フィッシング対策セミナー2022講演資料 / antiphishing-seminar2022-hasegawa

ϑΟογϯάʹର͢ΔϢʔβͷߦಈɾೝࣝ ۙ೥ͷֶज़ݚڀ͔Β ϑΟογϯάରࡦηϛφʔ ࠃཱݚڀ։ൃ๏ਓ ৘ใ௨৴ݚڀػߏ αΠόʔηΩϡϦςΟݚڀॴ ௕୩઒ ࠼ࢠ

ߨԋऀ ࣗݾ঺հ w ࢯ໊ɿ௕୩઒ ࠼ࢠ w ॴଐɿࠃཱݚڀ։ൃ๏ਓ ৘ใ௨৴ݚڀػߏ αΠόʔηΩϡϦςΟݚڀॴ w
৬Ґɿݚڀһ w ઐ໳ɿϢʔβϒϧηΩϡϦςΟݚڀ 2

ϢʔβϒϧηΩϡϦςΟݚڀͱ͸ w ώϡʔϚϯϑΝΫλͷ؍఺͔ΒηΩϡϦςΟٕज़Λݕ౼͢Δݚڀ෼໺ r ໊લͷ௨Γɼਓؒ Ϣʔβ ʹͱͬͯ lVTBCMFzͰ҆શͳηΩϡϦςΟٕज़ͷཱ͕֬໨ඪ r ͦͷͨΊʹϢʔβͷߦಈ΍ೝࣝΛ؍ଌ
3 γεςϜத৺ͷ ϑΟογϯάݚڀ ߴਫ਼౓ͳϑΟογϯάݕ஌ ΞϧΰϦζϜͷཱ֬ ػցֶश ਓؒத৺ͷ ϑΟογϯάݚڀ Ϣʔβ͕ὃ͞ΕΔཧ༝ͷղ໌ ˣ ޮՌతͳڭҭɾϢʔβαϙʔτπʔϧ ͷ૑ग़ ౰֘ݚڀ෼໺ͷৄࡉɿ ۚԬߊϢʔβϒϧηΩϡϦςΟೖ໳IUUQTTQFBLFSEFDLDPNBLJSBLBOBPLBVXTUJZVUPSJBSVZV[BCVSVTFLJZVSJUFJSVNFO 秋⼭満昭. ⾦融分野に求められるユーザブルセキュリティ. https://www.imes.boj.or.jp/jp/conference/citecs/22semi_02_docs/22sec_semi02_akiyama.pdf ྆ํͷΞϓϩʔν͕ॏཁ

"HFOEBʢݚڀࣄྫ঺հʣ ϢʔβΛὃ͢߈ܸऀͷ৺ཧςΫχοΫ Ϣʔβͷଐੑͱὃ͞Ε΍͢͞ ϢʔβͷϑΟογϯά߈ܸʹؔ͢Δ஌ࣝ ϢʔβʹޮՌతͳڭҭɾΞυόΠε
ϢʔβʹޮՌతͳܯࠂσβΠϯ 4

ϢʔβΛὃ͢߈ܸऀͷ৺ཧτϦοΫ

߈ܸऀ͸ਓؒͷ৺ཧಛੑΛѱ༻ w ߈ܸऀ͕ѱ༻͢Δਓؒͷ৺ཧಛੑ 3PCFSU$JBMEJOJ lQSJODJQMFTPGJOGMVFODFz 6 ᶃ ฦใੑʢSFDJQSPDJUZʣ ᶄ Ұ؏ੑʢDPOTJTUFODZʣ
ᶅ ࣾձతূ໌ʢTPDJBMQSPPGʣ ᶆ ݖҖʢBVUIPSJUZʣ ᶇ ޷ҙʢMJLJOHʣ ᶈ رগੑʢTDBSDJUZʣ

߈ܸऀ͕ѱ༻͢Δ৺ཧతಛੑɿฦใੑɾҰ؏ੑ 7 ᶃ ฦใੑɿड͚ͨԸʹ͓ฦ͠Λ͠ͳ͚Ε͹ͳΒͳ͍ͱײ͡Δ ᶄ Ұ؏ੑɿࣗ෼͕ද໌ͨ͠໿ଋ͸कΓͨ͘ͳΔ ౰αʔϏε͸͓٬༷ͷ҆શͷͨΊʹશྗΛਚ͍ͯ͘͠·͢ɻ͓٬༷ͷΞΧ΢ϯτͷ ҆શΛอͭͨΊʹɺҎԼͷϦϯΫ͔Β͝ڠྗΛ͓ئ͍͠·͢ɻ MJOL ౰αʔϏεͷར༻ن໿ʹ͋ͳͨ͸ಉҙ͠·ͨ͠ɻ͋ͳ͕ͨར༻ن໿ʹҧ൓͍ͯ͠ͳ͍
৔߹ɺҎԼͷϦϯΫ͔ΒΞΧ΢ϯτ࠶։ͷखଓ͖Λߦͳ͍ͬͯͩ͘͞ɻ MJOL

߈ܸऀ͕ѱ༻͢Δ৺ཧతಛੑɿࣾձతূ໌ɾݖҖ 8 ᶅ ࣾձతূ໌ɿपғͷಈ͖ʹಉௐͨ͘͠ͳΔ ᶆ ݖҖɿݖҖͷ͋Δਓʹ৴པΛ͓͖ͨ͘ͳΔ શͯͷϢʔβ͕ϝʔϧΞυϨεͷೝূΛ࣮ࢪ͢Δඞཁ͕͋Γ·͢ɻҎԼͷϦϯΫ͔ Β࣮ࢪ͍ͯͩ͘͠͞ɻ MJOL 999ࣾ$&0ͷࢁాଠ࿠Ͱ͢ɻࢿྉΛ֬͝ೝ͍ͩ͘͞ɻMJOL

