The e-mail appeared to be a routine correspondence between
two friends. “Check this out!” it read, then listed a Web address.
But the note was fake, part of an online ruse called
phishing that has become a scammer’s favorite way to get sensitive information
from unsuspecting computer users.
The catch? The scammers were Indiana University researchers,
the e-mail an experiment.
“I didn’t know I was being used,” said Kevin
McGrath, 25, a doctoral student at Indiana University whose e-mail address was
one of hundreds used as “passive participants” for an experiment to
study who gets duped by phishing.
As universities nationwide study ways to protect online
security, methods at Indiana are raising ethical and logistical questions for
researchers elsewhere: Does one have to steal to understand stealing? Should
study participants know they are being attacked as part of a study? Can
controlled phishing ever mimic real life?
Indiana researchers say the best way to understand online
security is to act like the bad guys.
“We don’t believe that you can go and ask people, ‘Have
you been phished?’ There’s a stigma associated with it. It’s like asking
people, ‘Have you been raped?'” said Markus Jakobsson, an associate professor
of informatics who directs IU’s Anti-Phishing Group.
The university has conducted nearly a dozen experiments in
the last two years. In one, called “Messin’ With Texas,” researchers
learned mothers’ maiden names for scores of people in Texas. Maiden names often
are used as a security challenge question.
Another conducted in May found that 72 percent of more than
600 students tested on the Bloomington, Ind., campus fell for an e-mail from an
account intended to look familiar that sought usernames and passwords.
By contrast, only 18 percent of 350 students in a separate
control group were fooled when they received e-mails from addresses they did
The experiments found that hackers have the most success by
using hijacked Web addresses or e-mail accounts that look real. The research
also showed computer users generally have little knowledge of Web site security
certificates and leave themselves open to attack with poorly configured routers
or operating systems.
Understanding those weaknesses is a key to combatting
phishing, which accounted for nearly three-quarters of 11,342 online attacks
recorded between January and March, according to the US-Cert, which monitors
online attacks for the Department of Homeland Security.
Many companies have taken steps to protect consumers, but
none have proven entirely effective which is why IU believes it’s important to
understand phishing “in the wild,” as Jakobsson describes it.
Federal laws governing university research allow scientists
to use deceptive means if the risk participants face is minimal and no greater
than what they would face in daily life.
Peter Finn, who serves on the Indiana
review board that approves the studies, said the university believes the
phishing experiments fall within those guidelines even though about 30 students
complained about the methods.
“The probability of harm from the study is nowhere near
the magnitude of the harm that would result from actual phishing attacks,”
Jakobsson said researchers take steps to protect information
from hackers who might snoop on the studies. The fake Web sites and e-mails
used in the phishing attempts are created behind a secure server. No
information submitted by test subjects is stored. The experiments, which are
not encrypted in order to mirror real conditions, record only that someone gave
information not what they provided.
Celia B. Fisher, a human research ethicist at Fordham
University in New
York, said the experiments qualify as “deception
research” and are legal, even necessary.
“There is no way to find this information out without
deceiving the participants, because as soon as you tell them what you’re doing,
you won’t have any real information,” she said.
But Lorrie Cranor, who directs an anti-phishing group at Carnegie
Mellon in Pittsburgh, said
controlled laboratory studies can be just as useful.
The school has developed an online tool accessible only from
its labs called “Anti-Phishing Phil” to lead participants through
scenarios based on actual phishing attempts. The experiment hopes to determine
which methods work the best at deceiving users.
Cranor’s research has found that successful phishing
attempts rely on human vulnerabilities such as greed, curiosity, ignorance and
“When you talk to someone, you look in their eyes and
say, “Does this look like they’re telling the truth?’ And we get pretty
good at making these judgments,” she said. “But most of are not very
good at making these judgments online.”
Conditioning users to recognize those weaknesses before it’s
too late is the safest way to combat phishing, she said.
“If we were to collect personal information from
people, we have to be very careful,” Cranor said. “You don’t want to
be responsible for holding a list of people’s Social Security numbers.”
On the Net:
The Anti-Phishing Group at Indiana University: http://www.indiana.edu/~phishing/
– Associated Press
© Copyright 2005 by DiverseEducation.com