Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

If he weren't so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.

Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks of unsuspecting Web surfers - without actually harming them, of course - to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue.

The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants.

"They think everything that is not immoral or illegal is fine," Jakobsson joked Wednesday at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.

Jakobsson's research subjects can't know they're being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they've unknowingly participated, which Jakobsson admits has led to some angry responses.

In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have.

"We were on four continents within a day with a starting point of 20 of these messages," Jakobsson said. "We could have put malware on computers."

In another study, Jakobsson found that while people often won't click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study - which involved an e-mail asking users to update their eBay accounts - is that public education efforts about the danger of online attacks are insufficient. People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

"People think [the phrase] 'starting with' is just as good as 'ending with,' which of course is remarkable insight," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?