߈ܸऀ͕ѱ༻͢Δ৺ཧతಛੑɿ޷ҙɾرগੑ 9 ᶇ ޷ҙɿ޷͖ʹͳͬͯ͘ΕͨਓΛ޷͖ʹͳΓɼ޷͖ͳਓʹ͸ಉௐͨ͘͠ͳΔ ᶈ رগੑɿرগͳ΋ͷ΄Ͳཉ͘͠ͳΔ ౰αʔϏε͸͓٬༷Λେ੾ʹ͍ͯ͠·͢ɻզʑ͕͓٬༷ΛαϙʔτͰ͖ΔΑ͏ɺҎ ԼͷϦϯΫ͔ΒઃఆΛ࣮ࢪ͍ͩ͘͞ɻ MJOL ࣌ؒҎ಺ʹϩάΠϯ͍͍ͯͨͩͨ͠ํʹ͸ɺಛผʹϙΠϯτΛ্ࠩ͛͠·͢ɻ
MJOL

10 ࢀߟɿ<>")FJKEFOBOE -"MMPEJ$PHOJUJWF5SJBHJOHPG1IJTIJOH"UUBDLT *O1SPDPG4&$` <>੢઒߂ؽ΄͔ඪతܕϝʔϧʹ͓͚Δ৺ཧૢ࡞ςΫχοΫͱ ੑ֨ಛੑ͓Αͼߦಈಛੑͱͷؔ܎ੑ෼ੳ৘ใॲཧֶձ࿦จࢽ 7PM/P ˞͍ͣΕ΋จԽతൺֱΛ໨తͱͨ͠࿦จͰ͸ͳ͍͕ɼຊߨԋʹ͓͍ͯ͸ศ্ٓ྆࿦จͷ݁ՌΛൺֱͨ͠ ߨԋऀʹΑΔ ϑΟογϯάϝʔϧ
ͷಛ௃ ԤभͷϢʔβ <> ʢۚ༥ػؔʹͳΓ͢·ͨ͠ ϑΟογϯάϝʔϧͰ࣮ݧʣ ೔ຊͷϢʔβ <> ʢҰൠతͳ಺༰ͷඪతܕ ϑΟογϯάϝʔϧͰ࣮ݧʣ ฦใੑ͕ߴ͍ ΫϦοΫ཰͕௿͍ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ Ұ؏ੑ͕ߴ͍ ΫϦοΫ཰͕ߴ͍ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ ࣾձతূ໌͕ߴ͍ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ ݖҖ͕ߴ͍ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ ΫϦοΫ཰͕ߴ͍ ޷ҙ͕ߴ͍ ΫϦοΫ཰ͱ༗ҙͳؔ܎ͳ͠ ΫϦοΫ཰͕ߴ͍ رগੑ͕ߴ͍ ΫϦοΫ཰͕ߴ͍ ΫϦοΫ཰͕ߴ͍ ৺ཧτϦοΫ΁ͷϢʔβͷὃ͞Ε΍͢͞

11 ϑΟογϯ άϝʔϧͷ ಛ௃ ԤभͷϢʔβ ೔ຊͷϢʔβ ฦใੑ ௿͍ ༗ҙͳؔ܎ͳ͠ Ұ؏ੑ
ߴ͍ ༗ҙͳؔ܎ͳ͠ ࣾձతূ໌ ༗ҙͳؔ܎ͳ͠ ༗ҙͳؔ܎ͳ͠ ݖҖ ༗ҙͳؔ܎ͳ͠ ߴ͍ ޷ҙ ༗ҙͳؔ܎ͳ͠ ߴ͍ رগੑ ߴ͍ ߴ͍ ೔ຊ͸ԤभΑΓ͸ू߹ओٛ ⁶ ݸਓओٛ ͕ڧ͍ࠃͰ͋ΔͨΊɼݖҖʹऑ͍ ͱ͍͏ͷ͸ೲಘͰ͖Δ ʢҰൠʹ ू߹ओٛͷࠃͷॅຽͷ΄͏͕ ϑΟογϯάʹὃ͞Ε΍͍͢ͱ͞ΕΔ <> ʣ ͲͷΑ͏ͳϢʔβʹରͯ͠΋ൺֱతޮ Ռ͕ߴ͍ͱ͢Δͱɼ߈ܸऀʹͱͬͯ͸ ࠷΋ศརͳ৺ཧτϦοΫʁ <>.#VUBWJDJVT FUBM6OEFSTUBOEJOH4VTDFQUJCJMJUZUP1IJTIJOH&NBJMT"TTFTTJOHUIF*NQBDUPG*OEJWJEVBM%JGGFSFODFTBOE$VMUVSF *O1SPDPG)"*4"` ৺ཧτϦοΫ΁ͷϢʔβͷὃ͞Ε΍͢͞

͜ͷΑ͏ͳݚڀ੒Ռ ஌ݟ ΛͲ͏׆͔͔͢ Ø Ϣʔβ͕ಛʹὃ͞Ε΍͍͢৺ཧτϦοΫʹؔͯ͠ɼͦͷ৺ཧτϦοΫ͕༻͍ΒΕ ͨϝʔϧΛࣗಈͰ൑ผ͠ɼ༏ઌతʹௐࠪ͢ΔɾܯࠂΛදࣔͤ͞ΔͳͲ 12

