Trusted Phishing: A Model to Teach Computer Security Through the Theft of Cookies

Abstract

Social engineering is a common practice for obtaining information by manipulating users’ trust, while phishing refers to a computer attack model that is executed through social engineering. Combined with cross-site scripting (XSS), users’ curiosity could be abused to access their cookies and steal information from their sessions. The objective of this proposal was to teach concepts about cookie theft through vulnerable blogs. Our idea was to develop a blog vulnerable to XSS attacks to steal information from a test cookie that was created on the computer of users who accessed this site. Subsequently, the information corresponding to the attack was organized to present a new publication on the blog in order to explain to users how, with great care, we stole their cookies. Our goal was to challenge the trust and curiosity of our contacts in the social network Facebook and in the WhatsApp messaging application, so that they were tempted to visit this compromised blog whose content was false information. The results show that 182 contacts accessed the compromised blog and 100% of the users assumed that the blog was reliable. It was also shown that through this controlled attack, all 182 contacts learned about the theft of cookies that can be produced through fake blogs.

Cite

Rodríguez, G., Torres, J., Flores, P., Benavides, E., & Proaño, P. (2020). Trusted Phishing: A Model to Teach Computer Security Through the Theft of Cookies. In Advances in Intelligent Systems and Computing (Vol. 1067, pp. 390–401). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-32033-1_36
