Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.

"We sent them to a page that said 'service temporarily unavailable, please try again later.' That would stimulate people's interest and many people returned," he said. "It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger. ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them."

One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.

"It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they're crazier than the rest of us," Jakobsson said.

In another study, Jakobsson and his wife exposed weaknesses in eBay's system that allows communication between buyers and sellers. A recipient of an e-mail sees a yellow button that says "respond now," but the button carries no information about the intended recipient. Jakobsson pasted the button onto a spoofed e-mail to a victim, making it appear to be a legitimate e-mail from an eBay user. Instead, the victim -- or, in this case, research subject -- is taken to a site with a URL that's similar to eBay's but was actually run by Jakobsson.

The researchers spoke with eBay after performing their experiment.

"Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too," he said. "We were terrified that we caused it to happen."

It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn't experiment on its own customers, he said.

There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn't. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL or one with the phrase "accountonline.com."

The accountonline.com link was the real one used by AT&T -- yet users deemed it less trustworthy than the one with AT&T's name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.

"Custom name attacks are remarkably successful," Jakobsson said.
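As an added illustration, not code from the article or from Jakobsson's studies, the check below encodes the defender's counterpart to the AT&T finding: a URL is trusted only when its registrable domain is on the brand's allowlist, and a brand name appearing anywhere else in the URL (a host label, the userinfo part, or the path) is treated as a lookalike signal rather than a mark of trust. The allowlist, the brand token set and the sample URLs are constructed for the example; the `.test` hostnames are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist. The article states accountonline.com was AT&T's real
# login domain; att.com is included as an assumed second legitimate domain.
LEGITIMATE_DOMAINS = {"att.com", "accountonline.com"}
BRAND_TOKENS = {"att"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification: multi-part public suffixes such as co.uk are not
    handled; the constructed inputs below all use single-label TLDs.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _tokens(text: str) -> set:
    """Split a URL component into lowercase tokens on the usual separators."""
    return set(re.split(r"[.\-_/@]+", text.lower())) - {""}


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'custom-name lookalike' or 'unrelated'.

    Trust is decided by the registrable domain alone. A brand token found in
    any other part of the URL is the pattern the article describes: a name the
    user recognises, placed somewhere that does not prove ownership.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    decoy = _tokens(host) | _tokens(parts.username or "") | _tokens(parts.path)
    if decoy & BRAND_TOKENS:
        return "custom-name lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.accountonline.com/login",      # real domain, no brand name
                   "https://att.secure-billing.test/login",   # brand name as a host label
                   "https://att.com@evil.test/",              # brand name in userinfo
                   "https://news.example.test/"):             # no brand name at all
        print(f"{sample:45} -> {classify_url(sample)}")
```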

Experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet, Jakobsson said.

Although some argue users can't be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it's pretty much useless, he said, leaving lots of room for improvement.

"The technical component is important, but it's not all," Jakobsson said.


Jon Brodkin

Network World