Ϣʔβͷଐੑͱὃ͞Ε΍͢͞

Ϣʔβଐੑͱὃ͞Ε΍͢͞ Ϣʔβͷଐੑʢ೥୅ɾੑผɾੑ֨ಛੑɾաڈͷܦݧɾจԽ FUDʣʹΑΓϑΟο γϯά΁ͷὃ͞Ε΍͕͢͞ҟͳΔ͜ͱ͕໌Β͔ʹͳ͍ͬͯΔ ˠὃ͞Ε΍͍͢ଐੑͷϢʔβΛੵۃతʹαϙʔτ w ೥୅ɾੑผ<> r ߴྸͷঁੑ͕࠷΋ὃ͞Ε΍͍͢܏޲ r
एऀ͸رগੑʹὃ͞Ε΍͘͢ɼߴྸऀ͸ฦใੑʹὃ͞Ε΍͍͢܏޲ r ߴྸऀͷ΄͏͕ὃ͞Ε΍͢͞ͷ֮ࣗͱ࣮ࡍͷὃ͞Ε΍͢͞ʹ͕ࠩେ͖͍܏޲ʢա৴ʣ 14 ࢀߟɿ <>%0MJWFJSBFUBM%JTTFDUJOH4QFBS1IJTIJOH&NBJMTGPS0MEFSWT:PVOH"EVMUT0OUIF*OUFSQMBZPG8FBQPOTPG*OGMVFODFBOE-JGF %PNBJOTJO1SFEJDUJOH4VTDFQUJCJMJUZUP 1IJTIJOH *O1SPDPG$)*`

Ϣʔβଐੑͱὃ͞Ε΍͢͞ w ੑ֨ಛੑ r ྑ৺తͳੑ֨ͳਓ͸ͦ͏Ͱͳ͍ਓΑΓ΋ὃ͞Ε΍͍͢܏޲ <> w աڈͷܦݧ r աڈʹϑΟογϯάτϨʔχϯάΛड͚ͨਓ͸ͦ͏Ͱͳ͍ਓΑΓ΋ὃ͞Εʹ͍͘܏޲
<> w ଞͷଐੑʢ೥ྸɾੑผʣΑΓ΋Өڹ౓͕େ͖͍ w จԽɾݴޠ r ू߹ओٛͷࠃͷॅຽͷ΄͏͕ὃ͞Ε΍͍͢܏޲ <> 15 ࢀߟɿ <>5)BMFWJFUBM 4QFBS1IJTIJOHJOUIF8JME"3FBM8PSME4UVEZPG1FSTPOBMJUZ 1IJTIJOH4FMGFGGJDBDZBOE7VMOFSBCJMJUZUP4QFBS1IJTIJOH"UUBDLT443/&MFDUSPOJD+PVSOBM <>44IFOHFUBM8IP'BMMTGPS1IJTI "%FNPHSBQIJD"OBMZTJTPG1IJTIJOH4VTDFQUJCJMJUZBOE&GGFDUJWFOFTTPG*OUFSWFOUJPOT *O1SPDPG$)*` <>.#VUBWJDJVT FUBM6OEFSTUBOEJOH4VTDFQUJCJMJUZUP1IJTIJOH&NBJMT"TTFTTJOHUIF*NQBDUPG*OEJWJEVBM%JGGFSFODFTBOE$VMUVSF *O1SPDPG)"*4"`

ϢʔβͷϑΟογϯά߈ܸʹؔ͢Δ஌ࣝ

ϑΟογϯάʹؔ͢ΔϢʔβͷ࣭໰ ೔ຊͷ2ˍ"αΠτʹ౤ߘ͞ΕͨηΩϡϦςΟɾϓϥΠόγʔؔ࿈ͷ࣭໰ͷ͏ͪ ໿ׂ͕ϑΟογϯά౳ͷαΠόʔ߈ܸʹؔ͢Δ࣭໰Ͱ͋ͬͨ<> w ࠷΋ଟ͍࣭໰ɿʮ͜ͷϝʔϧ4.4αΠτ͸࠮ٗͰ͔͢ʁʯ r ࣭໰ऀ͕ఴ෇͍ͯͨ͠ϝʔϧ4.4αΠτ͸యܕతͳϑΟογϯά߈ܸͰ͋ͬͨɽయܕత ͳϑΟογϯά߈ܸͰ͋ͬͯ΋ɼϢʔβ͕ࣗྗͰ൑அ͢Δͷ͸ࠔ೉ w యܕతͳUZQPTRVBUUJOHʢྫɿ"QQMF4VQQSUʣ΍ɼ༗໊ͳϑϦʔϝʔϧαʔϏεͷϝʔϧΞυ
ϨεΛར༻͢Δ߈ܸʢྫɿ(NBJMΞυϨεΛ࢖ͬͯ(PPHMFʹͳΓ͢·͢ʣ w ࣍ʹଟ͍࣭໰ɿʮ࠮ٗαΠτʹϩάΠϯ৘ใ΍Χʔυ৘ใΛೖྗͯ͠͠·͍· ͨ͠ɻ͜ͷޙԿΛ͢΂͖Ͱ͔͢ʁʯ r ϑΟογϯάϝʔϧαΠτͷಛఆํ๏΍ո͍͠ϝʔϧ΁ͷରॲํ๏ʹൺ΂ͯɼϑΟογϯ άʹὃ͞Εͨޙͷߦಈʹ͍ͭͯͷΞυόΠεΛܝࡌ͍ͯ͠Δ΢ΣϒαΠτ͸গͳ͍ <> 17 ࢀߟɿ<>")BTFHBXBFUBM 6OEFSTUBOEJOH/PO&YQFSUT`4FDVSJUZ BOE1SJWBDZ3FMBUFE2VFTUJPOTPOB2"4JUF*O1SPDPG40614` <>..PTTBOP FUBM "OBMZTJTPG1VCMJDMZ"WBJMBCMF"OUJ1IJTIJOH8FCQBHFT$POUSBEJDUJOH*OGPSNBUJPO -BDLPG$PODSFUF"EWJDFBOE7FSZ/BSSPX"UUBDL7FDUPS *O1SPDPG&VSP64&$`

