on teaching rather than on penalties.
e) Differences in genre and gameplay: Anti-Phishing Phil follows a uniform game pattern and level setup. Phishy has progressive levels, varied answering techniques and a changing visual appearance. It follows an adventure game approach, which is found to be more engaging and retention-friendly.
f) Addition of short URLs: Phishy included short URLs and their expansion methodology, which were absent from Anti-Phishing Phil.

GAME EVALUATION
The game was online for a week, and later extended to a month due to the overwhelming response. Players could access the game using their organization email address and a unique pass code. Each question in the pre-game survey is followed by a sub-question asking for the player's confidence level in the given answer. Once the game is completed, players are redirected to the post-game survey page with similar questions. The survey questions were divided into 2 groups, A and B, of 9 questions each, which were randomly assigned to participants as either the pre- or post-game survey. The results of the gameplay were recorded only after both surveys were completed, to ensure that players did not skip any answers and that unfinished attempts were excluded.
We divided the participants based on their pre-game survey correct answers and calculated the correctness. We used a paired t-test where the variable is continuous and consider the results significant if the p-value < 0.05. Based on these parameters, we found that the increase in confidence and correctness is significant: 4.06 to 4.43 (p < 0.05) for the pre-game survey and 0.71 to 0.79 (p = 4.12E-142) for the post-game survey. FNR and FPR decreased significantly, from 0.22 to 0.14 (p = 5.03E-091) and from 0.34 to 0.25 (p = 7.71E-076) respectively. According to the feedback data, 95.92% agreed that the game was fun, 97.23% found the game educational and 95.17% considered that they had learned about phishing. 25% of players attempted the game more than once, a definite improvement over the existing mandatory quizzes and trainings within the organization. In the game, a few users failed to judge sub-domain-based URLs, which is a main target for future work.

Publications
1) GOVID: Repurposing Serious Game for Enterprise COVID-19 Awareness. Gokul CJ, Vijayanand Banahatti & Sachin Lodha, (IndiaHCI 2021)

2) PHISHY - A Serious Game to Train Enterprise Users on Phishing Awareness. Gokul CJ, Sankalp Pandit, Sukanya Vaddepalli, Harshal Tupsamudre, Vijayanand Banahatti and Sachin Lodha. Proceedings of the Annual Symposium on Computer-Human Interaction in Play (CHI Play 2018), pages 169–181
----------------------------------------------------
Team size: (min-max): 2-3
Technology: JAVA/J2EE, JavaScript
My Role: Team Lead
My Contribution:  Initial idea, Brainstorming, Experiment design, Data analysis, Team coordination.
----------------------------------------------------
Acknowledgment: All the game animation was done by my team member Gokul CJ.