ҰൠతͳΤϯυϢʔβʹ63-ͷѼઌΛ໰͏ΞϯέʔτΛ࣮ࢪ<> 63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ 18 2ҎԼͷ63-͸ͦΕͧΕͲͷΑ͏ͳ΢ΣϒαΠτʹܨ͕Δͱࢥ͍·͔͢ʁ ᶃ IUUQTQSPGJMFGBDFCPPLDPN ᶄ IUUQTGBDFCPPLQSPGJMFDPN ᶅ IUUQTUXJUUFSDPNGBDFCPPLDPN
! ! ! ࢀߟɿ<>4"MCBLSZ FUBM8IBUJTUIJT63-T%FTUJOBUJPO &NQJSJDBM&WBMVBUJPOPG6TFST63-3FBEJOH *O1SPDPG$)*`

63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ 19 ᶃ IUUQTQSPGJMFGBDFCPPLDPN 㱺'BDFCPPL ᶄ IUUQTGBDFCPPLQSPGJMFDPN 㱺1SPGJMF ᶅ IUUQTUXJUUFSDPNGBDFCPPLDPN
㱺5XJUUFS αϒυϝΠϯ αϒυϝΠϯ αϒσΟϨΫτϦ υϝΠϯ໊ υϝΠϯ໊ υϝΠϯ໊

63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ w ࢀՃऀ͸υϝΠϯͱαϒυϝΠϯͷ۠ผ͕͍͓ͭͯΒͣ ʮ'2%/ʹؚ·ΕΔαʔϏε ໊শ ʹ ܨ͕Δ΢ΣϒαΠτʯͰ͋Δͱޡղ͕ͪ͠ w ᶅ αϒσΟϨΫτϦʹαʔϏε໊
͸ൺֱతޡ౴͸গͳ͔ͬͨ w શ໰ਖ਼ղͨ͠ࢀՃऀɼͭ·Γ63-ͷߏ଄Λཧղ͍ͯͨ͠ࢀՃऀ͸ͷΈɽٕज़ܥͷ ࢀՃऀͰ͋ͬͯ΋ޡ౴ͨ͠ 20 ᶃ IUUQTQSPGJMFGBDFCPPLDPN 㱺 ࢀՃऀ͸ 'BDFCPPL ʹܨ͕Δͱճ౴ ᶄ IUUQTGBDFCPPLQSPGJMFDPN 㱺 ࢀՃऀ͸ 'BDFCPPL ʹܨ͕Δͱճ౴ʢޡʣ Ϣʔβ͸63-Λݟͯ΋ͦͷѼઌΛ൑அͰ͖ͳ͍͜ͱ͕͋ΔͨΊɼʮϝʔϧதͷϦϯΫΛ ϗόϦϯάͯ͠ਅͷ63-Λ֬ೝ͠·͠ΐ͏ʯͷΑ͏ͳΞυόΠεͰ͸ෆे෼

֤छ63-ِ૷ςΫχοΫʹؔ͢ΔϢʔβͷ஌ࣝ 21 ࢀߟɿ<>+3FZOPMETFUBM.FBTVSJOH*EFOUJUZ$POGVTJPOXJUI6OJGPSN3FTPVSDF-PDBUPST *O1SPDPG$)*` 2ҎԼͷ63-͸ͲͷΑ͏ͳ΢ΣϒαΠτʹܨ͕Δͱࢥ͍·͔͢ʁ • IUUQTUXJUUUFSDPN • IUUQTCPGBDPNTJHOJOJOGP •
IUUQT • IUUQTЛBZЛBMDPN • IUUQTTFDVSFHNBJMDPN • IUUQTUXJUUFSDPNJTTVFTTVQQPSU • IUUQTUXJUUFSDPNF ! ! ! ҰൠతͳΤϯυϢʔβʹ63-ͷѼઌΛ໰͏ΞϯέʔτΛ࣮ࢪ<> 5ZQPTRVBUUJOH 4VCEPNBJOBT%PNBJO *1"EESFTT *%/)PNPHSBQIT 4FMGEFDMBSFETFDVSF 6OGBNJMJBS5-% 63-&ODPEFE $IBSBDUFST

֤छ63-ِ૷ςΫχοΫʹؔ͢ΔϢʔβͷ஌ࣝ 22 ࢀՃऀ͕ѼઌΛਖ਼౴Ͱ͖ͨͷ͸ˋͷ63-ʹͱͲ·ͬͨ 63-ِ૷ςΫχοΫ ྫ ਖ਼౴཰ 5ZQPTRVBUUJOH IUUQTUXJUUUFSDPN *%/)PNPHSBQIT
IUUQTЛBZЛBMDPN 4FMGEFDMBSFETFDVSF IUUQTTFDVSFHNBJMDPN *1"EESFTT IUUQT 6OGBNJMJBS5-% IUUQTUXJUUFSDPNJTTVFTTVQQPSU 4VCEPNBJOBT%PNBJO IUUQTCPGBDPNTJHOJOJOGP 63-&ODPEFE$IBSBDUFST IUUQTUXJUUFSDPNF

w lηΩϡϦςΟϦςϥγzͱͯ͠ɼϢʔβ͸63-ͷߏ଄΍ِ૷ςΫχοΫΛ஌͓ͬͯ͘ ͷ͕޷·͍͠ r ͨͩ͠ɼਓ͕ؒࢹ֮తʹݟഁΔ͜ͱ͕ඇৗʹࠔ೉ͳɼߴ౓ͳ*%/)PNPHSBQIT΋ଘࡏ w ͦͷҰํͰɼϢʔβͷ63-൑ผεΩϧ͚ͩʹґଘ͢Δ͜ͱ͸ͤͣɼαʔϏεࣗۀऀ͔ ΒϢʔβ΁ͷϝʔϧͷதʹ63-ΛؚΊΔ͜ͱ͸ආ͚Δ ϒοΫϚʔΫ͔ΒΞΫηε͠ ͯ΋Β͏Α͏༠ಋ
౳ͷରࡦ΋ݕ౼͢΂͖ <> 23 ࢀߟɿ<>秋⼭満昭. ⾦融分野に求められるユーザブルセキュリティ. https://www.imes.boj.or.jp/jp/conference/citecs/22semi_02_docs/22sec_semi02_akiyama.pdf

ϑΟογϯάʹର͢ΔϢʔβͷ஫໨Օॴ 24 w <ϝʔϧ>Ϣʔβ͸ϔομʔ΍63-ʹ͸΄ͱΜͲ஫໨ͤͣɼຊจͷ಺༰Ͱਖ਼ن͔ϑΟογϯά͔ Λ൑அ͢Δ܏޲ <> w <ϝʔϧ>ૹ৴ݩʹ஫໨͢ΔϢʔβ͸ϑΟογϯάʹὃ͞Εʹ͘͘ɼ໊݅΍ۓٸͷݴ༿ͷଘࡏʹ ஫໨͢ΔϢʔβ͸ϑΟογϯάʹὃ͞Ε΍͍͢܏޲ <>
w <ϝʔϧ>ۓٸͷݴ༿ͷଘࡏΑΓ΋ɼϛεεϖϧͷଘࡏͷ΄͏͕Ϣʔβ͸ϑΟογϯάΛ͍ٙ΍ ͍͢܏޲ <> w <αΠτ>Ϣʔβ͸ϒϥ΢βͷηΩϡϦςΟΠϯδέʔλʹ΄΅஫໨ͤͣɼ΢ΣϒαΠτͷίϯ ςϯπʹ஫໨͢Δ܏޲ <> w ϑΟογϯάϝʔϧαΠτͷಛఆͷͨΊʹ͸ʮ஌ࣝʴ࣌ؒʯ͕ॏཁ <> ࢀߟɿ<>+%PXOTFUBM%FDJTJPOTUSBUFHJFTBOETVTDFQUJCJMJUZUPQIJTIJOH *O1SPDPG40614` <>"7JTIXBOBUIFUBM8IZEPQFPQMFHFUQIJTIFE UFTUJOHJOEJWJEVBMEJGGFSFODFTJOQIJTIJOHWVMOFSBCJMJUZXJUIJOBOJOUFHSBUFE JOGPSNBUJPOQSPDFTTJOHNPEFM%FDJTJPO4VQQPSU4ZTUFNT <>+.D"MBOFZ BOE1)JMMTUnderstanding Phishing Email Processing and Perceived Trustworthiness Through Eye Tracking 'SPOUJFSTJO1TZDIPMPHZ <>."MTIBSOPVCZ FUBM8IZQIJTIJOH TUJMMXPSLTVTFSTUSBUFHJFTGPSDPNCBUJOHQIJTIJOHBUUBDLT*OUFSOBUJPOBM+PVSOBMPG)VNBO$PNQVUFS4UVEJFT <>,1GFGGFM FUBM8IFSFUIFVTFSEPFTMPPLXIFOSFBEJOHQIJTIJOHNBJMTr "OFZFUSBDLJOHTUVEZ *O1SPDPG)$**`

ϢʔβʹޮՌతͳڭҭɾΞυόΠε

ϑΟογϯάରࡦΞυόΠεͷ࣮ଶௐࠪ ΢ΣϒαΠτʹܝࡌ͞ΕͨΞυόΠε Χࠃ Λ෼ੳͯ͠൑໌ͨ͠՝୊<> w ந৅తͳΞυόΠε͕ଟ͍ r ྫʣʮΫϦοΫ͢Δલʹ63-Λ֬ೝ͠·͠ΐ͏ʯ w ࠞཚΛੜΉΞυόΠε͕ܝࡌ͞Ε͍ͯΔ
r ྫʣʮෆࣗવͳจষͷϝʔϧ͸ϑΟογϯάͷՄೳੑ͕͋Γ·͢ʯͱʮ߈ܸऀ͸ࣗવͳจ ষΛॻ͖·͢ʯ w ߴ౓ͳϑΟογϯάʹؔ͢ΔΞυόΠε͕ͳ͍ r ྫʣΫϩʔϯϑΟογϯά Ҏલʹૹ৴͞Εͨਖ਼نͷϝʔϧΛѱ༻͞ΕΔ ʹؔ͢Δ৘ใ͕ ܝࡌ͞Ε͍ͯͳ͍ 26 ࢀߟɿ<>..PTTBOP FUBM "OBMZTJTPG1VCMJDMZ"WBJMBCMF"OUJ1IJTIJOH8FCQBHFT$POUSBEJDUJOH*OGPSNBUJPO -BDLPG$PODSFUF"EWJDFBOE7FSZ/BSSPX"UUBDL7FDUPS *O1SPDPG&VSP64&$`

ޮՌతͳڭҭํ๏ɾڭҭλΠϛϯά υΠπͷͱ͋Δ૊৫Ͱ࣮ࢪ͞ΕͨϑΟογϯάڭҭɾϑΟογϯάಛఆςετ<> w ΦϯαΠτνϡʔτϦΞϧͷޮՌ͸ͲΕ͘Β͍࣋ଓ͢Δ͔ʁ ὎ ϲ݄ఔ౓ɽϲ݄ޙʹ͸νϡʔτϦΞϧલͱେࠩͳ͍ύϑΥʔϚϯεʹ w ͲͷΑ͏ͳܗࣜͷϦϚΠϯμʔڭҭ͕ޮՌత͔ʁ ςΩετɾ୹͍ςΩετɾ ϏσΦɾϝʔϧը໘ʹ஫ҙϙΠϯτ͕هࡌ͞Εͨڭࡐ
὎ ϏσΦɾϝʔϧը໘ڭࡐͷޮՌ͕ߴ͘ɼ࣮ࢪޙϲ݄ޙ͸ޮՌ༗ 27 ࢀߟɿ<>#3FJOIFJNFS FUBM"OJOWFTUJHBUJPOPGQIJTIJOHBXBSFOFTTBOEFEVDBUJPOPWFSUJNF8IFOBOEIPXUPCFTUSFNJOEVTFST *O1SPDPG40614` ὎ ߴස౓Ͱͷܧଓతͳڭҭ͕ඞཁ

ޮՌతͳڭҭํ๏ ΞυόΠεܗࣜ ͱ ετʔϦʔ ମݧஊ ܗࣜͷޮՌͷҧ͍ <> ΞυόΠεܗࣜ ˠ ޮՌ͕ߴ͘ɼઐ໳Ո͔Β༩͑ΒΕͨࡍʹಛʹޮՌత
ετʔϦʔܗࣜ ˠ ޮՌ͸ߴ͘ͳ͍͕ɼಉ྅͔Β༩͑ΒΕͨ৔߹ʹ͸ޮՌ༗ 28 ࢀߟɿ<>38BTIFUBM8IP1SPWJEFT1IJTIJOH5SBJOJOH 'BDUT 4UPSJFT BOE1FPQMF-JLF.F *O1SPDPG$)*`

ͱ͋Δ૊৫Ͱ࣮ࢪ͞ΕͨϑΟογϯάγϛϡϨʔγϣϯ <> <ௐࠪ಺༰> ໛ٖϑΟογϯάϝʔϧΛΫϦοΫͨ͠ैۀһʹର͠ɼ ৚݅"ɿϑΟογϯάʹὃ͞Εͨ͜ͱΛ௨஌͢Δը໘Λදࣔ ৚݅#ɿϑΟογϯάʹὃ͞Εͨ͜ͱΛ௨஌͢Δը໘Λදࣔ ˠ ϑΟογϯάڭҭϖʔδΛදࣔ <݁Ռ> ༧૝ͱ͸ҟͳΓɼ৚݅#ͷैۀһͷ΄͏͕ͦͷޙͷةݥߦಈ͕ଟ͔ͬͨ
ˠ ৚݅#Ͱ͸ैۀһʹ҆৺ײΛ༩͑ͯ͠·ͬͨʁ ʢ৚݅"Ͱ͸ΫϦοΫߦಈͱۓுײ͕݁ͼ͍ͭͨʁʣ 29 ࢀߟɿ<>%-BJOFUBM1IJTIJOHJO0SHBOJ[BUJPOT'JOEJOHTGSPNB-BSHF4DBMFBOE-POH5FSN4UVEZ *O1SPDPG4ˍ1` ૊৫಺Ͱͷ૊ΈࠐΈܕϑΟογϯάڭҭ͸ٯޮՌʁ

ϢʔβʹޮՌతͳܯࠂσβΠϯ

ϝʔϧΫϥΠΞϯτͰͷܯࠂ w ܯࠂදࣔҐஔ 31 ࢀߟɿ+1FUFMLB FUBM1VU:PVS8BSOJOH8IFSF:PVS-JOL*T*NQSPWJOHBOE&WBMVBUJOH&NBJM1IJTIJOH8BSOJOHT *O1SPDPG$)*` 4VCKFDU ʜ 'SPNʜ
ʜ ʜ MJOL ʜ ʜ ʜ ʜ 4VCKFDU ʜ 'SPNʜ ʜ ʜ ʜ ʜ MJOL ʜ ʜ 5IJTFNBJMTFFNTEBOHFSPVT 5IJTFNBJMDPOUBJOTBMJOLUP BGBLFXFCTJUF Ϣʔβͷ ΫϦοΫ཈ࢭޮՌ όφʔ ϦϯΫ෇ۙ

w ϦϯΫແޮԽ༗ແ 4VCKFDU ʜ 'SPNʜ ʜ ʜ ʜ IUUQTXXXZBIPPDPN ʜ
ʜ ϝʔϧΫϥΠΞϯτͰͷܯࠂ 32 'BLFXFCTJUF -JOLHPFTUP XXXZBIPPMPHJODPNCS Ϣʔβͷ ΫϦοΫ཈ࢭޮՌ ϦϯΫແޮԽແ͠ 4VCKFDU ʜ 'SPNʜ ʜ ʜ ʜ IUUQTXXXZBIPPDPN ʜ ʜ 'BLFXFCTJUF -JOLHPFTUP XXXZBIPPMPHJODPNCS ϦϯΫແޮԽ༗Γ ΫϦοΫ Մೳ ΫϦοΫ ෆՄೳ ΫϦοΫ Մೳ

Ϣʔβʹ lߟ͑ͯ΋Β͏zܯࠂ Ϩϙʔτ 33 ࢀߟɿ,"MUIPCBJUJ FUBM*%POU/FFEBO&YQFSU.BLJOH63-1IJTIJOH'FBUVSFT)VNBO$PNQSFIFOTJCMF *O1SPDPG$)*` 63-IUUQTCFTUDOBSHFSVFYDIBOHFSTNLUFOJE ˙ 4VNNBSZ
LOPXOJTTVF1PTTJCMFJTTVF/PJTTVF ˙ %FUBJMFEJOGPSNBUJPO .BOJQVMBUJPO5SJDLT lCFTUDOBSHFSVzJTTJNJMBSUPQPQVMBSEPNBJO lCFTUDIBSHFSVz %PNBJO"HF3FHJTUFSFEPO+VMZUI NPOUI 6TFE5SJDL 4FBSDI 3FTVMU /P.BUDI %PNBJO "HF NPOUI %PNBJO 1PQVMBSJUZ -PX ! ! !

࠷ޙʹʢ࠶ܝʣ 34 γεςϜத৺ͷ ϑΟογϯάݚڀ ߴਫ਼౓ͳϑΟογϯάݕ஌ ΞϧΰϦζϜͷཱ֬ ػցֶश ਓؒத৺ͷ ϑΟογϯάݚڀ Ϣʔβ͕ὃ͞ΕΔཧ༝ͷղ໌
ˣ ޮՌతͳڭҭɾϢʔβαϙʔτπʔϧ ͷ૑ग़ ྆ํͷΞϓϩʔν͕ॏཁ

フィッシング対策セミナー2022講演資料 / antiphishing-seminar202...

フィッシング対策セミナー2022講演資料 / antiphishing-seminar2022-hasegawa

Ayako Hasegawa

More Decks by Ayako Hasegawa

Other Decks in Research

Featured

Transcript

ϑΟογϯάʹର͢ΔϢʔβͷߦಈɾೝࣝ ۙ೥ͷֶज़ݚڀ͔Β ϑΟογϯάରࡦηϛφʔ ࠃཱݚڀ։ൃ๏ਓ ৘ใ௨৴ݚڀػߏ αΠόʔηΩϡϦςΟݚڀॴ ௕୩઒ ࠼ࢠ

ߨԋऀ ࣗݾ঺հ w ࢯ໊ɿ௕୩઒ ࠼ࢠ w ॴଐɿࠃཱݚڀ։ൃ๏ਓ ৘ใ௨৴ݚڀػߏ αΠόʔηΩϡϦςΟݚڀॴ w

ϢʔβϒϧηΩϡϦςΟݚڀͱ͸ w ώϡʔϚϯϑΝΫλͷ؍఺͔ΒηΩϡϦςΟٕज़Λݕ౼͢Δݚڀ෼໺ r ໊લͷ௨Γɼਓؒ Ϣʔβ ʹͱͬͯ lVTBCMFzͰ҆શͳηΩϡϦςΟٕज़ͷཱ͕֬໨ඪ r ͦͷͨΊʹϢʔβͷߦಈ΍ೝࣝΛ؍ଌ

"HFOEBʢݚڀࣄྫ঺հʣ ϢʔβΛὃ͢߈ܸऀͷ৺ཧςΫχοΫ Ϣʔβͷଐੑͱὃ͞Ε΍͢͞ ϢʔβͷϑΟογϯά߈ܸʹؔ͢Δ஌ࣝ ϢʔβʹޮՌతͳڭҭɾΞυόΠε

ϢʔβΛὃ͢߈ܸऀͷ৺ཧτϦοΫ

߈ܸऀ͸ਓؒͷ৺ཧಛੑΛѱ༻ w ߈ܸऀ͕ѱ༻͢Δਓؒͷ৺ཧಛੑ 3PCFSU$JBMEJOJ lQSJODJQMFTPGJOGMVFODFz 6 ᶃ ฦใੑʢSFDJQSPDJUZʣ ᶄ Ұ؏ੑʢDPOTJTUFODZʣ

11 ϑΟογϯ άϝʔϧͷ ಛ௃ ԤभͷϢʔβ ೔ຊͷϢʔβ ฦใੑ ௿͍ ༗ҙͳؔ܎ͳ͠ Ұ؏ੑ

͜ͷΑ͏ͳݚڀ੒Ռ ஌ݟ ΛͲ͏׆͔͔͢ Ø Ϣʔβ͕ಛʹὃ͞Ε΍͍͢৺ཧτϦοΫʹؔͯ͠ɼͦͷ৺ཧτϦοΫ͕༻͍ΒΕ ͨϝʔϧΛࣗಈͰ൑ผ͠ɼ༏ઌతʹௐࠪ͢ΔɾܯࠂΛදࣔͤ͞ΔͳͲ 12

Ϣʔβͷଐੑͱὃ͞Ε΍͢͞

Ϣʔβଐੑͱὃ͞Ε΍͢͞ Ϣʔβͷଐੑʢ೥୅ɾੑผɾੑ֨ಛੑɾաڈͷܦݧɾจԽ FUDʣʹΑΓϑΟο γϯά΁ͷὃ͞Ε΍͕͢͞ҟͳΔ͜ͱ͕໌Β͔ʹͳ͍ͬͯΔ ˠὃ͞Ε΍͍͢ଐੑͷϢʔβΛੵۃతʹαϙʔτ w ೥୅ɾੑผ<> r ߴྸͷঁੑ͕࠷΋ὃ͞Ε΍͍͢܏޲ r

Ϣʔβଐੑͱὃ͞Ε΍͢͞ w ੑ֨ಛੑ r ྑ৺తͳੑ֨ͳਓ͸ͦ͏Ͱͳ͍ਓΑΓ΋ὃ͞Ε΍͍͢܏޲ <> w աڈͷܦݧ r աڈʹϑΟογϯάτϨʔχϯάΛड͚ͨਓ͸ͦ͏Ͱͳ͍ਓΑΓ΋ὃ͞Εʹ͍͘܏޲

ϢʔβͷϑΟογϯά߈ܸʹؔ͢Δ஌ࣝ

ҰൠతͳΤϯυϢʔβʹ63-ͷѼઌΛ໰͏ΞϯέʔτΛ࣮ࢪ<> 63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ 18 2ҎԼͷ63-͸ͦΕͧΕͲͷΑ͏ͳ΢ΣϒαΠτʹܨ͕Δͱࢥ͍·͔͢ʁ ᶃ IUUQTQSPGJMFGBDFCPPLDPN ᶄ IUUQTGBDFCPPLQSPGJMFDPN ᶅ IUUQTUXJUUFSDPNGBDFCPPLDPN

63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ 19 ᶃ IUUQTQSPGJMFGBDFCPPLDPN 㱺'BDFCPPL ᶄ IUUQTGBDFCPPLQSPGJMFDPN 㱺1SPGJMF ᶅ IUUQTUXJUUFSDPNGBDFCPPLDPN

63-ͷߏ଄ʹؔ͢ΔϢʔβͷ஌ࣝ w ࢀՃऀ͸υϝΠϯͱαϒυϝΠϯͷ۠ผ͕͍͓ͭͯΒͣ ʮ'2%/ʹؚ·ΕΔαʔϏε ໊শ ʹ ܨ͕Δ΢ΣϒαΠτʯͰ͋Δͱޡղ͕ͪ͠ w ᶅ αϒσΟϨΫτϦʹαʔϏε໊

֤छ63-ِ૷ςΫχοΫʹؔ͢ΔϢʔβͷ஌ࣝ 21 ࢀߟɿ<>+3FZOPMETFUBM.FBTVSJOHEFOUJUZ$POGVTJPOXJUI6OJGPSN3FTPVSDF-PDBUPST O1SPDPG$)*` 2ҎԼͷ63-͸ͲͷΑ͏ͳ΢ΣϒαΠτʹܨ͕Δͱࢥ͍·͔͢ʁ • IUUQTUXJUUUFSDPN • IUUQTCPGBDPNTJHOJOJOGP •

֤छ63-ِ૷ςΫχοΫʹؔ͢ΔϢʔβͷ஌ࣝ 22 ࢀՃऀ͕ѼઌΛਖ਼౴Ͱ͖ͨͷ͸ˋͷ63-ʹͱͲ·ͬͨ 63-ِ૷ςΫχοΫ ྫ ਖ਼౴཰ 5ZQPTRVBUUJOH IUUQTUXJUUUFSDPN *%/)PNPHSBQIT

ϢʔβʹޮՌతͳڭҭɾΞυόΠε

ϑΟογϯάରࡦΞυόΠεͷ࣮ଶௐࠪ ΢ΣϒαΠτʹܝࡌ͞ΕͨΞυόΠε Χࠃ Λ෼ੳͯ͠൑໌ͨ͠՝୊<> w ந৅తͳΞυόΠε͕ଟ͍ r ྫʣʮΫϦοΫ͢Δલʹ63-Λ֬ೝ͠·͠ΐ͏ʯ w ࠞཚΛੜΉΞυόΠε͕ܝࡌ͞Ε͍ͯΔ

ޮՌతͳڭҭํ๏ ΞυόΠεܗࣜ ͱ ετʔϦʔ ମݧஊ ܗࣜͷޮՌͷҧ͍ <> ΞυόΠεܗࣜ ˠ ޮՌ͕ߴ͘ɼઐ໳Ո͔Β༩͑ΒΕͨࡍʹಛʹޮՌత

ϢʔβʹޮՌతͳܯࠂσβΠϯ

ϝʔϧΫϥΠΞϯτͰͷܯࠂ w ܯࠂදࣔҐஔ 31 ࢀߟɿ+1FUFMLB FUBM1VU:PVS8BSOJOH8IFSF:PVS-JOLTNQSPWJOHBOE&WBMVBUJOH&NBJM1IJTIJOH8BSOJOHT O1SPDPG$)` 4VCKFDU ʜ 'SPNʜ

w ϦϯΫແޮԽ༗ແ 4VCKFDU ʜ 'SPNʜ ʜ ʜ ʜ IUUQTXXXZBIPPDPN ʜ

Ϣʔβʹ lߟ͑ͯ΋Β͏zܯࠂ Ϩϙʔτ 33 ࢀߟɿ,"MUIPCBJUJ FUBM%POU/FFEBO&YQFSU.BLJOH63-1IJTIJOH'FBUVSFT)VNBO$PNQSFIFOTJCMF O1SPDPG$)*` 63-IUUQTCFTUDOBSHFSVFYDIBOHFSTNLUFOJE ˙ 4VNNBSZ

࠷ޙʹʢ࠶ܝʣ 34 γεςϜத৺ͷ ϑΟογϯάݚڀ ߴਫ਼౓ͳϑΟογϯάݕ஌ ΞϧΰϦζϜͷཱ֬ ػցֶश ਓؒத৺ͷ ϑΟογϯάݚڀ Ϣʔβ͕ὃ͞ΕΔཧ༝ͷղ໌